This page contains a single entry from the blog posted on November 29, 2006 8:35 AM.

Why strong authentication alone isn't enough

Two days ago, Bruce Schneier, the industry security guru, wrote a blog post titled "Fighting Fraudulent Transactions". In it he repeats that banks adopting stronger authentication won't stop attacks. He points to the rise in man-in-the-middle and Trojan attacks, and then to a good CSO story, "Success Factors", on using transaction authentication as part of a strong authentication program.

The point of this post is that your enterprise should be thinking the same way, even though it isn't a financial institution. Why?

Let's say that, after all the press about passwords being insecure and dead, you have invested heavily in SecurID tokens, smartcards and biometrics. Now you're feeling really secure...right? Wrong.

Let's say that organized crime targets your enterprise. They quickly insert a Trojan behind your firewall (this isn't hard to do; read my posts on spear phishing and on the state of anti-malware protection).

The Trojan is smart, just like the ones used to phish the banks. It waits until you've logged on with your biometric, smartcard and/or SecurID token. The strong authentication has done its job at the front door, but the Trojan now sits inside the authenticated session and takes over your access to your most sensitive applications, databases or whatever. The criminals can then extract information, change settings, or alter transactions to make money from you or sell the information to others.

How hard is this for the criminals? They have to do some research on your enterprise. The rest is adjusting existing Trojan code to suit your enterprise's strong authentication and then getting the Trojan onto machines inside your enterprise.

Bottom line: Don't rely on one technology or vendor to protect your enterprise. The firewall, AV, IPS and IDS solutions are only the first layer. Reduced or single sign-on systems that demand stronger authentication as the risk rises are only another layer. Use transaction authentication as yet another layer protecting the enterprise crown jewels: the user confirms the details of each sensitive action (the payee, the amount, the setting being changed) on a device or channel the Trojan can't tamper with, so approval is bound to what the user actually saw rather than to the login session.

If you don't, you may end up like the bank customer who watches their account emptied after logging in with two-factor authentication.
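The scenario above, as an added example that is not part of the original post: a session-hijacking Trojan rewrites a transfer after the user has logged in, and the same transfer is then checked with transaction authentication, where a separate signing device computes an approval code over the transaction details the user confirmed. The class names (SigningDevice, Server, trojan_rewrite), the HMAC-based approval code and the single-use challenge format are assumptions chosen for illustration, not any vendor's protocol.

```python
import hashlib
import hmac
import secrets

# Constructed example (not from the original post). SigningDevice, Server and
# trojan_rewrite, the HMAC-SHA256 approval code and the challenge format are
# assumptions for illustration, not any product's protocol.


def canonical(tx: dict) -> bytes:
    """Fixed-order encoding of the fields the user must confirm."""
    return f"{tx['from']}|{tx['to']}|{tx['amount']}".encode()


class SigningDevice:
    """Stands in for a token or phone app that holds a key the Trojan cannot read.
    The device shows the transaction to the user, who confirms it before signing."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, tx: dict, challenge: str) -> str:
        msg = canonical(tx) + b"|" + challenge.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:8]


class Server:
    def __init__(self):
        self.user_keys = {}     # user -> device key shared at enrollment
        self.sessions = {}      # session token -> user
        self.challenges = {}    # challenge -> user, single use
        self.ledger = []

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self.user_keys[user] = key
        return key

    def login(self, user: str) -> str:
        # Strong front-door authentication is assumed to have succeeded here.
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user
        return token

    def _session_user(self, token: str, tx: dict):
        user = self.sessions.get(token)
        if user is None or tx["from"] != user:
            return None
        return user

    def transfer_session_only(self, token: str, tx: dict) -> bool:
        """Authorization rests on the login session alone."""
        if self._session_user(token, tx) is None:
            return False
        self.ledger.append(tx)
        return True

    def new_challenge(self, token: str) -> str:
        challenge = secrets.token_hex(8)
        self.challenges[challenge] = self.sessions[token]
        return challenge

    def transfer_with_tx_auth(self, token: str, tx: dict, challenge: str, code: str) -> bool:
        """Authorization requires a code bound to the submitted details and a fresh challenge."""
        user = self._session_user(token, tx)
        # pop() consumes the challenge whether or not the code verifies, so a
        # failed or replayed attempt cannot reuse it
        if user is None or self.challenges.pop(challenge, None) != user:
            return False
        msg = canonical(tx) + b"|" + challenge.encode()
        expected = hmac.new(self.user_keys[user], msg, hashlib.sha256).hexdigest()[:8]
        if not hmac.compare_digest(expected, code):
            return False
        self.ledger.append(tx)
        return True


def trojan_rewrite(tx: dict) -> dict:
    """Post-login tampering: keep the session, change the payee and the amount."""
    return {**tx, "to": "mule-account", "amount": 9500}


def run_scenarios():
    server = Server()
    device = SigningDevice(server.enroll("alice"))
    token = server.login("alice")    # biometric/smartcard/token login already done
    intended = {"from": "alice", "to": "utility-co", "amount": 120}
    hijacked = trojan_rewrite(intended)

    # 1. Session-only authorization: the tampered transfer goes through.
    session_only_accepts_tamper = server.transfer_session_only(token, hijacked)

    # 2. Transaction authentication: the user signs what the device shows (intended);
    #    the Trojan submits the tampered transfer with that code and is rejected.
    challenge = server.new_challenge(token)
    code = device.sign(intended, challenge)
    tamper_rejected = not server.transfer_with_tx_auth(token, hijacked, challenge, code)

    # 3. The genuine transfer with a fresh challenge is accepted; replaying the
    #    same challenge and code afterwards is refused.
    challenge2 = server.new_challenge(token)
    code2 = device.sign(intended, challenge2)
    genuine_accepted = server.transfer_with_tx_auth(token, intended, challenge2, code2)
    replay_accepted = server.transfer_with_tx_auth(token, intended, challenge2, code2)
    return session_only_accepts_tamper, tamper_rejected, genuine_accepted, replay_accepted


if __name__ == "__main__":
    print(run_scenarios())
```

The example only holds if the device really displays the payee and amount and the user reads them before confirming; a code that is bound to nothing but the session (or that the user approves without seeing the details) gives the Trojan the same free hand as the session alone.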

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
