Gartner reported that trojan based, `man-in-the-middle' browser attacks are circumventing strong two-factor authentication.
The report also said that other strong authentication factors, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated.
"These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009", said Avivah Litan, vice president and analyst at Gartner.
"However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data."
The report revealed that, although the account holders are playing by the rules when accessing their account using two-factor authentication, the latest trojans sit in the background and, when the IP session is live into the bank computers, the hackers stage an online session in the background.
Even if a pro-active two-factor authentication security token is used, the piggy-back technique effectively negates any security being used.
According to the report, a layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers has been proven to mitigate these threats.
"Gartner clients who have fended off such attacks have done so with either automated fraud detection or manual review of high-risk transactions", the study noted.
The good news, however, is that Gartner said that more than one measure be used to achieve optimal fraud prevention results and outlined technologies that can be used, including:
- Fraud detection that monitors user access behaviour.
- Fraud detection that monitors suspect transaction values.
- Out-of-band user transaction verification.
According to Gartner, fraudsters have definitely proven that strong two-factor authentication processes can be defeated.
"Organisations need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high risk transaction", Gartner said.