
Is two-factor authentication now passe?

In a bid to keep sensitive customer information and customer money safe, many banks have adopted two-factor authentication. This boils down to a system that confirms a user is legitimate by applying two checks: one could be a password, the other a password-generating token, a chip, or something biometric. The rise of such authentication techniques was once hailed as good news from a security point of view. Unfortunately, their effectiveness seems to be on the wane.

In a new report, Gartner says that banks that deploy such authentication are still vulnerable, as the crooks have wised up to these systems. In some cases, users are tricked into forwarding calls from the bank to an unauthorized would-be crook. In other cases, malware lurks until both factors have been accepted and the session is open, and then does its dirty work.

So banks have to keep pushing ahead toward a multi-layered approach that would include server-based fraud detection and out-of-band transaction verification that precludes call forwarding. Something to think about anyway. Some think that tokens have proven to be a failure at the consumer level. AOL, for one, will scrap its system.
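The distinction the article draws, between a second factor that only authenticates the login session and an out-of-band code bound to the transaction itself, can be shown in code. The following is an added example, not from the article or the Gartner report; the key, account numbers and session ids are constructed for illustration, and the HMAC-based code derivation is one hypothetical way to build such a scheme.

```python
import hmac
import hashlib

# Constructed server-side secret for this example; real deployments use per-customer keys kept in an HSM.
SERVER_KEY = bytes.fromhex("0f" * 32)

def _truncate(mac: bytes, digits: int) -> str:
    # HOTP-style dynamic truncation: 31 bits taken at an offset chosen by the MAC's last nibble.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def session_otp(key: bytes, session_id: str, digits: int = 6) -> str:
    """Login-time second factor: bound only to the session, not to any transaction."""
    return _truncate(hmac.new(key, session_id.encode(), hashlib.sha256).digest(), digits)

def transaction_code(key: bytes, tx_id: str, amount_cents: int, dest: str, digits: int = 6) -> str:
    """Out-of-band confirmation code bound to what the bank is about to execute.
    The channel that delivers it should also show the amount and destination to the user."""
    msg = f"{tx_id}|{amount_cents}|{dest}".encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), digits)

def approve_with_session_otp(key, session_id, code, amount_cents, dest) -> bool:
    """Weak model: once the session is authenticated, any transaction in it is accepted.
    amount_cents and dest are deliberately ignored, which is exactly the gap malware exploits."""
    return hmac.compare_digest(session_otp(key, session_id), code)

def approve_with_transaction_code(key, tx_id, amount_cents, dest, code) -> bool:
    """Stronger model: the code only verifies for the exact transaction details."""
    return hmac.compare_digest(transaction_code(key, tx_id, amount_cents, dest), code)

def simulate_post_login_malware():
    """User approves 150.00 to ACC-1111; malware on the client later swaps the destination."""
    sid, tx = "sess-42", "tx-0001"
    intended = (15000, "ACC-1111")
    tampered = (15000, "ACC-9999")
    otp = session_otp(SERVER_KEY, sid)                    # what the user typed at login
    tcode = transaction_code(SERVER_KEY, tx, *intended)   # what the user read out of band
    return {
        "session_otp_accepts_tampered": approve_with_session_otp(SERVER_KEY, sid, otp, *tampered),
        "tx_code_accepts_intended": approve_with_transaction_code(SERVER_KEY, tx, *intended, tcode),
        "tx_code_accepts_tampered": approve_with_transaction_code(SERVER_KEY, tx, *tampered, tcode),
    }

if __name__ == "__main__":
    print(simulate_post_login_malware())
```

The session-bound factor accepts the altered transfer because it never looked at the transaction; the transaction-bound code fails verification the moment the destination changes, and because it is delivered out of band a call-forwarding attack on the login channel does not obtain it.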



Comments

I would contest the claim that 2FA's effectiveness is "on the wane". As with most security solutions, effectiveness will boil down to implementation, and I think part of the problem has been the tendency of websites to take one or two solutions as the end-all, be-all and leave it at that. Any gaps in the security loop must be closed (I'm sure I don't need to point out that MITM attacks that reroute phone calls have very little to do with two-factor authentication technology). The point being: AOL will regret its decision when it realizes that there's no single online protection product that will cover everything. At VeriSign we blogged about this earlier in the month: http://blogs.verisign.com/identity/2009/12/layered_security_strategy_the.php
