A View from Christopher Mims
Why Bank Websites Are Suddenly Less Secure
So much for “two-factor authentication.”
Throwing another lock on seems like the most logical way to secure an apartment—or a website. But a new attack called “Man in the Browser” allows attackers who have infected a computer with malicious software to get around the bank website security systems that demand, for example, a pin in addition to a password.
A BBC investigation uncovered the vulnerability. Once an attacker has access to the browser, they can ask a user to enter their authentication code or password into an inappropriate field as part of an effort to “train a new security system.” If the user falls for it, the attacker gets full access to the bank’s website, and can even obscure withdrawals of funds.
This points to a larger issue, says security technology OG Bruce Schneier: All security solutions that consist of adding another password or pin to the process are attempts to authenticate that a person is who they say they are, when the only real solution is to authenticate the transaction itself.
That means what all bank and other secured websites need are elaborate fraud-detection algorithms akin to those used by the financial industry to secure credit cards. Credit cards are easily forged, but it doesn’t matter, in part because banks prevent fraud by examining activity rather than trying to directly verify that a credit card is being used by its rightful owner.