The Failure of Two-Factor Authentication

In 2005, I wrote an essay called "The Failure of Two-Factor Authentication," where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint. This BBC article describes exactly that: After logging in to the bank's real site, account holders are being tricked by the offer of training in a new "upgraded security system". Money is then moved out of the account but this is hidden from the user. [...] Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered. Some versions of the MitB will change payment details and amounts and also change on-screen balances to hide its activities. How to spot if you have been infected If your transaction seems to be taking longer than normal, there is a chance it is going via a fraudster's system If you are asked for more information than normal, especially entire passwords where previously you were only asked for part, your machine may have been infected Computers that have been infected often slow down while malware monopolises both the processor and the internet connection The solution is to authenticate the transaction, not the person. ...

read more...

Source: Schneier on Security - Monday, 6 February

Related articles:

• Older News
• 4Vote! Fujitsu develops world's smallest and slimmest palm vein biometric authentication sensor deployable in tablet devices PhysOrg - Wednesday, 2 May
  • Italy doctors save baby with smallest artificial heart - LabSpaces
  • Android vulnerability neutralised - PhysOrg
  • Hacking code of leaf vein architecture solves mysteries, allows predictions of past climate - PhysOrg
• 6Vote! Password Security at Linode Schneier on Security - Wednesday, 18 April
  • Handy Password generator on Attiny85 - Embedds.com
  • ZTE scrambles to get at root of phone flaw - PhysOrg
  • How to Securely Share a Password with Someone Using LastPass - Lifehacker
• 6Vote! Explaining heart failure as a cause of diabetes PhysOrg - Tuesday, 3 January
  • Scientists turn patients' skin cells into heart muscle cells to repair their damaged hearts - e! Science News
  • Scientists turn skin cells into beating heart muscle - Yahoo Science News
  • Images show risk of sudden heart failure - Futurity.org
• 7Vote! NIST special publication expands government authentication options PhysOrg - Wednesday, 21 December
  • Spin polarized supercurrents optimized with a simple flip - PhysOrg
  • First of 2 papers on lab-made bird flu published - Yahoo Science News
  • Fujitsu develops world's smallest and slimmest palm vein biometric authentication sensor deployable in tablet devices - PhysOrg
• 13Vote! Can nerve growth factor gene therapy prevent diabetic heart disease? PhysOrg - Tuesday, 20 December
  • Growth factor in stem cells may spur recovery from MS - LabSpaces
  • Non-Communicable Diseases Cause Most Deaths Worldwide -- Voice of America - Harvard World Health News
  • Raising HDL not a sure route to countering heart disease - LabSpaces
• 18Vote! Healthy lifestyle habits lower heart failure risk PhysOrg - Tuesday, 13 September, 2011
  • Calcium supplements linked to significantly increased heart attack risk - e! Science News
  • Scientists turn patients' skin cells into heart muscle cells to repair their damaged hearts - e! Science News
  • Scientists turn skin cells into beating heart muscle - Yahoo Science News
• 22Vote! Why kidney failure risk 4x higher for blacks Futurity.org - Tuesday, 6 September, 2011
  • Kidney Stone Rate Nearly Doubles in 16 Years - Yahoo Science News
  • Images show risk of sudden heart failure - Futurity.org
  • Test score estimates schizophrenia risk - Futurity.org
• 28Vote! 'Smelling' heart failure: Evaluation of an electronic nose PhysOrg - Monday, 29 August, 2011
  • Scientists turn patients' skin cells into heart muscle cells to repair their damaged hearts - e! Science News
  • Scientists turn skin cells into beating heart muscle - Yahoo Science News
  • Images show risk of sudden heart failure - Futurity.org
• 18Vote! Not faster, but longer -- new drug changes beat in treating heart failure PhysOrg - Friday, 19 August, 2011
  • Scientists turn patients' skin cells into heart muscle cells to repair their damaged hearts - e! Science News
  • Scientists turn skin cells into beating heart muscle - Yahoo Science News
  • Images show risk of sudden heart failure - Futurity.org
• 17Vote! Heart failure: Doing what your doctor says works PhysOrg - Wednesday, 13 July, 2011
  • Scientists turn patients' skin cells into heart muscle cells to repair their damaged hearts - e! Science News
  • Scientists turn skin cells into beating heart muscle - Yahoo Science News
  • Images show risk of sudden heart failure - Futurity.org