Wednesday, September 23, 2009

Security of Online Banking Threatened by Defeat of Two-Factor Authentication

What's happening: Cybercriminals have learned how to steal money from business bank accounts even when bank security controls include second-factor authentication.

What it means: Most banks and businesses believe online banking is safe when protected with what's known as 2nd-factor [or multi-factor] authentication. While second-factor authentication is a step-up over single-factor, it is still not fail-safe. Take a look at our blog posting about a $447,000 cybertheft from a company that uses second-factor authentication. The two stories below describe the ease with which cybercriminals are bypassing second-factor authentication. After bypassing inadequate protection of the IT infrastructure, the cybercriminals succeed by taken advantage of untrained unaware staff.

What to do: Management must get on top of this problem. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider replacing antvirus / antimalware solutions with intrusion detection / prevention solution. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide: An Emerging Information Security Minimum Standard of Due Care to your attorney.

**********************************
From ZDNet: Modern banker malware undermines two-factor authentication

Once pitched as an additional layer of security for E-banking transactions, two-factor authentication is slowly becoming an easy to bypass authentication process, to which cybercriminals have successfully adapted throughout the last couple of years. http://blogs.zdnet.com/security/?p=4402

From MIT Technology Review: Real-Time Hackers Foil Two-Factor Security. One-time passwords are vulnerable to new hacking techniques. http://www.technologyreview.com/computing/23488/