Paul Ducklin, Sophos
Authentication, and two-factor authentication in particular, is seen as an important step against on-line crime, especially for on-line banking and Internet shopping. But authentication alone is not enough to protect computer users against the efforts of organised crime to steal their credentials, their data and even their identity.
In fact, strong authentication in only one part of a system may even make things worse if users expect to rely entirely on technology to protect them from phishing and related attacks.
Organised criminals have realised (precisely because they are organised) that phishing and identity theft can be carried out over an extended period, by piecing together snippets of information from separate attacks for a final sting. For example, logging on using an authentication token will neutralise password stealers, but the very presence of a token authentication request can make an ideal trigger for spyware - especially if its goal is to build up a pattern of your on-line behaviour by monitoring your financial transactions.
This paper traces the recent - and rapid - evolution of malware techniques in response to technological changes in our security regimes, and proves once again the old cliche that the price of freedom is eternal vigilance. The Bad Guys are out to get us, and if they can turn our defences against us, even in the slightest way, then they surely will.