/v3-uk/news/1992643/experts-rubbish-factor-authentication
27 Mar 2007, Iain Thomson, V3
Two-factor authentication will not help to reduce soaring phishing levels, experts at the e-Crime Congress in London warned today.
One UK bank is currently considering the introduction of two-factor authentication, where customers receive a key fob which displays a constantly changing password that allows them to access their online accounts.
But the technology received a resounding thumbs down from experts at the conference, despite being widely touted as the next generation of user security.
"There are a whole bunch of things that can go wrong with two-factor authentication," said Ross Anderson, professor of security engineering at Cambridge University's Computer Laboratory.
"Banks are resisting because their technical staff know that it will be expensive to introduce and will not be effective. Some banks will introduce it, it will be quickly broken and then quickly forgotten."
Anderson explained that two-factor authentication is vulnerable to so-called 'man in the middle' attacks in which a phishing site takes the pass code and uses it immediately.
Customers would also be vulnerable to muggings for their authentication tokens, and the technology would have no effect on other online crime.
Despite the technical failings of two-factor authentication, consumer demand for the devices is high.
Joseph Sullivan, associate general counsel at PayPal, said: "We are looking at two-factor authentication.
"We were told that it would not be popular, but started a beta programme two months ago. Demand has far outstripped supply."
Do you agree?
"Experts" either misquoted or naive
Just because two factor authentication does not address every conceivable threat, it does not follow that it "will not help to reduce soaring phishing levels."
It is true that man-in-the-middle attacks will still be viable. Does that mean we should not take steps to eliminate attacks based on keyloggers?
And if we reject the security measures that do not address muggings, we may as well sell our firewalls on eBay... if we can find anyone who wants to buy them. I doubt any real security experts would advocate that.
Posted by alan, 28 Mar 2007
OTP (One Time Password) based 2 factor is broken
One time password based security is hopelessly broken for a variety of reasons, not the least of which is the man in the middle attack. Certificate-based (X.509) smart cards, however, do offer some hope. The reason for this is the fact that the SSL conversation is secured by both the server's key and the client's key. This type of configuration prevents the man in the middle attack because any attempt to break that security would break the connection. Since the attacker does not have the client's private key it would be impossible for them to spoof the server into believing the attacker was a valid client. This would be true even if an attacker set up a malicious proxy server or web page.
Smart cards will not help with local session hijacking such as from a compromised machine, but that is mitigated because once the card is removed the private key would no longer be available to the attacker. There are current exploits that can be used to compromise an OTP secured solution, especially in the above circumstances. All an attacker would have to do is wait until the user attempts to log off and then send them a phony logoff notice but keep the session alive and start the malicious activity.
The smart card solutions are also much cheaper: as most bank customers have a credit card or ATM card with the bank, a contact smart chip could be embedded onto the cards at low cost. Readers are also inexpensive. True, this would restrict the customer to a machine that had a smart card reader, but if properly educated as to the reason for the requirement they would likely comply. ATM cards are the same concept and people got used to them. I think the OTP lobby has done the security community a grave disservice in touting their solutions as a be-all and end-all solution to solve phishing and other exploits. The tokens are expensive and wear out, the batteries go dead, and they are very prone to breakage.
Posted by Michael, 07 Apr 2007
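The mechanism Michael's argument rests on, that an intermediary which never obtained the client's private key cannot complete the handshake as that client, can be shown end to end. The Go program below is an added example, not the commenter's code and not any bank's: it builds a throwaway CA, a server certificate and a customer certificate in memory, starts a server on loopback that requires a client certificate chaining to that CA, then connects once as the customer (private key available, as it would be with the card inserted) and once as a client that trusts the CA but holds no key. The CA name, `bank.example`, `customer-1234` and the loopback addresses are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// check panics on error: the only failures here come from the random source.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a P-256 key and a certificate for cn, self-signed when parent
// is nil (the demo CA) and otherwise signed by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, // test server is on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// RunMTLSDemo starts a bank server that demands a client certificate and
// connects to it once with the customer's key and once without it.
func RunMTLSDemo() (customerCN string, noKeyRefused bool, err error) {
	ca, caKey := issue("Demo Bank CA", true, nil, nil)
	srvCert, srvKey := issue("bank.example", false, ca, caKey)
	custCert, custKey := issue("customer-1234", false, ca, caKey)
	trust := x509.NewCertPool()
	trust.AddCert(ca)

	// Server side: present the bank's certificate and require one from the client that chains to the bank CA.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName) // who the handshake authenticated
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trust,
	}
	srv.StartTLS()
	defer srv.Close()

	get := func(cfg *tls.Config) (string, error) {
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		return string(body), err
	}

	// The customer: card inserted, so the TLS stack can sign the handshake with the key.
	customerCN, err = get(&tls.Config{RootCAs: trust, Certificates: []tls.Certificate{{Certificate: [][]byte{custCert.Raw}, PrivateKey: custKey}}})
	if err != nil {
		return "", false, err
	}
	// An intermediary that trusts the CA (so it can reach the site) but holds no customer key.
	_, err = get(&tls.Config{RootCAs: trust})
	return customerCN, err != nil, nil
}

func main() { fmt.Println(RunMTLSDemo()) }
```

The second connection fails during the handshake, before any request reaches the bank: the server's certificate request can only be answered with a signature from the customer's key. The demo deliberately leaves out the limitation the comment itself names, a compromised machine driving the session while the card is inserted, which is why the key should live on the card rather than on disk.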
OTP works most of the time
OTP works fine in Finland and most of the banks use it. A phony logoff message to the user does not help a malicious user, since the one time password is asked for every time you do different things, i.e. pay a bill, transfer money etc. So you cannot continue activity if the owner of the account logs off. Tokens are not expensive since you can print out a token paper/card and send that to a bank customer instead of a SecurID card or similar. So the only truthful thing in this is that man in the middle is possible without client-server mutual authentication.
Posted by Shannin, 10 Apr 2007
Technology not required
The best solution doesn't need any technology.
Get people to use bookmarks they create at an internal https page at the genuine bank site and they will not get phished if they only use that bookmark to access the site. I've read the phishing prevention instructions for at least 50-60 banks, and not one of them recommended this. I fail to understand why the so-called experts are not recommending bookmarks as a simple, practical solution instead of throwing a bunch of technobabble at users who don't know which way to turn.
Posted by Howard Mirkin, 17 Apr 2007
What a farce !!
New card reader arrives. Doesn't work... but Royal Bank of Scotland have applied the system to my online account whether I like it or not. Unable to be removed once applied...
The farce of this is that I now have to make a phone call to the bank to do the stuff I used to do online - using... guess what - the same password and pin numbers that have supposedly been replaced.
The enhanced security team didn't quite get the irony in that the new card reader is actually forcing people to revert to the lower forms of security...
The second point, that as I do a lot of travelling I'd have to carry this damn contraption around with me just to use the banking system - and save them call centre staff time into the bargain - also seemed to be lost on them.
Overall - a useless, expensive waste of time and money.
Posted by I.T., 26 Apr 2008
Passwindow authentication not vulnerable to MITM
Passwindow two-factor is not vulnerable to these MITM attacks because, unlike most two-factor solutions, it can include deliberate transaction information in the visual challenge itself (such as value, account destination etc.), where the electronic two-factor systems simply use generic confirmation digits which can be swapped around by trojans etc. The attacker or trojan is unable to swap or disassemble the simple visual patterns without destroying the challenge, and the user is made instantly aware of the deception however compromised their system is.
The method also costs next to nothing to print the visual patterns in comparison to the electronic tokens.
Posted by Matt, 14 Dec 2009
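Anderson's point in the article (a phishing site takes the pass code and uses it immediately), Shannin's per-transaction OTP and Matt's transaction-bound challenge are three views of one property: whether the code the customer produces commits to the payment the bank is about to execute. The Go program below is an added example, not the article's, the commenters' or Passwindow's code. It implements the real RFC 4226 HOTP algorithm for the generic code, and a hypothetical variant of the same HMAC that mixes in the amount and destination (the principle behind the visual-pattern and per-transaction designs above, stripped of any product specifics). It then replays the relay in both settings: a look-alike site forwards the customer's code at once, attached to a payment of its own choosing. The seed, account labels and amounts are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strconv"
)

// Transaction is what the customer intends and what the bank will execute.
type Transaction struct {
	Amount      int // constructed units for the demo (pence)
	Destination string
}

// code computes HMAC-SHA1 over the 8-byte counter plus any extra fields and
// applies the RFC 4226 dynamic truncation to get a 6-digit code.
func code(secret []byte, counter uint64, extra ...string) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	h := hmac.New(sha1.New, secret)
	h.Write(ctr[:])
	for _, f := range extra {
		h.Write([]byte(f))
		h.Write([]byte{0}) // separator so fields cannot run into each other
	}
	sum := h.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// HOTP is the generic event-based one-time password of RFC 4226: it proves the
// token was used, and says nothing about what it is being used for.
func HOTP(secret []byte, counter uint64) string { return code(secret, counter) }

// BoundCode is the hypothetical transaction-signing variant: the amount and
// destination the customer is shown go into the HMAC, so the code commits to them.
func BoundCode(secret []byte, counter uint64, tx Transaction) string {
	return code(secret, counter, strconv.Itoa(tx.Amount), tx.Destination)
}

// Bank holds one customer's shared secret, next expected counter and ledger.
type Bank struct {
	secret  []byte
	counter uint64
	Ledger  []Transaction // payments the bank actually executed
}

// accept executes tx if got matches expected (constant-time compare).
func (b *Bank) accept(got, expected string, tx Transaction) bool {
	if !hmac.Equal([]byte(got), []byte(expected)) {
		return false
	}
	b.counter++
	b.Ledger = append(b.Ledger, tx)
	return true
}

// PayWithHOTP: the code does not commit to tx, so whoever submits the code
// first chooses the transaction.
func (b *Bank) PayWithHOTP(got string, tx Transaction) bool {
	return b.accept(got, HOTP(b.secret, b.counter), tx)
}

// PayWithBoundCode: the code is only valid for the exact tx it was computed over.
func (b *Bank) PayWithBoundCode(got string, tx Transaction) bool {
	return b.accept(got, BoundCode(b.secret, b.counter, tx), tx)
}

// Constructed demo values; a real token seed is random and never in source.
var (
	demoSecret = []byte("constructed-demo-seed")
	intended   = Transaction{Amount: 5000, Destination: "ACC-ELECTRICITY"}
	swapped    = Transaction{Amount: 900000, Destination: "ACC-ATTACKER"}
)

// RelayAgainstHOTP models the attack in the article: the customer types the
// token's code into a look-alike site, which forwards it to the bank at once
// attached to a transaction of the attacker's choosing.
func RelayAgainstHOTP() (accepted bool, executed Transaction) {
	bank := &Bank{secret: demoSecret}
	typed := HOTP(demoSecret, 0) // what the customer's token displays
	if bank.PayWithHOTP(typed, swapped) {
		return true, bank.Ledger[0]
	}
	return false, Transaction{}
}

// RelayAgainstBoundCode repeats the relay against transaction-bound codes: the
// customer computed the code over the payment they were shown, so the forwarded
// code works for that payment only.
func RelayAgainstBoundCode() (swappedAccepted, intendedAccepted bool) {
	bank := &Bank{secret: demoSecret}
	typed := BoundCode(demoSecret, 0, intended)
	swappedAccepted = bank.PayWithBoundCode(typed, swapped)
	intendedAccepted = bank.PayWithBoundCode(typed, intended)
	return
}

func main() {
	fmt.Println(RelayAgainstHOTP())
	fmt.Println(RelayAgainstBoundCode())
}
```

With the generic code the bank executes the swapped payment, because nothing in a six-digit HOTP ties it to the amount or destination; with the bound code the swapped payment is refused and only the payment the customer actually saw goes through. That is also why the binding must be over details the customer can verify on a channel the attacker does not control (the token's own display, a printed pattern, a card reader's screen): a bound code computed on a compromised PC over attacker-supplied details would commit to the wrong payment.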