Watch out for the man in the browser
Gartner analyst Avivah Litan agrees that more has to be done beyond sign-on authentication, but she says that even the newer security methods have trouble easily addressing emerging problems like "man-in-the-browser" attacks.
In a man-in-the-browser attack, malicious code is placed on a user's computer to manipulate Web transactions in real time. As a user enters a URL for his bank or some other site, hijackers intervene and begin manipulating information. "To avoid browser takeover, you have to authenticate the user's machine and the bank's machine, not just the piece of software," she says.
Burns says that 2factor's SecureWeb system can only prevent browser takeover if the client configures it at start-up to invoke a secure browser that is preconfigured to disallow certain types of browser add-ons and extensions. However, "SecureWeb assumes the browser itself is not infected," he says. "And it does not do any type of spyware check on the browser itself, but rather assumes that the user has real-time antispyware, anti-adware and antivirus protection."
According to Litan, the best way for companies to combat this problem is to use a layered security approach that includes strong intrasession mutual authentication. She recommends fraud detection tools that "constantly monitor behavior and transactions beyond, and including, initial log-ins and application access."
Litan calls these tools "a practical way to validate customers and their behavior without imposing costly tokens or interfaces on them." With fraud detection, a background server process -- unseen by users -- monitors customers based on where they are and what types of transactions they are executing, according to Litan. The information is then compared with a profile of the user's expected behavior. If it's found to be out of range with what's expected, the transaction can be stopped and appropriate action taken.
"If the crook came in during the session, a company [using fraud detection] will be able to see unusual behavior such as large or frequent money transfers. When they see something anomalous, they need to go back to the user to make sure the transaction was the one the user wanted to execute," she says.
It's critical that this be done over "another channel," Litan says, explaining that the company should, for example, call the customer on the phone or have him come into a branch office in person to execute the transaction.
She says companies should base the decision about which channel to use on factors such as the value of the transaction or the degree of disparity between actual behavior and expected behavior. However, she warns companies not to use e-mail as alternate channel for verification. "E-mail's not a good solution, because if they can take over your browser, they can take over your e-mail account," she says.
These fraud detection services are similar to those used in the credit card industry. "Often using neural networks, the card fraud detection systems analyze the behavior of the card transactions and compare them to what's expected of the card holder and what constitutes normal behavior," she says.
These applications do not intrude on people's use of online systems unless their activity is suspect.
While these techniques could protect companies from fraudulent transactions, many organizations have been reluctant to use them because they could delay the completion of transactions. However, Litan says that's something consumers would get used to, like they have when using their credit cards. "On balance, consumers are going to like that banks are watching out for them, and they'll learn to work within the system," she says.
Sandra Gittlen is a freelance technology editor near Boston. A former events editor and writer at Network World, she developed and hosted the magazine's technology road shows. She is also the former managing editor of Network World's popular networking site, Fusion. She has won several industry awards for her reporting, including the American Society of Business Publication Editors' prestigious Gold Award. She can be reached at sgittlen@charter.net.