Security Watch

Beware the Man in the Middle

Two-factor authentication solutions such as those that use one-time token values can still be subverted by clever phishing methods.

• By Russ Cooper
• 07/19/2006

However, this method has an inherent problem. If the communication between the client and the authentication server can be intercepted -- as was the case recently with phishing attempts targeting Citibank business account users -- the man in the middle obtains valid credentials to log onto the requested server. All the phishing site has to do is convince someone with such a token to visit their site. Once there, they simply request the victim's credentials, including the one-time value, and then send it on to the official Citibank server before the one-time value changes. In fact, if it turns out the value has changed, they can simply indicate that to the victim and the victim will happily provide the next one-time value...something they likely had to do before.

On the upside, the theft of such credentials can only be used for a limited time, until the official server times out the session. On the downside, however, one compromise is enough to be costly to the victim.

One-time token values are not the only method used to conduct two-factor authentication. Other sites present the visitor with a graphic with some word on it, and ask the visitor to indicate what's written. This too can be subverted via the man-in-the-middle attack. The criminal site merely has to establish a valid session with the official site and scrape the graphic presented. They then present the same graphic in their spoofed page to the victim, who happily provides the translation, which in turn is replayed back to the official site.

Electronically, there's no way for the official site to determine the difference between a legitimate individual and a spoofed criminal site replaying the information, short of mutual verification. If the site is going to go to the trouble of providing a token device, then it should also issue a digital certificate the client can use to verify they are who they claim to be. The site can then be sure the client isn't being duped by some criminal. Equally, the client should be validating the site's certificate and ensuring it is what they expect.

In the Citibank case, as it was described, it would seem the victims didn't notice the site's certificate wasn't what it should have been, or wasn't present at all. An easy enough mistake to make I suppose, but if the client also expected to have a certificate to verify who they were, the official site could have provided protection even when the clients don't notice their mistake.

Two-factor authentication using one-time token devices has been highly touted as a much better solution to the age old password problem. While it is better, it isn't perfect, and like everything to do with security shouldn't be seen as the silver bullet solution. While more user education is important, sites accepting logins to access sensitive information need to do more to ensure their customers are protected from phishing attempts.

Tokens are more, but they're simply not enough.