Assault on Authentication
The rather melodramatic "Assault on Authentication" is one of the 8 top threats of 2010 cited by the Information Security Media Group, Corp. (ISMG) in its recently published report "10 Faces of Fraud: Old and New Schemes Target Banking Institutions and Their Customers".
In addition, in a very recent development reported by The Register (http://www.theregister.co.uk/2010/09/27/zeus_mobile_malware/), David Barroso of S21sec highlights the vulnerability of mobile phones to Zeus "Man-in-the-Mobile" (MITMO) attacks. The out-of-band password delivered via SMS in many 2FA solutions has now been found to be vulnerable to attack by this Zeus variant.
So while "banking regulatory bodies have long called for mandatory two-factor authentication for all online banking sites", "now industry security experts warn that attacks against those traditional customer authentication methods are being challenged and defeated."
Avivah Litan, a Gartner analyst, says the threats include man-in-the-browser attacks that defeat one-time-password authentication from a dedicated token (such as the popular RSA SecurID), and call-forwarding that tops phone-based authentication, as well as transaction verification using SMS or voice calls. "This is bad news for banks that use these authentication techniques to protect high-value accounts and transactions, such as those from business and private banking accounts," Litan says.
Uri Rivner, head of New Technologies, RSA’s Identity Protection and Verification division, is also seeing an increase in high-grade man-in-the-browser trojan attacks. “In 2009, the emergence of highly customizable, stealthy, MITB-capable trojan kits reached a new height with the introduction of Zeus 2.0,” Rivner says.
So the "Attack on Authentication" is in full swing. These are attacks taking place against full-blown, sophisticated solutions provided by some of the biggest names in the business, including RSA. These solutions don't come cheap: they are affordable only by the largest banks and enterprises. So if they are vulnerable, what about smaller enterprises offering e-commerce solutions, gaming, online entertainment, subscriptions, or just about anything else that requires user identification or authentication?
As I have said in previous blogs, there are two critical requirements for authentication: triangulation and disposability. It was only a matter of time before the SMS out-of-band solution was hacked. Why? Because as long as a solution relies on a third party's network, and is therefore out of one's control, its reliability cannot be vouched for. I have personal experience of a PayPal OTP failing to be delivered via SMS to my phone in time, causing me to cancel the transaction.
That is why we (http://www.liveensure.com/) have created a unique solution which triangulates out of channel (out of the browser) but not out of band (we stay within the band of the Internet), and hence we are able to manage the solution end to end. Why not try it for yourself? You can do so for free.