Assault on Authentication

 While doing some research as we head towards the end of ‘CyberSecurity Month’  I came across two very interesting developments. 

The rather melodramatic – Assault on Authentication -  is one of the 8 top threats of 2010 as cited by the Information Security Media Group, Corp. (ISMG) in a recently published report called 10 Faces of Fraud  ( Old and New Schemes Target Banking Institutions and Their Customers ) 

In addition in a very new development in a recent article (http://www.theregister.co.uk/2010/09/27/zeus_mobile_malware/) David Barroso of S21sec highlights the vulnerability of mobiles to Zeus ( MITMO ) (Man-in-the-Mobile ) attacks.   The out of band password delivered via SMS in many 2FA solutions has now been found to be vulnerable to attack by the Zeus variant. 

So while “ banking regulatory bodies have long called for mandatory two-factor authentication for all online banking sites” .   “ Now industry security experts warn that attacks against those traditional customer authentication methods are being challenged and defeated. “   

Avivah Litan, a Gartner analyst, says the threats include man-in-the-browser attacks that defeat one-time-password authentication from a dedicated token (such as the popular RSA SecurID), and call- forwarding that tops phone-based authentication, as well as transaction verification using SMS or voice calls. “This is bad news for banks that use these authentication techniques to protect high-value accounts and transactions, such as those from business and private banking accounts,” Litan says.

Uri Rivner, head of New Technologies, RSA’s Identity Protection and Verification division, is also seeing an increase in high-grade man-in-the-browser trojan attacks. “In 2009, the emergence of highly customizable, stealthy, MITB-capable trojan kits reached a new height with the introduction of Zeus 2.0,” Rivner says.

So the “ Attack on Authentication” is in full swing.     These are attacks taking place against full blown sophisticated solutions provided by some of the biggest names in the business including RSA.   These solutions don’t come cheap -  affordable only by the largest banks and enterprises.  So if they are vulnerable – what about smaller enterprises offering e-commerce solutions, gaming, online entertainment, subscriptions – just about anything that requires  user identification or authentication. 

As I have said in previous blogs there are two critical requirements for authentication – triangulation and disposability.     It was only a matter of time before the SMS out of band solution was hacked.   Why ?  Because as long as a solution relies on a 3rd party’s network, ergo,  out of ones control then its reliability cannot be vouched for.   I have personal experience of a PayPal OTP failing to be delivered via SMS to my phone timeously and hence causing me to cancel the transaction. 

That is why we (http://www.liveensure.com/) have created a unique solution which triangulates out of channel (out of the browser) but not out of band (we stay within the band of the Internet) and hence are able to manage the solution end to end.    Why not try it for yourself - you can do so for free. !!

http://www.liveensure.com/

Comments

Post a Comment

Popular posts from this blog

The End of Passwords

Finally it seems … the penny has dropped.   Passwords are a poor substitute for real online security.   There is more and more ‘chatter’ about it.    Robin Henry writing in the Sunday Times on New Years Day talks of the end of ‘password hell’ invoking solutions in the pipeline from the Web Gods – Apple and Google.  The talk is of new biometric solutions such as facial and hand movement recognition.  Even IBM is talking this way.  ( http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/ )  I agree with the notion that passwords are a dying breed but not that biometrics will become vogue.   They are fraught with problems of their own such as reliability, accuracy and the need for referencing of data-bases ( fail !) .    Why are passwords defunct?   Basically they are difficult to remember and they are easy to steal.    The solutions needed are those that require no cognitive load for the user ( the most unreliable participant in this enterprise
Read more

WIKILEAKS - the fuss?

Why all the fuss ? Why the ‘outrage’ at this ‘threat to national security’ ?   Are we really worried that nuclear war is going to break out because of these ‘dirty’ secrets getting out.  As if the North Koreans are going to up the ante any more than their mock charge of last week because of the abuse and scorn heaped upon them by US Diplomats.  ? !    Come on. To me the irony of this bluster is that it is (largely) from the right wing establishment in the US - calling it treason!     Any party that parades a half wit like Palin as a presidential hopeful hardly holds any moral high ground when it comes to protecting the USA.   Her appointment as the ‘leader of the free World’ will be enough to send any level headed American ( let alone any one of their Allies ) into a panicky tailspin at the thought of what she may stumble into ( by accident or design) . So how did these documents get out there?   Poor security.  Plain and simple.   If the US is so worried about this incident su
Read more

HSBC EMBRACES OLD TECHNOLOGY IN ITS BATTLE AGAINST HACKERS

 If you live in the UK and are somehow involved in the business world and exposed to media you could not help but have noticed the extensive advertising campaign that HSBC has been running on its new (sic) ‘security device’ for online banking - Secure Key.    ( I was tempted to refer to them as  ‘ large UK bank’  - but it is so obvious who it is – no point in pretending. ) A lot of money has been thrown at this campaign – I would guess millions.  ( http://www.youtube.com/watch?v=Jx0Z5CiQMIw )   Full page spreads in large circulation newspapers cost big bucks not to mention prime time TV slots.   So here you have the worlds largest retail bank splashing millions on advertising and even more on a ‘cool’ little device that looks like a mini-calculator  - but basically a technology that has been around for about a decade.   This will be rolled out to 4m retail customers worldwide at a reported cost of up to £50 per pop! ( http://www.bankingtech.com/bankingtech/article.do?articleid=200002
Read more