Here's a great example of an attack focused on Citibank a few months ago, where a Man in the Middle exploit was used to defeat a One Time Password implementation of 2-factor authentication.
http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
If it's just data that you type in, it can be stolen, spoofed, or passed through, leaving you no better off than before.
Tuesday, May 15, 2007
Paypal's getting the message
Paypal recently rolled out a 2-factor authentication option:
https://www.paypal.com/securitykey
The trouble here - and with any One Time Password (OTP) device - is that these systems are quite vulnerable to Man in the Middle (MITM) attacks. If a thief can get in between your browser and the server, they can pass through your OTP along with your other credentials without your knowledge, and hijack your session at that point, once the server believes a valid session has been established.
What's really needed here is a second channel of authentication and security, relying on a physical hardware device (Something You Have) that can only be checked dynamically by the software system itself, and that is completely independent of the actual systems you're trying to access (i.e. banking website).
https://www.paypal.com/securitykey
The trouble here - and with any One Time Password (OTP) device - is that these systems are quite vulnerable to Man in the Middle (MITM) attacks. If a thief can get in between your browser and the server, they can pass through your OTP along with your other credentials without your knowledge, and hijack your session at that point, once the server believes a valid session has been established.
What's really needed here is a second channel of authentication and security, relying on a physical hardware device (Something You Have) that can only be checked dynamically by the software system itself, and that is completely independent of the actual systems you're trying to access (i.e. banking website).
Wikipedia entry for our topic
The Wikipedia entry for 2-factor authentication is not bad. We hope to participate in enhancing it further.
For reference, here's the URL:
http://en.wikipedia.org/wiki/Two_Factor_Authentication
For reference, here's the URL:
http://en.wikipedia.org/wiki/Two_Factor_Authentication
Online Banking
Similar to the previous post regarding online commerce, every time you log into your bank you're conducting a 1-factor authenticated transaction. Sure, Bank of America has "SiteKey" which asks you for additional knowledge-based credentials (Something You Know) but other than a clever image-oriented system to help you avoid entering those credentials into a fake version of their website, this system, and systems like it, don't help protect you. They help prevent your credentials from being stolen, sure, but as we saw in the Dateline piece, those credentials are fairly easy to obtain or guess - and once obtained, you're in big trouble.
What's needed is a true 2-factor authentication system to validate your identity before you log into the bank website.
The Financial Services Technology Consortium issued recommendations on this subject, available at the following URL:
http://www.fstc.org/projects/docs/Recommendations_and_Requirements_for_BMA_v1.0.pdf
We wholeheartedly agree with this document, especially their statement that “no authentication system should rely solely on passwords or other knowledge-based queries or shared secrets. If a password should be compromised, it must not be feasible for an impostor to defeat authentication with just knowledge of a password and an associated claim—e.g., userid, account number, name, SSN.”
What's needed is a true 2-factor authentication system to validate your identity before you log into the bank website.
The Financial Services Technology Consortium issued recommendations on this subject, available at the following URL:
http://www.fstc.org/projects/docs/Recommendations_and_Requirements_for_BMA_v1.0.pdf
We wholeheartedly agree with this document, especially their statement that “no authentication system should rely solely on passwords or other knowledge-based queries or shared secrets. If a password should be compromised, it must not be feasible for an impostor to defeat authentication with just knowledge of a password and an associated claim—e.g., userid, account number, name, SSN.”
Online Commerce
http://www.msnbc.msn.com/id/17822386/
This Dateline piece makes it abundantly clear just how easily a thief can obtain credentials - like a credit card number, password, user ID, etc - and wreak havoc on a victim in a matter of minutes. Some scams are more elaborate than others, but the bottom line is always the same - if you can type in a few pieces of information, the computer on the other end of the line doesn't know the difference between you and the real owner of those credentials.
That's what 2-factor authentication is for. If the merchants in this story required a physical authentication device (Something You Have) in addition to the knowledge-based authentication (Something You Know) the thieves would have no way to use the data they've collected to do any damage.
This Dateline piece makes it abundantly clear just how easily a thief can obtain credentials - like a credit card number, password, user ID, etc - and wreak havoc on a victim in a matter of minutes. Some scams are more elaborate than others, but the bottom line is always the same - if you can type in a few pieces of information, the computer on the other end of the line doesn't know the difference between you and the real owner of those credentials.
That's what 2-factor authentication is for. If the merchants in this story required a physical authentication device (Something You Have) in addition to the knowledge-based authentication (Something You Know) the thieves would have no way to use the data they've collected to do any damage.
Wednesday, May 2, 2007
Introduction
This blog is dedicated to the discussion of 2-factor authentication. What is 2-factor authentication, you ask? Well, think of an ATM - to log in and get cash, you need to present your card and a PIN. The card is something you have - a physical token. The PIN is something you know - an information token. Each one is a "factor" of authentication, contributing to the ATM network's ability to verify your identity. This premise is critical to effective security in any online transaction - whether you're logging into your PC remotely, accessing your bank account, or working on a corporate application. Without true 2-factor authentication - a physical token and an information token - it's just too easy for an attacker to gain unauthorized access to private information. That's because passwords are so simple to steal, buy, or guess. The physical token, an item that only you have in your possession, is the crucial piece of the puzzle. In this blog, we'll endeavor to discuss the latest advances in 2-factor (and 3- or more factor) authentication, as well as talk about security incidents that could have been avoided by using 2-factor authentication to verify the identities of the individuals involved.
In the interests of full disclosure, my colleagues and I on this blog are also part of the team at Plethora Technology, producers of the 2-factor authenticated information access and sharing system Enterprise-in-a-Flash. More information at www.enterpriseinaflash.com. From time to time we may post about our own product, but in general, this blog is intended to foster discussion about 2-factor authentication as an important idea for security in today's world, no matter whose product is implementing it.
In the interests of full disclosure, my colleagues and I on this blog are also part of the team at Plethora Technology, producers of the 2-factor authenticated information access and sharing system Enterprise-in-a-Flash. More information at www.enterpriseinaflash.com. From time to time we may post about our own product, but in general, this blog is intended to foster discussion about 2-factor authentication as an important idea for security in today's world, no matter whose product is implementing it.
Subscribe to:
Posts (Atom)