March 16, 2005 - (HOSTSEARCH.COM) - Security expert Bruce Schneier published a paper (http://www.schneier.com/crypto-gram-0503.html#2) on online security yesterday that slams the banking industry for turning to technology that's decades old to solve the problems online banking faces today.
The technology, which banks are just beginning to implement, is called two-factor authentication. It combines the familiar static password with a second factor: a sequence that changes by the minute, or a response to a unique challenge. If someone is using a keystroke logger or eavesdropping on the connection, for example, they still won't be able to come back later and use what they captured to log in.
That's wonderful for defending against the methods hackers were using 20 years ago, but Schneier is critical of the method for failing to defend against today's security situation.
Schneier describes two current hacking methodologies, the man-in-the-middle attack and the Trojan horse: "In a man-in-the-middle attack, an attacker puts up a fake bank website and entices the user to that website. The user types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
With a Trojan attack, the attacker gets a Trojan installed on the user's computer. When the user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.
See how two-factor authentication doesn't solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in."
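To make Schneier's first point concrete, here is an added Python simulation (not from his paper or this article) of a bank verifying a time-based one-time code: a relay that forwards the captured password and code within the code's validity window is accepted, and one-time-use tracking does not help because the attacker's submission is the only one the real bank ever sees. The seed, password and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 time step
DIGITS = 6
WINDOW = 1          # bank also accepts the previous/next step (clock drift)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def token_code(secret: bytes, now: int) -> str:
    """What the customer's token displays at time `now` (TOTP)."""
    return hotp(secret, now // STEP_SECONDS)


class Bank:
    """Toy bank login: static password plus time-based code, each code usable once."""

    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret
        self.used_counters = set()

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        current = now // STEP_SECONDS
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter in self.used_counters:
                continue  # replay protection: each time step accepted once
            if hmac.compare_digest(code, hotp(self.secret, counter)):
                self.used_counters.add(counter)
                return True
        return False


def relay_attack_succeeds(delay_seconds: int) -> bool:
    """Man-in-the-middle: the user types password + code into the fake site at
    time t0; the attacker forwards both to the real bank `delay_seconds` later."""
    secret = b"constructed-demo-seed"   # constructed sample seed, not a real one
    bank = Bank("hunter2", secret)       # constructed sample password
    t0 = 1_110_931_200                   # constructed timestamp (2005-03-16 00:00 UTC)
    captured_password, captured_code = "hunter2", token_code(secret, t0)
    # The bank sees one valid password and one unused, in-window code: indistinguishable
    # from the genuine customer. Only a relay slower than the window is rejected.
    return bank.login(captured_password, captured_code, t0 + delay_seconds)


if __name__ == "__main__":
    print("relay within 10 s accepted:", relay_attack_succeeds(10))   # True
    print("relay after 5 min accepted:", relay_attack_succeeds(300))  # False
```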
Online security company Netcraft also recently published an article criticizing online banking security: "Phishing attacks reported by members of the Netcraft Toolbar community show that many large banks are neglecting to take sufficient care with the development and testing of their online banking facilities."
Netcraft cites the example of the phishing attack that caught Citizens Bank off guard.
Identity fraud and online security vulnerabilities are not only damaging in themselves; they also damage the online economy as a whole, as consumers become increasingly wary of typing in a credit card number or making an online transaction. There is seemingly a large window of opportunity for web hosts to step into the process by offering expertise and protection, in the form of software and hardware, to non-technical companies engaging in eCommerce.