Recent Two factor authentication attacks

Published: 2006-07-12
Last Updated: 2006-07-12 23:04:15 UTC
by Jason Lam (Version: 1)
0 comment(s)
There has been recent report of two factor authentication protected websites getting attacked by the man-in-the-middle type of setup where the victim enter information (include the token code) into a look-alike website, this look-alike website immediate uses those credential to login to the actual financial site. Obviously, upon success login by the user, the attacker can immediately execute the fraudalent transaction.

While this might sound shocking to the financial industry since we haven't seen too many of these attacks, the theory of the attack and the risk have certainly been well understood within the security community. (I have written an article on this back in April)

Overall, two factor authentication will reduce the risk of attacks by raising the effort of the attacker to compromise the accounts, but it might not have the level of security enhancement that some people believed. In the man-in-the-middle attack, the flaw happens due to the lack of verification of the bank's website by the victim, the victim are simply tricked into yielding credentials to a web site without authentication. This is really outside of the protection zone of the extra authentication factor.

To futher extend this, two factor authentication also does NOT protect the end host security, a malware (such as keylogger, BHO) could be installed on the client's machine and effectively gather the credential and login on behalf of the victim instead of letting the victim login.

This is a classic problem of "you are only as secure as the weakest link". Two factor authentication is good for secure authentication but does not take care of mutual authentication or endpoint security. From the financial organization perspective, maybe further investment into mutual authentication and ensuring client's computer being free of malware would be necessary to protect the client's online transactions.


Keywords:
0 comment(s)

Comments


Diary Archives