Is traditional strong authentication dead with the new Man-in-the-Browser attacks?
I wrote last week (see: ‘Old school’ fraud detection not making the grade in the new world of online attacks) about the importance of behavioral fraud detection in the fight against Man-in-the-Browser attacks. Does this mean that strong authentication is out of the picture? Nope! Like all good security strategies, it’s important to take a multi-layered approach to protecting the online channel. Using the lock analogy, you can’t just put a bigger lock on the door and hope it keeps the bad guys out; at the same time you don’t want to just leave the door wide open. Not all online transactions and users are created equal and the way to protect them can take a multi-faceted approach, ideally based on risk.
For a typical user doing every day transactions like checking a balance, using techniques like IP-Geolocation and device authentication in combination with splitting the login screen between entry of username and password are non-intrusive yet much more effective than simply leaving the door wide open (aka simple username & password).
For more sensitive transactions, like a money transfer or adding a destination payee, using stronger authentication just makes sense. There are a wide range of capabilities available on the market today, including traditional physical options like OTP tokens, grid cards, and smart cards, which can more strongly validate a user’s identity. While these are not 100% effective on their own against attacks like Man-in-the-Browser, they do protect against many attacks AND when deployed in conjunction with fraud detection, can add increased protection for sensitive transactions. Options that go outside the online channel—or out-of-band—and also deliver transaction details to the user are very effective at strongly authenticating the user AND verifying that the transaction is valid. While traditionally delivered via SMS or sometime voice, a new generation of mobile application was recently announced that includes transaction verification inside a much more usable interface.
Regardless of what type of strong authentication is chosen, it’s important to remember that it will not be a silver bullet no matter what. Make it too strong, and it’s not usable or annoying for simple transactions. Make it too weak, and users will fall victim to modern attacks like Man-in-the-Browser. Layering is going to be the best way to achieve a balance and let strong authentication live on…