That's why McAfee and Guardian Analytics made the strong statement they did in their report this week, saying, "The defeat of the two-factor authentication that uses physical devices is a significant breakthrough for fraudsters. Financial institutions must take this innovation seriously, especially considering the technique used can be expanded for other forms of physical security devices."
Marcus is careful to say he's not advising anyone to stop using two-factor authentication or that it's somehow intrinsically broken. "Chip and pin is a solid defense," he says. But he adds that the European crime spree suggests there needs to be some kind of design improvement in two-factor to outwit such wily cybercrime.
Steve Hope, technical director at Winfrasoft, based in the United Kingdom, which has come up with its own two-factor authentication method called PINgrid, agrees it's time for innovative approaches. Although the firm does not yet see its enterprise customers doing so, it's possible to propose new approaches to two-factor authentication that address the issues raised.
"Today, two-factor authentication has nothing to do with the transaction," Hope points out; the underlying problem, he says, may be that it is not directly tied into validation of the transaction and the account code. The two processes are separate today, but it should be possible to unite them to ward off sophisticated attacks. But he adds: "Malware has the power, at the moment."
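The gap Hope describes can be shown in a few lines. The example below is added here and is not code from Winfrasoft, PINgrid or any product named in the article: it implements a standard event-based one-time code (RFC 4226 HOTP, which depends only on the token seed and a counter) next to an assumed transaction-bound design in which the code is an HMAC over the counter and the transfer details the user confirms on the device. A simulated man-in-the-browser that rewrites the destination account and amount after the user has approved the transfer is then checked against both bank-side validators. The seed, account numbers and amounts are constructed sample values, and `tx_bound_code` is an illustrative design, not a published standard.

```python
import hashlib
import hmac
import struct

# Constructed demo seed. A real token seed is provisioned per device and never hard-coded.
TOKEN_SEED = b"constructed-demo-seed-0123456789"


def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes at an offset given by the low nibble
    of the last byte, mask to 31 bits, and keep the low `digits` decimal digits."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(seed: bytes, counter: int) -> str:
    """Event-based OTP as in RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter.
    The code carries no information about which transaction the user meant to approve."""
    return _truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest())


def canonical_tx(tx: dict) -> bytes:
    """Canonical encoding of the details the user sees and confirms on the device."""
    return f"{tx['dest_account']}|{tx['amount_cents']}|{tx['currency']}".encode()


def tx_bound_code(seed: bytes, counter: int, tx: dict) -> str:
    """Assumed transaction-bound design (illustrative, not a standard): HMAC-SHA256 over
    counter || transaction, so the code is valid only for exactly this transfer."""
    msg = struct.pack(">Q", counter) + canonical_tx(tx)
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


def bank_verify_plain(code: str, counter: int) -> bool:
    """Bank-side check for a plain OTP: the transaction content is never consulted."""
    return hmac.compare_digest(code, hotp(TOKEN_SEED, counter))


def bank_verify_bound(code: str, counter: int, tx_as_received: dict) -> bool:
    """Bank-side check for a bound code: recomputed over the transaction the bank
    actually received, so any tampering in transit changes the expected value."""
    return hmac.compare_digest(code, tx_bound_code(TOKEN_SEED, counter, tx_as_received))


def simulate_mitb(counter: int = 7) -> dict:
    """Constructed scenario: the user approves `intended`; malware in the browser
    replaces it with `tampered` before it reaches the bank."""
    intended = {"dest_account": "GB00DEMO11112222", "amount_cents": 12_500, "currency": "EUR"}
    tampered = {"dest_account": "GB00DEMO99998888", "amount_cents": 4_900_000, "currency": "EUR"}

    user_plain_code = hotp(TOKEN_SEED, counter)                     # what the user typed
    user_bound_code = tx_bound_code(TOKEN_SEED, counter, intended)  # computed from the confirmed transfer

    return {
        "plain_accepts_tampered": bank_verify_plain(user_plain_code, counter),
        "bound_accepts_tampered": bank_verify_bound(user_bound_code, counter, tampered),
        "bound_accepts_intended": bank_verify_bound(user_bound_code, counter, intended),
    }


if __name__ == "__main__":
    for name, result in simulate_mitb().items():
        print(f"{name}: {result}")
```

The plain OTP validates the altered transfer because nothing in it refers to the transfer; the bound code fails because the bank recomputes it over the account and amount it received, which no longer match what the user confirmed. The design only helps if the device shows the user the same details that go into the HMAC, which is the "what you see is what you sign" requirement this kind of scheme rests on.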
Did "Team Prosecco" score a goal against two-factor authentication?
Another debate over two-factor authentication was stirred up when cryptographic researchers based in France at the National Institute of Research in Computer Science (INRIA) issued a highly technical paper claiming they've found practical means to speed up attacks on token devices. The paper in which they describe this carries the geeky title "Efficient Padding Oracle Attacks on Cryptographic Hardware."
Calling themselves "Team Prosecco," the group intends to discuss their findings more at the upcoming CRYPTO conference. In saying they could extract encryption keys from tokens such as those from Aladdin, Gemalto, RSA SecurID, Safenet and Siemens, the researchers stirred up a hornet's nest of response in some quarters.
RSA, the security division of EMC, ardently rebutted Team Prosecco's findings about the SecurID token, for which Team Prosecco said it had narrowed the attack time to 13 minutes. Tokens from other manufacturers were also called vulnerable to attack by Team Prosecco, but attack times were said to be longer, ranging from 21 minutes to 92 minutes.