Posts Tagged ‘strong authentication’

The Malware Threat Landscape Creates an Increasing Need for Strong Authentication

If the phrase "polymorphic financial malware variant" does not make sense to you, then the malware is doing its job. With the malware threat landscape growing rapidly through new malicious applications, it is very difficult for the majority of computer users to keep up with the terminology. The Aite Group estimates that 25 million new types of malware were distributed in 2011 and that the number could rise to 87 million released per year by 2015. So what is a polymorphic financial malware variant? Why is it increasing the need for better online banking security and, ultimately, the overall need for strong authentication?

Polymorphic just means the malware is ever changing, constantly evolving into a more malicious program built to steal information. Some variants are designed to hijack browser sessions, and in the most targeted attacks they are purely financial in purpose. The real threat behind these new forms of software used to trick internet banking users is that they are incredibly hard to detect and to get rid of.

Shylock is the name of a sophisticated new malware which hijacks financial live chat sessions to impersonate a member of the bank and steal confidential data that can then be used for larger attacks. This is considered a browser-based man-in-the-middle attack, and it is both deceptive and effective.

It is the new form of phishing. Traditional phishing attacks required the user to visit a fake site through some kind of lure, and such phishing sites are now taken down quickly and often blacklisted before too much damage can be done, so attackers needed a new trap. Instead of luring the victim to a malicious website, the malware lies dormant until the user accesses a secured banking application. By sitting between the user and the bank, this man-in-the-middle attack allows the thief to ask personal questions and steal confidential data. It is a combination of social engineering and hacking.

Malware is becoming so sophisticated that the programs can now evade antivirus scans. Shylock uses three techniques to stay active on an infected machine while remaining undetected. Instead of running as its own process, it latches onto every other application on the victim's machine, effectively hiding in memory. Even with up-to-date anti-virus, detection is still not a solution, because the program detects when a scan has started. By removing all of its files from the computer it avoids detection, yet the application remains hidden in memory and still active. Once hidden from antivirus software, it stays deep in the victim's computer and takes over the Windows shutdown process: during shutdown, all of its files are recreated for the next time the user starts the device.

If a victim's computer can be hijacked without their knowledge, and the malicious software running undetected can be reinstated at startup, then how secure can any security process be? Strong authentication which uses an out-of-band authentication method can protect against these types of man-in-the-middle attacks by separating a piece of the login process from the malware. Through a time-based one-time password, banks can securely identify a user by transmitting the OTP to the customer's mobile phone. Not only does this keep a piece of the login credential away from the malware, it also gives the customer an alert whenever access is requested.

Kaspersky Labs has said that 780 new malware applications are created every day to siphon confidential financial data. This means man-in-the-middle attacks such as this one will become more common as the malware threat landscape becomes more aggressive. Without effective, efficient and customer-friendly security, adoption of another process may not be easy. Strong authentication which uses an out-of-band one-time password not only provides a low-cost solution but also creates a notification platform for online banking access.

FFIEC Authentication Guidance Update: The Need for Out Of Band Authentication

The Federal Financial Institutions Examination Council's (FFIEC) guidance for financial institutions, first issued in 2005, supports the use of strong authentication processes to protect customer identities and information during online transactions.

The FFIEC revisited these guidelines and addressed several areas because of the increasing number of identity fraud cases, phishing attacks, malware and man-in-the-middle attacks. The FFIEC authentication guidance update covers better risk assessment, adopting stronger authentication standards, using layered security, advanced authentication techniques and technology guidance for compliance.

Much of the focus of the FFIEC guidance update is on adoption of strong authentication for consumer and commercial banking. Financial institutions need to provide solutions and offer advice to the customers they serve, in addition to enhancing their own online security measures.

The most effective strategy for detecting and preventing banking fraud schemes is to implement the use of layered security. “Layered security,” as defined by the FFIEC is “the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” Multiple layers of security have been proven to prevent identity attacks. If one security layer fails, the other layer of security is in place to prevent fraud attacks. Layered security options include out of band authentication and advanced transaction verification.

As financial institutions analyze online risks, they need to consider mobile devices as an effective layer for out of band authentication. Financial institutions aren't doing enough when it comes to using mobile devices as an out of band layer for additional authentication. Most financial institutions have fraud detection technologies in place, but they are not flexible enough to respond to fraudulent attacks fast enough to stop them.

The majority of financial institutions rely on risk controls and fraud detection technologies that don't prevent or stop the new kinds of attacks. Their security programs are not strong enough to combat these fraud attacks, and they need to be building risk and security programs that support their fraud departments. These financial institutions also need to dedicate budgets to responding quickly to these new kinds of attacks when they're detected, in order to minimize their losses. It's not so much that the technology is the problem, but rather the minimal budget financial institutions have to combat these attacks.

Many of today's financial institutions rely on weak multi-factor authentication such as a combination of username/password and some form of knowledge-based authentication, such as a question and answer or a PIN. The FFIEC guidance addresses single-factor authentication directly, and many online fraud and identity attacks are the result of single-factor authentication or weak multi-factor authentication.

The FFIEC guidance and recommendations address better risk assessments, adopting stronger authentication standards, pushing towards multiple layers of security, exploring advanced authentication techniques and providing technology guidance for compliance.

Driving better risk assessments for financial institutions requires a better understanding of the new attacks and how to respond to them in a timely manner. This includes guidance for regular reviews of banks' internal systems and of the ability of those systems to detect and deal with fraudulent attacks.

Adopting stronger authentication standards is a must with the new types of attacks. Usernames and passwords aren't enough to protect customers, and neither are weak forms of multi-factor authentication. Today's attacks require stronger means of authentication, especially for high-risk transactions such as wire transfers and ACH transactions. One way to adopt stronger authentication is to implement out of band authentication with a mobile device to prevent fraud attacks.

Multiple layers of security are a proven way to prevent fraud attacks which include malware. If one security layer fails, another layer can prevent the fraudulent attack. Security such as out of band authentication and advanced transaction verification can be very effective forms of multiple security layers.

Authentication technology needs to evolve and stay innovative as fraudulent attacks increase in sophistication. For example, financial institutions can implement out of band authentication with mobile devices and use stronger challenge questions.

Providing technology guidance is a focus of the FFIEC, which offers instruction on technology and solutions such as fraud detection platforms. Other solutions include fraud transaction monitoring and/or anomaly detection software.

Financial institutions can increase their security and at the same time keep their costs low by implementing out of band authentication solutions. Out of band authentication can be a cost-effective and user-friendly option, since users already own the devices involved. This eliminates the high cost of deploying additional devices. By using a different medium such as a mobile device, smart phone, tablet, email, or SMS, an independent authentication can be delivered to users.

With out of band authentication, a customer is prompted during an online session for a one time password that has been sent to their mobile device. Without the out of band channel (the customer's mobile phone), a transaction cannot be completed, and a message can be sent to the customer that an attempt to access an online session was not completed. Out of band authentication is a highly effective technology and can prevent fraud attacks.
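The flow just described, and the time-based one-time password from the first post above, as an added example that is not part of either post or of any vendor's product. It goes a step beyond the text: the code is bound to the transaction details (amount and payee) that the SMS repeats to the customer, so a code issued for one transfer cannot approve a transfer that browser malware has altered. The secret, the clock value and the transaction are constructed sample data.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept one step of clock skew on either side

def oob_code(secret: bytes, now: int, context: str = "") -> str:
    """Time-based code. `context` ("" for a plain login) is mixed into the MAC
    so that a code issued for one transaction cannot approve a different one."""
    msg = struct.pack(">Q", now // STEP) + context.encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    num = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** DIGITS).zfill(DIGITS)

def txn_context(amount: str, payee: str) -> str:
    return f"{amount}|{payee}"

def issue_challenge(secret: bytes, now: int, amount: str, payee: str) -> str:
    """Bank side: build the SMS sent to the customer's phone. The text repeats the
    transaction details so the customer can spot an amount or payee the malware changed."""
    code = oob_code(secret, now, txn_context(amount, payee))
    return (f"Your bank: code {code} approves {amount} to {payee}. "
            f"If you did not request this, do not enter the code and call us.")

def verify(secret: bytes, submitted: str, now: int, amount: str, payee: str) -> bool:
    """Bank side: check the code typed into the browser against the transaction
    actually queued, allowing WINDOW steps of clock skew either side."""
    ctx = txn_context(amount, payee)
    for k in range(-WINDOW, WINDOW + 1):
        expected = oob_code(secret, now + k * STEP, ctx)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample: per-customer secret provisioned at enrolment, fixed clock.
    secret = b"constructed-demo-secret-not-real"
    now = 1_700_000_000
    print(issue_challenge(secret, now, "$250.00", "ACME Utilities"))
    code = oob_code(secret, now, txn_context("$250.00", "ACME Utilities"))
    print("legitimate:", verify(secret, code, now + 20, "$250.00", "ACME Utilities"))
    print("altered payee:", verify(secret, code, now + 20, "$250.00", "Mule Account"))
    print("replayed later:", verify(secret, code, now + 120, "$250.00", "ACME Utilities"))
```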

Most authentication methods can be compromised by phishing attacks, so the focus needs to be on authenticating transactions to prevent fraud. Financial institutions need to have filters in place for any and all transactions. There is always a risk of fraud, but managing that risk by implementing out of band authentication can lower it dramatically.

Many financial institutions consider out of band authentication a crucial part of preventing fraud, but some worry that their customers will find it too difficult to use. The effectiveness of out of band authentication must be balanced with usability so that integration is not a problem for institutions or their customers. When the risk is higher than the cost of implementing a security measure, it is worth it for a financial institution to deploy security like out of band authentication to prevent attacks and protect its customers.