Network World - The trusty telephone is emerging as one of the key elements in new multifactor authentication schemes designed to protect online banking and other web-based financial transactions from rapidly evolving security threats.
New federal guidelines, which took effect last month, recommend multiple layers of security controls beyond the traditional username/password, particularly out-of-band authentication methods.
While the Federal Financial Institutions Examination Council (FFIEC) rules apply specifically to banks, credit unions, mortgage lenders, and savings and loans, every organization that handles online financial transactions, such as shopping portals, credit card companies and online bill-payment services, is affected.
One of the main weapons in today's hacker arsenal is password phishing: attackers send phishing emails to steal online banking credentials and then use them to break into user accounts.
In response, banks and other financial institutions have deployed technologies like device identification, challenge questions and one-time password tokens, according to Sarah Fender, vice president of product management at authentication vendor PhoneFactor.
Forrester analyst Andras Cser emphasizes that login IDs and passwords are no longer enough. He says preselected images, challenge questions, device information, and device reputation are all effective second-factor authenticators.
But the problem with many of those "in-band" authentication methods is that the device itself might be infected with malware, adds Fender.
There are also more advanced threats, such as keyloggers, man-in-the-browser (MITB) and man-in-the-middle (MITM) attacks, which require even more sophisticated security measures.
Gartner analyst Ant Allan says, "Virtually every authentication technique can be compromised or circumvented. Authentication is better than legacy passwords to minimize the risk for 'quick and dirty' attacks such as phishing, but there is a limit to the utility of seeking higher-assurance methods that are harder to compromise directly. At some point, the attackers will move to MITB attacks, which hijack already authenticated sessions, effectively bypassing authentication, to manipulate transaction details or insert bogus transactions."
Allan says there are two advanced technologies that are effective in combating the current crop of attacks: Web Fraud Detection and Transaction Verification.
According to Allan, Web Fraud Detection evaluates contextual information about the user's connectivity (endpoint identity, geographic location, and so on) and looks for anomalous transactional behavior (compared to user history and to other users; e.g., are multiple users making transfers to the same new account?). (See "Well organized, sophisticated, fast cybercriminals scare U.S. banks".)
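To make the "anomalous transactional behavior" check concrete, here is an added example (not code from Network World, Gartner or any vendor named in the article) that runs the kinds of rules Allan describes over a constructed batch of transfers: unfamiliar endpoint, unfamiliar geography, a payee the user has never paid, and the fan-in case where several distinct users suddenly pay the same new account. The user histories, device ids and account numbers are all constructed sample data.

```python
"""Toy web-fraud-detection rules over a constructed batch of transfers.

Added example; not code from the article or from any vendor it names.
All histories, device ids and account numbers below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    user: str
    device_id: str      # endpoint identity as seen by the bank's web tier
    country: str        # coarse geographic location of the connection
    dest_account: str
    amount: float


# Per-user history the bank already holds (constructed sample data).
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"}, "dave": {"dev-d1"}}
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US"}}
KNOWN_PAYEES = {"alice": {"ACCT-100"}, "bob": {"ACCT-200"}, "carol": {"ACCT-300"}, "dave": {"ACCT-400"}}


def score_batch(transfers, fanin_threshold=3):
    """Return {index: [reasons]} for every transfer that trips at least one rule.

    Rules:
      new_device        endpoint never seen for this user
      new_country       connection geography never seen for this user
      new_payee         destination not in the user's payee history
      shared_new_payee  destination is a *new* payee for >= fanin_threshold
                        distinct users in this batch (the "same new account"
                        pattern from the article)
    """
    # First pass: which distinct users treat each destination as a new payee?
    new_payee_users = defaultdict(set)
    for t in transfers:
        if t.dest_account not in KNOWN_PAYEES.get(t.user, set()):
            new_payee_users[t.dest_account].add(t.user)

    flagged = {}
    for i, t in enumerate(transfers):
        reasons = []
        if t.device_id not in KNOWN_DEVICES.get(t.user, set()):
            reasons.append("new_device")
        if t.country not in KNOWN_COUNTRIES.get(t.user, set()):
            reasons.append("new_country")
        if t.dest_account not in KNOWN_PAYEES.get(t.user, set()):
            reasons.append("new_payee")
            if len(new_payee_users[t.dest_account]) >= fanin_threshold:
                reasons.append("shared_new_payee")
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed batch: one routine transfer per user plus a cluster of payments
# from three different customers to one account none of them has paid before.
SAMPLE = [
    Transfer("alice", "dev-a1", "US", "ACCT-100", 50.0),   # routine
    Transfer("alice", "dev-a1", "US", "ACCT-999", 900.0),  # new payee
    Transfer("bob", "dev-b1", "US", "ACCT-999", 850.0),    # same new payee
    Transfer("carol", "dev-x7", "RO", "ACCT-999", 875.0),  # same new payee, plus new device and country
    Transfer("dave", "dev-d1", "US", "ACCT-400", 20.0),    # routine
]

if __name__ == "__main__":
    for idx, why in score_batch(SAMPLE).items():
        print(idx, SAMPLE[idx].user, SAMPLE[idx].dest_account, why)
```

The first-pass fan-in count is what turns three individually plausible "new payee" events into a correlated signal; a per-user rule alone would score each of them the same as any legitimate first payment to a new landlord or utility.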
Transaction Verification uses a number of techniques to confirm that the transaction details received by the bank (a) originated with the user and (b) are what the user intended. Interactive transaction confirmation via an out-of-band method, as outlined in the FFIEC guidance, is effective for desktop browser sessions and is possibly the most attractive option.
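The difference between an in-browser confirmation page and an out-of-band confirmation is easiest to see in code. The added example below (not the article's or any vendor's code) models a browser session with an optional man-in-the-browser hook that rewrites the submitted destination while still displaying what the user typed, then runs the same transaction through both confirmation styles. The bank side also binds each approval to the exact stored transaction details with an HMAC, so an approval cannot be reused for a different pending transaction. The phone channel is simulated by a method call, and the account numbers and server secret are constructed.

```python
"""Out-of-band transaction verification versus in-band confirmation under a
man-in-the-browser (MITB) model.

Added example; not code from the article or from any vendor it names.
The phone channel is simulated by a method call; account numbers and the
server secret are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Txn:
    user: str
    dest_account: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order: the approval tag is bound to exactly these bytes.
        return f"{self.user}|{self.dest_account}|{self.amount_cents}".encode()


def user_confirms(intended: Txn, shown: Txn) -> bool:
    """The human compares the details shown to them with what they meant to send."""
    return intended == shown


def browser_session(intended: Txn, mitb: Optional[Callable[[Txn], Txn]]):
    """Return (details reaching the bank, details the browser displays).

    A MITB hook rewrites what is submitted but keeps displaying what the
    user typed, so an in-browser confirmation page shows nothing unusual.
    """
    if mitb is None:
        return intended, intended
    return mitb(intended), intended


def redirect_destination(t: Txn) -> Txn:
    """Constructed MITB behaviour for the demo: change only the payee."""
    return Txn(t.user, "ACCT-999", t.amount_cents)


class Bank:
    def __init__(self):
        self._key = secrets.token_bytes(32)      # constructed per-process secret
        self._pending: dict[str, Txn] = {}

    def _tag(self, txn: Txn) -> str:
        return hmac.new(self._key, txn.canonical(), hashlib.sha256).hexdigest()

    def receive(self, txn: Txn) -> str:
        """Store the transaction exactly as received; return a reference id."""
        ref = secrets.token_hex(8)
        self._pending[ref] = txn
        return ref

    def out_of_band_prompt(self, ref: str) -> Txn:
        """What the bank reads to the user over the phone: its own stored copy."""
        return self._pending[ref]

    def approve(self, ref: str) -> str:
        """Approval token bound to the stored details of this reference."""
        return self._tag(self._pending[ref])

    def cancel(self, ref: str) -> None:
        self._pending.pop(ref, None)

    def execute(self, ref: str, approval: str) -> Optional[Txn]:
        """Execute only if the approval matches the details actually held."""
        txn = self._pending.pop(ref)
        if not hmac.compare_digest(approval, self._tag(txn)):
            return None
        return txn


def in_band_flow(bank: Bank, intended: Txn, mitb=None) -> Optional[Txn]:
    """Confirmation page rendered by the (possibly compromised) browser."""
    sent, shown = browser_session(intended, mitb)
    ref = bank.receive(sent)
    if not user_confirms(intended, shown):
        bank.cancel(ref)
        return None
    return bank.execute(ref, bank.approve(ref))


def out_of_band_flow(bank: Bank, intended: Txn, mitb=None) -> Optional[Txn]:
    """Confirmation read to the user over a channel the browser cannot rewrite."""
    sent, _ = browser_session(intended, mitb)
    ref = bank.receive(sent)
    if not user_confirms(intended, bank.out_of_band_prompt(ref)):
        bank.cancel(ref)
        return None
    return bank.execute(ref, bank.approve(ref))


if __name__ == "__main__":
    wanted = Txn("alice", "ACCT-100", 25_000)
    print("in-band under MITB  :", in_band_flow(Bank(), wanted, redirect_destination))
    print("out-of-band under MITB:", out_of_band_flow(Bank(), wanted, redirect_destination))
```

Under the MITB hook the in-band flow executes the redirected transfer, because the confirmation the user sees is drawn by the same browser that altered the submission; the out-of-band flow declines, because the phone prompt is built from the bank's stored copy and the user notices the payee differs. The HMAC binding is the second half of the property Allan describes: the approval is tied to the details the bank will execute, not just to the session.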