New attacks leave online transactions vulnerable even after sign-on authentication

Companies are trying to demonstrate that they're getting better at securing online transactions by adding multiple forms of authentication at sign-on, such as site keys. But experts say they could do 10 types of authentication at the start of the session and users would still be subject to attacks.

"Once that user is authenticated, they think they're OK. But instead companies have given them a false sense of security to merrily transact business," says David Burns, CEO of 2factor Inc. in Maumee, Ohio.

Burns, who leads one of several start-ups that are trying to tackle this problem, says the real threat for online transactions these days comes from intrasession attacks, where a secure session is hijacked without the user's knowledge. These usually occur in two ways -- during a piggyback attack or a spoof server attack.

According to security expert Joel Snyder, a senior partner at Opus One in Arizona, a piggyback attack is one where a hacker "attacks by trying to use someone else's credentials" via malicious code. The hacker targets the user when the user visits an infected public Web page or reads an infected blog, downloading JavaScript to the user's computer that sends the hacker his cookies. Then, during a "live" session with a bank or other Web site, the hacker can access the cookies and use them to transfer money or change the user's password before the session ends.

In a spoof server attack, the hacker pretends to be someone the user trusts, such as his bank, and gets him to visit the spoof site instead of the real site via an e-mail message, a link on a Web site or some other method. "Then the hacker puts up the screen where you log in and he grabs the user name and password," Snyder says. The fake log-in process appears legitimate to the user, who then gets a site error message or is handed off to the real site via a proxy connection. Once the hacker has the log-in information, he can transfer funds or alter the user's account settings. "Both have complexities that make them difficult to carry out ... but they are not uncommon," Snyder says.

Burns says one problem that makes users vulnerable to these attacks is that many transactions go through multiple hops across multiple networks. Users might log onto one system but carry out transactions with another. For example, a health care company could be dependent upon a third party to fill prescriptions online, and users would never know. He says this leaves them incredibly vulnerable.

"The user needs to know that from the front end to the back end, every part of that transaction is secure -- no matter how many hops or how many business partners are included," he says.

Burns says 2factor achieves this level of security by guarding every transaction between the client and the browser using SecureWeb, which uses the company's Real Privacy Management technology to continuously and mutually authenticate and encrypt transactions. "Every time a transaction occurs, an encryption key is exchanged between the browser and the server -- that way no one can hijack the session," he says.

Page Break

Watch out for the man in the browser

Gartner analyst Avivah Litan agrees that more has to be done beyond sign-on authentication, but she says that even the newer security methods have trouble easily addressing emerging problems like "man-in-the-browser" attacks.

In a man-in-the-browser attack, malicious code is placed on a user's computer to manipulate Web transactions in real time. As a user enters a URL for his bank or some other site, hijackers intervene and begin manipulating information. "To avoid browser takeover, you have to authenticate the user's machine and the bank's machine, not just the piece of software," she says.

Burns says that 2factor's SecureWeb system can only prevent browser takeover if the client configures it at start-up to invoke a secure browser that is preconfigured to disallow certain types of browser add-ons and extensions. However, "SecureWeb assumes the browser itself is not infected," he says. "And it does not do any type of spyware check on the browser itself, but rather assumes that the user has real-time antispyware, anti-adware and antivirus protection."

According to Litan, the best way for companies to combat this problem is to use a layered security approach that includes strong intrasession mutual authentication. She recommends fraud detection tools that "constantly monitor behavior and transactions beyond, and including, initial log-ins and application access."

Litan calls these tools "a practical way to validate customers and their behavior without imposing costly tokens or interfaces on them." With fraud detection, a background server process -- unseen by users -- monitors customers based on where they are and what types of transactions they are executing, according to Litan. The information is then compared with a profile of the user's expected behavior. If it's found to be out of range with what's expected, the transaction can be stopped and appropriate action taken.

"If the crook came in during the session, a company [using fraud detection] will be able to see unusual behavior such as large or frequent money transfers. When they see something anomalous, they need to go back to the user to make sure the transaction was the one the user wanted to execute," she says.

It's critical that this be done over "another channel," Litan says, explaining that the company should, for example, call the customer on the phone or have him come into a branch office in person to execute the transaction.

She says companies should base the decision about which channel to use on factors such as the value of the transaction or the degree of disparity between actual behavior and expected behavior. However, she warns companies not to use e-mail as alternate channel for verification. "E-mail's not a good solution, because if they can take over your browser, they can take over your e-mail account," she says.

These fraud detection services are similar to those used in the credit card industry. "Often using neural networks, the card fraud detection systems analyze the behavior of the card transactions and compare them to what's expected of the card holder and what constitutes normal behavior," she says.

These applications do not intrude on people's use of online systems unless their activity is suspect.

While these techniques could protect companies from fraudulent transactions, many organizations have been reluctant to use them because they could delay the completion of transactions. However, Litan says that's something consumers would get used to, like they have when using their credit cards. "On balance, consumers are going to like that banks are watching out for them, and they'll learn to work within the system," she says.

Sandra Gittlen is a freelance technology editor near Boston. A former events editor and writer at Network World, she developed and hosted the magazine's technology road shows. She is also the former managing editor of Network World's popular networking site, Fusion. She has won several industry awards for her reporting, including the American Society of Business Publication Editors' prestigious Gold Award. She can be reached at sgittlen@charter.net.