Reducing Online Banking Fraud with Stronger Authentication Methods

By Nick Owen, January 24, 2006.

Account fraud is frequently the result of exploiting single-factor (e.g., ID/password) authentication. As a result, the FFIEC is now urging financial institutions to deploy multi-factor authentication and to assess the adequacy of their authentication techniques in light of new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques. The guidelines are definitely a step in the right direction. However, guidelines are just guidelines, and a bank's goal should be secure online banking. Consider this: the appendix to the FFIEC guidelines lists one-time password scratch cards as a means of stronger authentication. However, phishers have already successfully attacked a bank that uses that system, forcing a 12-hour shutdown of its online bank.

Financial institutions should strive to provide their customers with a consistent, secure process of authentication that minimizes potential avenues of attack, especially attack vectors beyond the control of either the user or the bank.

Understanding the types of attacks that can occur is a prerequisite for deciding which authentication mechanisms are needed. This article discusses two main attack vectors: man-in-the-middle attacks and malware.

The vast majority of attacks are Man-In-The-Middle (MITM) attacks. Phishing uses email calls to action to lure users to fake MITM websites. DNS-cache poisoning attacks a DNS server somewhere between the user's computer and the server to misdirect users to a fraudulent website.

Malware is malicious software that captures and forwards private information such as IDs, passwords, account numbers, and PINs. Keystroke loggers record keystrokes and send them back to the author for later use. Many activate only when a user types in specific information, such as a bank site URL. Time-bound, one-time passcodes thwart keystroke loggers, because a captured passcode would already have been used or expired by the time the attacker gets it.

Session-hijackers run inside an SSL session and perform nefarious transactions. Session-hijackers are particularly tricky in that they work after session and mutual authentication have been completed. They are why many pundits have suggested that two-factor authentication won't stop online fraud. These pundits miss an important point: the server can ask for a second one-time passcode to validate the transaction. It is key, however, that the transactional authentication method be distinct from the session authentication method; otherwise the attacker will just generate a "Connection Lost" error message, prompt the user to log in again, and use that OTP for the fraudulent transaction.

An important question to answer in determining what type of authentication to use is: what exactly do you want to authenticate? Most people think of authentication as validating the identity of the user for a session. We add to that: session authentication is validating the user to the site; mutual authentication adds validation of the site to the user; and transactional authentication is validating that it is the correct user requesting the transaction.

Strong session authentication is a base requirement for securing online banking. Session authentication must include some form of time-bound, one-time-use passcode. MITM attacks, however, can be automated to a high degree. For example, a fraudulent site could accept a time-bound one-time passcode and immediately use it to log into the bank within the time allowed. Only strong mutual authentication can stop MITM attacks.
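As an added example (not code from the article), here are the time-bound, one-time-use session passcodes and the distinct transactional passcodes described above, implemented as HMAC-based codes that the bank accepts only once and only within the current or previous time step. It goes one step beyond the text by also binding the transaction code to the transfer details, so a code captured for a login or for one transfer cannot authorize a different one. The shared secret, time step and account values are constructed sample values.

```python
import hashlib, hmac, struct

STEP = 60  # seconds a code stays valid (constructed choice for this example)

def _code(secret: bytes, purpose: bytes, counter: int, context: bytes = b"") -> str:
    """6-digit HMAC-SHA256 code; the purpose tag keeps session and transaction codes in separate domains."""
    msg = purpose + b"\x00" + context + b"\x00" + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, as in HOTP/TOTP
    num = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"

def _txn_context(account_to: str, amount_cents: int) -> bytes:
    # Canonical encoding so a transaction code matches only these exact transfer details
    return f"{account_to}|{amount_cents}".encode()

def session_code(secret: bytes, now: int) -> str:  # token side: login passcode
    return _code(secret, b"session", now // STEP)
def transaction_code(secret: bytes, account_to: str, amount_cents: int, now: int) -> str:
    return _code(secret, b"txn", now // STEP, _txn_context(account_to, amount_cents))  # token side

class OtpVerifier:
    """Bank side: accepts each code once, in the current or previous time step."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()  # (purpose, context, counter) triples already consumed
    def _check(self, purpose: bytes, context: bytes, code: str, now: int) -> bool:
        counter = now // STEP
        for c in (counter, counter - 1):  # tolerate one step of clock skew
            expected = _code(self.secret, purpose, c, context)
            if (purpose, context, c) not in self.used and hmac.compare_digest(expected, code):
                self.used.add((purpose, context, c))
                return True
        return False
    def verify_session(self, code: str, now: int) -> bool:
        return self._check(b"session", b"", code, now)
    def verify_transaction(self, account_to: str, amount_cents: int, code: str, now: int) -> bool:
        return self._check(b"txn", _txn_context(account_to, amount_cents), code, now)

def demo(now: int = 1_700_000_000) -> dict:
    secret, dest = b"constructed-shared-secret", "ACCT-0001"  # constructed sample values
    bank, login = OtpVerifier(secret), session_code(secret, now)
    txn = transaction_code(secret, dest, 12_500, now)
    return {
        "login_ok": bank.verify_session(login, now),
        "login_replay": bank.verify_session(login, now),  # same code again: rejected
        "login_as_txn": bank.verify_transaction(dest, 12_500, login, now),  # login code cannot sign a transfer
        "txn_expired": bank.verify_transaction(dest, 12_500, txn, now + 3 * STEP),  # too late: rejected
        "txn_ok": bank.verify_transaction(dest, 12_500, txn, now),
        "txn_altered": bank.verify_transaction(dest, 999_900, txn, now),  # different amount: rejected
    }
```

The "Connection Lost" trick from the session-hijacker paragraph fails here because a code issued in the session domain never verifies in the transaction domain, and a transaction code only verifies for the exact destination and amount it was generated for.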

Mutual authentication is really site authentication to the user combined with user authentication to the site. Site authentication is already provided by SSL. Unfortunately, many sites ask users to log in on non-SSL pages, and users rarely check SSL certificates for validity. Fraudulent websites can use self-issued SSL certificates to fool users, or generate a fake SSL 'key lock' icon and position it over the spot where the browser normally displays it. SSL site authentication is clearly broken.

Some have suggested using unique images as a shared secret to identify a server before the user enters their password. One possible attack against this is that a MITM could replay the initial request, and any additional information from the user's computer, to the server and in turn present the user with the image. Also, if the mutual authentication method uses machine authentication as the primary mechanism and knowledge authentication as a backup, then all the MITM has to do is present the user with the questions asked by the site. Because the session authentication method is inconsistent, the mutual authentication built on it becomes suspect.
