Friday, November 14, 2008

Phishing For Second Factors

Just when you thought second-factor tokens from banks meant it was safe to go back in the (online) water, a new phishing spoof targets Citibank's two-factor token system.

http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html

This is something I've been nervous about since the very first of these random-number-rotation tokens came on the market. While certainly better than nothing, they remain vulnerable for as long as the code currently on the display is accepted by the server. Even if that is only 60 seconds (and most servers also accept the previous and next code to tolerate clock drift, which stretches it), that is a perfectly workable window for an automated attack.

The problem remains that it's just another password: a short string typed into a box and submitted across the wire to a server. Nothing ties the code to the site the user is actually connected to, so it can be captured, stolen or spoofed like any other password, and a phishing page that simply forwards it to the real bank before it expires gets a working session. The only thing the token adds is an expiry; inside that 60-second window it's the same as any other password.

The only real solution is a device that takes part in the authentication directly and in real time: its answer has to depend on the specific connection it is being used on, so that the software on the server can check it against that connection and anything relayed by a man-in-the-middle is useless for the attacker's own session. A number that is read off a display, retyped and transmitted across the connection can always be relayed; a response bound to the channel cannot.
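The two preceding paragraphs describe the attack (a phishing page relaying the one-time code within its validity window) and the property a fix needs (a response bound to the connection the user is really on). The following simulation is an added example, not code from this post or from any vendor's product. It implements a standard RFC 4226/6238 time-based code with a 60-second step and a hypothetical bank that tolerates one step of skew, then models a "channel-bound" device whose answer is a MAC over the server's challenge and the origin the client is actually connected to. The bank names, the phishing origin and the shared seed are all constructed for the demo; the origin-binding design is the same idea later standardized in FIDO/U2F, not something the post specifies.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo secret shared by the token and the bank (RFC 4226 test key, not a real one).
SEED = b"12345678901234567890"
STEP = 60          # the token rotates once a minute, as in the post
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(key: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (what the keyfob displays)."""
    return hotp(key, now // step)


class OtpBank:
    """Hypothetical server: accepts a code matching the current step or its neighbours."""

    def __init__(self, key: bytes, skew: int = 1):
        self.key = key
        self.skew = skew

    def login(self, code: str, now: int) -> bool:
        step = now // STEP
        return any(
            hmac.compare_digest(code, hotp(self.key, step + d))
            for d in range(-self.skew, self.skew + 1)
        )


def relay_otp(bank: OtpBank, victim_now: int, phisher_now: int) -> bool:
    """The phishing page captures the code the victim typed at victim_now and
    submits it to the real bank at phisher_now. Nothing in the code identifies
    which connection it came from, so the bank cannot tell the two apart."""
    captured = totp(SEED, victim_now)
    return bank.login(captured, phisher_now)


# --- the alternative: a response bound to the origin the client is really talking to ---

def device_respond(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Hypothetical channel-bound device: answers the server's challenge with a MAC
    over (challenge, origin), where origin is the host the browser is actually
    connected to. It never emits a bare, retypeable number."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class BoundBank:
    ORIGIN = "bank.example"   # constructed hostname of the real bank

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}     # session id -> outstanding challenge

    def start(self, session: str) -> bytes:
        challenge = os.urandom(16)
        self.pending[session] = challenge
        return challenge

    def finish(self, session: str, response: bytes) -> bool:
        challenge = self.pending.pop(session, None)   # one use per challenge
        if challenge is None:
            return False
        expected = device_respond(self.key, challenge, self.ORIGIN)
        return hmac.compare_digest(response, expected)


def relay_bound(bank: BoundBank, phishing_origin: str = "bank-login.example") -> bool:
    """Real-time relay against the bound scheme: the phisher opens its own session
    with the bank, forwards the bank's challenge to the victim, and forwards the
    victim's answer back. The victim's device binds its answer to the origin it is
    connected to (the phishing site), so the bank's check fails."""
    challenge = bank.start("phisher")
    victim_response = device_respond(SEED, challenge, phishing_origin)
    return bank.finish("phisher", victim_response)


def legit_bound(bank: BoundBank) -> bool:
    """The honest flow: the victim's browser is connected to the real origin."""
    challenge = bank.start("victim")
    return bank.finish("victim", device_respond(SEED, challenge, BoundBank.ORIGIN))


if __name__ == "__main__":
    bank = OtpBank(SEED)
    t = 1_000_000
    print("OTP relayed 20 s later :", relay_otp(bank, t, t + 20))    # accepted
    print("OTP relayed 200 s later:", relay_otp(bank, t, t + 200))   # expired
    bb = BoundBank(SEED)
    print("bound, legitimate      :", legit_bound(bb))
    print("bound, relayed         :", relay_bound(bb))
```

The first relay succeeds because the bank's check is purely "does this six-digit string match one of three counters"; the second fails only because the clock moved on, which is the whole of the protection the post is describing. In the bound variant the phisher still sees every byte on the wire, but the bytes it captures were computed over `bank-login.example` and the bank verifies them over `bank.example`, so possession of the traffic buys nothing.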

This is the driving consideration behind the patented SecureChannel system at the core of the Enterprise-in-a-Flash secure remote access service.
