The Washington Post covers a pretty nice attack which allows the bad guys to steal two-factor authentication credentials. What is not so well covered is what banks are doing about it. The answer is risk-based authentication.
For example: you, as the bad guy, log in to megabank.com with the right credentials, stolen from a valid customer.
If the bad guy is coming from an IP in, say, Russia when the customer usually logs in from Ohio, that might trigger a "challenge" question. (The question changes at random.)
If the bad guy tries to do an ACH transfer or wire transfer of funds, that would definitely trigger a "challenge" question.
Meanwhile, once the bank detects that the account has been compromised, it will flag the IP and/or network of the bad guy as a place compromised logins tend to come from, thus triggering even more challenge questions at the login phase.
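The three signals above (unusual geolocation, high-risk action, source network already tied to a compromise) are easiest to see as a small scoring engine with a feedback loop. The following is an added example written for this post, not code from the Post article or from any bank; the point values, the challenge threshold, the challenge-question bank, the GeoIP-derived `country` field and the /24 flagging granularity are all assumptions, and the IP addresses are constructed from documentation ranges.

```python
"""Toy risk-based authentication engine (added example, not from the post)."""
from __future__ import annotations

import ipaddress
import secrets
from dataclasses import dataclass, field

# Assumed policy values: points per risk signal and the score at which the
# session must answer a challenge question before proceeding.
UNUSUAL_COUNTRY_POINTS = 50
HIGH_RISK_ACTION_POINTS = 60
FLAGGED_NETWORK_POINTS = 50
CHALLENGE_THRESHOLD = 50

HIGH_RISK_ACTIONS = {"ach_transfer", "wire_transfer"}

# Hypothetical challenge-question bank; a real bank stores per-customer answers.
CHALLENGE_QUESTIONS = ["first_pet_name", "city_of_birth", "first_car_model"]


@dataclass
class CustomerProfile:
    username: str
    usual_countries: set[str]  # where this customer normally logs in from


@dataclass
class Event:
    """One request on a session whose credentials are assumed already verified."""
    username: str
    src_ip: str
    country: str  # assumed to come from an upstream GeoIP lookup of src_ip
    action: str   # e.g. "login", "view_balance", "ach_transfer", "wire_transfer"


@dataclass
class RiskEngine:
    # Networks that confirmed compromises have come from (the feedback loop).
    flagged_networks: list[ipaddress.IPv4Network | ipaddress.IPv6Network] = field(
        default_factory=list
    )

    def score(self, profile: CustomerProfile, event: Event) -> tuple[int, list[str]]:
        """Add up the risk signals present on this event and say which fired."""
        score, reasons = 0, []
        if event.country not in profile.usual_countries:
            score += UNUSUAL_COUNTRY_POINTS
            reasons.append(f"country {event.country} is unusual for {profile.username}")
        if event.action in HIGH_RISK_ACTIONS:
            score += HIGH_RISK_ACTION_POINTS
            reasons.append(f"high-risk action {event.action}")
        ip = ipaddress.ip_address(event.src_ip)
        if any(ip in net for net in self.flagged_networks):
            score += FLAGGED_NETWORK_POINTS
            reasons.append(f"{event.src_ip} is inside a network flagged for prior compromise")
        return score, reasons

    def decide(self, profile: CustomerProfile, event: Event) -> str:
        """Return "ALLOW" or "CHALLENGE" for this event."""
        score, _ = self.score(profile, event)
        return "CHALLENGE" if score >= CHALLENGE_THRESHOLD else "ALLOW"

    def pick_challenge(self) -> str:
        # Chosen at random so an attacker cannot pre-harvest one fixed answer.
        return secrets.choice(CHALLENGE_QUESTIONS)

    def report_compromise(self, src_ip: str, prefix_len: int = 24) -> None:
        """Feedback step: flag the attacker's /24 so later logins from it are challenged."""
        net = ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)
        self.flagged_networks.append(net)


def demo() -> list[str]:
    """Walk through the post's scenario on constructed data; returns the decisions."""
    engine = RiskEngine()
    alice = CustomerProfile("alice", {"US"})
    # 203.0.113.0/24 stands in for the customer's home ISP, 198.51.100.0/24
    # for the attacker's hosting provider (both are documentation ranges).
    decisions = [
        engine.decide(alice, Event("alice", "203.0.113.5", "US", "view_balance")),
        engine.decide(alice, Event("alice", "198.51.100.23", "RU", "login")),
        engine.decide(alice, Event("alice", "198.51.100.23", "RU", "wire_transfer")),
    ]
    engine.report_compromise("198.51.100.23")
    # A request that looks like the customer (usual country, plain login) is
    # still challenged once it originates from the flagged network.
    decisions.append(engine.decide(alice, Event("alice", "198.51.100.77", "US", "login")))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The scores are additive on purpose: a plain login from an unfamiliar country just crosses the threshold, while a wire transfer from there scores well above it, which is the "might" versus "definitely" distinction in the text. The last step of `demo()` is the feedback loop: after one confirmed compromise, a login from a neighbouring address in the same /24 is challenged even though nothing else about it looks wrong.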
The point is that the system's security is never fully compromised; instead, additional layers have to be circumvented. In a virtual environment there will always be the possibility that someone (e.g. a spouse) can pretend to be someone else, so risk mitigation is the name of the game. With risk-based authentication AND two-factor authentication, banks can reduce fraud and customer impact to negligible levels. The better banks will simply offer to reimburse customers for any negative financial impact.