October 16th, 2010
It is with deep regret that we report the passing of Multi Factor Authentication, affectionately referred to as “MFA” by its friends and loved ones. MFA succumbed after a courageous battle with cyber cancer. After fighting off the dreadful phishing disease, and making strides against MITM (Man in the Middle), MFA was stricken with MITB, also known as Man in the Browser. This terrible disease quickly overcame all medical efforts to keep MFA alive.
MFA rose to prominence when its adoptive benefactors, the FFIEC, made it a household name in October of 2005 with the issuance of FIL 103-2005. Throughout the course of its life, MFA strived to protect the innocent against identity theft and cybercrime. MFA is survived by its brothers and sisters, Device Recognition, One Time Passwords, Tokens, and Biometrics – all of which are also suffering from the same disease in the online world. MFA also leaves behind a child, Transaction Authorization, who may someday mature to defeat the disease that has taken the life of its well-loved father.
Services will be held privately at most Financial Institutions and Authentication Vendors who so faithfully provided and cared for MFA up until its final days. In lieu of flowers, send money… offline.
Humorous perhaps, but true. Front door authentication and multi-factor authentication are dead. This doesn’t mean that we can remove the carcass from the doorstep, but we can stop feeding it. Even in death, MFA still provides some capability in defeating the ever-present phishing and many identity theft cyber-attacks. If nothing else, it leaves something out there for the bad guys to trip over.
If you are a financial or ecommerce organization and don’t have MFA, uh… you should. But it’s time for vendors and consumers to stop investing in it. “Man in the Browser” Trojans are spreading like an epidemic in the US, carried over from Europe, Australia and the Far East. As most US banks are learning, MFA does little to defend against Zeus, Gozi, Bugat, Carberp, SpyEye, and the swarm of evolving malware that has potentially led to more financial fraud attacks in 2010 than in any other year. So what now? Banks are relying on Fraud Detection and intelligence more than ever. Customer Endpoint Security is marching as fast as it can, but won’t be able to catch up as long as consumers are not forced to download the products. Anti-Virus is playing the catch-up game, and by definition and method, will never win.
The fight against this surge in malware is a two-front battle:
(1) Consumers need help to defend against infection, and
(2) financial and ecommerce organizations need help defending against the attack.
How do we keep the customer device clean? How do we educate consumers to browse safely and keep their A/V, OS, browsers and applications like Adobe up to date? And the biggest challenge – how do we educate and service them once they have been infected? This is the new face of fraud prevention and resolution, and I haven’t seen a consistent or effective method yet. There are several technologies, processes and policies that have promise and will make a difference – but the FIs need to step up and standardize adoption.
To protect against attack, FIs are looking at analytics and patterns, building strategies to detect, but the variants are evolving too quickly to keep up. This is a stop-gap measure at best. If this is the only solution, Fraud Detection and Resolution departments will have to staff almost as many FTEs as the customer call centers, which is hardly cost effective. There needs to be a radical paradigm shift in the US banking industry’s approach to preventing the attack. MITB bypasses all customer authentication in-channel. Deal with it. Focus on the transaction phase. Take the weakness of the online channel out of the battle for the fraudsters. Go Out of Band (OOB), and off the internet, for authorization. If you are asking customers to enter their OOB response into the web channel, that isn’t going to work: the Trojan controls that channel and simply relays the response. Expand the challenge, response and confirmation processes to integrate Out of Band and interact with the transaction engine, not the web browser. Instead of having your web application send the confirmation, have the money movement engine do it. Have the consumer confirm what REALLY happened, not what they saw on their browser. Force the customer response from that out of band environment before the transaction takes place.
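To make the design above concrete, here is an added Python simulation (not the author's code; the payee, account and amount values are constructed) contrasting a confirmation built from the browser's view and typed back into the browser with one built by the money-movement engine and answered out of band:

```python
import secrets

# Constructed sample: what the customer typed into the banking site.
INTENDED = {"payee": "ACME Utilities", "account": "12345678", "amount": "120.00"}
# Constructed sample: what a MITB Trojan substitutes after the form is filled in.
TAMPERED = {"payee": "Money Mule", "account": "99999999", "amount": "4900.00"}

def describe(tx):
    return f"{tx['amount']} to {tx['payee']} (acct {tx['account']})"

def submit_via_browser(intended, mitb_active):
    """The web channel. With a MITB Trojan present the bank receives a rewritten
    transaction while the page the customer sees still shows what they typed."""
    return dict(TAMPERED if mitb_active else intended)

def web_app_flow(intended, mitb_active):
    """Pattern the post rejects: the web tier sends a confirmation of what the
    browser displayed, and the customer enters the code back into the browser.
    Returns (outcome, transaction the engine would execute, message sent)."""
    received = submit_via_browser(intended, mitb_active)
    code = secrets.token_hex(3)
    message = f"Code {code} to confirm {describe(intended)}"  # built from the browser's view
    typed = code          # the message matches what the customer saw, so they type it
    relayed = typed       # the Trojan passes it to the bank unchanged
    outcome = "executed" if relayed == code else "blocked"
    return outcome, received, message

def engine_flow(intended, mitb_active):
    """Pattern the post recommends: the money-movement engine describes the
    transaction it actually holds, the customer replies on the out-of-band
    device, and nothing executes until that reply arrives."""
    received = submit_via_browser(intended, mitb_active)
    code = secrets.token_hex(3)
    message = f"Reply {code} to approve {describe(received)}"  # built from the engine's view
    # The customer compares the engine's description with what they meant to send
    # and answers on the OOB device; the browser never sees the reply.
    reply = code if describe(received) == describe(intended) else "DECLINE"
    outcome = "executed" if reply == code else "blocked"
    return outcome, received, message

if __name__ == "__main__":
    for name, flow in (("web-app confirmation", web_app_flow), ("engine OOB confirmation", engine_flow)):
        outcome, received, message = flow(INTENDED, mitb_active=True)
        print(f"{name}: {outcome} -> {describe(received)} | {message}")
```

With a MITB Trojan active, the web-app flow executes the tampered payment because the customer only ever confirms what their browser showed, while the engine flow is blocked because the out-of-band message exposes the substituted payee and amount.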
Attack both fronts with smart technology choices, consumer education and tools. Until the US financial institutions shift to this type of thinking and consumers adopt it, MITB will continue to be a contagious and deadly disease.