How to plug the loopholes in two-factor authentication
Sophisticated hackers are challenging the idea that two-factor authentication methods are completely safe

By Sameer Ratolikar, Bank of India, February 12, 2010
In the evolving landscape of security, hackers are always a step ahead of protectors and keep devising new tricks to hoodwink the best security defenses. Security administrators, on the other hand, try to fend off these attacks by building new lines of defense.

For instance, two-factor authentication methods were created to give an additional layer of protection to the static password mechanism. By using a combination of something one knows (static password) and something one has (a token that generates random numbers), two-factor authentication scaled up the level of security traditionally provided by static passwords.
 
A common example is the ATM card, which also serves as a two-factor authentication device. An individual who does not have the ATM card cannot withdraw money, and even with the card she cannot withdraw money without the ATM PIN. Over time, two-factor authentication methods have proved to be undoubtedly the best mitigating solution to counter online identity-theft attacks.

However, today, sophisticated hackers are challenging the idea that two-factor authentication methods are completely safe. A recent Gartner report titled ‘Where strong authentication fails and what you can do about it’ highlights that Trojan-based man-in-the-browser (MITB) and man-in-the-middle (MITM) attacks are circumventing strong two-factor authentication based on one-time password tokens.
 
Traditional two-factor authentication solutions are unable to counter these Web 2.0-based attacks because the attacks are executed in real time, while the session is already authenticated. There have also been a few cases where Trojan and MITM attacks have been successfully carried out against leading banks that were using traditional two-factor solutions.

The MITB attack succeeds because it intercepts communication between the user and the browser, rather than, as in the traditional MITM method, between the user’s computer and the website. Once a session is hijacked, both the website and the customer are fooled into thinking they are dealing with genuine entities. The hacker or the malware can change information as it is displayed to the customer, and even modify requests sent to the bank.
 
For example, if a customer makes a payment to a website, the hacker can change the destination account number. The bank has no reason for suspicion, since the session has been authenticated by a password. Similarly, the hacker changes the information sent back to the customer, making him believe it was a genuine transaction. In such a scenario, even if the password changes dynamically, the hacker still controls the session and sees everything communicated between the website and the user. Hence, the chances of two-factor authentication failing are extremely high.

Since most leading financial institutions in India use two-factor authentication methods, what should they do to mitigate these threats? The answer lies in having a long-term vision for security, and strengthening existing lines of defense.

While there is no ‘one size fits all’ approach, a holistic framework that seamlessly blends people, processes and technology will help address the loopholes exploited by hackers. In addition to two-factor authentication, enterprises must use ‘mutual authentication’, where both entities identify each other before conducting a transaction. Enterprises must also use technologies that monitor web traffic and are able to spot unusual patterns.

Many security vendors are also guilty of not providing end-to-end encryption technology. Hence, before selecting two-factor authentication technologies, enterprises must ensure that the vendor provides end-to-end encryption for the one-time password displayed on the hardware token.

Most importantly, in addition to the identity of the customer, the transaction itself must be verified by the customer. This means that whenever a shopping transaction or a payment is made, the customer is asked to digitally verify the transaction details through a different channel, such as a mobile phone.
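The following is an added illustration, not code from the article or from any bank system, of why a session OTP fails against MITB tampering while a confirmation code bound to the transaction details does not. It assumes a shared HMAC secret provisioned to the customer's out-of-band device, a bank-issued nonce, and constructed sample account numbers.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Shared secret provisioned to the customer's phone/token (constructed sample value).
DEVICE_KEY = b"demo-shared-secret-not-for-production"


@dataclass(frozen=True)
class Transfer:
    src_account: str
    dest_account: str
    amount_inr: int


def canonical(t: Transfer) -> bytes:
    """Fixed byte encoding of the fields that must not be altered in flight."""
    return f"{t.src_account}|{t.dest_account}|{t.amount_inr}".encode()


def session_otp(key: bytes, counter: int) -> str:
    """Event-based OTP: depends only on the token counter, not on what is being paid."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def transaction_code(key: bytes, t: Transfer, nonce: bytes) -> str:
    """Confirmation code bound to the transfer details the customer saw on the phone."""
    mac = hmac.new(key, nonce + canonical(t), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def bank_accepts_otp(otp: str, key: bytes, counter: int) -> bool:
    return hmac.compare_digest(otp, session_otp(key, counter))


def bank_accepts_bound_code(received: Transfer, code: str, key: bytes, nonce: bytes) -> bool:
    # The bank recomputes over the details it actually received from the browser.
    return hmac.compare_digest(code, transaction_code(key, received, nonce))


def simulate(mitb_tampers: bool) -> tuple[bool, bool]:
    """Returns (otp_accepted, bound_code_accepted) for an honest or a tampered session."""
    intended = Transfer("0011", "2233", 5000)
    # Browser-resident malware rewrites the destination after the customer clicks submit.
    received = Transfer("0011", "9999", 5000) if mitb_tampers else intended
    counter, nonce = 42, b"\x01" * 8  # nonce delivered out of band with the details
    otp = session_otp(DEVICE_KEY, counter)                # what the token displays
    code = transaction_code(DEVICE_KEY, intended, nonce)  # computed over verified details
    return (bank_accepts_otp(otp, DEVICE_KEY, counter),
            bank_accepts_bound_code(received, code, DEVICE_KEY, nonce))
```

In the tampered run the OTP still verifies, because nothing in it depends on the destination account, while the bound code fails the moment the received details differ from the ones the customer confirmed.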

Security is always an evolving journey, and it is imperative that enterprises keep evolving their security infrastructure to proactively address emerging and new threats.

Sameer Ratolikar is Chief Information Security Officer, Bank of India

