Two-factor authentication placed under spotlight
Two-factor authentication, the supposed panacea of online banking, has been hit from several sides in the past few weeks. As early as the beginning of this summer, reports began appearing about so-called “man in the middle” attacks. These are attacks in which a phishing site is placed between the client and the legitimate online banking system and uses the client's details to log in to the system immediately. The new type of phishing attack has affected Citibank business customers, who were directed to phoney sites set up by fraudsters.
These fake sites “phished” for the customers' banking details and also asked for the passwords generated by the tokens provided by the bank. The phishing site was then used as a relay to carry the customer's data, including the random-number password from the authentication system, to the actual online banking site to log in as the user being defrauded.
Now the head of fraud technology at HSBC has suggested the drive to implement new security technology may actually harm the security of some customers, as fraudsters would begin targeting online banking systems that lack this kind of protection. Brendan Pickering spoke about remote banking security and HSBC's view on the issue on Tuesday at the European Gartner IT Security Summit in London. As reported by ZDNet, Mr Pickering said that some other banks, which continually strive to introduce new two-factor authentication measures, are using an “arms race” approach. This, according to the HSBC expert, can create a climate in which customers of banks that have not introduced these systems may experience a rise in attacks, as fraudsters target the “less protected” banks. Additionally, Mr Pickering believes that the currently popular two-factor authentication systems alone cannot be a long-term solution for security problems and may only serve to “buy some time”.