New attacks leave online transactions vulnerable even after sign-on authentication
Even site keys aren't good enough if clever hackers take over a transaction via emerging techniques such as 'man-in-the-browser' attacks
Companies are trying to demonstrate that they're getting better at securing online transactions by adding multiple forms of authentication at sign-on, such as site keys. But experts say they could do 10 types of authentication at the start of the session and users would still be subject to attacks.
"Once that user is authenticated, they think they're OK. But instead companies have given them a false sense of security to merrily transact business," says David Burns, CEO of 2factor Inc. in Maumee, Ohio.
Burns, who leads one of several start-ups that are trying to tackle this problem, says the real threat for online transactions these days comes from intrasession attacks, where a secure session is hijacked without the user's knowledge. These usually occur in two ways.
According to security expert Joel Snyder, a senior partner at Opus One in Tucson, Ariz., a piggyback attack is one in which a hacker "attacks by trying to use someone else's credentials" via malicious code. The attacker reaches the user through an infected public Web page or blog, which delivers JavaScript to the user's browser that reads the user's cookies and sends them to the attacker. Then, while the user's "live" session with a bank or other Web site is still open, the attacker replays those cookies to impersonate the user and transfer money or change the user's password before the session ends. The theft step works only when the session cookie is readable by page script; a cookie flagged HttpOnly is withheld from document.cookie, which is why that flag is a baseline defense against this variant.
