In the fight against online crime, banks and other financial institutions have steadily been rolling out new technologies to counter the threat from cybercriminals. Unfortunately, the technologies employed by many financial institutions have failed to keep pace with the evolution of the criminal threat.

Online banking in the US still tends to rely on simple user name and password combinations. This is called "single-factor authentication" and is based purely on "something you know", in this case your password. In the rare cases where a confirmation number is required, it is often sent to the customer's email account, which is also easy for a criminal to compromise.

In Europe, two-factor authentication has been common for years; Germany and France were using two-factor authentication even in the days before the internet, for BTX and Minitel banking respectively. Two-factor authentication combines a user name and password, the "something you know", with an additional piece of information, often based on "something you have". A third factor is "something you are", the biometric factor. Rolling out biometrics at a financial institution is atypical because every customer must have access to some kind of biometric reader, so banks rely more on things like tokens and one-time passwords. These rely on methods such as a Transaction Authentication Number (TAN), a sheet of one-time-use numbers sent regularly to each customer. Some banks use a mobile TAN sent by SMS to the customer's mobile phone, some send hardware tokens to all customers, which generate random codes, and some offer card-reading devices which require a PIN and then generate a confirmation code. In most instances these codes are required whenever a customer is moving money around or making a payment.

Multifactor authentication is perceived by many as the panacea, the thing that will resolve all the issues. The problem is that we are not authenticating the right thing. With two-factor, or even hundred-factor, authentication, the person demonstrates that they are who they say they are, by receiving an SMS, by using a password from a sheet of paper or by some other means. But it does nothing to ensure the validity of any single transaction. We sit in front of our computers, open a browser and connect to our banking website. We enter our user name, certain digits from our password and then our one-time code, and at that point we establish a secure tunnel between the client and the financial institution to carry out transactions in a privileged environment.

Is the user the right thing to authenticate?

Criminal malware has already developed to the point where it can sit inside the browser of the infected computer and interfere with any transaction we make, even inside a secure tunnel. You may be telling your browser to tell your bank to transfer £500 to pay your bills, and you have to rely on your browser relaying that information intact to the bank. Of course, if a criminal controls the browser, he can modify that transaction, changing it from £500 to £5,000 and designating the recipient to be a money mule of his choice. When the bank sends the reply, the first to see it is the criminal in the browser, and again he can modify it so that you see only what you expect. This is called a man-in-the-browser attack. The majority of current banking malware is not engineered to overcome user authentication tokens, *yet*. Critically, though, some already is, such as Bebloh:

As criminals adopt this technology more widely, banks will have to update their risk assessments and may have to reconsider their investments.

Technology which successfully defends against this threat does exist, but its commercial deployment is unfortunately not widespread. Over the last few years, banks have been completing their roll-out of multi-factor authentication technologies. For the most part these technologies have been aimed at authenticating the user, ensuring that they are an authorised account holder by proving ownership of the token and knowledge of the password. A minority of banks have taken this further and issued all their account holders with a chip and PIN card reader aimed not only at authenticating the user but at verifying each individual transaction. Transaction verification systems ensure that man-in-the-browser attacks cannot succeed: if any critical detail of the payment (such as the amount or the beneficiary) is modified by a third party, the verification code generated by the chip and PIN device is no longer valid and the transaction fails. Simple user authentication systems have no such logical relationship to the transaction in question and so cannot act as an effective digital signature, because they cannot certify the integrity of the information being transmitted. No current malware is capable of overcoming properly implemented transaction verification technology, and account details stolen from a customer of a bank using such a system would be worthless to criminals, as they could not initiate any new transaction without the reader.
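As an added illustration, not part of the original article, the following Python models why the user-authentication code of a token cannot stop the man-in-the-browser attack described above, while a transaction verification code bound to amount and beneficiary can. The device key, bank challenge, account references and 8-digit HMAC truncation are constructed assumptions for the model, not any bank's actual scheme.

```python
import hmac
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    amount_pence: int   # £500.00 is 50_000
    beneficiary: str    # constructed sample account reference

def _truncate(mac: bytes) -> str:
    """Reduce a MAC to an 8-digit code a customer can type in (assumed format)."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def otp_code(device_key: bytes, counter: int) -> str:
    """User-authentication OTP (hypothetical token): bound to the device key
    and a counter only, so it says nothing about the payment details."""
    return _truncate(hmac.new(device_key, counter.to_bytes(8, "big"), hashlib.sha256).digest())

def transaction_code(device_key: bytes, challenge: bytes, tx: Transaction) -> str:
    """Transaction verification code: the reader signs the critical payment
    details (amount, beneficiary) together with a bank-issued challenge."""
    msg = challenge + tx.amount_pence.to_bytes(8, "big") + tx.beneficiary.encode()
    return _truncate(hmac.new(device_key, msg, hashlib.sha256).digest())

def man_in_the_browser(tx: Transaction) -> Transaction:
    """Model of browser malware rewriting the payment before it leaves the client."""
    return Transaction(amount_pence=tx.amount_pence * 10, beneficiary="MULE-ACCOUNT-0001")

def bank_accepts_otp(device_key: bytes, counter: int, code: str) -> bool:
    # The bank checks only that the OTP is valid; the transaction it received
    # is not part of the check, so a rewritten payment still goes through.
    return hmac.compare_digest(otp_code(device_key, counter), code)

def bank_accepts_tx(device_key: bytes, challenge: bytes, received: Transaction, code: str) -> bool:
    # The bank recomputes the code over the transaction it actually received;
    # any change to amount or beneficiary yields a different code, so it rejects.
    return hmac.compare_digest(transaction_code(device_key, challenge, received), code)

def simulate(device_key: bytes, tamper: bool) -> tuple:
    """Return (otp_accepted, tx_code_accepted) for an honest or tampered session."""
    intended = Transaction(50_000, "12-34-56 00001234")      # customer wants to pay £500
    challenge = b"\x01\x02\x03\x04\x05\x06\x07\x08"          # constructed bank challenge
    counter = 42
    otp = otp_code(device_key, counter)                      # read from the token
    tvc = transaction_code(device_key, challenge, intended)  # intended tx keyed into the reader
    sent = man_in_the_browser(intended) if tamper else intended
    return (bank_accepts_otp(device_key, counter, otp),
            bank_accepts_tx(device_key, challenge, sent, tvc))
```

With tampering, the OTP check still passes because it never looked at the payment, whereas the transaction code check fails because the bank recomputes it over the altered amount and beneficiary.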

The message to CIOs and security officers of financial institutions is clear: implement transaction verification technology to protect against fraud, instead of relying on simple user authentication, however numerous the factors. Banking and financial transactions in general are increasingly mobile and increasingly moving to the cloud, and criminal ingenuity is relentless in its pursuit of the money. Man-in-the-browser attacks and even banking malware for smartphones are already established realities. An effective layered defence, including mobile device protection, browser lockdown technologies, whitelisting, anti-malware and effective authentication and verification, all have their place.