Beware the Man in the Middle
Two-factor authentication solutions such as those that use one-time token values can still be subverted by clever phishing methods.
Various companies employ automatically generated one-time passwords as part
of their online authentication mechanisms in order to ensure that the person
logging in has the physical device which generates the password. Typically,
these tokens change the value every 60 seconds, in step on both the
authentication server and the physical token in the possession of the
end user. Such mechanisms also ensure that the authentication attempt cannot
be replayed, because the value generated is only valid for that small window and the server will not accept the same value twice.
However, this method has an inherent problem. If the communication between
the client and the authentication server can be intercepted -- as was the case
recently with phishing attempts targeting Citibank business account users --
the man in the middle obtains valid credentials to log onto the requested server.
All the phishing site has to do is convince someone with such a token to visit
their site. Once there, they simply request the victim's credentials,
including the one-time value, and then send it on to the official Citibank server
before the one-time value changes. In fact, if it turns out the value has changed by the time it is relayed,
the phishing site can simply report a failed login to the victim, who will happily type in
the next one-time value...something they have likely had to do before on the genuine site. The official server cannot tell the relayed request from one the victim typed directly.
On the upside, the stolen credentials are only useful for a limited
time: the one-time value expires, and the official server eventually times out the session the attacker established. On the downside, however,
one compromise is enough to be costly to the victim.
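The relay described above, as an added simulation that is not part of the original column and not any bank's code. The bank, the victim and the phishing site are toy classes, the token is an RFC 6238 TOTP with a 60 second step (the RFC test key is used as the token secret), and the clock is an integer the script controls so the window-rollover case can be forced. It shows the three cases the column makes: a relay inside the window succeeds, a relay that crosses a window edge still succeeds once the victim is asked for the next value, and a pure replay of a harvested value fails whether it is tried in the same window or later.

```python
"""Real-time phishing relay against a 60 second time-based one-time password.

Constructed example: the 'bank', 'victim' and 'phishing site' are toy classes,
the token secret is the RFC 6238 test key, and the clock is an integer we control.
"""
import hashlib
import hmac
import secrets
import struct

STEP = 60  # the column describes tokens that change every 60 seconds


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class BankServer:
    """Stand-in for the official authentication server (not any real bank's code)."""

    def __init__(self, users: dict):
        self.users = users       # username -> (password, token secret)
        self.accepted = set()    # (user, counter) pairs already used: blocks pure replay
        self.sessions = {}

    def login(self, user: str, password: str, otp: str, now: int):
        pw, secret = self.users[user]
        counter = now // STEP
        if password != pw or not hmac.compare_digest(otp, totp(secret, now)):
            return None          # wrong password, or an OTP from another window
        if (user, counter) in self.accepted:
            return None          # same code presented twice in one window: replay
        self.accepted.add((user, counter))
        sid = secrets.token_hex(8)
        self.sessions[sid] = (user, now)
        return sid


class Victim:
    """Has the password and the token; types whatever the page in front of them asks for."""

    def __init__(self, user: str, password: str, secret: bytes):
        self.user, self.password, self.secret = user, password, secret

    def fill_in_form(self, now: int):
        return self.user, self.password, totp(self.secret, now)


class PhishingSite:
    """Man in the middle: forwards harvested credentials to the real server right away."""

    def __init__(self, server: BankServer):
        self.server = server
        self.last_otp = None
        self.reprompts = 0

    def harvest_and_relay(self, victim: Victim, now: int, relay_delay: int):
        user, pw, otp = victim.fill_in_form(now)
        self.last_otp = otp
        sid = self.server.login(user, pw, otp, now + relay_delay)
        if sid is None:
            # Code rolled over in transit: tell the victim it "didn't work", ask for the next one.
            self.reprompts += 1
            user, pw, otp = victim.fill_in_form(now + relay_delay)
            self.last_otp = otp
            sid = self.server.login(user, pw, otp, now + relay_delay)
        return sid


def run_scenario() -> dict:
    secret = b"12345678901234567890"        # RFC 6238 test vector key (constructed input)
    server = BankServer({"alice": ("hunter2", secret)})
    victim = Victim("alice", "hunter2", secret)
    phisher = PhishingSite(server)
    t0 = 60_050                             # constructed clock: 50 s into a 60 s window

    relayed_fast = phisher.harvest_and_relay(victim, t0, relay_delay=3)          # same window
    reprompts_before = phisher.reprompts
    relayed_slow = phisher.harvest_and_relay(victim, t0 + 120, relay_delay=15)   # crosses a window edge
    # Pure replay of the code the phisher already spent: rejected both times.
    replay_same_window = server.login("alice", "hunter2", phisher.last_otp, t0 + 135)
    replay_later = server.login("alice", "hunter2", phisher.last_otp, t0 + 600)
    return {
        "relay_within_window": relayed_fast is not None,
        "relay_after_rollover": relayed_slow is not None,
        "victim_reprompted": phisher.reprompts > reprompts_before,
        "replay_same_window": replay_same_window is not None,
        "replay_later": replay_later is not None,
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The replay check on the server is what the column credits the token with, and it holds: a spent value is useless. What it does not do is tell the server whether the request came from the victim's browser or from a relay that received the value a few seconds earlier.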
One-time token values are not the only method used as an extra login step.
Other sites present the visitor with a graphic with a word on it and ask
the visitor to type what's written. This too can be subverted via
the man-in-the-middle attack. The criminal site merely has to open a valid
session with the official site and scrape the graphic it is shown. It then presents
the same graphic on its spoofed page to the victim, who happily types the
word, which in turn is relayed back to the official site.
Electronically, there's no way for the official site to tell the
difference between a legitimate individual and a spoofed criminal site relaying
the information, short of mutual verification. If the site is going to go to
the trouble of providing a token device, then it should also issue a digital
certificate the client can use to prove they are who they claim to be. In a
mutually authenticated TLS connection the client's handshake signature covers the
connection it actually made, including the certificate of the server it reached, so a
phishing site cannot forward that proof to the official site. The
site can then be sure the client isn't being duped by some criminal. Equally,
the client should be validating the site's certificate and ensuring it
is what they expect.
This column was originally published in our weekly Security Watch newsletter.
In the Citibank case, as it was described, it would seem the victims didn't
notice that the site's certificate wasn't what it should have been, or that there was
no certificate at all. An easy enough mistake to make I suppose, but if the client had also been expected
to present a certificate to prove who they were, the official site could have
provided protection even when the clients don't notice their mistake.
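The point made in the paragraph above, as an added simulation that is not part of the column and not any bank's or browser's code. The client certificate is reduced to a per-client key that only the client and the bank hold, and the client's TLS handshake signature is approximated with an HMAC over a transcript made of the server certificate the client actually saw plus the server's nonce. Real TLS uses an asymmetric signature over a full transcript hash, but the binding property is the same. The client here never checks the name on the server certificate, exactly the mistake the column describes, and the relay still fails because the proof the phishing site collects covers the phishing site's own certificate.

```python
"""Why a client certificate stops the relay even when the user misses the wrong server cert.

Constructed example. 'Certificates' are byte strings, the client's handshake signature
is an HMAC with a key only the client and the bank hold, and the server-side proof of
possession that real TLS performs is not modelled (see the comment in PhishingSite.hello).
"""
import hashlib
import hmac
import secrets


def client_proof(client_key: bytes, server_cert_seen: bytes, server_nonce: bytes) -> bytes:
    """Stand-in for CertificateVerify: binds the proof to the server the client reached."""
    transcript = server_cert_seen + b"|" + server_nonce
    return hmac.new(client_key, transcript, hashlib.sha256).digest()


class Bank:
    CERT = b"CN=bank.example"           # constructed identity, not a real site

    def __init__(self, client_keys: dict):
        self.client_keys = client_keys  # user -> key issued with the client certificate
        self.pending = set()            # nonces handed out and not yet used
        self.sessions = []

    def hello(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return self.CERT, nonce

    def finish(self, user: str, nonce: bytes, proof: bytes) -> bool:
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)     # one use per nonce
        expected = client_proof(self.client_keys[user], self.CERT, nonce)
        ok = hmac.compare_digest(expected, proof)
        if ok:
            self.sessions.append(user)
        return ok


class Client:
    """Browser plus user who does not look at the certificate name (the column's victim)."""

    def __init__(self, user: str, key: bytes):
        self.user, self.key = user, key

    def connect(self, site) -> bool:
        cert_seen, nonce = site.hello()           # no name check: the mistake is made here
        proof = client_proof(self.key, cert_seen, nonce)
        return site.finish(self.user, nonce, proof)


class PhishingSite:
    CERT = b"CN=bank-secure-login.example"        # constructed look-alike identity

    def __init__(self, bank: Bank):
        self.bank = bank
        self.harvested = None

    def hello(self):
        # Open a real connection to the bank and pass its nonce through to the victim.
        # It must present its own certificate: in real TLS it could not complete a handshake
        # with the bank's certificate because it does not hold the bank's private key.
        _, nonce = self.bank.hello()
        return self.CERT, nonce

    def finish(self, user: str, nonce: bytes, proof: bytes) -> bool:
        self.harvested = (user, nonce, proof)
        return self.bank.finish(user, nonce, proof)   # forward the victim's proof verbatim


def run_scenario() -> dict:
    key = secrets.token_bytes(32)                 # issued to alice with her client certificate
    bank = Bank({"alice": key})
    alice = Client("alice", key)
    phisher = PhishingSite(bank)
    return {
        "direct_login": alice.connect(bank),      # True: proof covers bank's cert and nonce
        "relayed_login": alice.connect(phisher),  # False: proof covers the phisher's cert
        "bank_sessions": list(bank.sessions),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Compare this with the one-time token: the token value is the same string no matter which site the victim types it into, so it relays cleanly, while the certificate-based proof changes with the site the client actually connected to, so it does not.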
Two-factor authentication using one-time token devices has been highly touted
as a much better solution to the age-old password problem. While it is better,
it isn't perfect, and like everything to do with security it shouldn't
be seen as the silver bullet solution. While more user education is important,
sites accepting logins to access sensitive information need to do more to ensure
their customers are protected from phishing attempts.
Tokens are more, but they're simply not enough.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.