Why do you think authenticating the transaction will fix everything?

I think it's quite good, but way more expensive than other solutions, but better than sending TANs to a mobile phone, which doesn't prevent all MITM attacks.


Any transactions to a NEW payee then have to be authenticated via a card reader that reads your chip and PIN card, prompts for your PIN and then issues a one-time passcode.

b) use a client-certificate for a secure connection.

Back in 2005, I wrote about the  of two-factor authentication to mitigate banking fraud:

I know one bank that gives a device where you enter amount and account number of the other party in the transaction and the device gives you a checksum to confirm the online transaction.
It is not perfect (the device can be stolen), but it prevents man in the middle network attacks because the mitm has no checksum for his fraudulent transaction and changing the information of a valid transaction will cause a checksum failure. (Read up on MACs in a cryptography text.)
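The device described in this comment, modelled as an added example (not code from the thread or any bank): the device and the bank share a per-customer key and the checksum is an HMAC over the payee account and amount the user typed in, truncated to a short code. Key, account numbers and amounts are constructed sample values.

```python
# Transaction-signing device modelled as a truncated HMAC (added example).
import hashlib
import hmac
import secrets


def canonical(payee_account: str, amount_cents: int) -> bytes:
    # Separator keeps ("12", 345) and ("123", 45) from encoding identically.
    return f"{payee_account}|{amount_cents}".encode()


def device_code(device_key: bytes, payee_account: str,
                amount_cents: int, digits: int = 8) -> str:
    # Hypothetical device: HMAC-SHA256 over the typed-in fields, truncated to
    # a decimal code short enough for the user to copy into the web form.
    mac = hmac.new(device_key, canonical(payee_account, amount_cents),
                   hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return f"{n:0{digits}d}"


def bank_accepts(device_key: bytes, payee_account: str,
                 amount_cents: int, code: str) -> bool:
    # Bank recomputes the code from the transaction it actually received;
    # constant-time compare avoids leaking how many digits matched.
    expected = device_code(device_key, payee_account, amount_cents)
    return hmac.compare_digest(expected, code)


def demo() -> tuple:
    key = secrets.token_bytes(32)          # shared at enrolment (constructed)
    code = device_code(key, "ACCT-0001", 12500)   # user signs 125.00 to ACCT-0001
    honest = bank_accepts(key, "ACCT-0001", 12500, code)
    # A network MITM rewrites the payee in transit; without the device key it
    # cannot produce a code for the altered transaction, so the bank rejects it.
    tampered_payee = bank_accepts(key, "ACCT-9999", 12500, code)
    tampered_amount = bank_accepts(key, "ACCT-0001", 999900, code)
    return honest, tampered_payee, tampered_amount
```

The code binds only what the user actually typed into the device, which is why the usability concern raised later in the thread matters: a user who copies an attacker-supplied account number into the device will sign the attacker's transaction.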
But how would a bank work that?

The SMS backchannel seems to be a fairly strong compromise, but there have been cases of identity theft where the attacker could use the mark's credentials to transfer their telephone number.

Will two factor authentication fix every authentication issue?

We do have the ability to defend against these attacks...and it's not through a single solution! But strong authentication definitely has a role to play!


I am not sure I understand your question. The SSL server certificate is what tells the client they are connected to the real bank web server. If a MITM forces the client to a bogus web server (with a bogus look-a-like domain) which provides a bogus SSL server cert, then the client would easily be able to detect this to know they are not connected to the real bank website when they verify the SSL server certificate. This is the server authentication part of SSL that specifically prevents MITM attacks.


Considering these points, organizations should consider a layered strategy to address these attacks, including deploying security capabilities like:
1) EV SSL, which provides a higher level of confidence to end users that they are on the right web site
2) Strong authentication, including tokens, out-of-band OTPs, digital certificates on smart cards, and others. This can include transaction authentication as well, but I would submit that usability will be key here...having users entering a lot of numbers/text in a small device is destined for failure!
3) Fraud detection to transparently monitor online activities and help block fraudulent transactions. Examples: being able to detect that transactions are happening in rapid succession or having traits in the communication to the site that indicate a trojan.


The concept of layered security provides a tremendous opportunity to address a wide range of attacks, including MITM and trojans (sometimes referred to these days as Man-in-the-browser attacks). I believe organizations need to look at the problem more holistically though, considering the following:
1) Defense in depth--a single solution will not solve the problem
2) Impact on the customer experience--you can't make things too difficult for end users or they will simply take other (more expensive!) paths
3) Ability to react to future attacks--you need to be able to evolve...fraudsters are not standing still, that's for sure
4) Flexibility of solutions chosen--it's important that you can deal with multiple user communities
5) Affordability...it does come down to this at some point!