And it goes without saying that single-factor authentication is totally inadequate.
Gartner has issued a report, "Where Strong Authentication Fails and What You Can Do About It," that describes how current authentication methods are being circumvented. eWeek has a write-up, 2-Factor Authentication Falling Short for Security, Gartner Says:
Gartner analyst Avivah Litan contends that Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication and proving that any authentication method that relies on browser communications can be defeated. This includes chip cards and biometric technologies.
“Fraudsters have been raiding user bank accounts that seemingly were protected by strong two-factor authentication, but any sensitive Web application is similarly vulnerable,” she wrote. “In some cases, the malware copies the user's ID, password and OTP, and immediately uses them. Other times, the malware overwrites user transactions with the crook's transactions, unbeknownst to the user or service provider, e.g., the online bank.”
Solutions to this dilemma include behavioral and location monitoring, server-based fraud detection, and out-of-band verification. The last of these only helps if the verification is bound to the transaction itself (destination and amount), since a second factor that merely proves the user holds a token can be relayed by the malware along with the substituted transaction.
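The following simulation, added here as an illustration and not taken from the Gartner report or the eWeek article, plays out the two attacks Litan describes against a toy bank: a man-in-the-browser that forwards a freshly typed OTP with its own transaction, and the same malware against an out-of-band signing code computed over the transaction details. The `Bank`, `UserDevice` and `Malware` classes, the account names and the six-digit HMAC code construction are all constructed for the example.

```python
"""Man-in-the-browser (MitB) versus two second-factor designs.

Constructed illustration: the bank, devices, malware and account names are
hypothetical and the HMAC-derived six-digit code is a simplified stand-in for
a real OTP or transaction-signing token.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    account: str   # source account
    dest: str      # destination account
    amount: int    # in cents


def six_digit_code(secret: bytes, msg: bytes) -> str:
    """Six-digit code from an HMAC, as a token or signing device would produce."""
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Bank:
    def __init__(self):
        self.secrets = {}          # user -> secret shared with the user's device
        self.used_counters = set()  # (user, counter) pairs already redeemed
        self.ledger = []

    def enroll(self, user: str) -> bytes:
        self.secrets[user] = secrets.token_bytes(32)
        return self.secrets[user]   # provisioned to the user's device, never the browser

    # Defence 1: counter-based OTP (HOTP-like, simplified). The code proves the
    # user holds the token but says nothing about which transaction it covers.
    def transfer_with_otp(self, user, tx, counter, code):
        expected = six_digit_code(self.secrets[user], counter.to_bytes(8, "big"))
        if (user, counter) in self.used_counters:
            return False            # each OTP is single-use
        if not hmac.compare_digest(code, expected):
            return False
        self.used_counters.add((user, counter))
        self.ledger.append(tx)
        return True

    # Defence 2: out-of-band transaction signing. The code is computed over the
    # destination and amount, so a code for one transaction is useless for another.
    def transfer_with_signing(self, user, tx, code):
        msg = f"{tx.account}|{tx.dest}|{tx.amount}".encode()
        if not hmac.compare_digest(code, six_digit_code(self.secrets[user], msg)):
            return False
        self.ledger.append(tx)
        return True


class UserDevice:
    """Stand-in for the OTP token / signing device, outside the browser."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def otp(self, counter: int) -> str:
        return six_digit_code(self.secret, counter.to_bytes(8, "big"))

    def sign(self, tx: Transaction) -> str:
        # The user keys dest and amount into the device; the browser is not involved.
        return six_digit_code(self.secret, f"{tx.account}|{tx.dest}|{tx.amount}".encode())


class Malware:
    """MitB: sees everything typed into the page and rewrites the request."""
    def __init__(self, mule: str):
        self.mule = mule

    def rewrite(self, tx: Transaction) -> Transaction:
        return Transaction(tx.account, self.mule, tx.amount)


INTENDED = Transaction("ALICE-ACCT", "LANDLORD-ACCT", 95_000)  # constructed


def scenario_otp():
    """Plain OTP: the malware forwards the user's OTP with its own transaction."""
    bank = Bank()
    device = UserDevice(bank.enroll("alice"))
    mitb = Malware(mule="MULE-ACCT")
    counter, otp = 1, None
    otp = device.otp(counter)                       # user reads it from the token
    stolen = bank.transfer_with_otp("alice", mitb.rewrite(INTENDED), counter, otp)
    # The user's own submission now fails: the OTP was already spent by the attacker.
    legit = bank.transfer_with_otp("alice", INTENDED, counter, otp)
    return stolen, legit, bank.ledger


def scenario_signing():
    """Transaction-bound code: the substituted transaction does not verify."""
    bank = Bank()
    device = UserDevice(bank.enroll("alice"))
    mitb = Malware(mule="MULE-ACCT")
    code = device.sign(INTENDED)
    stolen = bank.transfer_with_signing("alice", mitb.rewrite(INTENDED), code)
    legit = bank.transfer_with_signing("alice", INTENDED, code)
    return stolen, legit, bank.ledger


if __name__ == "__main__":
    print("OTP:     attacker accepted=%s, user accepted=%s" % scenario_otp()[:2])
    print("Signing: attacker accepted=%s, user accepted=%s" % scenario_signing()[:2])
```

The signing variant assumes the user enters the destination and amount into a device the browser cannot touch. The common SMS variant, where the bank echoes the details back with the code, gives the same protection only if the user actually compares what the message says with what they meant to send; a code typed back without reading it authorizes whatever the malware submitted.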
The problem exists because malware can be delivered to your browser, typically through a web site or an email message the user has no way to verify. Narrowing that delivery channel requires authenticating web sites and email, and both rest on DNS answers that can only be trusted once DNSSEC is deployed: a validating resolver can then detect forged or hijacked records instead of silently accepting them (a resolver that validates sets the AD flag on its answers, which `dig +dnssec` will show). DNSSEC is therefore an essential part of any authentication process, though it does not remove malware already running on the endpoint; the monitoring and out-of-band controls above are still needed for that.
Until DNSSEC is deployed we will never get ahead of this game.