Weaknesses of 'Strong' Authentication
August 28, 2011 11:00 PM
One-Time Passwords
The passwords generated by keychain tokens change every minute, making them useless if stolen. So instead, fraudsters hijack the browser session after the user has logged in. (Image: ThinkStock)
Challenge Questions
Simple challenge questions, for which the user provides the answers, are often based on the sort of information users share with their friends on Facebook. (Image: ThinkStock)
Knowledge-Based Authentication
These questions are drawn from public databases. They ask about things like customers' home buying and auto buying history, which might not be obvious to strangers. But to roommates and relatives, that information is common knowledge. (Image: ThinkStock)
Out of Band
Sending a login code over another channel, such as a phone or email, is not foolproof. Email account passwords can be stolen as easily as bank passwords, and fraudsters have been known to hijack users' phone accounts to have calls and text messages redirected. (Image: ThinkStock)
Get a Mac!
Macs are not as frequently targeted by viruses as Windows computers are, but they are not airtight. Phishing attacks work on any operating system. (Image: ThinkStock)
Profiling Behavior
Banks can flag transfers as potentially fraudulent if they are made at odd hours or are otherwise out of character for that user. But if there is enough money to be had, fraudsters will study their targets and mimic their regular behavior to avoid detection. (Image: ThinkStock)
Dynamic Data
Contactless credit and debit cards use dynamic data to authenticate each payment, and are thus harder to counterfeit. But a stolen card will work just fine if the user doesn't report it missing. (Image: ThinkStock)
