two factor risks highlighted

E-gold attacks highlight two factor fears

Attacks on an electronic currency web site have highlighted the potential security risks for the banking industry in its use of two-factor authentication.

The E-gold online payment portal uses a one-time password system to maintain security but has suffered recent attacks where transactions are intercepted by criminals as the password and is momentarily active.

Mark Sunner, chief technology officer at security vendor MessageLabs, says the attacks should cause concerns for banks looking to implement two-factor authentication.

'There have only been a handful of attacks but this proves there is the capability to defeat two-factor authentication which has been touted as a magic bullet solution for online banking,' said Sunner.

A spokesman for UK payments industry association Apacs, says banks are aware of the problem.

'It's something that we are taking steps to make sure this isn't a problem in the UK,' he said.

Forrester Research analyst Benjamin Ensor says banks will not be overly concerned by the attacks because it is a complicated, time-consuming process.

'No security system is perfect, the point about any kind of security system is that what you're trying to achieve is to make the cost of breaking it greater than the benefits,' he said.

'What would worry the banks is if someone proved that it was a straightforward and easily repeatable thing to do. '

Several UK banks have been experimenting with two-factor authentication systems to protect online customers.

Paul Wood, senior analyst at MessageLabs, says criminals will become increasingly attracted to breaking two-factor authentication if the end result is deemed worthwhile enough.

He believes banks need to think about bolstering two-factor systems.

'If a criminal gang is involved, the switching from one target to another is not too much of a problem,' he said. 'However banks could solve the problem by using multi-factor authentication or using portable devices.'

Lloyds TSB has been trialing a two-factor authentication device amongst 23,500 customers using its online banking service for the last five months and has reported no problems, according to Matthew Timms, Internet banking director.

'The response from customers has been fantastic and the fact that nobody taking part in the trial has had any fraud on their account since using this device is testament to the fact that this technology is the way forward,' Timms said.

What do you think? Email us at [email protected]