Delfigo Security - Strong Authentication


Man In The Browser Attacks Beat Two Factor Authentication

Out-of-band strong authentication options that deliver one-time passwords via phone-based systems are widely used by banks and other financial institutions. However, as the research and advisory firm Gartner points out [Where Strong Authentication Fails and What You Can Do About It], these methods are susceptible to man-in-the-browser and social-engineering attacks when they are not deployed as part of a layered approach:

“In instances where a bank might use a phone-based, "out-of-band" authentication system, criminals are increasingly using call forwarding so that it is the fraudster rather than the legitimate user that is being called by the financial institution, Gartner said. If a security application places an outbound call, synchronized to a Web session, then this outbound call can be forwarded to fraudsters. If in addition the security application displays a number on the Web screen that must be entered via the telephone keypad, then this number can easily be intercepted by a Man-in-the-Browser Trojan and forwarded to the same fraudsters, thus hijacking the session. We can reverse the loop and request the user to send some transaction info using the phone keypad. But this does not make any difference.”

A layered, risk-based approach selects additional authentication factors according to the type of activity being performed, and raises the authentication requirements for higher-risk transactions, so that the credentials an attacker can harvest from one channel are not sufficient on their own to authorize a sensitive action. These additional security layers have demonstrated effectiveness in a variety of scenarios.
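The following is an added illustration of the risk-based step-up policy described above; it is example code written for this page, not Delfigo's product or Gartner's material. The factor names, activity types, thresholds and scoring weights are assumptions chosen for the demonstration. The tiers are arranged so that the two things the quoted passage describes as harvestable (the session password and a phone-delivered OTP) suffice for low-risk actions but not for a high-value transfer to a new payee, which additionally demands a device-bound credential and explicit confirmation of the transaction details.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Factor(Enum):
    """Authentication factors a session or transaction may present (names assumed)."""
    PASSWORD = auto()          # something the user knows
    PHONE_OTP = auto()         # one-time password delivered over the phone channel
    DEVICE_BOUND = auto()      # credential held on a previously enrolled device
    TXN_CONFIRMATION = auto()  # explicit confirmation of the exact transaction details


@dataclass(frozen=True)
class Activity:
    """One user action as seen by the server (constructed for this example)."""
    kind: str                  # "login", "view_balance", "transfer", "change_contact"
    amount: float = 0.0        # monetary value; 0 for non-payment actions
    new_payee: bool = False    # payee not previously used on this account
    known_device: bool = True  # request comes from an enrolled device/browser


# Hypothetical threshold; a real deployment tunes this against its own fraud data.
HIGH_VALUE = 1000.0


def risk_score(a: Activity) -> int:
    """Additive score: the activity type sets a base, transaction context adds to it."""
    base = {"login": 0, "view_balance": 0, "transfer": 2, "change_contact": 3}
    score = base.get(a.kind, 2)  # unknown activity types are treated as medium risk
    if a.amount >= HIGH_VALUE:
        score += 2
    if a.new_payee:
        score += 2
    if not a.known_device:
        score += 1
    return score


def required_factors(a: Activity) -> set[Factor]:
    """Map the risk score to the layers that must be present before the action proceeds."""
    score = risk_score(a)
    needed = {Factor.PASSWORD}               # every tier starts with the session credential
    if score >= 2:
        needed.add(Factor.PHONE_OTP)         # second factor for anything beyond read-only use
    if score >= 4:
        needed.add(Factor.DEVICE_BOUND)      # high risk: the phone channel alone is not enough
    if score >= 5:
        needed.add(Factor.TXN_CONFIRMATION)  # highest risk: user confirms the exact details
    return needed


def authorize(a: Activity, presented: set[Factor]) -> tuple[bool, set[Factor]]:
    """Return (allowed, missing); 'missing' is what the user must still complete (step-up)."""
    missing = required_factors(a) - presented
    return (not missing, missing)


if __name__ == "__main__":
    # What a man-in-the-browser plus call forwarding could plausibly harvest: the
    # password and the phone-delivered OTP. Low-risk use is allowed, the high-risk
    # transfer is stopped and the server asks for the remaining layers.
    harvested = {Factor.PASSWORD, Factor.PHONE_OTP}
    for act in (Activity("transfer", amount=250.0),
                Activity("transfer", amount=5000.0, new_payee=True)):
        ok, missing = authorize(act, harvested)
        print(act.kind, act.amount, "allowed" if ok else "step-up required:",
              sorted(f.name for f in missing))
```

The policy is deliberately additive and transparent: every decision can be traced back to the activity type and the context flags, which is what an auditor or a fraud analyst needs when tuning the tiers.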