Hackers getting to grips with 'secure' authentication warns Gartner
One-time passwords and phone authentication no longer enough
By Jaikumar Vijayan | Computerworld US | Published: 06:25, 16 December 2009
Security measures such as one-time passwords and phone-based user authentication are no longer enough to protect online banking transactions against fraud, according to a new report from Gartner.
Increasingly, such measures are overwhelmed by online criminals looking to pillage bank accounts using valid login credentials stolen from customers, the report said.
Going forward, banks need to quickly implement additional layers of security to protect their customers from falling victim to online fraud, said Avivah Litan, Gartner analyst and the report's author.
Related Articles on Techworld
Gartner's warning comes amid a sharp uptick in fraud involving the exploitation of valid online banking credentials. In August, NACHA- the Electronics Payments Association issued an alert, warning members about attacks involving the theft of online banking credentials, such as usernames and passwords mostly from small- and medium-size businesses. Cybercriminals used the stolen credentials to take over corporate accounts and initiate unauthorised transfers of funds via electronic payment networks, NACHA said in its warning. NACHA, with more than 11,000 financial institutions as members, oversees the Automated Clearing House (ACH) electronic payments network.
Just a few days earlier, a similar alert was sent to members of the Financial Services Information Sharing and Analysis Center. The alert identified organised cybercrime groups in Eastern Europe as predominantly responsible for illegally siphoning millions of dollars off corporate accounts and sending the money overseas via popular money and wire transfer services.
Last month, the FBI's Internet Crime Complaint Center noted that as of October, cybercrooks had attempted to steal approximately $100 million from US banks using stolen log-in credentials. On average, the FBI is seeing several new cases opened each week, the complaint center said. In most instances, the crooks used sophisticated keystroke logging Trojan horse programs to steal login credentials from company employees authorised to initiate funds transfers on behalf of the business, the FBI noted.
According to Litan, several Gartner banking clients have reported being victimised or targeted by attacks involving the use of malicious code hidden in web browsers to intercept and corrupt banking transactions.
