June 28, 2012, 2:15 PM

Does two-factor authentication need to be fixed? Tough criticisms heard this week from researchers about the effectiveness of two-factor authentication, especially as it's used in its token form for one-time passwords and smartcards, suggest advances need to be made to restore its luster as a security protection.
Two-factor authentication sounded tarnished enough in the report "Dissecting Operation High Roller" from McAfee and Guardian Analytics, which describes how an international crime gang has been targeting the bank accounts of businesses and individuals to try to steal millions through unauthorized, fraudulent funds transfers, using an automated process tied to remote servers elsewhere. Not only did two-factor authentication tokens for accessing bank accounts fail to stop the crooks, who had subverted the victims' computers with malware, but the users' commandeered authentication process was actually integrated into the automated flow of criminal processing.
"I'd never seen it anywhere else," says Dave Marcus, director of advanced research and threat intelligence at McAfee, who co-authored the report with threat researcher Ryan Sherstobitoff at Guardian Analytics. The report covers the discoveries the two security firms made as part of the forensics and investigation into a cybercrime spree that appears to have started last winter, when European banks and their customers, primarily, were hit.
The fraudsters in this case designed their account takeover process for optimum exploitation of two-factor information. "They developed a fraud technology that relies on two-factor — it requires the two-factor authentication," Marcus says.
The automated system the crooks came up with takes the credentials of the person logging into the compromised machine and embeds the chip-and-PIN information into the automated hacking process to carry out fraudulent funds transfers. "The collection of the token information is part of the fraud process, it's integrated into it," Marcus says.