Moves by banks to introduce two-factor authentication will
not protect the public against phishing attacks and identity theft,
international security expert Bruce Schneier said last
week.
Schneier, a security technologist and author, and founder and chief
technical officer of Counterpane Internet Security, said it will
only be a matter of time before criminals develop countermeasures
to the technology. "Two-factor authentication is not our saviour.
It will not defend against phishing. It is not going to prevent
identity theft. It is not going to secure online accounts from
fraudulent transactions," he said.
Two-factor authentication was developed 10 years ago as a more
secure alternative to passwords alone, which can be guessed,
cracked or intercepted on the internet.
Although a few banks are now beginning to issue two-factor devices
such as smart tokens to their customers, attacks have already been
developed that sidestep two-factor authentication rather than
break it.
These include man-in-the-middle attacks, in which an attacker puts
up a fake bank website and entices the user to log on. Whatever
the user keys in, the password and the one-time code alike, the
attacker relays to the real bank website at once, before the code
expires, and so obtains an authenticated session of his own.
Sophisticated Trojans have also been developed which wait for the
customer to log in legitimately and then piggyback on that
authenticated banking session to make fraudulent transactions, so
the second factor is never asked for again.
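The two attacks described above, simulated as an added example that is not code from the article, from Schneier or from Counterpane. The bank, the customer, the token seed and the password are constructed stand-ins, and the HMAC-based one-time code is a simplified model of a hardware token. The point it shows is that the bank's check answers only "does the submitter know the current code right now", which both a real-time relay and a session-riding Trojan can satisfy, while a later replay of the same code is correctly refused.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed values for the simulation; none of them are real.
STEP = 30                                  # seconds per one-time code window
SHARED_SECRET = b"constructed-token-seed"  # seed held by the customer's token
PASSWORD = "correct horse"                 # customer's static password


def one_time_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code with RFC 4226 style truncation.

    Stand-in for what a bank token displays for the current time window.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class Bank:
    """Simulated bank login: password plus one-time code, each code usable once."""

    def __init__(self) -> None:
        self.balance = 1000
        self.used_counters: set = set()   # windows whose code has been consumed
        self.sessions: set = set()        # live session identifiers (bearer tokens)

    def login(self, password: str, code: str, now: float) -> Optional[str]:
        counter = int(now // STEP)
        expected = one_time_code(SHARED_SECRET, counter)
        if password != PASSWORD or not hmac.compare_digest(code, expected):
            return None
        if counter in self.used_counters:     # genuine one-time semantics
            return None
        self.used_counters.add(counter)
        sid = f"sess-{len(self.used_counters)}"
        self.sessions.add(sid)
        return sid

    def transfer(self, sid: Optional[str], amount: int) -> bool:
        # The session says nothing about who is driving it: bearer is owner.
        if sid not in self.sessions or amount > self.balance:
            return False
        self.balance -= amount
        return True


class Customer:
    """Types the password and the token's current code into whatever site asks."""

    def credentials(self, now: float) -> tuple:
        return PASSWORD, one_time_code(SHARED_SECRET, int(now // STEP))


def man_in_the_middle(bank: Bank, customer: Customer, now: float) -> dict:
    """Fake bank site captures the fresh credentials and relays them at once."""
    password, code = customer.credentials(now)   # victim submits to phishing page
    sid = bank.login(password, code, now)         # attacker forwards immediately
    fraud_ok = bank.transfer(sid, 500)
    # The captured code is spent: replaying it in the same window is refused,
    # which is exactly why the relay has to happen in real time.
    replay = bank.login(password, code, now)
    return {"relay_login": sid is not None, "fraud_ok": fraud_ok,
            "replay_login": replay is not None, "balance": bank.balance}


def trojan_piggyback(bank: Bank, customer: Customer, now: float) -> dict:
    """Customer logs in to the real site; malware on the PC rides the session."""
    password, code = customer.credentials(now)
    sid = bank.login(password, code, now)         # legitimate login by the victim
    fraud_ok = bank.transfer(sid, 500)            # Trojan reuses the session id
    return {"login_ok": sid is not None, "fraud_ok": fraud_ok,
            "balance": bank.balance}


if __name__ == "__main__":
    print(man_in_the_middle(Bank(), Customer(), 1_000_000.0))
    print(trojan_piggyback(Bank(), Customer(), 1_000_000.0))
```

Both functions drain 500 from a 1000 balance even though the one-time code is never guessed, cracked or reused. A defence has to bind the second factor to something the attacker cannot relay, such as the specific transaction being approved, rather than to the act of logging in.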
"Two-factor authentication is not useless. It works for local
log-in and it works with some corporate networks. But it will not
work for remote authentication over the internet," said
Schneier.
"I predict that banks and other financial institutions will spend
millions outfitting their users with two-factor authentication
tokens. Early adopters of this technology may well experience a
significant drop in fraud for a while as attackers move to easier
targets, but in the end there will be a negligible drop in fraud
and identity theft."