July 10, 2006

Threatwatch - 2-factor tokens attacked by phishers - another "must-have" security tool shown to be fighting the last war

Lance James points out that Phishers have moved on to attacking 2-factor authentication tokens:

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

This news (Brian Krebs in a Washington Post blog) has been expected (#10.3) for a long time. It's a timeline point -- we've moved to that stage.

More bad news for suppliers of 2-factor tokens and also US Banks which got a quasi-recommendation to implement something like this. I say, quasi-something, because the FDIC carefully did not recommend any specific technology, choosing instead to recommend that banks carefully review their risk-based exposure (although I also called it wrongly, initially). The banks themselves may have assumed tokens or similar, for whatever reason.

It has been interesting to watch RSASecurity deal with this. I'd say they saw the writing on the wall maybe a year or two ago. They aggressively expanded from their older PKI roots and their staple SecureId 2-factor token by buying more modern companies such as Cyota in Britain. It was Cyota that pushed them into "defence in depth" which involved transaction monitoring and risk-graduated authentication mechanisms.

RSASecurity also purchased PassMark which had a big deal to provide Bank Of America with unique pictures for each account user, in what they call their "2-factor-2way" solution. Between the two of them, these two companies buried the older "2-way authentication" system known as SSL which RSASecurity had had so much to do with in the early days (the one the phishers showed to be a Maginot defence).

Now the phishers count coup again -- PassMark's technology is also vulnerable to the new phishing attack. Being bought out by EMC might have been a good move alround.

Now, the casual marketeer will take this as gloating. We've predicted this for so long, we must be overjoyed. No such. That would be their own lack of familiarity at open criticism, an essential tool in risk management, because attackers brook no marketing fools. Here's where we are at.

Firstly, the industry is in dire straights and the sooner we recognise it the better. RSASecurity, or Cyota as it happens, recognised the broken SSL system a while back.

Secondly, it is absolutely vital that this information be put out in to the wider community. European banks have been working like mad for 6 months. American banks are still fighting the last war, and while they are looking backwards, there are more enemies coming up. American banks, for lethargy and bad advice, and American security suppliers, for liability *1, 2) and overzealous histories, are especially vulnerable.

It is American account holders to whom this column is devoted, today.

Posted by iang at July 10, 2006 05:48 PM | TrackBack

a couple old posts from more than a year ago mentioning that it appears vulnerable to MITM-attacks
http://www.garlic.com/~lynn/aadsm19.html#20 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.html#21 Citibank discloses private information to improve security


http://www.garlic.com/~lynn/aadsm19.htm#23 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#24 Citibank discloses private information to improve security

... for some drift

http://www.garlic.com/~lynn/aadsm19.htm#25 Digital signatures have a big problem with meaning

and some discussion of browser/ssl operation
http://www.garlic.com/~lynn/aadsm19.htm#27 Citibank discloses private information to improve security


http://www.garlic.com/~lynn/aadsm19.htm#28 "SSL stops credit card sniffing" is a correlation/causality myth

and even this

http://www.garlic.com/~lynn/aadsm19.htm#33 Digital signatures have a big problem with meaning

somewhat coincident ... but I had just appended some comments about multi-factor authentication
http://www.garlic.com/~lynn/aadsm24.htm#32 DDA cards may address the UK Chip&Pin woes

in this thread

Posted by: Lynn Wheeler at July 10, 2006 07:05 PM

Not to pick nits, but I thought the FFIEC made this "recommendation". (http://www.ffiec.gov/pdf/authentication_guidance.pdf)

Posted by: Chris Walsh at July 10, 2006 08:13 PM

Bank's don't have to make the system perfect, they just have to raise the bar enough that the attackers go elsewhere.

Perhaps dynamic passwords are not enough. But, they do accomplish something. Consider:

1) Dynamic passwords take away the possibility of phishers selling authenticators. The value chain of phisher (obtains authenticators) -- middlemen -- fraudsters (uses authenticators) is broken. Also, the attacks can no longer be performed in stages -- monetization has to be in near proximity to the time of authenticator theft. Any phisher that can't monetize immediately is out of business.

2) The skills of the phisher and the fraudster now must be combined in time. Until phishers or fraudsters become cross-trained, fewer attacks will take place.

3) Automated attacks are more difficult because the steps from authentication to money transfer are different for different banks' web sites. That will create a need for attackers to apply more resources and better target their attacks. Each requirement reduces their return.

Posted by: Squirrel at July 11, 2006 12:04 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.