Cyber Security Institute

Tuesday, December 15, 2009

Hackers Are Defeating Tough Authentication, Gartner Warns

Security measures such as one-time passwords and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud, a new report from research firm Gartner Inc. warns. Increasingly, such measures are overwhelmed by online criminals looking to pillage bank accounts using valid login credentials stolen from customers, the report said. Going forward, banks need to quickly implement additional layers of security to protect their customers from falling victim to online fraud, said Avivah Litan, Gartner analyst and the report’s author.

In August, NACHA, the Electronic Payments Association, issued an alert warning members about attacks involving the theft of online banking credentials, such as usernames and passwords, mostly from small- and medium-size businesses. NACHA, with more than 11,000 financial institutions as members, oversees the Automated Clearing House (ACH) electronic payments network.

The alert identified organized cybercrime groups in Eastern Europe as predominantly responsible for illegally siphoning millions of dollars off corporate accounts and sending the money overseas via popular money and wire transfer services. In most instances, the crooks used sophisticated keystroke logging Trojan horse programs to steal login credentials from company employees authorized to initiate funds transfers on behalf of the business, the FBI noted. The malware copies the user’s ID, password and one-time password and immediately uses them to transfer funds, while the victim gets an error message on the computer screen.

For instance, a request to transfer a certain amount of money from one account to another could be modified so that the request the bank gets would be different from the request sent by the user.

“Other strong authentication methods, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated,” she said.

Because any authentication method that relies on a browser can be attacked and defeated, banks need to start using server-based fraud detection to monitor transactions for suspicious behavior, she said.
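As an added illustration of the server-based monitoring Litan recommends, the following Python sketch scores each transfer request on the bank's side, where browser malware cannot rewrite it. This is example code written for this page, not code from Gartner, NACHA or the article; the rules (first payment to an unknown payee, an amount far above the account's norm, a burst of transfers within minutes) and every account name, payee, amount and threshold are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Hypothetical server-side transfer monitor (added example, not from the
# article). Thresholds and sample records below are constructed.


@dataclass
class Transfer:
    account: str
    payee: str
    amount: float
    at: datetime


@dataclass
class Profile:
    known_payees: Set[str]   # payees this account has paid before
    typical_amount: float    # e.g. median of past transfer amounts
    recent: List[Transfer]   # transfer attempts already seen today


Hit = Optional[Tuple[int, str]]


def rule_new_payee(t: Transfer, p: Profile) -> Hit:
    # Fraud cashes out to accounts the victim has never paid.
    if t.payee not in p.known_payees:
        return 40, "payee never paid before"
    return None


def rule_amount(t: Transfer, p: Profile) -> Hit:
    # Compare against the account's own history, not a global limit.
    if p.typical_amount > 0 and t.amount > 3 * p.typical_amount:
        return 30, f"amount {t.amount:.2f} exceeds 3x typical {p.typical_amount:.2f}"
    return None


def rule_velocity(t: Transfer, p: Profile,
                  window: timedelta = timedelta(minutes=10), limit: int = 2) -> Hit:
    # Stolen credentials are typically used in a rapid burst of transfers.
    burst = [x for x in p.recent if timedelta(0) <= t.at - x.at <= window]
    if len(burst) >= limit:
        return 30, f"{len(burst)} other transfers in the last {window}"
    return None


RULES = (rule_new_payee, rule_amount, rule_velocity)
HOLD_THRESHOLD = 50  # constructed cut-off: at or above this, hold for review


def score(t: Transfer, p: Profile) -> Tuple[int, List[str]]:
    total, reasons = 0, []
    for rule in RULES:
        hit = rule(t, p)
        if hit:
            total += hit[0]
            reasons.append(hit[1])
    return total, reasons


def decide(t: Transfer, p: Profile) -> str:
    total, _ = score(t, p)
    return "hold" if total >= HOLD_THRESHOLD else "allow"


def process(attempts: List[Transfer], p: Profile) -> List[Tuple[str, int, str]]:
    """Score attempts in order; held attempts still count toward velocity."""
    out = []
    for t in attempts:
        total, _ = score(t, p)
        out.append((t.payee, total, decide(t, p)))
        p.recent.append(t)
    return out


def demo() -> List[Tuple[str, int, str]]:
    # Constructed scenario: one routine payroll run, then three quick
    # transfers to unfamiliar payees at several times the usual amount.
    profile = Profile(known_payees={"PAYROLL-CO", "ELECTRIC-UTIL"},
                      typical_amount=1200.0, recent=[])
    t0 = datetime(2009, 12, 15, 9, 0)
    attempts = [
        Transfer("ACME-OPS", "PAYROLL-CO", 1250.00, t0),
        Transfer("ACME-OPS", "NEW-PAYEE-1", 4900.00, t0 + timedelta(minutes=30)),
        Transfer("ACME-OPS", "NEW-PAYEE-2", 4900.00, t0 + timedelta(minutes=31)),
        Transfer("ACME-OPS", "NEW-PAYEE-3", 4900.00, t0 + timedelta(minutes=32)),
    ]
    return process(attempts, profile)


if __name__ == "__main__":
    for payee, total, decision in demo():
        print(f"{payee:12s} score={total:3d} -> {decision}")
```

In the constructed scenario the payroll transfer scores 0 and is allowed, the first two unfamiliar transfers score 70 (new payee plus outsized amount) and are held, and the third also trips the velocity rule for a score of 100. The point of the design is that none of these signals depend on anything the browser sends: even when the malware holds a valid password and one-time code, the server still sees a payee, an amount and a timing pattern it can judge against the account's history.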
