Monday, April 9, 2007

Two-factor authentication and Banks

Some noise is being made based on some declarations from Ross Anderson, from Cambridge University, about the Banks using two-factor authentication to fight Phishing.

I partially agree with Mr. Anderson, who says that "There are a whole bunch of things that can go wrong with two-factor authentication". He is right about it. But I believe that the two-factor authentication can work if properly deployed.

On our Black Hat presentation last month we shown how malware can beat two-factor authentication in a Bank Website. The malware doesn't need to steal credentials, it can (1) simply steal the session ID (you can be authenticating with two-factor a session that is identified by a simple HTTP cookie or URL parameter) or (2) perform the malicious transactions using the user navigation process (check our paper from the presentation).

However, some two-factor authentication devices can be used to authenticate not only the user, but the transaction itself. It's a giant leap forward, as both strategies mentioned above won't work if you include transaction authentication in the process. It's important to say that it's not just about re-authenticating the user during the transaction, but authenticating the data from the transaction too. It's very important to avoid transaction tampering. And it's not that hard, some banks are already doing it, like RaboBank in Europe and the ex-BankBoston (now ItauBank) in Brazil. They use different approaches (hardware token / software digital certificates and digital signature), but both rely on the concept of authenticating the transactions. It would be nice to compare fraud numbers from these Banks to others. I'm sure we would see very good results from their initiatives.

1 comment: