Can strong authentication sort out phishing and fraud?

Paul Ducklin, Sophos

Authentication, especially two-factor authentication, is seen as an important step against on-line crime, especially for on-line banking and Internet shopping. But authentication alone is not enough to protect computer users against the efforts of organised crime to thieve their credentials, their data and even their identity.

In fact, strong authentication in only one part of a system may even make things worse if users expect to rely entirely on technology to protect them from phishing and related attacks.

Organised criminals have realised (precisely because they are organised) that phishing and identity theft can be carried out over an extended period, by piecing together snippets of information from separate attacks for a final sting. For example, logging on using an authentication token will neutralise password stealers, but the very presence of a token authentication request can make an ideal trigger for spyware - especially if its goal is to build up a pattern of your on-line behaviour by monitoring your financial transactions.

This paper traces the recent - and rapid - evolution of malware techniques in response to technological changes in our security regimes, and proves once again the old cliché that the price of freedom is eternal vigilance. The Bad Guys are out to get us, and if they can turn our defences against us, even in the slightest way, then they surely will.
