/v3-uk/news/1965927/hackers-crack-factor-security
04 Jul 2005, Iain Thomson, V3
IT experts warned today that, contrary to popular belief, two-factor authentication is not secure enough to curb internet banking fraud.
"Two-factor is good, but hackers are responding," Graham Cluley, senior technology consultant at Sophos, told vnunet.com.
"The latest generation of spyware not only includes key-loggers that trap passwords, but screen-grabbing software. This takes multiple images of what the user is doing and sends it straight to the hacker."
Cluley is not the only expert to warn of the danger of putting too much faith in two-factor technology, which combines conventional passwords with portable electronic tokens that generate a unique code in synchronisation with a central security server.
Bruce Schneier, chief technical officer at Counterpane, has also raised doubts about the technology's ability to cope with man-in-the-middle and pharming attacks.
Nevertheless, the banking industry looks set to implement two-factor authentication after talks with the police and vendors.
Patrick Runald, senior antivirus consultant at F-Secure, said: "Where I'm from in Sweden two-factor works very well. The banks can sell themselves on security and it reassures customers."
The warnings follow announcements from Microsoft and BT that they are planning to adopt two-factor authentication to enhance security.
The system still uses passwords, but adds a second layer of security with a physical token that synchronises with a remote server to prove the user's identity.
Do you agree?
--
endless talks.
Posted by _CyB0rG, 04 Jul 2005
The Idiots are at it again!
Two factor is as secure as the implementation. If the server allows multiple log-ins on one code then it's as porous as can be. But, if only one log-in per code is adhered to and the sixty second time-out is observed and obeyed then it's very secure. I mean how the heck could a hacker get in if all he has is expired codes and can't initiate a second and simultaneous log-in?
Posted by George, 05 Jul 2005
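The server-side behaviour the comment above describes (one log-in per code, sixty-second window), shown as an added example that is not part of the original thread or any vendor's code. It assumes an RFC 6238-style TOTP as a stand-in for the proprietary tokens discussed; `TokenVerifier`, `demo`, the user name, secret and timestamps are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds a code stays valid, matching the sixty-second window in the comment


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over a time-step counter, i.e. RFC 6238-style TOTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server-side check: accept each time step at most once per user."""

    def __init__(self, secrets: dict[str, bytes], drift_steps: int = 1):
        self.secrets = secrets
        self.drift_steps = drift_steps        # tolerated clock skew, in steps
        self.last_used: dict[str, int] = {}   # user -> highest accepted step

    def verify(self, user: str, code: str, now: float) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = int(now) // STEP
        floor = self.last_used.get(user, -1)
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= floor:
                continue  # this step (or a newer one) was already consumed: replay
            if hmac.compare_digest(totp(secret, step), code):
                self.last_used[user] = step
                return True
        return False


def demo() -> list[bool]:
    # Constructed sample data: user name, secret and timestamps are made up.
    v = TokenVerifier({"alice": b"constructed-demo-secret"})
    t0 = 1_120_435_200.0
    code = totp(b"constructed-demo-secret", int(t0) // STEP)
    return [
        v.verify("alice", code, t0),        # first use inside the window
        v.verify("alice", code, t0 + 5),    # same code presented a second time
        v.verify("alice", code, t0 + 300),  # same code after it has expired
    ]
```

Single-use enforcement covers the reuse of a captured code; it does not by itself address the man-in-the-middle concern raised in the article, which other comments answer with mutual authentication.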
bad idea
Anyone who has used two factor schemes such as RSA with a remote server doing the authentication knows what a waste of time this is.
Posted by techie, 05 Jul 2005
Risks mitigated if implemented correctly
Screen grabbing can have no impact on two-factor authentication, such as physical tokens, smartcards, USB tokens, etc., only upon pseudo two-factor software solutions.
Two-factor solutions should require mutual authentication, to mitigate man-in-the-middle attacks as a matter of course, anyway.
As with any security solution, two-factor authentication can be implemented poorly.
Posted by Ian Howard, 06 Jul 2005
Disservice
Articles like this give financial institutions the ammunition they need to avoid doing anything. Two-factor isn't the complete answer, but there is no complete answer. Two-factor authentication is a huge improvement over simple passwords.
It's interesting that the article did not explain how hackers compromise the new scheme. Keystroke logging is not enough since the token changes each minute.
Posted by Anon, 06 Jul 2005
In response to 'techie'
I would love to know where your justification for dismissing two-factor authentication as a 'bad idea' comes from. The other posts here are sensible, and balanced. Two-factor authentication IS more secure, providing the implementation is done well. It is a well-known fact that tokens can be compromised if the hacker has access to config files, e.g. the RSA .asc files, but as long as organisations are cautious about the implementation, then you can expect two-factor authentication to be as secure as it can be at present.
It is perhaps more relevant to train people to not download 'dodgy' content, or open attachments from unknown senders!
Posted by An IT Professional, 07 Jul 2005
Where is the value in this article? Just more hype...
I am disappointed by the quality of this article - and that Vnunet editors allowed it to be published in its current (incomplete) format/lack of content.
Why add to the media hype with a title such as "Hackers crack two-factor security" without substantiating this claim and adding the required depth to the article? The quotations by the author's cited Info. Security experts do not add any significant understanding or contribution to the perceived "problems" faced with two-factor authentication, and no mention is made of the number of best-practice implementations across the world where two-factor authentication is really making a difference!
Posted by Knersus, 07 Jul 2005
What he is talking about?
The author of the article does not seem to understand what he is talking about.
Proper two factor authentication requires an out of band electronic device, producing a number. This number is synchronized with the server and changes every minute.
Even if somebody can capture this number, it is useless next time around. Unless a hacker can crack the actual server, the authentication is very secure.
Posted by Igor, 07 Jul 2005
One way or the other...
The chain is as strong as its weakest link, in this case, the compromised workstation on the end-user side.
Instead of continually enhancing and redesigning security concepts, I'd rather see a bank taking action on the human mess-ups on the client side.
When I leave my front door open, with a blinking neon sign in front of it yelling "Burglars Wanted", I can be sure of two things.
a) I'll be robbed blind
b) The insurance company won't pay me anything.
There is more to win in education and common sense than technology... though technology still scratches that geek-itch I have.. ;)
Posted by DSCX, 08 Jul 2005
Do Your Homework - Two-factor works!
I, like a great deal of readers, was very surprised at the lack of depth in this article.
When it comes down to it, most security in Banking (both physical and logical) can be by-passed in one way or another.
Two-factor authentication is a great improvement over static passwords and has been proven to reduce online banking fraud dramatically. Strong, two-factor authentication combined with transaction authentication, and host authentication is the way forward for online banking.
Hardware token vendors such as VASCO Data Security are leading the field in this space and all of the so called 'hacks' in your article are mitigated by a correctly implemented two-factor authentication solution.
I would advise that the author do his homework because I'm sure that banks who are implementing two-factor have done theirs.
I know for a fact that a large bank that has used hardware tokens for over 3 years (with over 500,000 online customers) has NEVER been victim to online banking fraud.
Posted by Stuart Lees, 14 Jul 2005
two-factor security in no danger
I'm sorry but I must disagree with the sentiment that this post seems to establish. Dismissing a form of technology simply because it's been proven that it is vulnerable is simply folly. While two factor authentication is still a young technology it's growing by leaps and bounds all the time and at some point I believe it will be something that is adopted by 100% of all on and offline businesses.
Posted by Charlie, 29 Apr 2008
cracking two-factor security
Though it's not perfect by any means, two-factor security is the best in the fight against theft and fraud. Applying such tools to banking is a big step forward, one I'm happy to see. I think once the technology advances, it will provide even stronger security. You also have to remember that there will always be someone, somewhere waiting to break through our digital security measures.
Posted by Robert Swartz, 12 Mar 2008
IT CAN BE CRACKED
Well, this authentication system can be cracked. Yes, it's very difficult to crack with a guessing attack, but SQL injection and phishing can be performed.
Posted by cyrus, 12 Mar 2009