Gartner Says a Layered Fraud Prevention Approach Can Thwart Malicious Attacks

New Approaches Are Needed to Counter Attacks on Strong Authentication Factors

STAMFORD, Conn. - Fraudsters have started to raid user accounts by beating strong two-factor authentication methods, according to Gartner Inc.

Gartner analysts said that Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication, enabled through one-time password (OTP) tokens. Other strong authentication factors, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated.

Two-factor authentication based on telephony is also being circumvented, using call forwarding so that the fraudster, rather than the legitimate user, is called by the service provider performing the authentication.

“These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009,” said Avivah Litan, vice president and distinguished analyst at Gartner. “However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data.”

Examples of attacks that have worked to date include:

1. Malware overwrites transactions sent by a user to the online banking website. This happens behind the scenes, so that the user does not see the revised transaction values. Many online banks will then communicate back to the user’s browser the transaction details that need to be confirmed by the user with an OTP entry, but the malware will change the values seen by the user back to what the user originally entered. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.
2. Authentication that depends on out-of-band authentication using voice telephony is circumvented by a simple technique whereby the fraudster asks the phone carrier to forward the legitimate user’s phone calls to the fraudster’s phone.

“A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers has been proven to mitigate these threats,” advised Ms. Litan. “Gartner clients who have fended off such attacks have done so with either automated fraud detection or manual review of high-risk transactions.”

Ms. Litan recommended that more than one measure be used to achieve optimal fraud prevention results and outlined some proven measures that can prevent attacks from succeeding:

1. Fraud detection that monitors user access behavior. This method captures and analyzes all of the user’s Web traffic (assuming the targeted application is Web-based), including login, navigation and transactions, and can spot abnormal access patterns that indicate that an automated program is accessing the application, rather than a human being.
2. Fraud detection that monitors suspect transaction values. This function looks at a particular transaction and compares it to a profile of what constitutes “normal”behaviorfor that user and/or group of users.
3. Out-of-band user transaction verification. This type of verification does not use the same primary communication channel (for example, the user’s PC browser) and uses a different communication channel to verify a transaction request. It is a valuable fraud prevention tool — as long as only the specific transaction verified or signed by the requesting user is executed (as opposed to a transaction that a criminal has overwritten with his or her own values).

“Fraudsters have definitely proven that strong two-factor authentication processes can be defeated,” said Ms. Litan. “Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high risk transaction.”

Additional information is available in the Gartner report “Where Strong Authentication Fails.” The report is available on Gartner’s website at http://www.gartner.com/resId=1245013.

About Gartner:
Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 4,000 associates, including 1,200 research analysts and consultants in 80 countries. For more information, visit www.gartner.com.