European Banks: 29 American Banks: Zero
Bottom line? Online banking MUST be done "outside" the browser space. We've seen the ZeuS, Clampi, URLZone and BlackEnergy2 banking trojans; we've seen lawsuits filed by customers against banks accusing them of lax authentication procedures; we've seen keylogging, man-in-the-middle and man-in-the-browser attacks; we've seen billions of phishing attempts; we've seen the head of the FBI swear off online banking; we've been told we need a "dedicated" machine for online banking; we've seen Avivah Litan state that nothing in the browser can be trusted. I can go on and on... and I will, because...
OTPs (One Time Passwords) will be circumvented by MITB (man-in-the-browser) attacks and real-time keylogging.
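Why a login-time OTP does not help once a trojan sits inside the browser, as an added simulation (not code from the PIN Debit blog, from any bank or from any of the trojan families named above). The seed, the payees, the amounts and the trojan's behaviour are all constructed here; a bank that only checks the OTP accepts the swapped transfer, while a code computed over the payee and amount by an external device does not:

```python
"""Session OTP vs. transaction-bound code against a man-in-the-browser trojan.

Added illustration, not code from the PIN Debit blog or any bank. The seed,
payees, amounts and the trojan's behaviour are all constructed here.
"""
import hashlib
import hmac

SEED = b"constructed-shared-seed"  # assumption: secret shared by bank and OTP token


def login_otp(seed: bytes, counter: int) -> str:
    """HOTP-style 6-digit code over an event/time counter (RFC 4226 truncation).

    The code depends only on the seed and the counter, never on what the user
    is about to do, which is exactly what a MITB trojan exploits.
    """
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 1_000_000:06d}"


def transaction_code(seed: bytes, payee: str, amount_cents: int) -> str:
    """Code computed by an external device over the payee and amount it shows
    on its own display, so it only authorises that one transaction."""
    msg = f"{payee}|{amount_cents}".encode()
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def browser_form(payee: str, amount_cents: int, code: str) -> dict:
    """What the customer believes is being submitted."""
    return {"payee": payee, "amount": amount_cents, "code": code}


def mitb_rewrite(form: dict, mule_payee: str, mule_amount: int) -> dict:
    """The trojan hooks the submit inside the browser, after the user typed
    the code, and swaps payee and amount. The page the user sees is unchanged."""
    tampered = dict(form)
    tampered["payee"] = mule_payee
    tampered["amount"] = mule_amount
    return tampered


def bank_accepts_with_login_otp(form: dict, counter: int) -> bool:
    """Bank that only checks the OTP: nothing ties the code to the payee."""
    return hmac.compare_digest(form["code"], login_otp(SEED, counter))


def bank_accepts_with_tx_signing(form: dict) -> bool:
    """Bank recomputes the code over the payee/amount it actually received."""
    expected = transaction_code(SEED, form["payee"], form["amount"])
    return hmac.compare_digest(form["code"], expected)


def demo() -> tuple:
    """Returns (otp_bank_accepted_tampered, signing_bank_accepted_tampered)."""
    counter = 42
    # 1. Login-time OTP: the code is valid, so the swapped transfer goes through.
    honest = browser_form("ACME Utilities", 12_500, login_otp(SEED, counter))
    tampered = mitb_rewrite(honest, "MULE-9981", 980_000)
    otp_result = bank_accepts_with_login_otp(tampered, counter)

    # 2. Transaction signing: the user's device signed "ACME Utilities|12500";
    #    the bank received "MULE-9981|980000", so the code no longer matches.
    honest2 = browser_form("ACME Utilities", 12_500,
                           transaction_code(SEED, "ACME Utilities", 12_500))
    tampered2 = mitb_rewrite(honest2, "MULE-9981", 980_000)
    signing_result = bank_accepts_with_tx_signing(tampered2)
    return otp_result, signing_result


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second half only works because the payee and amount reach the signing device by a path the browser cannot rewrite (the device's own display and keypad, or an out-of-band channel). A reader that merely supplies card-and-PIN at login, with no view of the transaction, is back in case 1: the trojan waits for the session to be authenticated and then changes what is sent.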
Either I don't get it or the banks don't. I'm confident enough to say that if you were to go back through the PIN Debit blog over the past 18 months or so and look at everything I've posted regarding online banking, you will see that I'm not the one who doesn't get it. (type "online banking security" into the custom search box for proof)
I'm not Nostradamus, but I can tell you this. Banks would "prophet" from the eradication of all the problems associated with Typing vs. Swiping.
When Kaspersky Labs calls for the mass adoption of peripheral card readers and suggests that banks could be big drivers of this type of hardware, then banks might want to pay more attention. On the horizon is a new dilemma for online banking security.
Avivah Litan, distinguished analyst at Gartner Research, points out that banks rely on "flash cookies" to identify legitimate users, and that's about to change. Again... why not use a common-sense approach to authenticating legitimate users? Take your bank-issued card out of your purse or wallet, swipe it through a PCI-certified PIN Entry Device designed for online commerce and securely enter your PIN. What you have (the card) and what you know (the PIN) are entered into what the bank owns (the peripheral PED card reader), so the PIN is captured and encrypted in the device rather than typed into the browser where a keylogger or MITB trojan can read it.
Adobe Flash Player Private Browsing May Force Change in Fraud Fight
A report from Gartner highlights how the reliance on Flash cookies as an authentication mechanism by online banks may need to change with the release of Adobe Flash Player 10.1. Flash Player's "Private Browsing" feature will make it easier to clear Flash cookies, and e-commerce businesses will need to adjust, some say.
Banks should be big drivers of this kind of hardware. First they need to admit that they're in a losing battle with hackers and must stop with the band-aid responses to the real threats they face.
Flash cookies, also known as LSO (local shared objects), are used by many banks and e-commerce sites to identify legitimate users and block unauthorized or fraudulent access. In a report entitled, "Privacy Collides With Fraud Detection and Crumbles Flash Cookies," Gartner analyst Avivah Litan writes that the practice of using HTTP browser cookies for authentication gained steam roughly three years ago due to guidelines imposed by the Federal Financial Institutions Examination Council.
“Most banks responded by implementing stronger authentication that depended in large part on knowing that their online banking customer was logging in from a known PC,” Litan wrote.
“Upon entering a user ID to log into an online banking session, the bank Web server would check for the presence of this cookie…If the bank software could not find the cookie – for example because the user was logging in from a different PC – then the bank software would generally challenge the user with a series of questions that only the legitimate user could presumably answer.”
But a growing desire for privacy led users to delete their browser cookies more often, meaning banks had to find something else to rely on, the report noted. Enter Flash LSOs, which are “basically hidden from casual users who aren’t aware of them and don’t know how to delete them.”
Now that approach could be threatened as well, Litan told eWEEK.
Read more: http://pindebit.blogspot.com/2010/06/yet-another-reason-banks-should-call.html
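The known-PC check the Gartner report describes, and the two ways it fails (the cookie is wiped, or the cookie is copied), as an added model of the server side. This is illustration only, not code from the blog, Gartner, eWEEK or any bank; the cookie name, the server key, the user IDs and the dict standing in for an HTTP cookie store or Flash LSO are all constructed:

```python
"""Known-PC check with a device cookie and challenge-question fallback.

Added illustration of the flow the Gartner report describes; it is not code
from the blog, Gartner or any bank. The cookie name, key, user IDs and the
"cookie jar" dict standing in for an HTTP cookie or Flash LSO are constructed.
"""
import hashlib
import hmac
import secrets

BANK_KEY = b"constructed-server-side-key"  # assumption: secret held only by the bank
COOKIE = "bank_device"                     # assumption: cookie / LSO name


def issue_device_token(user_id: str) -> str:
    """Set after a passed challenge: random device id, HMAC-bound to the user."""
    device_id = secrets.token_hex(8)
    tag = hmac.new(BANK_KEY, f"{user_id}:{device_id}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def token_valid(user_id: str, token) -> bool:
    """True only for a token this server issued for this user ID."""
    if not token or "." not in token:
        return False
    device_id, tag = token.split(".", 1)
    expected = hmac.new(BANK_KEY, f"{user_id}:{device_id}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def login_step(user_id: str, cookie_jar: dict, challenge_passed: bool) -> str:
    """One login attempt after the user ID is entered.

    'known_pc'   - device cookie present and valid, no questions asked
    'challenged' - no usable cookie, questions answered correctly, cookie set
    'denied'     - no usable cookie and questions failed
    """
    if token_valid(user_id, cookie_jar.get(COOKIE)):
        return "known_pc"
    if challenge_passed:
        cookie_jar[COOKIE] = issue_device_token(user_id)
        return "challenged"
    return "denied"


def demo() -> tuple:
    alice_jar = {}
    first = login_step("alice", alice_jar, challenge_passed=True)    # challenged, cookie set
    second = login_step("alice", alice_jar, challenge_passed=False)  # known_pc

    # Flash 10.1 private browsing or a cookie wipe: the LSO is gone, so the
    # legitimate user is back to the question set on her own PC.
    alice_jar.clear()
    third = login_step("alice", alice_jar, challenge_passed=False)   # denied

    # The check proves a token is present, not which machine it sits on: a
    # trojan that copies the LSO makes any PC "known".
    bob_jar = {}
    login_step("bob", bob_jar, challenge_passed=True)
    exfiltrated = {COOKIE: bob_jar[COOKIE]}
    fourth = login_step("bob", exfiltrated, challenge_passed=False)  # known_pc

    # Binding to the user ID at least stops one user's token being replayed as another's.
    fifth = login_step("alice", exfiltrated, challenge_passed=False)  # denied
    return first, second, third, fourth, fifth


if __name__ == "__main__":
    print(demo())  # ('challenged', 'known_pc', 'denied', 'known_pc', 'denied')
```

Moving the marker from an HTTP cookie to a Flash LSO changed nothing in this logic; it only made the marker harder for the user to delete. Whatever the browser stores, malware running in that browser can read and copy, which is the weakness the post's card-plus-PIN reader is meant to take out of the browser altogether.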