Two days ago, SecuriTeam, a well-respected security group out of Israel, published a blog post that gives a step-by-step analysis of how multi-factor authentication can be thwarted. They referenced this link out of Spain. If you click on the link, it shows exactly how the keyboard-less entry of the bank PIN is captured.
Now think for a moment about your enterprise's internal security. As people like myself recommend, your enterprise should be using stronger and stronger authentication for higher-risk networks, applications and information. But what happens when a targeted phishing attack ("spear phishing") hits your enterprise? The authentication mechanism can likely be captured.
This is why I also strongly recommend that, for your enterprise crown jewels, you also deploy transaction authentication. Even if the user authenticates successfully, the IP address, the computer hardware used, the time of day, user profile information, etc. are all used to validate the authenticity of the user. This is the final line of defense.
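As an added illustration (not from the original post), here is a small risk-scoring check of the kind described above: after a successful login, each transaction is compared against the user's known IP addresses, device, usual hours and amounts, and deviations trigger step-up verification or a hold. The weights, thresholds and the sample user profile are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class UserProfile:
    """Established behaviour for one user (constructed sample data)."""
    known_ips: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    active_hours: range = range(7, 20)   # hours of day the user normally transacts
    max_amount: float = 5000.0           # largest amount seen in normal use

# Assumed weights and thresholds; a real deployment tunes these to its own data.
RISK_WEIGHTS = {"ip": 2, "device": 3, "time": 1, "amount": 2}
STEP_UP_THRESHOLD = 3   # re-verify out of band (e.g. a call-back) at or above this
BLOCK_THRESHOLD = 6     # hold the transaction for review at or above this

def score_transaction(profile, ip, device_id, hour, amount):
    """Return (score, signals): which profile attributes the request deviates from."""
    signals = []
    if ip not in profile.known_ips:
        signals.append("ip")            # source address never seen for this user
    if device_id not in profile.known_devices:
        signals.append("device")        # hardware fingerprint never seen for this user
    if hour not in profile.active_hours:
        signals.append("time")          # outside the user's normal working hours
    if amount > profile.max_amount:
        signals.append("amount")        # larger than anything in the user's history
    return sum(RISK_WEIGHTS[s] for s in signals), signals

def decide(score):
    """Map a risk score to an action; valid credentials alone never decide."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"

# Constructed sample: a user who normally transacts from one IP and one laptop.
ALICE = UserProfile(known_ips={"203.0.113.10"}, known_devices={"laptop-7f3a"})

if __name__ == "__main__":
    # Legitimate session: credentials valid and everything matches the profile.
    score, why = score_transaction(ALICE, "203.0.113.10", "laptop-7f3a", 10, 120.0)
    print(decide(score), why)
    # Same valid credentials replayed from a new IP and new device at 03:00.
    score, why = score_transaction(ALICE, "198.51.100.77", "unknown-box", 3, 120.0)
    print(decide(score), why)
```

The second case is the point of the post: the credentials and one-time code were captured and are valid, so only the transaction context, not the login, separates the user from the phisher.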
There is no silver bullet in security. No magic technology is going to make you safe. Implement layers of security to mitigate your enterprise risk.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
