Dual-Factor Authentication, Even With Tokens and Eye Scans, Not Cure-All for Cyber Crime
Safety is most often a state of mind. If we think we're safe, then certainly we must be safe, regardless of the danger lurking within the next iceberg. Who can blame us? With phishing, pharming and virus attacks working on our psyches like water rising in the Titanic's engine room, we want to believe that something, anything, can protect us once and for all. Lawmakers and regulators have heard the public's cry for safety and they are gathered in capitols across the country to deliver us from evil by requiring credit unions to utilize dual authentication. Legitimate consumers will get physical tokens and passwords to guarantee their identities to every legitimate financial institution. And we will be safe, safe, safe, for no one can fake a random number or a fingerprint or a retinal scan! Or can they?

Hollywood has sold millions of movie tickets demonstrating that all of these mechanisms can be duped. Mission Impossible? Not really. Let me explain why: What passes over the Internet and is stored on Web database servers is never the actual random number, fingerprint or scan. It's data, which can be intercepted, manipulated, and replaced. No matter that the data started out authentically, it's vulnerable to misuse in far too many ways. Let's review the key points of vulnerability:

Surrendering the Prize: In spite of Herculean efforts to educate members, an astounding number continue to respond to phishing scams. All the protection in the world can't completely prevent the simple act of consumers handing over the account numbers, passwords and other personal information needed to defraud them.

Data Entry: Yes, the number is random and your password unique, but once entered, even a medium-level hacker can easily "piggy-back" your online session and have a field day in your name. This is often accomplished with code installed on your computer that hides its malicious activity even while it's happening. Hopefully, someone will discover that you really didn't buy two plane tickets to Bulgaria!

Re-Directing Traffic: Few hackers sit on data lines waiting to pounce on financial transactions. They're smarter than that. They prefer to redirect traffic from legitimate financial sites to their own illegal sites that look and feel like the original. This is called "pharming" and it can be remarkably effective at capturing authentic information for illegitimate purposes.

The Site: Your institution's Web site offers its own opportunities for worms and Trojans to redirect personal data to another site. Your Web developer may have dishonest motives, or more often, he or she may just be sloppy about updating the forms and other code that delivers Web site functionality. Sometimes, the Web hosting service is the culprit. The recent iframeDOLLARS.biz and bestcounter.biz exploits actually paid Webmasters to insert malicious code onto visiting PCs. We're talking back doors, spyware and adware, among other exploits. At six cents per visitor, thousands of Web sites were compromised!

Storage: Most losses of personal data held at financial institutions' Web sites were the result of improper storage. Verifying procedures and conducting periodic checks are the latest critical paths for keepers of credit union Web site databases. If non-credit union keepers of personal financial data could be held to the same high standards, our members might stand a chance!

As you can see, dual-factor authentication is not the reinforced hull that would have saved the great Titanic from tragedy back in 1912. Rather, dual-factor authentication represents a few extra lifeboats that would have helped more of the 2,200 passengers survive the boat's demise. While mandating dual-factor authentication will help and even make us feel safer, it won't make the Titanic an "unsinkable ship."
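The column's central point is that a token's "random number" becomes ordinary data once it leaves the device, and data that is intercepted can be presented again. The following is an added illustration, not code from the column or from any credit union system, of what a server can still do about that: treat each one-time code as single-use, bind it to the session that requested it, expire it quickly, and cap guesses. The class, its method names and the 60-second lifetime are assumptions chosen for the example; the scenario in demo() is constructed.

```python
import hmac
import secrets
import time

# Constructed example: server-side verification of one-time codes.
# Even a correctly captured code is refused if it is replayed, presented
# from a different session, expired, or arrives after too many guesses.

CODE_TTL_SECONDS = 60      # assumed lifetime of an issued code
MAX_ATTEMPTS = 5           # assumed guess budget per issued code


class OneTimeCodeVerifier:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing
        self._issued = {}               # code_id -> (code, session_id, expires_at)
        self._used = set()              # code_ids that may never succeed again
        self._attempts = {}             # code_id -> number of verify() calls

    def issue(self, session_id):
        """Generate a six-digit code bound to the requesting session."""
        code = f"{secrets.randbelow(10**6):06d}"
        code_id = secrets.token_hex(8)
        self._issued[code_id] = (code, session_id, self._now() + CODE_TTL_SECONDS)
        self._attempts[code_id] = 0
        return code_id, code

    def verify(self, code_id, code, session_id):
        """Return a short outcome string; only 'ok' authenticates the user."""
        record = self._issued.get(code_id)
        if record is None:
            return "unknown"
        expected, bound_session, expires_at = record
        if self._now() > expires_at:
            return "expired"
        if code_id in self._used:
            return "replayed"
        self._attempts[code_id] += 1
        if self._attempts[code_id] > MAX_ATTEMPTS:
            return "locked"
        # Constant-time comparison so timing does not leak matching digits.
        if not hmac.compare_digest(expected, code):
            return "mismatch"
        if session_id != bound_session:
            # A correct code arriving from another session means the code has
            # leaked: burn it so the legitimate session cannot be hijacked.
            self._used.add(code_id)
            return "wrong_session"
        self._used.add(code_id)
        return "ok"


def demo():
    """Walk through the failure modes with a controllable clock."""
    clock = [1000.0]
    verifier = OneTimeCodeVerifier(now=lambda: clock[0])
    results = []

    # Code captured in transit and presented from an attacker's session.
    code_id, code = verifier.issue("sess-A")
    results.append(verifier.verify(code_id, code, "sess-B"))   # wrong_session
    results.append(verifier.verify(code_id, code, "sess-A"))   # replayed (burned)

    # Normal use, then a replay of the same code.
    code_id, code = verifier.issue("sess-A")
    results.append(verifier.verify(code_id, code, "sess-A"))   # ok
    results.append(verifier.verify(code_id, code, "sess-A"))   # replayed

    # Code presented after its lifetime has passed.
    code_id, code = verifier.issue("sess-A")
    clock[0] += CODE_TTL_SECONDS + 1
    results.append(verifier.verify(code_id, code, "sess-A"))   # expired

    # Guess budget exhausted before the right code is supplied.
    code_id, code = verifier.issue("sess-A")
    wrong = "999999" if code != "999999" else "000000"
    for _ in range(MAX_ATTEMPTS):
        verifier.verify(code_id, wrong, "sess-A")              # mismatch
    results.append(verifier.verify(code_id, code, "sess-A"))   # locked
    return results


if __name__ == "__main__":
    print(demo())
```

None of these checks stop a member from typing the code into a pharming site, which is the column's point; they only ensure that a code captured that way is worth exactly one use, for a short time, from one session.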
The best ways to protect your members' assets and trust continue to be vigilance, attention to detail, and relentless pursuit of potential breaches. In our experience protecting credit unions from Internet-based fraud, the members themselves are your best early warning system. A recent phishing exploit at one institution was shut down a few hours after members alerted staff to irregularities on the Web site. The few hours could have been reduced still further had the institution paid closer attention to its members' alerts!