Originally published November 27, 2005
Expert believes two-factor authentication will fail to secure online banking
by Mike Adams, the Health Ranger, NaturalNews Editor
In InformationWeek, Mitch Wagner questions the efficacy of two-factor authentication in preventing fraudulent online transactions.
In the name of protecting against phishing, identity theft and other forms of fraud, federal regulators handed banks and consumers an enormous job recently.
The work required will make online transactions a great deal more expensive for banks--who will no doubt pass the expense on to customers.
As reported in a story by my colleague Steve Marlin, the Federal Financial Institutions Examination Council is giving banks until the end of next year to implement two-factor authentication for online transactions.
Right now, banks only use one-factor authentication: You go to the bank's web site, enter in a login and password, and you're in your account.
Generally speaking, that something else is a hardware token, such as a smart card or a gadget the size of a key fob that generates one-time passwords.
(For a photo of one of those gadgets, follow the link in the previous story.)
Steve's article points out that crooks will simply trick consumers into giving up their one-time passwords; this has already happened at a Scandinavian bank that implemented two-factor authentication.
Security expert Bruce Schneier, CTO of Counterpane Internet Security, explains further.
He notes that two-factor authentication will be impotent to stop two of the most common attacks perpetrated on the Internet today: man-in-the-middle attacks, and attacks using Trojan Horses.
The e-mail directs you to a Web site where you log into your account.
But the Web site is a phony--it's relaying your login information to criminals, who are, in the background, using your login information to log in to the real bank site, and then stick a (metaphorical) vacuum cleaner hose into your bank account and suck all the money out.
Secondly, two-factor authentication will reduce the criminal market in passwords.