Two days ago, Bruce Schneier, the industry security guru, wrote a blog post titled "Fighting Fraudulent Transactions". In it he again repeats that banks adopting stronger authentication won't stop attacks. He points out the rise in man-in-the-middle and Trojan attacks, and then points to a good CSO story, "Success Factors", that outlines the use of transaction authentication as part of a strong authentication program.
The point of this post is that your enterprise should be thinking the same way, even though you're not a financial institution. Why?
Let's say that, due to all the press about passwords being insecure and dead, you have invested heavily in SecurID tokens, smartcards and biometrics. Now you're feeling really secure... right? Wrong.
Let's say that organized crime targets your enterprise. They quickly manage to insert a Trojan malware program behind your firewall (this isn't hard to do; read my posts on spear phishing and the others on the state of anti-malware protection).
The Trojan is smart, just like the ones used to phish the banks. It waits until you've logged on using your biometric, smartcard and/or SecurID token. Then the Trojan takes over your already authenticated access to your most sensitive applications, databases or whatever. The criminals can then extract information, change settings or do whatever else is needed to make money from you, or sell the information to others.
How hard is this for the criminals to do? They have to do some research on your enterprise. The rest is simply adjusting existing Trojan code to suit your enterprise's strong authentication and then planting the Trojan malware inside your enterprise.
Bottom line: don't rely on one technology or vendor to protect your enterprise. Firewalls, AV, IPS and IDS are only the first layer. Reduced or single sign-on systems that require stronger authentication as the risk rises are only another layer. Use transaction authentication as yet another layer protecting the enterprise crown jewels.
If you don't, you may end up like the bank customer who watches their account being emptied right after using two-factor authentication.
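To make the "another layer" concrete, here is an added example (not from the original post or from Schneier's or CSO's material) of transaction authentication: the approval code is bound to the transaction's own fields and a one-time server challenge, so a Trojan riding an already authenticated session can neither alter nor replay a transaction. The key provisioning, field names and nonce scheme are assumptions for illustration only.

```python
# Added example (not from the original post): transaction authentication as a
# layer above login. The code is an HMAC over the transaction fields plus a
# one-time server challenge, computed on a separate device the Trojan cannot
# reach. Key provisioning, field names and nonce scheme are assumptions.
import hmac, hashlib, json, secrets

def canonical(nonce, tx):
    # Stable byte encoding so device and server MAC exactly the same fields.
    return json.dumps({"nonce": nonce, "tx": tx}, sort_keys=True,
                      separators=(",", ":")).encode()

def transaction_code(key, nonce, tx):
    # Computed by the user's signing device after reviewing amount and destination.
    return hmac.new(key, canonical(nonce, tx), hashlib.sha256).hexdigest()

class TransactionServer:
    def __init__(self, user_keys):
        self.user_keys = user_keys   # {user: key shared with that user's device}
        self.live = {}               # {user: set of unconsumed challenge nonces}

    def issue_challenge(self, user):
        nonce = secrets.token_hex(8)
        self.live.setdefault(user, set()).add(nonce)
        return nonce

    def verify(self, user, nonce, tx, code):
        # True only for an unmodified, unreplayed transaction the device signed.
        if nonce not in self.live.get(user, set()):
            return False             # unknown or already-consumed challenge
        expected = transaction_code(self.user_keys[user], nonce, tx)
        if not hmac.compare_digest(expected, code):
            return False             # fields differ from what the user approved
        self.live[user].discard(nonce)   # each code authorises one transaction
        return True

def demo():
    key = secrets.token_bytes(32)
    server = TransactionServer({"alice": key})
    tx = {"amount": "250.00", "to": "ACCT-CONSTRUCTED-001"}   # constructed sample
    results = {}
    nonce = server.issue_challenge("alice")
    code = transaction_code(key, nonce, tx)              # user approves on device
    results["legit"] = server.verify("alice", nonce, tx, code)
    # Trojan in the logged-in session rewrites the destination after signing.
    nonce2 = server.issue_challenge("alice")
    code2 = transaction_code(key, nonce2, tx)
    tampered = dict(tx, to="ACCT-CONSTRUCTED-MULE")
    results["tampered"] = server.verify("alice", nonce2, tampered, code2)
    # Replaying the first code against its consumed challenge is rejected.
    results["replay"] = server.verify("alice", nonce, tx, code)
    return results
```

The session-level compromise the post describes still lets the Trojan submit requests, but without the device-held key it cannot produce a valid code for a transaction the user did not approve on the device's own display.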