Gartner: Hackers Defeating Tough Authentication
Hackers are now defeating two-factor authentication methods.
Research firm Gartner Inc. reports that one-time passwords and phone-based user authentication no longer protect online banking transactions against fraud. The analysts determined that Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication methods, including chip cards and biometric technology, that rely on browser communications.
"These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009," said Avivah Litan, vice president and distinguished analyst at Gartner. "However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data."
Litan suggests that financial institutions implement fraud detection that monitors user access behavior. The method would capture and analyze the user's Web traffic, including login, navigation, and transactions. It could then spot abnormal access patterns that indicate an automated program is accessing the system.
"Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high risk transaction," Litan said.
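The access-behavior monitoring Litan describes can be sketched as follows. This is an added example, not part of the original article or Gartner's research: it checks each session's web log for request timing and navigation order that a person would not produce. The log format, action names and thresholds are assumptions chosen for illustration.

```python
# Added example: flag banking sessions whose access pattern looks automated.
# Log format, action names and thresholds are assumptions for illustration.
from collections import defaultdict
from statistics import pstdev

# Constructed sample web log: "<epoch seconds> <session id> <action>"
SAMPLE_LOG = """\
1000.0 s1 login
1012.4 s1 view_accounts
1031.9 s1 view_transfer_form
1078.2 s1 submit_transfer
2000.0 s2 login
2000.3 s2 view_accounts
2000.6 s2 submit_transfer
2000.9 s2 submit_transfer
"""
MIN_HUMAN_GAP = 1.0   # seconds; a person rarely clicks faster than this
MIN_JITTER = 0.2      # seconds; human timing is not a fixed cadence
REQUIRED_BEFORE = {"submit_transfer": "view_transfer_form"}  # expected path

def parse(log):
    """Group (timestamp, action) events by session id, in time order."""
    sessions = defaultdict(list)
    for line in log.strip().splitlines():
        ts, sid, action = line.split()
        sessions[sid].append((float(ts), action))
    return {sid: sorted(events) for sid, events in sessions.items()}

def reasons(events):
    """Return the anomaly reasons found in one session's events."""
    found = []
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    if gaps and min(gaps) < MIN_HUMAN_GAP:
        found.append("sub-human request gap")
    if len(gaps) >= 3 and pstdev(gaps) < MIN_JITTER:
        found.append("machine-regular timing")
    seen = set()
    for _, action in events:
        need = REQUIRED_BEFORE.get(action)
        if need and need not in seen:
            found.append(f"{action} without {need}")
            break
        seen.add(action)
    return found

def flag_sessions(log):
    """Map session id -> reasons for every session with an anomaly."""
    scored = {sid: reasons(ev) for sid, ev in parse(log).items()}
    return {sid: why for sid, why in scored.items() if why}
```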
"Any society that would give up a little liberty to gain a little security will deserve neither and lose both"
Bank teller asking for a waiver signature:
"Well, if you want to be protected against fraud, we will need to track absolutely everything you do so that we know it is you when you log in. Sign on the bottom please."
YOU HAVE BEEN PWNED ,,,,,,
SIGN HERE: X______________
How do you do a man in the middle attack with ssl active?
man-in-the-browser attack .... not in the middle attack ... 2 very different attacks .... MITM intercepts outgoing traffic ... MITB intercepts data submitted directly by the user to his browser, and then re-routes traffic accordingly. (this happens before ssl is even active)
How do you do a man in the middle attack with ssl active?
This has been going on for a while now and it works like this:
Worm on your system, possibly protected by a RootKit to evade detection.
It waits till you log into your account, the worm then gets immediate access to your account without the need to bypass security as you just let it in the door.
While you are logged in, the worm transfers money out of your account without your knowledge as the bank will think it's you doing the transfer.
So you would not install locks on your front and back door if you lived in a high crime area to just keep a little liberty instead of gain a little security.
The point is you work hard for your money. Would having to sign a little piece of paper saying you understand they will do more to help protect your hard earned money really hurt? Unless you're receiving dirty money, what are you really giving up by protecting yourself?
"The definition of stupidity is doing the same thing over and over again and expecting different results." — Albert Einstein ...
So you would not install locks on your front and back door if you lived in a high crime area to just keep a little liberty instead of gain a little security.
Umm, keeping a little liberty instead of gaining a little security was highly touted by one of the Founding Fathers of America. To quote Benjamin Franklin, "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."
So you would not install locks on your front and back door if you lived in a high crime area to just keep a little liberty instead of gain a little security.
lol. how do you gain liberty by leaving the locks off the doors?
We could just use the bank office and snail mail to manage and pay our bills and accounts...
It's not the bank's security that's compromised, it's YOURS. People need to stick to their AV and firewall solutions, and be careful with what they do online. Making banks scan customer behavior is just asking for commercial abuse.
Well, I had my account robbed, but it was the good ole' skimmers, not the hackers...
I can imagine if a hacker took my account though, seeing orders on the transcripts for mountain dew, blow up dolls, lube, hot pockets, and a 5970 (or at least what I'd use someone else's money for).