Security Watch

Beware the Man in the Middle

Two-factor authentication solutions such as those that use one-time token values can still be subverted by clever phishing methods.

Various companies employ automatically generated one-time-passwords as part of their online authentication mechanisms in order to ensure that the person logging in has the physical device which generates the password. Typically, these tokens automatically change the password every 60 seconds, on both the authentication server as well as the physical token in the possession of the end user. Such mechanisms also ensure that the authentication attempt cannot be replayed because the value generated is only valid for that small window of time.

However, this method has an inherent problem. If the communication between the client and the authentication server can be intercepted -- as was the case recently with phishing attempts targeting Citibank business account users -- the man in the middle obtains valid credentials to log onto the requested server. All the phishing site has to do is convince someone with such a token to visit their site. Once there, they simply request the victim's credentials, including the one-time value, and then send it on to the official Citibank server before the one-time value changes. In fact, if it turns out the value has changed, they can simply indicate that to the victim and the victim will happily provide the next one-time value...something they likely had to do before.

On the upside, the theft of such credentials can only be used for a limited time, until the official server times out the session. On the downside, however, one compromise is enough to be costly to the victim.

One-time token values are not the only method used to conduct two-factor authentication. Other sites present the visitor with a graphic with some word on it, and ask the visitor to indicate what's written. This too can be subverted via the man-in-the-middle attack. The criminal site merely has to establish a valid session with the official site and scrape the graphic presented. They then present the same graphic in their spoofed page to the victim, who happily provides the translation, which in turn is replayed back to the official site.

Electronically, there's no way for the official site to determine the difference between a legitimate individual and a spoofed criminal site replaying the information, short of mutual verification. If the site is going to go to the trouble of providing a token device, then it should also issue a digital certificate the client can use to verify they are who they claim to be. The site can then be sure the client isn't being duped by some criminal. Equally, the client should be validating the site's certificate and ensuring it is what they expect.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

In the Citibank case, as it was described, it would seem the victims didn't notice the site's certificate wasn't what it should have been, or wasn't present at all. An easy enough mistake to make I suppose, but if the client also expected to have a certificate to verify who they were, the official site could have provided protection even when the clients don't notice their mistake.

Two-factor authentication using one-time token devices has been highly touted as a much better solution to the age old password problem. While it is better, it isn't perfect, and like everything to do with security shouldn't be seen as the silver bullet solution. While more user education is important, sites accepting logins to access sensitive information need to do more to ensure their customers are protected from phishing attempts.

Tokens are more, but they're simply not enough.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular

SharePoint Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.