Two is not enough: Time to rethink two-factor authentication?
Written by John P Mello Jr on September 25, 2009
External devices can beef up an authentication system.
Technically speaking, an authentication factor is a piece of information used to verify the identity of a person. The rule of thumb in security circles is that the more factors used to authenticate an identity, the stronger the security. As authentication systems go, two-factor schemes are considered strong.
Authentication factors can be divided into three categories:
- Something you are. This usually applies to biometric authentication systems–fingerprints, retina scans and such.
- Something you know. Passwords, security codes and answers to challenge questions fall into this category.
- Something you have. An ATM card or security pass are examples of this kind of factor.
As strong as two-factor authentication is, faith in its strength was shaken this summer when hackers managed to crack such a scheme in real time.
The exploit involved Ferma, a construction company in Mountain View, California. The firm uses a one-time password program to authenticate identities. The program generates a new password every 30 to 60 seconds, making it very difficult for hackers to get much mileage from stealing a single password. Yet the crackers managed to plant a Trojan on the computer running the program and perform transactions in real time during the short period of time that the operator of the unit conducted business online. As the Ferma employee paid bills from the business’s bank account, the Black Hats conducted 27 transactions and ripped off $447,000 from the firm.
Moreover, the bandits displayed an impressive level of sophistication in their escapade. Not only did they perform their nefarious activities rapidly and in bulk, but they knew the withdrawal limits on the accounts they compromised, so they could avoid the red flags that would be raised immediately when a limit is exceeded.
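The lesson for detection is that a per-transaction limit is the wrong unit: attackers who know the limit simply stay under it and go for volume. The following is an added example, not anything from the original article or from Ferma's bank, of a review rule that also looks at the count and the sum of transfers over a sliding window. All limits, timestamps and amounts are constructed for the illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Hypothetical policy values, not Ferma's or any real bank's limits.
PER_TXN_LIMIT = 25_000       # the kind of per-transaction limit the attackers stayed under
WINDOW = timedelta(hours=1)
MAX_COUNT_IN_WINDOW = 5      # more transfers than this in an hour is unusual for the account
MAX_SUM_IN_WINDOW = 50_000   # aggregate cap, independent of per-transaction size

RULE_SINGLE = "single transfer over limit"
RULE_COUNT = "too many transfers in window"
RULE_SUM = "aggregate over window cap"


def review_transfers(transfers):
    """transfers: iterable of (datetime, amount, payee) tuples.
    Returns a list of (timestamp, rule) alerts in time order. The count and sum
    rules evaluate the whole sliding window, so many small transfers trip them
    even when no single transfer exceeds PER_TXN_LIMIT."""
    alerts = []
    recent = deque()  # (timestamp, amount) pairs inside the current window
    for ts, amount, payee in sorted(transfers):
        if amount > PER_TXN_LIMIT:
            alerts.append((ts, RULE_SINGLE))
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()  # drop transfers that have fallen out of the window
        recent.append((ts, amount))
        if len(recent) > MAX_COUNT_IN_WINDOW:
            alerts.append((ts, RULE_COUNT))
        if sum(a for _, a in recent) > MAX_SUM_IN_WINDOW:
            alerts.append((ts, RULE_SUM))
    return alerts


def constructed_sample():
    """Constructed data: one ordinary bill payment the day before, then eight
    20,000 transfers five minutes apart, each under the per-transaction limit."""
    start = datetime(2009, 7, 1, 9, 0)
    normal = [(start - timedelta(days=1), 3_500, "utility-co")]
    burst = [(start + timedelta(minutes=5 * i), 20_000, f"payee-{i}") for i in range(8)]
    return normal + burst


if __name__ == "__main__":
    for ts, rule in review_transfers(constructed_sample()):
        print(ts.isoformat(), rule)
```

On the constructed sample the per-transaction rule never fires, which is exactly the blind spot the attackers exploited; the aggregate rule fires at the third transfer and the count rule at the sixth. In practice the thresholds would be set per account from its own history rather than as fixed constants.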
The Ferma affair has resurrected the issue of whether or not external devices should be incorporated into authentication schemes. Such devices, if operated offline, would be immune to the kind of attack mounted on Ferma. What’s more, as an additional security measure, they could use a proprietary operating system or one less prone to attack, like Linux, that would thwart any attempt to plant malware on them.
One barrier to the greater use of external devices is cost. Financial institutions played with the idea of external devices during the nascent days of online banking, but they shelved the idea because, among other things, their customers resisted spending money on the things.
A possible alternative to expensive single-purpose devices suggested by some security experts is the dedicated financial computer. With so many older PCs collecting dust in closets and storage rooms, they reason, it might make sense to recommission one of those dinosaurs, install a free copy of Linux on it and require all online financial activity be conducted from that machine. Since the majority of malevolent applications spread through the Internet are aimed at computers running Microsoft Windows, they reason, a Linux machine would be relatively safe to use for financial purposes.
Since the dedicated terminal approach could prove cumbersome to IT departments and individual users alike, security firms have been working on creating secure silos on existing machines. Through software, a secure zone would be created on a computer. The zone could serve as a way to screen online activity from local activity. An area is created on the local hard drive–it might be a folder or partition–that acts as a sandbox for Web apps. When the apps reach a computer, they’re sent to the sandbox to run. The programs think they’re interacting with the local operating system, but actually their operations are confined to the sandbox. If they behave badly, their harm is confined to the security area, where they can be easily terminated and deleted from the system. One additional benefit of the approach is that it doesn’t have to depend on definition updates to provide protection. It can shield a computer from known and unknown threats equally. What’s more, it could be expanded to cope with threats from external media like USB drives.
A third and probably the most cumbersome authentication alternative is to require some type of offline verification of an event. For instance, before a financial transaction is approved, a financial institution might require the receipt of a phone call or SMS text message. Some credit card companies use such a system now. If a large transaction is posted to a card, the card owner will receive a phone call alerting them to the event and must approve the charge through an automated response system.
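What makes the offline-verification approach effective against a Trojan on the customer's PC is that the confirmation travels over a channel the malware does not control and names the exact transaction being approved. The following is an added example, not code from the original article or from any card issuer or bank, of the bank-side half of such a flow: the transfer is parked, a code bound to its account, amount and payee is "sent" to a simulated SMS outbox, and the transfer executes only if the code comes back for unchanged details, unexpired and unused. The server key, the 120-second validity period and the message format are assumptions of the example.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 120  # hypothetical validity period for a confirmation code


class OutOfBandApprover:
    """Bank-side approval step. A transfer is executed only after the customer
    enters a code delivered over a second channel (here a list standing in for
    an SMS gateway). The code is an HMAC over the exact transfer details and a
    fresh nonce, so a code issued for one payee cannot approve another."""

    def __init__(self, server_key: bytes):
        self.key = server_key
        self.pending = {}     # txn_id -> details, nonce, issue time, used flag
        self.sms_outbox = []  # (phone, message) pairs; simulated delivery

    def _code(self, details, nonce: bytes) -> str:
        msg = "|".join(str(x) for x in details).encode() + nonce
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def request(self, txn_id, account, amount, payee, phone, now) -> str:
        """Park the transfer and send the customer a code bound to its details.
        Returns the message text so the caller can see what was 'sent'."""
        details = (account, amount, payee)
        nonce = secrets.token_bytes(16)
        self.pending[txn_id] = {"details": details, "nonce": nonce, "issued": now, "used": False}
        message = (f"Approve {amount} to {payee} from {account}? "
                   f"Reply with code {self._code(details, nonce)}")
        self.sms_outbox.append((phone, message))
        return message

    def confirm(self, txn_id, account, amount, payee, code: str, now) -> bool:
        """Execute only if the code is unexpired, unused, and matches the details
        the bank is actually about to process, not what the browser displayed."""
        rec = self.pending.get(txn_id)
        if rec is None or rec["used"]:
            return False
        if now - rec["issued"] > CODE_TTL_SECONDS:
            return False
        if (account, amount, payee) != rec["details"]:
            return False  # details changed since the code was issued
        if not hmac.compare_digest(self._code(rec["details"], rec["nonce"]), code):
            return False
        rec["used"] = True
        return True


if __name__ == "__main__":
    bank = OutOfBandApprover(b"constructed-server-key")
    sent = bank.request("t1", "acct-1", 20_000, "Vendor A", "+15550100", now=1000)
    print("sent:", sent)
    print("approved:", bank.confirm("t1", "acct-1", 20_000, "Vendor A", sent.split()[-1], now=1010))
```

The message spells out the amount and payee because the customer, not the compromised browser, is the last check: if the text on the phone does not match what they meant to pay, they decline. That is also why the code is derived from the details rather than being a random number stored alongside them; a random code would still work if the parked details were swapped before confirmation.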
In many cases where authentication is required, the two-factor method is adequate. It isn’t likely that high-powered hackers like those that victimized Ferma are going to expend the considerable resources it takes to cook up such a scheme to crack into a mail server. But where the reward for larcenous behavior can be converted into cash, some rethinking of the approach may be required.
In the past, financial institutions have been less than energetic in approaching these problems. In 2005, they had to be dragged to the two-factor table by the federal government. However, if Ferma’s response to its mishap is any indication of what might happen if banks don’t step up to the plate on this issue, the money handlers will certainly sit up and take notice because they’ll start losing the fat margins they make on electronic transactions. What did Ferma do? It went back to paying bills with paper checks.