When two-factor fails

Robert Vamosi CNET

Published: 17 Jul 2006


Online security is only as secure as its weakest link. Most Web sites require only a user ID and password for access. This is secure unless someone else gets hold of this information. That's why some financial institutions have started issuing hardware tokens with randomly generated numbers synced up to a server at the bank; in addition to providing a username and password, the customer must also provide the number currently displayed on the token. This too is secure -- unless someone gets in the middle.

Two factor
A password is commonly known within the security field as 'something you know'. With the advent of keystroke loggers and phishing attacks, it's possible that someone else might know your password as well, so two-factor authentication means that you have a second way to prove your identity. Often this is 'something you have', like a fingerprint or a debit card. When you go to a point of sale or a bank ATM, you offer your debit card (something you have) and your PIN (something you know). In the real world, this is basically secure.

But online is a different story. Several financial institutions are starting to offer hardware tokens, little key fobs that generate a seemingly random number every so many seconds or minutes. This number generation is synced with servers on the financial service's side. The idea is that if a keylogger or other malware on your computer shares your password, there's no way someone remotely could know the number currently being displayed on the key fob.

Man in the middle
Except if we're talking about a 'man-in-the-middle' attack. As the name states, the attackers manage to put themselves between you and your destination. In wireless, a man-in-the-middle attacker can fake an access point and route all your wireless traffic through his or her computer, sniffing that traffic and later extracting passwords and login information from it.

Another man-in-the-middle attack involves phishers -- senders of email with links to fraudulent sites. Phishing, not spyware, is the most serious threat to individual users these days. Phishers are poking holes in traditional Internet security and undermining our faith in the Internet itself. Phishers typically send out email that looks like correspondence from established companies, such as PayPal or Citibank. The email often includes a link to a Web site that looks very much like the real thing, but is actually hosted in a foreign location. In a man-in-the-middle attack, the phishers entice you to follow the link to their bogus site and then complete the transaction themselves, so you think you're conducting a secure transaction, all while the attackers are recording your personal information for later use.

In theory
With the introduction of two-factor authentication, many financial institutions feel they have stopped the phishers. But as early as last year, security expert Bruce Schneier wrote that two-factor authentication on the Internet can be compromised. In April, Network Security posted a report on the pitfalls of two-factor authentication. Also in April, a demonstration of a two-factor man-in-the-middle attack was presented to the Anti-Phishing Coalition. So we know it was possible.

No one, however, thought that the phishers would be capable of pulling it off.

Citicorp
The Washington Post recently reported that customers of Citibank were potential victims of two-factor authentication phishing. The attack had to be carried out in real time, not days later, so the phishers in this case have grown in sophistication.

As in a traditional attack, the phishers sent out a Citibank email, and the Citibank customer then had to click that link to access the bogus Citibank site. Because the Citibank customers used a hardware token, they were prompted on the bogus phisher site (as on the legitimate site) to enter their current password and token number. What they didn't know was that the information was actually going to a site in Russia.

The site in Russia then completed the transaction by contacting Citibank with the captured password and token number, piggybacking on a legitimate banking session; once the customer signed off, the Russians had the opportunity to stay connected -- and do their own banking at someone else's expense. Oddly, I haven't found evidence that the phishers did anything, only reports that the two-factor authentication had been hijacked.
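The token mechanism and the real-time relay described above, modelled as an added example (not code from the article or from any bank): the bank accepts a time-synced number as long as the bogus site forwards it within the same time step, and a step later it does not, which is why the attack had to happen in real time. For contrast, the block also shows a hypothetical client-side mitigation that binds what is sent to the hostname the customer actually typed into, so the forwarded value is useless at the real bank. The seed, hostnames and six-digit code format are constructed.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-token-seed"  # seed shared by the key fob and the bank (constructed value)
STEP = 60                           # seconds each displayed number stays valid


def token_code(now: float) -> str:
    """Number a time-synced key fob would display at time `now` (HOTP-style, constructed)."""
    counter = struct.pack(">Q", int(now // STEP))
    digest = hmac.new(SECRET, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def bank_accepts_plain(code: str, now: float) -> bool:
    """Bank side: accept any code matching the current time step, wherever it was typed."""
    return hmac.compare_digest(code, token_code(now))


def bind_to_origin(code: str, origin: str) -> str:
    """Hypothetical client-side mitigation: derive what is sent from the code AND the
    hostname the customer is talking to, so a code typed into one site is useless at
    another. Needs no fob secret on the client."""
    return hmac.new(code.encode(), origin.encode(), hashlib.sha256).hexdigest()[:16]


def bank_accepts_bound(sent: str, now: float, bank_origin: str) -> bool:
    """Bank recomputes the bound value for its own hostname and the current code."""
    expected = bind_to_origin(token_code(now), bank_origin)
    return hmac.compare_digest(sent, expected)


def relay_plain(typed_at: float, forwarded_at: float) -> bool:
    """Customer types the fob number into the bogus site at typed_at; the bogus site
    forwards it to the real bank at forwarded_at. Returns whether the bank accepts it."""
    return bank_accepts_plain(token_code(typed_at), forwarded_at)


def relay_bound(typed_at: float, forwarded_at: float) -> bool:
    """Same relay, but the client bound the code to the hostname it really used."""
    sent_to_bogus = bind_to_origin(token_code(typed_at), "bogus.example")  # constructed hosts
    return bank_accepts_bound(sent_to_bogus, forwarded_at, "bank.example")


if __name__ == "__main__":
    print("plain code relayed within the window:", relay_plain(0, 5))   # True: relay succeeds
    print("plain code relayed one step later:", relay_plain(0, 65))     # False: must be real time
    print("origin-bound value relayed:", relay_bound(0, 5))             # False: relay fails
```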

What can be done?
For point-of-sale transactions, where you swipe a card and enter a password, it seems unlikely that a man-in-the-middle attack should be of concern, unless you think the debit card reader is fraudulent. Real-world two-factor authentication is secure, for the moment. But two-factor authentication on the Internet should be held as suspect.

The fraudulent Citibank site in Russia is down, but it would have been interesting to see whether the new anti-phishing technology in Internet Explorer 7 (for XP systems) or Internet Explorer 7+ (said to be more robust for Vista systems) would have stopped it. Microsoft claims it's using mostly heuristic algorithms to stop phishing. Other anti-phishing choices include the new Firefox 2 Beta 1 and McAfee SiteAdvisor. But really the best protection is behavioural: do not click phishing email links. Banks do not email critical information to their customers. Got it?
