SOFTWARE INDUSTRY NEWS

Gartner suggests layered approach to prevent fraud and thwart malicious attacks

14 December 2009 , Written by Dhruv Tanwar


Fraudsters have started to raid user accounts by beating strong two-factor authentication methods. According to Gartner analysts, Trojan-based man-in-the-browser attacks are circumventing strong two-factor authentication enabled through one-time password (OTP) tokens. Other strong authentication factors, such as those using chip cards and biometric technology, that rely on browser communications can be similarly defeated.

Two-factor authentication based on telephony is also being circumvented, using call forwarding so that the fraudsters, rather than the legitimate user, are called by the service provider performing the authentication, says Gartner.

"These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009," said Avivah Litan, vice president and distinguished analyst at Gartner. "However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data."

For example, Gartner says, malware overwrites transactions sent by users to online banking websites; this happens behind the scenes, so the user does not see the revised transaction values. Numerous online banks then communicate back to the user's browser the transaction details that need to be confirmed by the user with an OTP entry, but the malware typically changes the values seen by the user back to the original values. This way, neither the user nor the bank realizes that the data sent to the bank has been altered. Authentication that depends on out-of-band verification using voice telephony is circumvented by a simple technique whereby the fraudsters ask the phone carrier to forward the legitimate user's phone calls to their own phone.

"A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers has been proven to mitigate these threats," advised Litan. "Gartner clients who have fended off such attacks have done so with either automated fraud detection or manual review of high-risk transactions."

Litan recommended that more than one measure be used to achieve optimal fraud prevention results and outlined some proven measures that can prevent attacks from succeeding:

  • Fraud detection that monitors user access behavior.
  • Fraud detection that monitors suspect transaction values.
  • Out-of-band user transaction verification.
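The following added example (not from the article or from Gartner) illustrates why the attack described above succeeds against a plain OTP token but fails against out-of-band transaction signing: a token OTP proves only possession of the token, whereas a transaction code is computed over the payee and amount, so a rewritten transaction no longer matches the code the user generated. The secret, the challenge and the transaction values are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo values; a real deployment provisions a per-user secret in a token or app.
USER_SECRET = b"constructed-per-user-secret"
CHALLENGE = b"constructed-bank-challenge"  # not secret, only provides freshness


def _six_digits(mac: bytes) -> str:
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def session_otp(secret: bytes, counter: int) -> str:
    """Token-style OTP: depends only on the secret and a counter, never on the transaction."""
    return _six_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(secret: bytes, payee: str, amount_cents: int, challenge: bytes) -> str:
    """Transaction-signing code: bound to payee, amount and the bank-issued challenge."""
    msg = f"{payee}|{amount_cents}|{challenge.hex()}".encode()
    return _six_digits(hmac.new(secret, msg, hashlib.sha256).digest())


def man_in_the_browser(submitted: dict) -> dict:
    """Simulated tampering: the transaction is rewritten between the user and the bank."""
    return {**submitted, "payee": "MULE-ACCOUNT", "amount_cents": 950_000}


def bank_checks_session_otp(otp: str, counter: int) -> bool:
    # The OTP proves the user holds the token but says nothing about what they meant to send.
    return hmac.compare_digest(otp, session_otp(USER_SECRET, counter))


def bank_checks_transaction_code(received: dict, code: str) -> bool:
    # The bank recomputes the code over the payee and amount it actually received.
    expected = transaction_code(USER_SECRET, received["payee"], received["amount_cents"], CHALLENGE)
    return hmac.compare_digest(code, expected)


def simulate(tamper: bool) -> dict:
    """Run one transfer through both schemes and report whether each accepts it."""
    intent = {"payee": "ACME-LANDLORD", "amount_cents": 120_000}
    received = man_in_the_browser(intent) if tamper else dict(intent)
    counter = 42
    # The user computes both codes on the token from the details they INTENDED, not in the browser.
    otp = session_otp(USER_SECRET, counter)
    code = transaction_code(USER_SECRET, intent["payee"], intent["amount_cents"], CHALLENGE)
    return {
        "session_otp_accepted": bank_checks_session_otp(otp, counter),
        "transaction_code_accepted": bank_checks_transaction_code(received, code),
        "bank_received": received,
    }
```

Running `simulate(tamper=True)` shows the session OTP still validating the rewritten transfer while the transaction code is rejected; this is the property that makes transaction signing the layer that catches a man-in-the-browser rewrite.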

"Fraudsters have definitely proven that strong two-factor authentication processes can be defeated," said Litan. "Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high-risk transactions."