UK Banks in Need of Stronger Authentication Security
Not every two-factor authentication solution is made the same - and some authentication methods are more secure than others. Security company Bronzeye has reported the possibility of a bypass of two-factor authentication (referred to as ‘two-step authentication’) used by a large UK bank, as the Financial Times reported. The security issue has also been reported to the Financial Conduct Authority (FCA), the financial regulatory body in the UK, dubbed ‘Britain’s markets watchdog’ by FT.com.
This is not a new issue - Trend Micro reported on the very same authentication security ‘holes’ last July in a research paper, Finding Holes: Operation Emmental (PDF), that detailed attacks targeting users in Austria, Switzerland, Sweden and Japan. The company similarly reported on Zeus mobile malware variants that could also bypass OTP-based two-factor authentication back in September 2010. Read more in Answer to OTP Bypass: Out-of-Band Two-Factor Authentication.
The attack sequence is also similar - by targeting customers and workers at financial organizations with phishing emails, attackers may successfully steal credentials and deliver malware that allows them to breach bank networks.
Yet another report by IBM security researchers found that OTP-based two-factor authentication can be bypassed using a remote overlay toolkit. Whenever a user navigates to a banking site, an alert is sent to attackers. Attackers can control the user’s PC remotely, as well as display fake bank login pages in their browser and effectively steal their passwords and passcode generated by their two-factor authentication mobile app or token. Learn more in Remote Overlay Toolkit Bypasses OTP Two-Factor Authentication.
An out-of-band two-factor authentication method is a better, more secure solution to the issue. Out-of-band refers to using a separate channel to verify authentication requests. So, if the first authentication request is sent over the Internet, the second authentication request should be sent over a different channel.
An example is an authentication request sent via push notification to your smartphone, requiring the use of a personal device to verify your identity. This protects against man-in-the-browser attacks and other attempts to steal one-time passcodes. Out-of-band authentication is highly recommended by the Federal Financial Institutions Examination Council (FFIEC) in their online banking security guidelines designed to protect transactions for banking institutions in the U.S.
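To make the out-of-band property concrete, here is an added example (not code from the post, Bronzeye, Trend Micro, IBM or any bank) of a push-style approval flow in Python. It models the bank server and the enrolled phone app as two in-process objects; the device's signing key is represented by a shared HMAC key provisioned at enrollment, and all names, the `alice` user and the transaction values are constructed. The point it demonstrates is the one in the paragraph above: because the approval is computed on the phone over the exact transaction details plus a single-use challenge, and never passes through the browser, a code stolen or relayed by malware in the browser does not authorise anything, a captured approval cannot be replayed, and an approval for one transfer does not verify against a tampered one.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    user: str
    payee: str
    amount_gbp: int


def approval_message(tx: Transaction, challenge: str) -> bytes:
    """Canonical bytes covering both the transaction details and the one-time challenge."""
    return json.dumps({**asdict(tx), "challenge": challenge}, sort_keys=True).encode()


class BankServer:
    """Bank side: holds per-device keys provisioned at enrollment, issues one-time
    challenges for the out-of-band channel and verifies device approvals."""

    def __init__(self) -> None:
        self.device_keys: dict[str, bytes] = {}
        self.pending: dict[str, Transaction] = {}

    def enroll_device(self, user: str, device_key: bytes) -> None:
        self.device_keys[user] = device_key

    def request_approval(self, tx: Transaction) -> str:
        challenge = secrets.token_hex(16)
        self.pending[challenge] = tx
        # In deployment the challenge and the transaction details are pushed to the
        # enrolled phone; nothing about the approval travels through the browser session.
        return challenge

    def verify_approval(self, challenge: str, approval: bytes) -> bool:
        tx = self.pending.pop(challenge, None)  # consumed on first use, so a replay fails
        if tx is None:
            return False
        key = self.device_keys.get(tx.user)
        if key is None:
            return False
        expected = hmac.new(key, approval_message(tx, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, approval)


class PhoneApp:
    """The enrolled device. It signs exactly the details it displays, and the user
    confirms only when those match the transfer they meant to make."""

    def __init__(self, device_key: bytes) -> None:
        self.device_key = device_key

    def approve(self, challenge: str, displayed: Transaction, intended: Transaction) -> Optional[bytes]:
        if displayed != intended:
            return None  # user sees a payee/amount they did not enter and declines
        return hmac.new(self.device_key, approval_message(displayed, challenge), hashlib.sha256).digest()


def enrolled_pair() -> tuple:
    bank = BankServer()
    key = secrets.token_bytes(32)  # constructed device key; real apps keep this in hardware-backed storage
    bank.enroll_device("alice", key)
    return bank, PhoneApp(key)


def legitimate_transfer() -> bool:
    bank, phone = enrolled_pair()
    tx = Transaction("tx-001", "alice", "ACME Utilities", 120)
    challenge = bank.request_approval(tx)
    approval = phone.approve(challenge, tx, tx)
    return approval is not None and bank.verify_approval(challenge, approval)


def replayed_approval() -> bool:
    """A captured approval is useless a second time: the challenge is single-use."""
    bank, phone = enrolled_pair()
    tx = Transaction("tx-002", "alice", "ACME Utilities", 120)
    challenge = bank.request_approval(tx)
    approval = phone.approve(challenge, tx, tx)
    bank.verify_approval(challenge, approval)        # first use succeeds
    return bank.verify_approval(challenge, approval)  # second use is rejected


def tampered_transfer() -> bool:
    """Browser-side tampering rewrites the transfer after the user submits it. The bank
    pushes what it actually received, so the user declines; and even a genuine approval
    over the intended details does not verify against the tampered transaction."""
    bank, phone = enrolled_pair()
    intended = Transaction("tx-003", "alice", "ACME Utilities", 120)
    tampered = Transaction("tx-003", "alice", "Unknown Payee", 5000)
    challenge = bank.request_approval(tampered)
    if phone.approve(challenge, tampered, intended) is not None:
        return True  # would mean the user approved details they never entered
    stray = phone.approve(challenge, intended, intended)  # approval bound to the intended details
    return bank.verify_approval(challenge, stray)
```

The design choice worth noting is that the phone signs what it shows, and the bank checks the signature against what it holds: those two facts together are what makes the second channel independent of the first. A six-digit code typed back into the browser has neither property, which is why malware sitting in that browser can relay it.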
Last month, I wrote about the deadline for European Union organizations to meet online security payment guidelines, set for August 1, 2015. Part of those guidelines includes using two-factor authentication to secure transactions such as wire transfers. However, not every two-factor solution provides the most secure method. Learn more about evaluating different solutions in our Two-Factor Authentication Evaluation Guide.