September 30, 2014 By Etay Maor 3 min read

If Two-Factor Authentication (2FA) Is Not Bulletproof, How Will We Authenticate?

In the past couple of years, we have repeatedly been reminded of the weakness of passwords as an authentication method. High-profile breaches with millions of lost credentials, sophisticated desktop malware, advanced mobile malware, phishing scams and other attacks have proven time and time again that a username and password combination cannot provide the adequate evidence required for authentication.

One of the most popular and trusted methods for strong authentication has been the use of one-time passwords (OTPs) in the form of tokens. While OTP tokens are used to deter attackers due to the need for real-time data from the potential victim, today’s malware is specifically designed to circumvent this security measure.

As two-factor authentication (2FA) is based on the assumption that two of the three factors of authentication are used (something you know, something you have and something you are), tokens no longer qualify as “something you have.” The moment a user looks at a token’s randomly generated number, it becomes something he knows. While this new password does have a short time to live, it is still just another password in the user’s possession. As we have witnessed repeatedly, extracting passwords from an end user with malware is not a difficult task.

Targeting OTPs is nothing new. Today’s cybercriminal has a long list of tools that can be used to extract everything from passwords to secret questions, token-generated passwords and even device ID data.

Cybercriminals regularly defeat SMS passwords, emulate users’ online behavior and even outsmart combinations of smart cards, passwords and unique card readers. Phishing attacks dating back to 2008 used OTP-stealing mechanisms by asking victims repeatedly for their token-generated password. The criminal simply monitored his command-and-control server and attempted to use these credentials as they were stolen and sent to his server in real time.

When malware became cybercriminals’ main tool, malware designers and users approached the OTP issue through social engineering and HTML injection. From login page OTP stealers to SMS OTPs, everyone — not just financial institutions — was targeted. Some techniques were so good that gangs started copying ideas from one another. Even in a recent court case, multifactor authentication alone as a method of authentication was not deemed secure enough.

All in all, a cybercriminal can now choose between simple credential-stealing tools that will report the OTP in real time to sophisticated remote-session hijacking if there is an OTP challenge.

Top Challenges With Biometrics

One rising but infrequently used authentication measure these days is biometrics (“something you are”). Using biometrics in its various forms (voice, fingerprint, retina scan, behavioral biometrics, etc.) poses the following challenges:

  • Registration: To register a biometric, one must make sure the registration process is done in a clean and safe environment. While this is true for any form of password, it is much more important for biometrics. A password can be re-credentialed, while a fingerprint cannot.
  • Accuracy: This is the question of how accurate you want your biometric to be. If you require very high accuracy, be prepared to deal with many angry users. A fingerprint that requires the same exact position of your finger every time (ask iPhone 5s users) or a voice biometric ruined due to a slight change in voice (phone reception, the flu, background noises) can be very frustrating for an end user.
  • Database Security: Biometrics cannot be re-credentialed. If you plan on collecting such strong authentication measures from your users, you have to make sure this data is properly secured. If it were ever compromised, the backlash would be unprecedented.
  • Forgery: Last but not least, if you can’t make it, fake it. Using high-resolution scans and pictures, voice sampling and mouse movement capturing, attackers can forge a biometric.

It remains to be seen how financial institutions will implement various forms of biometrics and how the cybercrime gangs will react when biometric adoption rates grow. For every evolution in authentication, the cybercriminals have determined a countermeasure to continue their fraud operations.

So Where Is Authentication Heading?

New authentication solutions are taking a much wider view and approach to the problem than 2FA. We are moving away from relying on passwords and secrets that the user holds to the correlation of multiple events and elements to decisively understand whether the session, device and user are who they claim to be.

While passwords will not die anytime soon (they aren’t completely worthless, after all), security experts today correlate multiple fraud indicators to better understand an incoming authentication event. These indicators include multiple data elements and decisions such as the following:

  • Is the authenticating device infected with malware?
  • Has the authenticating user been identified as a phishing victim?
  • Is the session actually controlled by a remote computer?
  • Have any of the user’s devices been compromised?
  • Is there evidence of typing anomalies during the authentication process?

By moving away from adding another form of “something you know/have/are” and checking hundreds of other indicators, both the user and the security officer experience less friction and have less of a need for manual authentication and case investigation. In my next article, I will analyze two different approaches for such invisible authentication.

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today