Layered Fraud Prevention Approach Can Thwart Malicious Attacks

Article excerpt

Fraudsters have started to raid user accounts by beating strong two-factor authentication methods, according to Gartner Inc. Gartner analysts said that Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication implemented with one-time password (OTP) tokens. Other strong authentication factors, such as those using chip cards and biometric technology, can be defeated in the same way whenever they rely on the browser to carry the authentication exchange.

Two-factor authentication based on telephony is also being circumvented, using call forwarding so that the fraudster, rather than the legitimate user, is called by the service provider performing the authentication.

Examples of attacks that have worked to date include:

1. Malware overwrites transactions sent by a user to the online banking website. This happens behind the scenes, so the user does not see the revised transaction values. Many online banks then send the transaction details back to the user's browser to be confirmed with an OTP entry, but the malware changes the values shown to the user back to what the user originally entered. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.

2. Authentication that depends on out-of-band authentication using voice telephony is circumvented by a simple technique whereby the fraudster asks the phone carrier to forward the legitimate user's phone calls to the fraudster's phone. …
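The first attack works because a plain OTP proves only that the user holds the token; it says nothing about which transaction the user is confirming. The following simulation is an added example, not part of the Gartner text and not any bank's or vendor's code: it models the man-in-the-browser swap described in item 1, shows that a counter-based OTP is accepted regardless of what the malware changed, and contrasts it with a confirmation code computed over the payee and amount the user actually sees. The token seed, account numbers, amounts and field format are all constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee_account: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order and separator so the token and the bank hash identical bytes.
        return f"{self.payee_account}|{self.amount_cents}".encode()


# Constructed demo seed shared by the user's token and the bank (not a real secret).
TOKEN_SEED = b"constructed-demo-seed-not-a-real-secret"


def man_in_the_browser(txn: Transaction) -> Transaction:
    """Simulates the Trojan: the bank receives attacker-chosen values while the
    browser keeps displaying the user's original payee and amount."""
    return Transaction(payee_account="ATTACKER-ACCT-9999", amount_cents=950_000)


def plain_otp(seed: bytes, counter: int) -> str:
    """Event-based OTP (HOTP-like, simplified): depends only on the seed and a
    counter, never on the transaction being approved."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def transaction_bound_code(seed: bytes, txn: Transaction) -> str:
    """Confirmation code that commits to the payee and amount: the token computes
    it over what it shows the user on its own display, the bank over what it received."""
    mac = hmac.new(seed, txn.canonical(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_accepts_plain_otp(user_entered: str, counter: int) -> bool:
    """The bank's check for a plain OTP. Note that no transaction field is involved,
    so a swapped transaction passes as long as the OTP itself is genuine."""
    expected = plain_otp(TOKEN_SEED, counter)
    return hmac.compare_digest(user_entered, expected)


def bank_accepts_bound_code(user_entered: str, received: Transaction) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    expected = transaction_bound_code(TOKEN_SEED, received)
    return hmac.compare_digest(user_entered, expected)


def run_scenario() -> dict:
    intended = Transaction("GB00-USER-PAYEE-1234", 12_500)   # what the user sees
    received = man_in_the_browser(intended)                   # what the bank gets

    # Plain OTP: the user types the token's code; the bank verifies it without
    # reference to the transaction, so the tampered transfer is approved.
    otp_from_token = plain_otp(TOKEN_SEED, counter=42)
    plain_ok = bank_accepts_plain_otp(otp_from_token, counter=42)

    # Transaction-bound code: the token signs the payee/amount shown on its own
    # display (the intended values); the bank verifies against the received values.
    code_from_token = transaction_bound_code(TOKEN_SEED, intended)
    bound_ok_tampered = bank_accepts_bound_code(code_from_token, received)
    bound_ok_clean = bank_accepts_bound_code(code_from_token, intended)

    return {
        "plain_otp_accepted": plain_ok,                 # True: attack succeeds
        "bound_code_accepted_tampered": bound_ok_tampered,  # False: attack detected
        "bound_code_accepted_untampered": bound_ok_clean,   # True: legitimate transfer
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The binding only helps if the payee and amount the code is computed over reach the user through something the malware cannot rewrite, such as the token's own display or a separate device; if the bank merely echoes the details back into the browser, the Trojan rewrites that display too, exactly as item 1 describes. Item 2 is the reminder that an out-of-band channel is not automatically such a trusted path either: a forwarded phone line delivers the confirmation to the fraudster instead.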