Posted by Jonathan Penn on April 4, 2007
It recently came to light that ABN AMRO banking customers were targeted with a virus. Nothing new there, as malware activity these days is all about financial gain. But ABN AMRO isn't your ordinary bank: it has two-factor authentication in place, where customers must use a One-Time Password (OTP) token to access the site. This also wasn't your ordinary attack. The malware, installed when unsuspecting users opened an email attachment, redirected victims to a fraudulent ABN AMRO site that conducted a man-in-the-middle attack: the fake site passed the victim's login, OTP included, on to the real bank while the code was still valid, so the token proved only that a customer was present at login, not that the customer had asked for whatever was done in the session afterwards. While the damage was contained to just four victims (that we know of), it serves as a warning that threats are evolving to counter the simple defense of strong consumer authentication at login, here combining Trojans, pharming, and man-in-the-middle into one targeted attack.
This is why it's important to authenticate/authorize at the transaction level -- login itself is all but irrelevant. A valid login proves only that someone holding the credentials started a session; it says nothing about whether the customer actually requested each transfer made in that session.
Activity monitoring and risk analysis, combined with authorization in the context of the activity (often referred to as risk-based authentication), is the only defense robust enough to counter this whole class of account-compromise attacks, whatever mechanism they use. When the decision to approve a transfer depends on the payee, the amount, the device, and the session's history, and a risky transfer has to be confirmed against those same details, a relayed OTP from a phishing proxy buys the attacker nothing on its own. We've written about such an approach here.
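To make the idea concrete, here is an added example of transaction-level, risk-based authorization in Python. It is not code from the original post and does not describe any real bank's system; the signals (new payee, unknown device, unusual country, amount far above typical), the weights, the thresholds, and the 8-digit HMAC confirmation code standing in for a "what you see is what you sign" token are all illustrative assumptions. It scores each transfer against what the bank already knows about the account, and when the score calls for step-up it requires a confirmation code bound to the exact payee and amount, so a code captured by a man-in-the-middle proxy does not verify once the payee has been swapped.

```python
"""Transaction-level, risk-based authorization (illustrative example, not a real bank's engine)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    account: str    # customer account the money leaves
    payee: str      # destination account as submitted to the bank
    amount: float
    device_id: str  # fingerprint of the client that submitted the request
    country: str    # geolocation of the submitting IP address


@dataclass
class AccountProfile:
    """What the bank already knows about the customer's normal behaviour."""
    known_payees: set
    known_devices: set
    usual_country: str
    typical_amount: float  # e.g. a rolling average of recent transfers


# Assumed weights and thresholds; a real engine would tune these from fraud data.
STEP_UP_THRESHOLD = 40
REVIEW_THRESHOLD = 100


def risk_score(tx, profile):
    """Score a transaction against the account profile. Returns (score, reasons)."""
    score, reasons = 0, []
    if tx.payee not in profile.known_payees:
        score += 40
        reasons.append("new payee")
    if tx.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if tx.country != profile.usual_country:
        score += 20
        reasons.append("unusual country")
    if tx.amount > 3 * profile.typical_amount:
        score += 30
        reasons.append("amount far above typical")
    return score, reasons


def decide(tx, profile):
    """Map the risk score to an action: allow, step_up (confirm this transaction) or review."""
    score, _ = risk_score(tx, profile)
    if score >= REVIEW_THRESHOLD:
        return "review"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def transaction_code(secret, tx):
    """8-digit code bound to the details the customer sees and confirms.

    Stands in for a transaction-signing token: the customer keys the payee and
    amount into the device, so the code commits to exactly those values and
    cannot be reused for a different payee or amount.
    """
    msg = f"{tx.account}|{tx.payee}|{tx.amount:.2f}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def verify_transaction_code(secret, tx, code):
    """True only if `code` was produced for this exact account, payee and amount."""
    return hmac.compare_digest(transaction_code(secret, tx), code)


def authorize(tx, profile, secret, code=None):
    """Full decision: risk analysis first, transaction-bound confirmation on step-up."""
    action = decide(tx, profile)
    if action != "step_up":
        return action
    if code is not None and verify_transaction_code(secret, tx, code):
        return "allow"
    return "deny"  # confirmation missing, or made for different transaction details


if __name__ == "__main__":
    # Constructed sample data: one customer, one routine transfer, one relayed attack.
    profile = AccountProfile({"NL01BANK0000000001"}, {"home-laptop"}, "NL", 250.0)
    secret = b"token-seed-for-alice"  # assumed per-customer token secret
    routine = Transaction("alice", "NL01BANK0000000001", 120.0, "home-laptop", "NL")
    print("routine:", authorize(routine, profile, secret))
    # The customer confirms a 600.00 transfer to their usual payee on the fake site;
    # the proxy forwards the code but substitutes a mule account and its own client.
    intended = Transaction("alice", "NL01BANK0000000001", 600.0, "home-laptop", "NL")
    relayed = Transaction("alice", "RO02MULE0000000099", 600.0, "proxy-box", "RO")
    stolen_code = transaction_code(secret, intended)
    print("relayed:", risk_score(relayed, profile), authorize(relayed, profile, secret, stolen_code))
```

Run as a script it prints `allow` for the routine transfer and `deny` for the relayed one, because the relayed transfer scores 90 (new payee, unknown device, unusual country) and the stolen code was computed over a different payee. A login-time OTP would have said yes to both, which is the whole point.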