New attacks leave online transactions vulnerable even after sign-on authentication

Computerworld - Companies are trying to demonstrate that they're getting better at securing online transactions by adding multiple forms of authentication at sign-on, such as site keys. But experts say they could do 10 types of authentication at the start of the session and users would still be subject to attacks.

"Once that user is authenticated, they think they're OK. But instead companies have given them a false sense of security to merrily transact business," says David Burns, CEO of 2factor Inc. in Maumee, Ohio.

Burns, who leads one of several start-ups that are trying to tackle this problem, says the real threat for online transactions these days comes from intrasession attacks, where a secure session is hijacked without the user's knowledge. These usually occur in two ways -- during a piggyback attack or a spoof server attack.

According to security expert Joel Snyder, a senior partner at Opus One in Tucson, Ariz., a piggyback attack is one where a hacker "attacks by trying to use someone else's credentials" via malicious code. The hacker targets the user when the user visits an infected public Web page or reads an infected blog, downloading JavaScript to the user's computer that sends the hacker his cookies. Then, during a "live" session with a bank or other Web site, the hacker can access the cookies and use them to transfer money or change the user's password before the session ends.

In a spoof server attack, the hacker pretends to be someone the user trusts, such as his bank, and gets him to visit the spoof site instead of the real site via an e-mail message, a link on a Web site or some other method. "Then the hacker puts up the screen where you log in and he grabs the user name and password," Snyder says. The fake log-in process appears legitimate to the user, who then gets a site error message or is handed off to the real site via a proxy connection. Once the hacker has the log-in information, he can transfer funds or alter the user's account settings. "Both have complexities that make them difficult to carry out ... but they are not uncommon," Snyder says.

Burns says one problem that makes users vulnerable to these attacks is that many transactions go through multiple hops across multiple networks. Users might log onto one system but carry out transactions with another. For example, a health care company could be dependent upon a third party to fill prescriptions online, and users would never know. He says this leaves them incredibly vulnerable.

"The user needs to know that from the front end to the back end, every part of that transaction is secure -- no matter how many hops or how many business partners are included," he says.

Burns says 2factor achieves this level of security by guarding every transaction between the client and the browser using SecureWeb, which uses the company's Real Privacy Management technology to continuously and mutually authenticate and encrypt transactions. "Every time a transaction occurs, an encryption key is exchanged between the browser and the server -- that way no one can hijack the session," he says.

Watch out for the man in the browser

Gartner Inc. analyst Avivah Litan agrees that more has to be done beyond sign-on authentication, but she says that even the newer security methods have trouble easily addressing emerging problems like "man-in-the-browser" attacks.

In a man-in-the-browser attack, malicious code is placed on a user's computer to manipulate Web transactions in real time. As a user enters a URL for his bank or some other site, hijackers intervene and begin manipulating information. "To avoid browser takeover, you have to authenticate the user's machine and the bank's machine, not just the piece of software," she says.