Viewpoint: 2-Way Authentication Needed for Safety

Article excerpt

Consumers who do not feel safe online are increasingly steering clear of Internet banking sites and shutting out an important channel for financial services providers to expand their customer relationships.

The industry research firm Gartner Inc. estimates that almost nine million adults in the United States have stopped banking online and that another 23.7 million decline to start out of security concerns.

The continual spread of online scams - and the reality that people are increasingly wary of online banking channels - raise the stakes for banks to protect customers and themselves from increasingly sophisticated cyberattacks.

In the past year, customers at several of the world's largest banks have fallen victim to "man-in-the-middle," or MITM, identity theft schemes that have shaken customer confidence in online banking and battered bank reputations. As the term implies, identity thieves position themselves "in the middle" of sensitive communications between customers and banks in order to steal account and other personal information.

In one MITM scheme last summer involving a large U.S. banking company, the thieves sent seemingly authentic e-mails asking customers to verify their account information. The e-mails directed customers to a spoofed bank Web site that looked legitimate but in fact forwarded them to a fake site set up by a hacker in Russia.

Redirecting customers to the spoof site in this way (loosely called "pharming"; strictly, pharming means redirecting users by tampering with DNS or hosts-file entries rather than by luring them through e-mail) put the hacker in a position to intercept user password and account information and potentially to use the records in fraudulent transactions or to sell them to other criminals. Criminals also use MITM Web sites to read, insert, and change messages between the bank and its customers.

These attacks spotlight the shortcomings of the Secure Sockets Layer (SSL) protocol and the multifactor authentication measures that many financial institutions have adopted. As commonly deployed, SSL authenticates only the bank's server, through a certificate that few customers ever inspect, and multifactor authentication authenticates only the customer to the bank. Neither gives the customer a reliable way to confirm which site is at the other end of the session, and that missing assurance is exactly what an MITM or related scheme exploits.

Two-factor authentication also comes up short in shielding banks and their customers from MITM attacks. The two-factor model combines an online password with an additional form of authentication (such as an access card or a one-time-code token). This approach authenticates users to the bank but does not enable users to confirm that they are communicating with the legitimate site, and because the second factor is typed into whatever site the user is on, a site in the middle can simply pass it along to the real bank while the code is still valid.

For example, fraudsters can create pharming sites that present their own certificates for the encrypted session, fooling users (and their PC/client-based security software) into thinking they are connected to legitimate sites; the browser padlock only shows that the session is encrypted to the site named in the certificate, not that the site is the bank. The users then enter password and personal information that is intercepted on the pharming site.

Other narrow security safeguards - such as images that each user selects as a unique identifier when logging in - are ineffective against MITM, because a site in the middle can request the user's image from the bank and display it. Online banks use a Web browser cookie (which serves as a small software identification tag) stored on the user's computer to match the user with the appropriate image. …
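The relay described in the preceding paragraphs, as an added illustration that is not code from the article or from any bank: a toy bank that checks a password and then a one-time code, a look-alike site that forwards every request to it (so the customer's chosen image, the code prompt and the resulting session all pass straight through), and, for contrast, the kind of origin-bound response that the article's call for two-way authentication implies. The hosts, the account, the device key and the protocol are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed names for this illustration; no real hosts are involved.
BANK_ORIGIN = "bank.example"
PHISH_ORIGIN = "bank-example-verify.test"
# Key shared between Alice's token device and the bank at enrollment (constructed).
ALICE_DEVICE_KEY = secrets.token_bytes(32)


def device_sign(device_key, challenge, origin):
    """Origin-bound response: the device answers the challenge together with the
    origin its browser is actually connected to (HMAC stands in for a signature)."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


class Bank:
    """Toy bank server: password + one-time code, plus an origin-bound variant."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse", "image": "sailboat.png",
                                "device_key": ALICE_DEVICE_KEY}}
        self.pending = {}   # username -> outstanding one-time code or challenge
        self.sessions = {}  # session token -> username

    def _password_ok(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(user["password"], password)

    def _new_session(self, username):
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def sitekey_image(self, username):
        """Anti-phishing image shown once the username has been entered."""
        return self.users[username]["image"]

    def start_login(self, username, password):
        """Password step; on success a six-digit code goes to the customer out of band."""
        if not self._password_ok(username, password):
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[username] = code
        return code   # stands in for delivery to the customer's phone or token

    def finish_login(self, username, code):
        """The code is accepted from whoever presents it; nothing ties it to a site."""
        expected = self.pending.pop(username, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        return self._new_session(username)

    def start_login_bound(self, username, password):
        """Origin-bound variant: a random challenge replaces the typed code."""
        if not self._password_ok(username, password):
            return None
        self.pending[username] = secrets.token_bytes(16)
        return self.pending[username]

    def finish_login_bound(self, username, response):
        """Only a response computed over the bank's own origin is accepted."""
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return None
        expected = device_sign(self.users[username]["device_key"], challenge, BANK_ORIGIN)
        return self._new_session(username) if hmac.compare_digest(expected, response) else None


class PhishingProxy:
    """Look-alike site: logs what the victim types and relays every call to the bank,
    so the bank's own image, code prompt and session come back through it."""

    def __init__(self, bank):
        self.bank, self.captured = bank, []

    def __getattr__(self, name):
        def relay(*args):
            self.captured.append((name, args))
            return getattr(self.bank, name)(*args)
        return relay


def relay_attack(site):
    """Alice logs in at `site` with password + one-time code; `site` may be the proxy."""
    site.sitekey_image("alice")                        # the familiar image appears
    code = site.start_login("alice", "correct horse")  # bank sends the code to Alice
    return site.finish_login("alice", code)            # Alice types it into `site`


def relay_attack_bound(site, origin_seen_by_alice):
    """Same flow, but Alice's device binds its answer to the origin her browser shows."""
    challenge = site.start_login_bound("alice", "correct horse")
    response = device_sign(ALICE_DEVICE_KEY, challenge, origin_seen_by_alice)
    return site.finish_login_bound("alice", response)


if __name__ == "__main__":
    bank, proxy = Bank(), PhishingProxy(bank)
    print("one-time code relayed, proxy now holds session:", relay_attack(proxy))
    print("proxy captured:", proxy.captured)
    print("origin-bound through proxy:", relay_attack_bound(proxy, PHISH_ORIGIN))
    print("origin-bound direct to bank:", relay_attack_bound(bank, BANK_ORIGIN))
```

Run directly, the password-plus-code flow through the proxy yields a valid bank session held by the attacker, and the proxy's log contains the password, the code and the image request; the image check passes because the proxy simply asked the bank for it. The origin-bound flow fails through the proxy because Alice's device signed the origin her browser was really connected to (the look-alike host), which the bank refuses, while the same flow straight to the bank succeeds. That difference is what "confirming that they are communicating with legitimate online sites" has to mean in protocol terms.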