Hackers can beat security tokens
Two-factor authentication 'doesn't solve anything', claims security expert
IT security expert Bruce Schneier has warned that plans to move to two-factor authentication will not solve online fraud.
Schneier pointed out that the tokens will not stop the most common types of attacks. Tokens can work well in corporate environments but will be ineffective against much of today's crime since it relies on tricking users rather than beating passwords.
"Two-factor authentication doesn't solve anything. It won't work for remote authentication over the internet," he said.
"I predict that banks and other financial institutions will spend millions fitting their users with two-factor authentication tokens.
"Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft."
He lists two attacks, man-in-the-middle and Trojans, which would not be stopped by the use of tokens. In the first case a hacker sets up a fraudulent phishing website such as a bank log-in page where the victim inputs their log in details anyway, and with Trojans the hacker would log in with the user, token or no token.
Last year online fraudsters stole $1.2bn in the US and there are fears that fraud is harming confidence in e-commerce.
Representatives of the British banking industry, police and the security industry met in January to discuss ways of fighting online fraud, including the introduction of tokens. Last year AOL launched a premium service for customers using the devices.
Microsoft announced yesterday that it is dropping passwords in favour of two-factor authentication.
Reproduced from an article published by vnunet.com
© vnunet.com
The original article can be viewed here:
http://www.vnunet.com/news/1161940
Permalink Bookmark Digg this story
