When security fails

Online security is only as secure as its weakest link. Most Web sites require only a user ID and password for access, which is secure only as long as nobody else gets hold of that information. That's why some financial institutions have started issuing hardware tokens that display one-time numbers changing on a schedule kept in sync with a server at the bank; in addition to providing a username and password, the customer must also type in the number currently shown on the token. This too is secure--unless someone gets in the middle.
The man in the middle, in this case, is a phisher: someone who sends email with links to fraudulent sites. Phishing, not spyware, is the most serious threat to home users these days. Phishers are poking holes in traditional Internet security and undermining our faith in the Internet itself. Phishers typically send out email that looks like correspondence from established companies, such as PayPal or Citibank. The email usually includes a link to a Web site that looks very much like the real McCoy but is actually hosted in a foreign location. In a man-in-the-middle attack, the phishers entice you to their bogus site and then complete the transaction with the real site on your behalf, so you think you're conducting a secure transaction while the attackers record your personal information for later use.

In theory

With the introduction of two-factor authentication, many financial institutions feel they have stopped the phishers. But as early as last year, security expert Bruce Schneier wrote that two-factor authentication on the Internet can be compromised. In April, Network Security posted a report on the pitfalls of two-factor authentication. Also in April, someone presented a demonstration of a two-factor man-in-the-middle attack to the Anti-Phishing Coalition. So we knew it was possible. No one, however, thought the phishers would be capable of pulling it off.

Citicorp

The Washington Post recently reported that customers of Citibank were potential victims of two-factor authentication phishing. Because a token number is only accepted for a short window, the attack had to be carried out in real time rather than days later with a stored list of credentials, so the phishers in this case have grown in sophistication.
As in a traditional attack, the phishers sent out a Citibank email, and the customer had to click its link to reach the bogus Citibank site. Because these customers used a hardware token, the bogus site, like the legitimate one, prompted them for their current password and token number. What they didn't know was that the information was going to a site in Russia, which then completed the login by passing those same credentials to Citibank. In doing so, the attackers piggybacked on a legitimate banking session; after the customer signed off, the Russians still held the real session--and could do their own banking at someone else's expense. Oddly, I haven't found evidence that the phishers did anything, only reports that the two-factor authentication had been hijacked.

What can be done?

For point-of-sale transactions, where you swipe a card and enter a PIN, a man-in-the-middle attack seems unlikely to be a concern unless you think the debit card reader itself is fraudulent. Real-world two-factor authentication is secure, for the moment. But two-factor authentication on the Internet should be held as suspect. The fraudulent Citibank site in Russia is down, but it would have been interesting to see whether the new antiphishing technology in Internet Explorer 7 (for XP systems) or Internet Explorer 7+ (said to be more robust on Vista systems) would have stopped it. Microsoft says it uses mostly heuristic algorithms to flag phishing sites. Other antiphishing choices include the new Firefox 2 Beta 1 and McAfee SiteAdvisor. But really the best protection is behavioral: do not click links in email that claims to come from your bank. Banks do not email critical information to their customers. Got it?
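To make the Citibank relay concrete, here is a toy model of it. This is an added example, not code from the article, from Citibank, or from any real phishing kit: it assumes the token is an RFC 4226 HOTP / RFC 6238 TOTP device with a 30-second step and a bank that tolerates one step of clock drift; the user name, password, token seed and transfer amount are all constructed. The bogus site accepts the victim's password and token number, forwards them to the bank at once, keeps the resulting bank session for itself, and hands the victim nothing but a cookie for the bogus site. The last step shows why this has to happen in real time: the same captured number replayed three days later is rejected.

```python
"""Toy model of a real-time man-in-the-middle relay against a time-synced token.
Added example; not code from the article or from any bank. Assumes RFC 4226 HOTP /
RFC 6238 TOTP, a 30-second step and one step of clock tolerance. All credentials,
seeds and amounts are constructed."""
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds each token value stays on the display (assumption)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """Time-based variant: the counter is the number of 30-second steps elapsed."""
    return hotp(secret, now // STEP)


class Bank:
    """The real site. users maps username -> (password, token secret)."""

    def __init__(self, users):
        self.users = users
        self.sessions = {}  # session id -> username

    def login(self, username, password, code, now):
        record = self.users.get(username)
        if record is None or record[0] != password:
            return None
        secret = record[1]
        # Accept the current value and the previous one to tolerate clock drift.
        if code not in {totp(secret, now), totp(secret, now - STEP)}:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def transfer(self, sid, amount, now):
        """Any holder of a live session can move money; the token is not asked again."""
        return sid in self.sessions and amount > 0

    def logout(self, sid):
        self.sessions.pop(sid, None)


class PhishingProxy:
    """The bogus site. Whatever the victim types is relayed to the bank immediately."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = []        # credentials recorded for later
        self.stolen_session = None

    def login(self, username, password, code, now):
        self.captured.append((username, password, code, now))
        self.stolen_session = self.bank.login(username, password, code, now)
        # The victim only ever receives a cookie for the bogus site.
        return "bogus-cookie" if self.stolen_session else None

    def logout(self, bogus_cookie):
        # The victim believes the session is over; the real one is never closed.
        return True


def run_scenario(now=1_150_000_000):
    token_secret = bytes(range(20))  # constructed 160-bit seed shared with the token
    bank = Bank({"alice": ("hunter2", token_secret)})
    proxy = PhishingProxy(bank)

    # 1. Victim follows the email link and logs in with the number on the token.
    cookie = proxy.login("alice", "hunter2", totp(token_secret, now), now)
    # 2. Victim signs off from the bogus site; the attacker's real session survives.
    proxy.logout(cookie)
    attacker_transfer = bank.transfer(proxy.stolen_session, 500, now + 120)
    # 3. The captured number replayed three days later fails: the window has passed,
    #    which is why the attack must run in real time rather than from a stored list.
    _, pw, code, _ = proxy.captured[0]
    late_replay = bank.login("alice", pw, code, now + 3 * 86400)

    return {
        "victim_saw_login": cookie is not None,
        "attacker_transfer": attacker_transfer,
        "late_replay_accepted": late_replay is not None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes is that the token proves only that whoever typed the number had the token a moment ago; it says nothing about which site received it, so a relay that is fast enough inherits a fully authenticated session. Nothing in the code above is specific to Citibank; it is the general shape of a real-time relay against any one-time-password scheme.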