Gartner in two-factor authentication warning

Fraudsters have found that two-factor authentication can be circumvented

Organisations must employ a multi-layered approach to fraud prevention if they are to thwart increasingly persistent hacking attacks that can now circumvent two-factor authentication devices, according to analyst firm Gartner.

In a new report released today, Where Strong Authentication Fails, Gartner recommends that organisations firstly monitor user access behaviour, by analysing all of a user's web traffic and spotting any automated programs.

Firms also need to keep an eye out for suspect transaction values, by looking at a particular transaction and comparing it to a profile of what constitutes " normal" behaviour. Out-of-band transaction verification can be used to further secure a transaction, by enabling the user to verify via a phone call.

"Fraudsters have definitely proven that strong two-factor authentication processes can be defeated," said Litan.

"A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers has been proven to mitigate these threats.

"Gartner clients who have fended off such attacks have done so with either automated fraud detection or manual review of high-risk transactions."

Litan warned that while such attacks have thus far been targeted at financial institutions and their users' accounts, they are likely to "migrate to other sectors and applications" that contain sensitive data in the future.