Yesterday, 20 September 2009, another case was reported in which an RSA SecurID time-based one-time password (OTP) token had been issued to a customer (the account manager at Ferma, a construction firm in Mountain View, CA). A trojan on that customer's computer nonetheless initiated 27 transactions to various bank accounts, siphoning off $447,000 in a matter of minutes.
These RSA SecurID tokens were generating OTPs on 30-second intervals, yet the trojan still got past them. The OTP did exactly what it was supposed to do, but the attack lay beyond the protection level a token provides. Put simply, a token offers no protection against this form of script-in-the-middle or trojan attack, where the transaction itself is intercepted and changed after the user has authenticated.
What was missing:
The transaction had no integrity protection: there was no "sign what you see" authentication layer binding the OTP to the transaction details the user approved.
There was no end-to-end encryption protecting the OTP or the transaction details.
There was no risk-based engine monitoring changes in the user's behaviour pattern, and no alert or threshold check to tell the user that money was being drained out.
To address the above, an authentication platform has to provide:
What you know: user ID and password
What you have: a time-based one-time password (a challenge-based OTP is stronger)
Sign what you see: transaction signing using the token or an out-of-band channel
What is the user's behaviour: risk-based authentication
With whom am I communicating: end-to-end encryption, to make sure only the right parties can communicate
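As an added illustration (not from the original post and not EZMCOM's code), the following Python sketch contrasts a purely time-based OTP with a "sign what you see" OTP whose code also covers the payee and amount shown to the user. The seed, account labels and amounts are constructed placeholders; the point is that when a trojan rewrites the transfer after the user has entered the code, only the second scheme lets the bank detect the change.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from the original post)
SECRET = b"constructed-shared-token-seed"
T_NOW = 1253404800   # fixed Unix time so the example is deterministic
STEP = 30            # 30-second OTP interval, as with the token in the story

def truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a short decimal code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def time_otp(secret: bytes, t: int) -> str:
    """Time-based OTP: depends only on the secret and the 30 s window."""
    msg = struct.pack(">Q", t // STEP)
    return truncate(hmac.new(secret, msg, hashlib.sha1).digest())

def signing_otp(secret: bytes, t: int, payee: str, amount: int) -> str:
    """'Sign what you see' OTP: the code also covers the payee and amount
    displayed on the token or out-of-band device, so a changed transaction
    yields a different code."""
    challenge = hashlib.sha256(f"{payee}|{amount}".encode()).digest()
    msg = struct.pack(">Q", t // STEP) + challenge
    return truncate(hmac.new(secret, msg, hashlib.sha1).digest())

def bank_accepts(secret, t, payee, amount, code, transaction_signing):
    """Bank-side check of the code received together with the transaction."""
    if transaction_signing:
        return hmac.compare_digest(signing_otp(secret, t, payee, amount), code)
    return hmac.compare_digest(time_otp(secret, t), code)

def tampering_scenario(transaction_signing: bool) -> bool:
    """The user approves 500 to PAYEE-A; malware on the PC rewrites the
    transfer to 15000 for MULE-ACCT before it reaches the bank.
    Returns True if the bank accepts the tampered transfer."""
    user_payee, user_amount = "PAYEE-A", 500
    if transaction_signing:
        code = signing_otp(SECRET, T_NOW, user_payee, user_amount)
    else:
        code = time_otp(SECRET, T_NOW)
    tampered_payee, tampered_amount = "MULE-ACCT", 15000
    return bank_accepts(SECRET, T_NOW, tampered_payee, tampered_amount,
                        code, transaction_signing)

if __name__ == "__main__":
    print("time-based OTP, tampered transfer accepted:", tampering_scenario(False))
    print("transaction signing, tampered transfer accepted:", tampering_scenario(True))
```

With the time-based scheme the bank has nothing to compare the payee and amount against, so the tampered transfer passes; with transaction signing the recomputed code no longer matches and the transfer is rejected.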
A complete authentication platform that complements "what you know: user ID and password" comes from EZMCOM in the form of the EzIdentity platform -