Sophisticated cyber-criminals can get around even two-factor
authentication techniques with man-in-the-middle attacks. MITM works
like the normal spoof but submits a user's just-typed password to the
real site, which sends the PIN to that user's smartphone. When the user
types the PIN into the spoofer's phony log-in screen, the criminal can
then pass it to the real web site, thus gaining entry into the user's
To thwart man-in-the-middle attacks, a third factor is needed,
traditionally something-you-are, like a retina scan or a fingerprint
swipe. The Fast IDentity Online (FIDO) Alliance, which Google recently
joined, supports all sorts of multifactor authentication techniques
using hardware keys, PINs and fingerprint scans. And the newest
third-factor biometrics come from unique "signature" gestures that are
virtually impossible to duplicate. For instance, Lockheed Martin and
Fixmo recently teamed on an authentication solution that accepts
gestures made right on the user's existing touchscreen.
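
The relay described in the opening paragraph, and why a response from a FIDO-style hardware key does not survive it, shown as an added example that is not part of the original article. It is a simplified in-process model: the class and function names, the origins and the credential are constructed, and an HMAC stands in for the hardware key's signature.

```python
import hashlib
import hmac
import secrets

def sign(key, challenge, origin):
    """Stand-in for a hardware key: binds the challenge to the origin the browser sees."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()

class RealSite:
    ORIGIN = "https://bank.example"            # constructed origin

    def __init__(self):
        self.password = "hunter2"              # constructed credential
        self.key = secrets.token_bytes(32)     # enrolled with the user's hardware key
        self.pin = None
        self.challenge = None

    def start_login(self, password):
        """Check the password, then issue a one-time PIN and a fresh challenge."""
        if not hmac.compare_digest(password, self.password):
            return None
        self.pin = f"{secrets.randbelow(10**6):06d}"   # sent to the user's phone
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def finish_with_pin(self, pin):
        # The PIN is a bearer value: the site cannot tell who forwarded it.
        return self.pin is not None and hmac.compare_digest(pin, self.pin)

    def finish_with_key(self, response):
        # The response is only valid if it was computed over the site's own origin.
        expected = sign(self.key, self.challenge, self.ORIGIN)
        return hmac.compare_digest(response, expected)

def relayed_login(site, page_origin, use_hardware_key):
    """The user logs in on a page at page_origin, which forwards everything to site."""
    challenge = site.start_login("hunter2")    # typed password is forwarded
    if use_hardware_key:
        # The key signs over the origin of the page the user is actually on.
        return site.finish_with_key(sign(site.key, challenge, page_origin))
    typed_pin = site.pin                       # user reads the PIN and types it in
    return site.finish_with_pin(typed_pin)

if __name__ == "__main__":
    spoof = "https://bank-login.example"       # constructed look-alike origin
    print("PIN via spoofed page accepted:", relayed_login(RealSite(), spoof, False))
    print("Key via spoofed page accepted:", relayed_login(RealSite(), spoof, True))
    print("Key via real page accepted:   ", relayed_login(RealSite(), RealSite.ORIGIN, True))
```
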
two-factor authentication scheme uses the MobiKEY as its second factor,
plus is integrated with MobiNET's virtual desktop infrastructure (VDI)
that only communicates encrypted keystrokes and screenshots with the
mobile device so that secure data stays behind firewalls.
The bottom line is that security solutions exist that make password
theft moot. Of course, no matter how secure we make our systems,
sophisticated bad guys will adapt and find new ways to steal data from
us. Nevertheless, we should at least make it as hard as possible for
them by adopting the cyber-security technologies that we already know
can prevent most breaches.