Does two-factor authentication need to be fixed? Tough criticisms heard this week from researchers about the effectiveness of two-factor authentication, especially as it's used in its token form for one-time passwords and smartcards, suggest advances need to be made to restore its luster as security protection.
Two-factor authentication sounded tarnished enough in the report "Dissecting Operation High Roller" from McAfee and Guardian Analytics, which describes how an international crime gang has been targeting bank accounts of businesses and individuals to try to steal millions through unauthorized, fraudulent funds transfers using an automated process tied to remote servers elsewhere. Not only did two-factor authentication tokens for accessing bank accounts not stop the crooks, who had subverted the victims' computers with malware, but the user's commandeered authentication process was actually integrated into the automated flow of criminal processing.
"I'd never seen it anywhere else," says Dave Marcus, director of advanced research and threat intelligence at McAfee and co-author, with threat researcher Ryan Sherstobitoff at Guardian Analytics, of the report on the discoveries the two security firms made as part of the forensics and investigation into a cybercrime spree that appears to have started last winter as European banks and their customers, primarily, were hit.
The fraudsters in this case designed their account takeover process for optimum exploitation of two-factor information. "They developed a fraud technology that relies on two-factor - it requires the two-factor authentication," Marcus says.
The automated system the crooks came up with takes the credentials of the person logging into the compromised machine and embeds the chip-and-pin information into the automated hacking process to carry out fraudulent funds transfers. "The collection of the token information is part of the fraud process, it's integrated into it," Marcus says.
That's why McAfee and Guardian Analytics made the strong statement they did in their report this week, saying, "The defeat of the two-factor authentication that uses physical devices is a significant breakthrough for fraudsters. Financial institutions must take this innovation seriously, especially considering the technique used can be expanded for other forms of physical security devices."
Marcus is careful to say he's not advising anyone to stop using two-factor authentication, nor saying that it's somehow intrinsically broken. "Chip and pin is a solid defense," he says. But he adds that the European crime spree suggests there needs to be some kind of design improvement in two-factor to outwit such wily cybercrime.
Steve Hope, technical director at Winfrasoft, based in the United Kingdom, which has come up with its own two-factor authentication method called PINgrid, agrees it's time for innovative approaches. Although it's not something the firm sees its enterprise customers doing today, it's possible to suggest new approaches to two-factor authentication to address the issues raised.
"Today, two-factor authentication has nothing to do with the transaction," Hope points out, saying the underlying problem may be that it is not directly tied into validation of transactions and the account code, he points out. The two processes are separate today but it should be possible to unite them to ward off sophisticated attacks. But he adds: "malware has the power, at the moment."