According to an article on cnet.com by Robert Vamosi, multi-factor authentication is not a silver-bullet solution. In 2005, the Federal Financial Institutions Examination Council (FFIEC) released guidance encouraging financial institutions that engage in high-risk transactions, those that allow customers to access personal information or move funds to other accounts, to use multi-factor authentication because it was considered more difficult to breach. Multi-factor authentication typically requires the customer to present, in some combination, something he or she knows (e.g. a password), something he or she has (e.g. an ATM card), and something he or she is (e.g. a fingerprint).
However, according to the article cited above, multi-factor authentication is not necessarily so secure after all. For example, a security question such as "What is your favorite city?" is only a second piece of something the customer knows, and often a guessable one: if a customer's user ID is "CubsFan123," chances are that the customer's favorite city is Chicago. For banks that use security images to confirm to users that they are on the bank's real site, phishers may be able to set up fake bank sites using the same security images, because many of the major banks use the same images in the same pattern. For banks that authenticate by device fingerprinting, that is, by looking for unique information about a customer's machine, researchers say that most machines present the same fingerprint, and since the fingerprint is simply data the browser sends, a phisher could cut the fingerprint from a machine that has lawfully used the bank's website and paste that fingerprint, which the bank already recognizes, onto another machine to gain unlawful access to the customer's account.
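The device-fingerprint weakness described above comes down to the bank comparing a static string that any client can send. The following Python is an added example written for this summary, not code from the CNET article, from any bank, or from the post's author. It shows a naive stored-string check accepting a copied fingerprint, and beside it one assumed mitigation: binding the device to a secret only it holds and answering a fresh server nonce with an HMAC, so that copying the fingerprint string (or even one captured answer) is not enough. The user ID, the fingerprint format and the two toy "bank" classes are hypothetical.

```python
"""Added example: static device fingerprints can be replayed; a
challenge-response binding cannot. All names, the fingerprint format and
the HMAC scheme are hypothetical illustrations, not any bank's design."""
import hashlib
import hmac
import secrets

# Constructed sample fingerprint in a made-up "attribute|attribute" format.
CUSTOMER_FINGERPRINT = "Windows XP|IE 6.0|1024x768|en-US"


class StaticFingerprintBank:
    """The check the article describes: compare against the enrolled string."""

    def __init__(self):
        self._enrolled = {}  # user_id -> fingerprint string

    def enroll(self, user_id, fingerprint):
        self._enrolled[user_id] = fingerprint

    def login(self, user_id, fingerprint):
        # Any client that sends the same string is accepted; the value says
        # nothing about which machine is actually sending it.
        return self._enrolled.get(user_id) == fingerprint


def static_replay_succeeds():
    """Phisher cuts the string from the customer's machine and pastes it
    onto another one: the bank cannot tell the difference."""
    bank = StaticFingerprintBank()
    bank.enroll("CubsFan123", CUSTOMER_FINGERPRINT)
    return bank.login("CubsFan123", CUSTOMER_FINGERPRINT)  # True


class ChallengeResponseBank:
    """Assumed mitigation: each enrolled device holds a secret, and every
    login answers a fresh server nonce with HMAC(secret, nonce || fp)."""

    def __init__(self):
        self._devices = {}  # user_id -> (fingerprint, device_secret)
        self._pending = {}  # user_id -> nonce awaiting an answer

    def enroll(self, user_id, fingerprint):
        secret = secrets.token_bytes(32)
        self._devices[user_id] = (fingerprint, secret)
        return secret  # delivered to the device once, at enrollment

    def challenge(self, user_id):
        nonce = secrets.token_bytes(16)
        self._pending[user_id] = nonce
        return nonce

    def login(self, user_id, fingerprint, response):
        stored_fp, secret = self._devices[user_id]
        nonce = self._pending.pop(user_id, None)  # single use
        if nonce is None or stored_fp != fingerprint:
            return False
        expected = hmac.new(secret, nonce + fingerprint.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_answer(secret, nonce, fingerprint):
    """What the legitimate device computes; needs the secret, not just the string."""
    return hmac.new(secret, nonce + fingerprint.encode(), hashlib.sha256).digest()


def challenge_legit_succeeds():
    bank = ChallengeResponseBank()
    secret = bank.enroll("CubsFan123", CUSTOMER_FINGERPRINT)
    nonce = bank.challenge("CubsFan123")
    return bank.login("CubsFan123", CUSTOMER_FINGERPRINT,
                      device_answer(secret, nonce, CUSTOMER_FINGERPRINT))  # True


def challenge_replay_fails():
    """Phisher captured the fingerprint plus one complete earlier answer and
    replays both from another machine; the new nonce makes the answer stale."""
    bank = ChallengeResponseBank()
    secret = bank.enroll("CubsFan123", CUSTOMER_FINGERPRINT)
    old_nonce = bank.challenge("CubsFan123")
    old_response = device_answer(secret, old_nonce, CUSTOMER_FINGERPRINT)
    bank.login("CubsFan123", CUSTOMER_FINGERPRINT, old_response)  # legitimate login
    bank.challenge("CubsFan123")  # fresh nonce for the phisher's attempt
    return bank.login("CubsFan123", CUSTOMER_FINGERPRINT, old_response)  # False


if __name__ == "__main__":
    print("static replay accepted:", static_replay_succeeds())
    print("challenge-response replay accepted:", challenge_replay_fails())
```

The mitigation only defeats copying of what the browser sends; a phisher who has installed malware on the customer's machine can steal the device secret as well, which is why a secret held in a separate token or hardware is what makes "something you have" a real second factor.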
The article recommends that customers remain vigilant in scrutinizing a website's certificate, for example by ensuring that the bank's internet address starts with "https" rather than simply "http." Note that "https" by itself only indicates that the connection is encrypted and that the site presented a certificate; a phishing site can serve its own certificate, so the domain name in the address bar and certificate must also be the bank's own. As for banks, however, it appears that the FFIEC's solution of using multi-factor authentication may need further assessment, but at least the FFIEC is making the phishers work harder.
For more information contact Mary A. Zambreno of Dickinson, Mackaman, Tyler & Hagen, P.C.