New Approaches Are Needed to Counter Attacks on Strong Authentication Factors
Fraudsters have started to raid user accounts by beating strong two-factor authentication methods, according to Gartner Inc.
Gartner analysts said that Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication, enabled through one-time password (OTP) tokens. Other strong authentication factors, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated.
Two-factor authentication based on telephony is also being circumvented, using call forwarding so that the fraudster, rather than the legitimate user, is called by the service provider performing the authentication.
"These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009," said Avivah Litan, vice president and distinguished analyst at Gartner. "However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data."
Examples of attacks that have worked to date include:
"A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers has been proven to mitigate these threats," advised Ms. Litan. "Gartner clients who have fended off such attacks have done so with either automated fraud detection or manual review of high-risk transactions."
Ms. Litan recommended that more than one measure be used to achieve optimal fraud prevention results and outlined some proven measures that can prevent attacks from succeeding:
"Fraudsters have definitely proven that strong two-factor authentication processes can be defeated," said Ms. Litan. "Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high risk transaction."
Additional information is available in the Gartner report "Where Strong Authentication Fails." The report is available on Gartner's website at http://www.gartner.com/resId=1245013.
Gartner, Inc. (NYSE: IT) is the world's leading research and advisory company. The company helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions. Gartner's comprehensive suite of services delivers strategic advice and proven best practices to help clients succeed in their mission-critical priorities. Gartner is headquartered in Stamford, Connecticut, U.S.A., and has more than 13,000 associates serving clients in 11,000 enterprises in 100 countries. For more information, visit www.gartner.com.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.