Just when you thought second-factor tokens from banks meant it was safe to go back in the (online) water, a new phishing spoof targets Citibank's two-factor token system.
http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
This is something I've been nervous about since the very first of these random-number-rotation tokens came on the market. While certainly better than nothing, they remain vulnerable for the time that the current random number is valid. Even if that's only 60 seconds, it's still a viable window for attack.
The problem remains that it's just another password that is entered into a box and submitted across the wire to a server. That means it can be captured / stolen / spoofed, and during the 60-second window, it's the same as any other password.
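To make that window concrete, here is a small TOTP-style verifier written for this page (added example, not Citibank's or any vendor's code; the seed, timestamps and client addresses are constructed). It accepts the current 60-second step plus one step of drift, records which client presented a code first, and refuses a second presentation of the same code, the usual single-use mitigation; a code that reaches the server before the legitimate user's own submission still passes, which is exactly the post's point.

```python
import hmac
import hashlib
import struct

STEP = 60  # the token rotates its number every 60 seconds, as in the post


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class TokenVerifier:
    """Server side: accept the current step (+/- skew) and allow each code exactly once."""

    def __init__(self, secret: bytes, step: int = STEP, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.used = {}  # counter -> client that first presented the code

    def verify(self, code: str, now: float, client: str):
        base = int(now // self.step)
        for counter in range(base - self.skew, base + self.skew + 1):
            if hmac.compare_digest(totp(self.secret, counter), code):
                if counter in self.used:
                    # Same code a second time inside the window: a replay, or a relay
                    # that beat the user to the server; alert on it rather than fail silently.
                    return "replay", self.used[counter]
                self.used[counter] = client
                return "ok", None
        return "bad", None


def demo():
    """Constructed scenario: one code read off the token, presented twice, then after expiry."""
    secret = b"constructed-demo-seed"
    verifier = TokenVerifier(secret)
    t0 = 1_700_000_000                     # constructed timestamp
    code = totp(secret, t0 // STEP)        # what the user reads off the token at t0
    first = verifier.verify(code, t0 + 5, "198.51.100.7")      # whoever reaches the server first wins
    second = verifier.verify(code, t0 + 30, "203.0.113.9")     # same code, still inside the window
    late = verifier.verify(code, t0 + 3 * STEP, "203.0.113.9")  # window has closed
    return first, second, late


if __name__ == "__main__":
    print(demo())
```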
The only solution is a device that has unique physical properties that are read and incorporated by the software directly into the authentication process in real time, rather than numbers that are transmitted across the connection.
This is the driving consideration behind the patented SecureChannel system at the core of the Enterprise-in-a-Flash secure remote access service.
Friday, November 14, 2008
Friday, October 17, 2008
Phones as second factors of authentication
I've been noticing a trend in the market towards acceptance of phones, particularly cell phones, as a mechanism for enforcing multi-factor authentication. While I applaud the attempt to make multi-factor authentication more ubiquitous by tying it to an already-prevalent device, I am worried.
Basically, the way it works is that you input your phone number into your profile at the online service you're logging into - be it a remote desktop product, your bank, or some other system. Then, when you hit the login page, you enter your username and password, and the system sends a message to your cell with a One Time Password (OTP), or calls you, at which point you press a button to indicate you've received the call. Once the host recognizes the OTP or receives your call confirmation button press, you're logged in.
It seems to me that there are several opportunities for trouble here.
First, it's complicated. Not very complicated, but complicated enough. It's another step or two that the average user may simply opt out of. Will users really adopt it if it's an optional feature?
How about logistical difficulties: Do I have to pay for the text message or call minutes every time I log in? What happens if I'm in an area without cell coverage, like a basement office or a remote vacation spot? What if my phone runs out of battery?
In terms of the security itself, what's to prevent someone from stealing my (presumably single-factor) website login and modifying my profile to put in their phone number?
In the end, I think it's probably better to stick with industry-standard methods for multi-factor authentication -- primarily separate hardware authentication tokens, issued in unique fashion to each user. This is just too important to entrust to a clever but potentially flawed methodology.
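The profile-change weakness raised above, as an added example written for this page (not any bank's or remote-desktop vendor's code; account names, numbers and the SMS gateway stand-in are constructed). The naive method lets a password alone re-point the second factor; the hardened pair sends the confirmation code to the number already on file, so the caller must also hold the current phone before a new one is accepted.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str  # stand-in for a password hash; plaintext only to keep the demo short
    phone: str     # the number that receives login OTPs
    pending: dict = field(default_factory=dict)  # challenge id -> (new_phone, otp)

class ProfileService:
    def __init__(self):
        self.accounts = {}
        self.outbox = []  # constructed stand-in for the SMS gateway: (destination, otp)

    def set_phone_naive(self, user, password, new_phone):
        # The weak design the post worries about: a stolen password re-points the factor.
        acct = self.accounts[user]
        if not hmac.compare_digest(password, acct.password):
            return False
        acct.phone = new_phone
        return True

    def request_phone_change(self, user, password, new_phone):
        # Hardened: the password starts the change, but the OTP goes to the number
        # already on file, so the caller must also hold the current phone.
        acct = self.accounts[user]
        if not hmac.compare_digest(password, acct.password):
            return None
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        challenge = secrets.token_hex(8)
        acct.pending[challenge] = (new_phone, otp)
        self.outbox.append((acct.phone, otp))  # old number, never the requested one
        return challenge

    def confirm_phone_change(self, user, challenge, otp):
        acct = self.accounts[user]
        entry = acct.pending.pop(challenge, None)  # one attempt per challenge
        if entry is None or not hmac.compare_digest(entry[1], otp):
            return False
        acct.phone = entry[0]
        return True

def demo():
    # Constructed scenario: the password is known to a second party, the phone is not.
    svc = ProfileService()
    svc.accounts["alice"] = Account(password="hunter2", phone="+15550100")
    challenge = svc.request_phone_change("alice", "hunter2", "+15550199")
    guessed = svc.confirm_phone_change("alice", challenge, "000000")  # no access to the old phone
    return guessed, svc.accounts["alice"].phone, svc.outbox[-1][0]
```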
Thursday, October 16, 2008
Implanted RFID Chip
I came across this item recently, regarding implanted RFID chips acting as a 2nd factor of authentication.
http://connectid.blogspot.com/2008/10/is-this-2-factor-authentication.html
I don't think there's any doubt that this is a form of multifactor authentication, as disturbing as it may be... The interesting, though academic, question is this: is the RFID chip then something that you have or something that you are?
Wednesday, April 2, 2008
Passwords For All To See
While doing some market research the other day, Google presented us with several documents containing login information for GoToMyPC and LogMeIn user accounts. Usernames, passwords, access codes - the works. Just posted to the web for anyone to find. Plus a bunch of people's logins for e-commerce, online banking, and travel sites, among other things. It's really quite amazing how much security-sensitive information is just floating around cyberspace. And of course, the easy availability of passwords speaks directly to the need for people to be using 2-factor authentication as much as they can, so they're not vulnerable to password theft or inadvertent disclosure.
Shameless plug - here's the marketing slick we put together to help our prospects understand why this is important:
http://www.enterpriseinaflash.com/security/Password Security Breach 4-2-08.pdf