Can strong authentication sort out phishing and fraud? (presented at Virus Bulletin 2006)

by Paul Ducklin (Sophos)

Tags: Security


Summary: Authentication, especially two-factor authentication, is seen as an important step against on-line crime,
especially for on-line banking and Internet shopping. But authentication alone is not enough
to protect computer users against the efforts of organised crime to thieve their credentials,
their data and even their identity. In fact, strong authentication in only one part of a system may even make things worse
if users expect to rely entirely on technology to protect them from phishing and related attacks.

Organised criminals have realised (precisely because they are organised) that phishing
and identity theft can be carried out over an extended period, by piecing together snippets
of information from separate attacks for a final sting. For example, logging on using an
authentication token will neutralise password stealers, but the very presence of a token
authentication request can make an ideal trigger for spyware - especially if its goal is
to build up a pattern of your on-line behaviour by monitoring your financial transactions.

This paper traces the recent - and rapid - evolution of malware techniques in response to
technological changes in our security regimes, and proves once again the old cliche that
the price of freedom is eternal vigilance. The Bad Guys are out to get us, and if they can
turn our defences against us, even in the slightest way, then they surely will.