July 14, 2006
Phishing with two factors -- What's really changed?
There's been a lot of heavy breathing in recent days about phishing attacks that target the two-factor authentication technology used by banks and financial services companies. While this is clearly a new wrinkle in the phishing epidemic, I don't think it's anything anybody should be peeing down their leg over. First of all, as the good folks at the SANS ISC pointed out months ago, two-factor authentication isn't a magic bullet; it's just another roadblock for fraudsters to have to navigate around. In fact, in an excellent research note on phishing with two factors, SANS ISC handler Jason Lam predicted the very same man-in-the-middle attack that's now being used against Citi. Namely: fraudsters set up a phishing site to act as a Web proxy, passing the OTP and challenge-response information to and from the actual bank customer, then ride into the online banking session on top of his or her credentials. The only thing that's surprising about the Citi phish is that fraudsters were so quick to try to break the OTP technology rather than just moving on to an easier mark (i.e. a bank that doesn't require OTP), as Lam predicted they would.
That said, two-factor authentication is far from obsolete just because phishers have figured out one way to trick banks that use it. True, most banks are implementing it because the government is telling them to, but the technology will be a major improvement in security for most online banking customers, first and foremost because fraudsters can now only steal credentials for a single online banking session, not permanent credentials that can be used in perpetuity.
Couple the "one time only" access with antifraud features that many banks (including, I would bet, Citibank) use to flag and block unusual activity and you have a much more thorough defense than the recent reports let on. For example, many banks will look at traffic being proxied from a server in, say, China, and flag that. Couple the "geolocation" flag with a behavioral flag ("Why is this person suddenly requesting a wire transfer of the balance of their account?") and you've probably got a frustrated and unsuccessful phisher.
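The layered check described above, as an added illustration that is not from the original post or from any bank's real system: a session is judged on whether its one-time code has already been consumed (the "one time only" property), whether it arrives from a country other than the customer's home country (the geolocation flag), and whether it asks to move an unusual share of the balance (the behavioral flag). The threshold, country codes and sample sessions are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class LoginSession:
    user: str
    otp: str                 # one-time code presented at login
    source_country: str      # where the session actually originates (e.g. the proxy)
    home_country: str        # country on file for the customer
    requested_transfer: float  # amount of wire transfer requested, 0.0 if none
    balance: float


@dataclass
class FraudMonitor:
    # OTP codes already consumed per user: a code seen twice is a replay,
    # which is exactly what "one time only" credentials are meant to prevent.
    used_otps: dict = field(default_factory=dict)
    # Share of the balance above which a transfer is treated as unusual (assumed threshold).
    transfer_ratio: float = 0.8

    def assess(self, s: LoginSession):
        """Return (decision, flags) for one session: allow, review or block."""
        flags = []
        consumed = self.used_otps.setdefault(s.user, set())
        if s.otp in consumed:
            flags.append("otp_replay")
        else:
            consumed.add(s.otp)          # first use of this code is legitimate
        if s.source_country != s.home_country:
            flags.append("geolocation")
        if s.balance > 0 and s.requested_transfer / s.balance >= self.transfer_ratio:
            flags.append("behavioral")
        # A replayed code, or two independent signals together, is enough to block;
        # a single soft signal only sends the session to manual review.
        if "otp_replay" in flags or len(flags) >= 2:
            return "block", flags
        return ("review" if flags else "allow"), flags


if __name__ == "__main__":
    monitor = FraudMonitor()
    # Constructed sessions: a normal login, then a proxied login relaying a fresh
    # code from abroad and draining the account, then a stale code replayed later.
    normal = LoginSession("alice", "482913", "US", "US", 200.0, 5000.0)
    proxied = LoginSession("alice", "771204", "CN", "US", 4900.0, 5000.0)
    replay = LoginSession("alice", "482913", "US", "US", 50.0, 5000.0)
    for session in (normal, proxied, replay):
        print(monitor.assess(session))
```

Note that the proxied session's code is valid on first use, so it is the geolocation and behavioral flags, not the OTP check, that stop it; that is the point of the layered defense.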
So two factor isn't a silver bullet, but it's also not like this is the only thing banks are doing. In addition to OTP technology, there are lots of other technologies that banks are throwing at fraud, from antiphishing and brand protection services like MarkMonitor, RSA (EMC?)/Cyota, and Cyveillance, to behavioral biometrics that companies like Fair Isaac can use to determine that you are who you say you are. As with network security, antifraud is one of those problems where layered security works best. Tricking OTP technology is just one piece
Posted by Paul Roberts on July 14, 2006 08:33 AM