If you’ve ever watched a late night spy movie on cable, you’re probably already familiar with the concept: Access to a highly secured area or object requires two separate keys each in the possession of a different individual. Some financial companies handling sensitive customer data over the Internet appear to be thinking along the same lines.
Out-of-band authentication, the use of two separate networks working simultaneously to authenticate a user, is emerging as a strong defense against sophisticated online criminals.
As recent data breaches at several of the top online brokerage firms illustrate, the days of simple password account protection are over. So, what security measures beyond passwords are available to protect customer data?
There is no shortage in the marketplace of more advanced solutions for securing commercial Web sites. Due to recent government regulations, namely FFIEC (Federal Financial Institutions Examination Council) Guidance FIL-103-2005 mandating stronger online security for financial services Web sites, financial institutions are suddenly faced with an onslaught of Web security tools from which to choose.
Some involve asking the user additional security questions such as, “What was the name of your childhood pet?” Other measures involve the user’s ability to pick out a pre-selected image from a series of images appearing on the Web screen.
Compared to password protected accounts, these solutions make it harder for an illegitimate user to guess account access credentials. Unfortunately, in an increasing number of cases, online criminals have taken the guesswork out of account hijacking.
Armed with keystroke logging software, or simply via a clever phishing e-mail, online criminals are often able to steal identity credentials necessary to take over financial accounts.
Once criminals gain access to personal identity data, systems that use “in band” authentication (where login information is delivered via a single Internet connection) are unable to differentiate between the real user and the criminal.
The bottom line: If a user is gaining access to online accounts using an in-band authentication method, they are vulnerable to many common attacks. Alternatively, out-of-band authentication requires the user to complete the login process using a second network separate from his or her Internet connection.
While any combination of separate networks to verify the identity of an online account user is considered out-of-band authentication, the phone network has emerged as the most familiar additional network available to the typical Internet user.
With an established secondary network that users already know how to operate, the use of the phone for out-of-band authentication does not require additional training or hardware to be installed on the user’s behalf. Also, with the popularity of mobile phones, online users are now likely to have a second, out-of-band network available to them no matter where they are logging into their financial accounts.
Army of Hackers
Just how does a secondary network such as a phone cooperate with a user’s Internet connection to achieve out-of-band authentication?
In a typical use case, a user logs onto their checking account to pay a few bills and everything seems to go smoothly. Unfortunately, behind the scenes, a hacker has tricked the user into downloading a keystroke logger the last time they navigated the Web.
The keystroke logger is recording the user’s keystrokes in a log file that is then transmitted to the hacker. Armed with the keystroke log, the hacker knows the account number, the user name, the password … all the information needed to gain unlimited access to the checking account.
The user is unaware anything is wrong until the next time they log on and notice the balance is US$5,000 lower than expected. The hacker, armed with the correct logon information, was easily able to access the account and transfer $5,000 to an offshore account.
Had the fraudster stolen login credentials to an account protected by a typical out-of-band authentication process, the attempt to transfer funds would have been thwarted.
Here’s how it works: During the attempt to transfer the funds out of the account, the online criminal would have been required to answer a telephone associated with the account in order to complete the transaction. The automated call consists of voice prompts directing the account owner to speak a confirmation number displayed in the Web browser.
Since completing the transaction depends on the user’s ability to answer a call to the phone number the account owner has given the bank and to successfully speak the confirmation number displayed in the browser, a person attempting to make a transfer without access to the out-of-band network (the account holder’s phone) is denied.
Simply said, hackers can be armed with much, if not all, of a user’s personal information, but that does not allow them to answer the user’s phone or replicate the user’s voice.
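As an added illustration (not Authentify’s product or code), the following Python model captures the transfer-confirmation flow just described: the confirmation number is generated server-side and shown in the browser, the automated call goes only to the phone of record, the spoken number must match before the transfer completes, and every call attempt is written to an audit record. The phone numbers, the 120-second validity window and the audit-record fields are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 120  # assumed: how long a displayed confirmation number stays valid

# Constructed sample data: the phone number the bank has on file for each account.
PHONE_ON_FILE = {"acct-1001": "+1-555-0100"}


@dataclass
class PendingTransfer:
    account: str
    amount_cents: int
    destination: str
    confirmation: str            # one-time number displayed in the browser (in-band)
    created_at: float
    completed: bool = False
    call_log: list = field(default_factory=list)  # audit record of the out-of-band step


def start_transfer(pending, account, amount_cents, destination, now):
    """In-band step: the logged-in session requests a transfer. The bank creates
    a one-time 6-digit confirmation number tied to this transfer and shows it
    in the browser; it is never accepted over the web session itself."""
    transfer_id = secrets.token_hex(8)
    code = f"{secrets.randbelow(10**6):06d}"
    pending[transfer_id] = PendingTransfer(account, amount_cents, destination, code, now)
    return transfer_id, code


def confirm_by_phone(pending, transfer_id, answered_on, spoken_digits, now):
    """Out-of-band step: the bank dials the phone of record and the party who
    answers speaks the number shown in the browser. `answered_on` is the number
    the call was actually answered on; `spoken_digits` stands in for the
    transcribed (or voice-biometric-checked) response."""
    t = pending.get(transfer_id)
    if t is None or t.completed:
        return "denied: unknown or already-completed transfer"
    t.call_log.append({"dialed": PHONE_ON_FILE[t.account], "answered_on": answered_on, "at": now})
    if answered_on != PHONE_ON_FILE[t.account]:
        return "denied: call not answered on the phone of record"
    if now - t.created_at > CODE_TTL_SECONDS:
        return "denied: confirmation number expired"
    if not hmac.compare_digest(spoken_digits, t.confirmation):  # constant-time compare
        return "denied: spoken number does not match browser"
    t.completed = True  # single use: a replayed recording cannot approve a second transfer
    return "approved"
```

A stolen password and a keylogged confirmation number are not enough here: the attacker’s attempt is logged against the phone of record, which rings the legitimate owner.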
The phone works particularly well as an out-of-band authentication network. Along with being easy to use, it has the ability to produce an audible record of the transaction. The transaction record can include a .wav file recording of the user speaking the confirmation number, the record of the number dialed and answered, time stamps from the telephone network or even real-time voice biometric comparison.
The telephone offers one of the few ways to verify the identity of the keyboard user trying to conduct a transaction on the anonymous network known as the Internet. The prospect of having to answer a working, traceable telephone and leave a voice recording deters most online criminals from even attempting to complete the transaction.
Also, if fraudulent account activity is attempted, the legitimate user’s phone will ring, alerting the user that someone is attempting to hijack their account. This process enlists account owners in the protection of their accounts and notifies them of fraud attempts before funds can be misappropriated.
Businesses, Customers Benefit
Because financial institutions usually shoulder the costs associated with online theft of this type, they are eagerly searching for ways to avoid letting high dollar/high risk transactions be carried out anonymously over the Internet.
Associated Bank, headquartered in Green Bay, Wis., was an early adopter of out-of-band authentication for certain higher risk transactions available on its Web site. Using a phone-based, out-of-band network, it has seen a significant reduction in losses due to online fraud.
In addition, the bank has been able to offer its customers an expanded menu of online transactions because it is confident about the identity of the users accessing the site. More financial institutions are following suit, including the Navy Federal Credit Union, the largest credit union in the country.
As we have seen in recent years, the introduction of more complex security measures to protect online financial accounts has only resulted in more clever schemes to steal the personal credentials needed to commit fraud. Evidence indicates that the number of attempts to hack into financial accounts is not going to decrease.
As the schemers become more sophisticated, increasing numbers of financial institutions are beginning to “think out of the band” to implement online security solutions that make fraud too risky for criminals to attempt.
Andrew R. Rolfe is vice president, research & development for Internet security vendor Authentify.
Although this article was written two years ago it seems to be more important than ever. It’s unclear as to how many malware instances can hijack sessions that also include the random / temporary key – but it’s apparently happening. In my opinion this solution is scalable, relatively easy to deploy and extremely hard to beat. I would imagine the guys from Mission Impossible could come up with something but with the effort required I’m sure there are easier targets.