What the Analyst said... Why LiveEnsure and SiteKey/SitePass are not the same.
So there I was on the phone to an Analyst today, explaining (at a fairly high level) some of the basic features of LiveEnsure™, when he says: "Ahh, I get it. This is identical to Bank of America's SiteKey/SitePass system." Not having the details of said bank's system at my fingertips, I was unable to correct the Analyst's incorrect conclusion with any hard science. We were also running out of time, it was a bad line and... all I could say was: it is not the same; there is much, much more going on under the hood with LiveEnsure™.
So why is BofA's SiteKey™ / SitePass™ authentication system NOT identical to LiveEnsure™?
· Device ID. Although both ostensibly have a 'hardware device recognition' component, the BofA solution relies on re-referencing a cookie (downloaded at registration; a simple subset of browser-reported attributes) to determine the 'identity' of the device. That cookie resides on the user's device, so it is stateful: anything that can read the device's cookie store can copy it and replay it from another machine. And if hardware recognition fails, the user is simply pushed through to a pass phrase, which renders the hardware step close to useless if it can be bypassed that easily. The LiveEnsure™ device recognition algorithm relies on a patent-pending approach that recognizes the digital fingerprint of the device through its unique 'acoustic' signature. The device is challenged uniquely every time an authentication takes place, so nothing is seeded onto the device that could be re-referenced or replayed. The applet recognizes the device's fingerprint and, if it is the correct one, renders a pop-up on the screen outside the browser's control, in which the user is then asked a challenge question.
· Credentials are presented serially (in sequence) in the BofA solution, and each one is checked before the next is requested. That means an attacker can work on them one at a time by trial and error: the site tells him whether the step he just submitted was right, so the guessing effort is the sum of the individual credential spaces rather than their product. In LiveEnsure™, if authentication fails there is no opportunity to retry: the user has to go back to the beginning, and is not told which credential was wrong. (LE also rotates the challenges randomly rather than presenting the same "phrase" each time.) Also, the visual Passmark is easy to shoulder-surf, and all of the credentials pass through the browser (the web channel, even under SSL), which leaves them exposed to man-in-the-middle (MitM) and man-in-the-browser (MitB) attacks. The LiveEnsure™ solution does not allow any literal credential information to be trafficked over the secondary (Smart™) channel, let alone over the browser. The fundamental problem with this, and with all traditional 2FA solutions, is that the second password, challenge question or OTP is entered into the browser, in sequence, before the browser has even been confirmed to be secure. Doesn't make sense, does it?
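As an added illustration of the serial-versus-all-at-once point above (this is example code written for this post, not LiveEnsure, SiteKey or any product's code; the three factor names, the toy six-letter alphabet and the constructed credentials are assumptions made for the demonstration), the following compares an attacker's guessing cost against a verifier that reports which factor failed with one that only ever answers pass or fail:

```python
# Added example for this post, not LiveEnsure or SiteKey code.
# Compares the attacker's guessing cost against (a) a verifier that checks
# factors one after another and reveals which step failed, and (b) a verifier
# that checks everything and answers only pass/fail.
# Factor names, alphabet and credentials are constructed toy values.
import itertools
import secrets
import string

FACTORS = ("device_token", "password", "challenge_answer")   # assumed factor names
ALPHABET = string.ascii_lowercase[:6]                       # toy alphabet 'abcdef'
VALUES = ["".join(p) for p in itertools.product(ALPHABET, repeat=2)]  # 36 values per factor


def serial_verify(attempt, truth):
    """Check factors in order; return the index of the first wrong one, None if all pass.
    The returned index is exactly the feedback a step-by-step login gives away."""
    for i, name in enumerate(FACTORS):
        if not secrets.compare_digest(attempt[name], truth[name]):
            return i
    return None


def combined_verify(attempt, truth):
    """Check every factor and answer only True/False, never which factor failed."""
    ok = True
    for name in FACTORS:
        # keep evaluating all factors so timing does not leak the failing one
        ok &= secrets.compare_digest(attempt[name], truth[name])
    return ok


def brute_force_serial(truth):
    """Attacker against the serial verifier: fix each factor in turn using the feedback."""
    guess = {name: VALUES[0] for name in FACTORS}
    attempts = 0
    for i, name in enumerate(FACTORS):
        for candidate in VALUES:
            guess[name] = candidate
            attempts += 1
            failing = serial_verify(guess, truth)
            if failing is None or failing > i:
                break  # factor i is now correct; later factors are attacked next
    return attempts, guess


def brute_force_combined(truth):
    """Attacker against the pass/fail verifier: must walk the product of all factor spaces."""
    attempts = 0
    for combo in itertools.product(VALUES, repeat=len(FACTORS)):
        attempts += 1
        guess = dict(zip(FACTORS, combo))
        if combined_verify(guess, truth):
            return attempts, guess
    return attempts, None


if __name__ == "__main__":
    # Constructed worst-case credentials (last value in every factor's space)
    truth = {name: VALUES[-1] for name in FACTORS}
    print("serial verifier, guesses needed:  ", brute_force_serial(truth)[0])    # 108 = 36 + 36 + 36
    print("combined verifier, guesses needed:", brute_force_combined(truth)[0])  # 46656 = 36 ** 3
```

With three factors of 36 values each, the serial verifier is exhausted in 108 guesses while the pass/fail verifier needs up to 46,656; the gap grows with every extra factor. A retry limit, as in the no-second-chance behaviour described above, bounds both attackers, but only the combined check also stops the server from acting as an oracle for each credential in turn.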
From a CafeID article: "The SiteKey™ system fails, according to IT Security Architect Doug Ross (http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html), to address the fundamental problem of phishing because it leaves the customer susceptible to the classic "Man in the Middle" false-storefront attack. Since there's no way to distinguish the customer's virgin computer from a phisher-person's "malicious, zombie PC", according to Ross, "the zombie PC could present a false BofA store-front to the victim and proxy login information from the user to the bank and any resulting pages and images from the bank to the victim." ..." And, from the same article: "also the SiteKey approach still relies on the storage of images and so on in your personal records on the merchant's database. Compromise of this data would leave you just as vulnerable as you'd be if your login and password were obtained."