One solution is to use software or a dedicated terminal to ensure that no malicious program can intercept a consumer's communications with a bank. Consumers who have an old PC or laptop lying around could install the free Linux operating system on the machine and use the machine exclusively for financial transactions, suggests SecureWorks's Stewart. Some security firms are also developing software to allow people to run a secure zone on their computer that eliminates the threat of communications being intercepted.
"It goes back to the question, 'Can you trust the computer that you are using? Has it been infected by something that can impact you when you log on to your bank?'" Stewart says.
Another solution is to use a second means of communication, such as calling from a phone or sending an SMS message, to confirm that a transaction is valid, says Ariel Avitan, manager of information security for the Europe, Middle East, and Africa region of Frost & Sullivan, a global business consultancy based in San Antonio, Texas. "It's a cat-and-mouse game," Avitan says. "The [criminals] open a new door, and we shut it. Then they find another one."
Finding solutions and pushing financial firms to adopt them are two separate challenges. Banks only implemented two-factor authentication in October 2005, after the Federal Financial Institutions Examination Council (FFIEC) mandated additional security for online bank accounts.
Ferma's Ferrari has decided to fall back on a low-tech solution. "We have gone back to issuing manual checks," he says.
Comments
"We have gone back to issuing manual checks,"
A more reasonable, yet still drastic, reaction would be to dedicate a terminal or virtualized OS that is only able to connect to the business's bank website.
colinnwn
09/18/2009
Posts:65
The solution, technically, is simple and cheap - just get a simple PINPad, just like those used at any supermarket/gas station/any merchant, and enable it to be connected to the business/home PC (USB/Bluetooth/etc.). This enables a trusted device (hard-wired/coded in PROM) to possess the crypto keys needed by the bank and the user to authenticate each and every transaction that is displayed on the little screen and any data entered on its own little keyboard - just like shopping! Simple, easy and secure!
So, why not now? Again simple. Governments have not been willing to regulate for security in the computer and data comms industries!! Remember, as Ralph Nader knew and Al Gore portrayed in another area as an "Inconvenient Truth", safety and security have NEVER been market driven, e.g. fire extinguishers in offices, seat belts in cars, and on and on.
PS: That PINPad, with its associated "card present" transaction backing, would also enable secure social service operations and the like and, by the way, in large quantities we are talking about less than $35 per unit (cheaper than any anti-Trojan/Virus/Botnet or like malware detection package).
The trusted solution is there, now... Is there the willingness of government to act in the interest of the security of its citizens and the protection of a critical national infrastructure, the banking, finance and payments sector?
wjc
09/18/2009
Posts:2
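The transaction-signing PINPad described in the comment above, as an added illustration (this is example code, not anything from the article or the commenter): the pad signs only the transaction it displayed, so a compromised PC that alters the payee after the user approves produces a signature the bank rejects. The shared HMAC key, the transaction fields and the sequence-number replay check are assumptions of the example.

```python
import hmac
import hashlib
import json

# Constructed demo key: in the real design it would live in the pad's PROM and the bank's HSM.
PAD_KEY = b"constructed-demo-key-do-not-reuse"

def canonical(txn):
    """Deterministic byte encoding of exactly the fields shown on the pad's own screen."""
    fields = {"to": txn["to"], "amount": txn["amount"], "seq": txn["seq"]}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

class PinPad:
    """Trusted device: displays the transfer on its own screen and signs only what it displayed."""
    def __init__(self, key):
        self._key = key

    def confirm_and_sign(self, txn, user_approves):
        shown = f"PAY {txn['amount']} TO {txn['to']}"   # text the user reads on the pad
        if not user_approves(shown):
            return None                                   # user declined on the trusted keypad
        return hmac.new(self._key, canonical(txn), hashlib.sha256).hexdigest()

class Bank:
    """Verifies the pad's tag against the transaction it actually received from the PC."""
    def __init__(self, key):
        self._key = key
        self._seen = set()

    def accept(self, txn, tag):
        if tag is None or txn["seq"] in self._seen:      # unsigned or replayed: reject
            return False
        expected = hmac.new(self._key, canonical(txn), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):       # PC changed something after signing
            return False
        self._seen.add(txn["seq"])
        return True

def run(relay):
    """Simulate one transfer; `relay` models what the PC forwards to the bank."""
    pad, bank = PinPad(PAD_KEY), Bank(PAD_KEY)
    txn = {"to": "ACCT-1001", "amount": "250.00", "seq": 1}   # constructed sample transfer
    tag = pad.confirm_and_sign(txn, lambda shown: shown.endswith("ACCT-1001"))
    return bank.accept(relay(txn), tag)

if __name__ == "__main__":
    print("honest PC accepted:", run(lambda t: t))
    print("tampered payee accepted:", run(lambda t: {**t, "to": "MULE-9999"}))
```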
nhjeff
09/18/2009
Posts:2
On top of that, I use a bootable DVD of Ubuntu, so no viruses are present for my banking session; even if the rest of my computer potentially contains trojans, my banking should stay safe.
nanobody
09/18/2009
Posts:3
Furthermore, we need greater encryption for transmission on the web. My bank (Huntington), for my business for instance, gave me my account information via 3 different methods (not one instance provided all the required information to log in and access the account) as well as the SecurID generator.
Perhaps an NFC technology could be implemented here, or a 2D barcode scan via webcam, then encrypted while transmission between the server and client takes place. Thoughts? Cheers!
brianjking
09/24/2009
Posts:4
Thus, the problem has nothing to do with the authentication. Whether it is one-, two- or even three-factor authentication, the exploit would work. The problem is the integrity of the user's computer. And this one is tougher to succeed at, especially with generic open computers. If using a non-dedicated device, then we will have to assess this risk and try to mitigate it: checking the integrity of the computer often, monitoring banking transactions often, ...
Wunderbarb
09/18/2009
Posts:6
Call_me_a_ko...
09/18/2009
Posts:1
Creator1326
09/18/2009
Posts:3
Shiladie
09/18/2009
Posts:56
If malware is on the device, it can take over what is displayed, so a confirmation can be thwarted.
To use a second device for a confirmation, you need to make sure the malware doesn't change the phone number or address while you are logged in.
Too many people don't read confirmations carefully enough.
I'd have to ask how a bank site can allow 27 transfers to accounts that have never been used by this account holder before, all in one session. The transaction system needs to be smarter. For my account, I'd say if there is ever a transfer to an account I haven't used before, flags should go up and it should require double verification. Two such transfers, or one over $1000, I want triple verification. Especially if the target account is not a well-trusted business account. This is a problem with some of these accounts. They don't let me put limits on what can be done.
gvguy
09/19/2009
Posts:1
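The per-session rules the comment above asks for, written out as an added example of risk-based transaction monitoring (example code, not from the article or any bank): a first-time payee raises the required verification to level 2, a second new payee in the same session or any transfer over $1000 raises it to level 3, and payees on a trusted-business list are treated as known. The level numbers, the trusted-business exemption and the sample session are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    to: str        # destination account identifier
    amount: float  # in dollars

LARGE_AMOUNT = 1000.0   # threshold from the comment: "one over $1000"

def verification_level(transfer, known_payees, trusted_business, new_payees_so_far):
    """Return 1 (normal login), 2 (double verification) or 3 (triple verification)."""
    first_time = transfer.to not in known_payees and transfer.to not in trusted_business
    if transfer.amount > LARGE_AMOUNT and first_time:
        return 3
    if first_time and new_payees_so_far >= 1:     # second unfamiliar payee in the session
        return 3
    if first_time:
        return 2
    return 1

def assess_session(transfers, known_payees, trusted_business=frozenset()):
    """Score every transfer in order; the count of new payees seen so far is session state."""
    results, seen_new = [], set()
    for t in transfers:
        level = verification_level(t, known_payees, trusted_business, len(seen_new))
        if t.to not in known_payees and t.to not in trusted_business:
            seen_new.add(t.to)
        results.append((t, level))
    return results

def session_should_hold(transfers, known_payees, trusted_business=frozenset()):
    """True if any transfer in the session reaches level 3 (hold and verify out of band)."""
    return any(level == 3 for _, level in assess_session(transfers, known_payees, trusted_business))

# Constructed sample: two familiar payees, then a burst of never-used accounts in one session.
KNOWN = frozenset({"PAYROLL-01", "LANDLORD-02"})
TRUSTED = frozenset({"UTILITY-CO"})
SESSION = [Transfer("PAYROLL-01", 4200.00), Transfer("UTILITY-CO", 310.00),
           Transfer("NEW-ACCT-1", 900.00), Transfer("NEW-ACCT-2", 850.00)]

if __name__ == "__main__":
    for t, level in assess_session(SESSION, KNOWN, TRUSTED):
        print(f"{t.to:12} ${t.amount:>8.2f}  verification level {level}")
    print("hold session:", session_should_hold(SESSION, KNOWN, TRUSTED))
```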
skingw
09/22/2009
Posts:22
Having the user actually see the type and amount of the transaction they are supposed to be authenticating embedded within the actual visual challenge would prevent the average user from authenticating them.
MattPW
09/24/2009
Posts:1
An email with a confirmation "link" should be sent informing you of that activation. That would give you notice to confirm and a timely phone call to lock/remove unauthorized entries.
steverjk
09/28/2009
Posts:1