Researchers find flaw in two-factor authentication system

Posted on: March 06th, 2013 by Art Barger

The idea behind two-factor authentication is to provide a multi-layered security defense that allows good users to safely access their accounts while preventing criminals from illegally accessing other peoples’ accounts. In theory, this is a sound method that many of today’s financial institutions use to authenticate their customers over various banking channels.

Implementing more effective security initiatives is also the byproduct of stronger federal regulations like the FFIEC (Federal Financial Institutions Examination Council), which recommends banks deploy at least two-factors of authentication as defined by its 2011 Supplement to the Authentication.

Sometimes, however, even effective security measures can fall short of their goal.

This was widely illustrated last week when researchers announced they found a loophole in Google’s two-factor authentication system. In the article, “Google Two-Factor Authentication Bug Allowed Account Hijacking,” Duo Security reported that the search engine giant’s two-step verification system for authenticating users had a flaw that could allow accounts to be hijacked — the vary thing the security platform was designed to prevent.

This is yet another case where a company that has done their due diligence to implement a multi-layered security strategy still had vulnerabilities within its system that could allow criminals to sneak past their authentication processes.

This is why financial institutions need to understand the importance of having at least two-factors of authentication, which still may not be enough to secure online account. Shortcomings like those revealed last week could apply to other customer channels, as well.

Take, for example, the telephone. Today, banks still use knowledge-based authentication (KBA) solutions to identify their customers over the phone. For many, KBA (“something you know”) is a critical piece to their verification strategy. It’s also part of the FFIEC’s two-factor authentication criteria, along with “something you are” (fingerprint, DNA, retinal pattern) and “something you have” (ID card, security token, telephone). Unfortunately, KBA has become a solution that thieves have proven to beat time and time again.

Designed to ask callers security questions that only the customer would know, crooks can now slip past KBA methods by combining identity theft with social engineering. By correctly answering challenge questions, criminals can ironically break down a security barrier that’s precisely designed to prevent criminals from getting through in the first place.

I’m not saying that using passwords, personally identifiable information (PII) or PIN numbers are worthless for customer authentication, but exposure to social engineering schemes over the telephone can pose a weakness in two-factor authentication systems. It’s vulnerabilities like these that the FFIEC recommends at least two factors of authentication for defending banking networks and their customers from today’s criminal threats.