Comments: Threatwatch - 2-factor tokens attacked by phishers - another "must-have" security tool shown to be fighting the last war

a couple of old posts from more than a year ago mentioning that it appears vulnerable to MITM attacks
http://www.garlic.com/~lynn/aadsm19.html#20 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.html#21 Citibank discloses private information to improve security

and

http://www.garlic.com/~lynn/aadsm19.htm#23 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#24 Citibank discloses private information to improve security

... for some drift

http://www.garlic.com/~lynn/aadsm19.htm#25 Digital signatures have a big problem with meaning

and some discussion of browser/ssl operation
http://www.garlic.com/~lynn/aadsm19.htm#27 Citibank discloses private information to improve security

and

http://www.garlic.com/~lynn/aadsm19.htm#28 "SSL stops credit card sniffing" is a correlation/causality myth

and even this

http://www.garlic.com/~lynn/aadsm19.htm#33 Digital signatures have a big problem with meaning

somewhat coincident ... but I had just appended some comments about multi-factor authentication
http://www.garlic.com/~lynn/aadsm24.htm#32 DDA cards may address the UK Chip&Pin woes

in this thread
https://financialcryptography.com/mt/archives/000776.html

Posted by Lynn Wheeler at July 10, 2006 07:05 PM

Not to pick nits, but I thought the FFIEC made this "recommendation". (http://www.ffiec.gov/pdf/authentication_guidance.pdf)

Posted by Chris Walsh at July 10, 2006 08:13 PM

Banks don't have to make the system perfect, they just have to raise the bar enough that the attackers go elsewhere.

Perhaps dynamic passwords are not enough. But, they do accomplish something. Consider:

1) Dynamic passwords take away the possibility of phishers selling authenticators. The value chain of phisher (obtains authenticators) -- middlemen -- fraudsters (uses authenticators) is broken. Also, the attacks can no longer be performed in stages -- monetization has to be in near proximity to the time of authenticator theft. Any phisher that can't monetize immediately is out of business.

2) The skills of the phisher and the fraudster now must be combined in time. Until phishers or fraudsters become cross-trained, fewer attacks will take place.

3) Automated attacks are more difficult because the steps from authentication to money transfer are different for different banks' web sites. That will create a need for attackers to apply more resources and better target their attacks. Each requirement reduces their return.


Posted by Squirrel at July 11, 2006 12:04 PM
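To make point 1 concrete, here is an added example (not code from the thread or from any bank's system) of a time-based one-time password verifier in the style of RFC 6238: each code is derived from a shared secret and a 30-second time step, the verifier accepts only a small clock-skew window, and a counter value that has already been accepted is refused again. The secret and the expected code below are the published RFC 6238 test vector; the replay guard and the window size are this example's own design choices. The point it illustrates is the one Squirrel makes: a captured code is worthless unless it is spent within seconds of being stolen, which is also why a real-time relay, as discussed earlier in the thread, is the attack that survives.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the number of whole time steps since the epoch."""
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Server-side check: accept codes for the current step plus/minus `window`
    steps, and never accept a step that has already been redeemed.  The replay
    guard (last_used_counter) is this example's addition, not part of RFC 6238."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_used_counter = -1  # highest counter already redeemed

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_used_counter:
                continue  # this step was already spent: a replayed code is refused
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_used_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    stolen_code = totp(secret, 59)          # code a phisher captures at t=59
    v = TotpVerifier(secret)
    print("used at once:", v.verify(stolen_code, 59))        # True
    print("replayed 11 s later:", v.verify(stolen_code, 70))  # False
    print("sold and used 5 steps later:", TotpVerifier(secret).verify(stolen_code, 59 + 30 * 5))  # False
```

The verifier only answers "is this code fresh and unspent"; it cannot tell a genuine customer from a proxy that relays the customer's code to the bank within the same 30-second step. Binding the code to the transaction being authorised (amount, payee) is the additional step that addresses that case, and it is the gap the rest of this thread is about.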