Why most security fails and LiveEnsure® does not ?


Mary Meeker informs us that there are now 1.1bn  Smartphones  (17% of all mobile phones) and these are driving Internet growth with a total of 2.4bn people now connected to the Internet.

Mary Meeker Internet trends

The universe for hackers just grows and grows.    One of the most lethal of these attacks is Zeus (ZITMO) – which is aimed squarely at Smartphones.

The Zeus attack is an example of several attacks now being launched that are based wholly on anticipated behavior, especially as it relates to social media, single-sign-on and BYOD.

A sophisticated Zeus campaign stole an estimated €36 million, or $47 million, from over 30,000 customers across more than 30 banks in Europe this summer.

The Eurograbber campaign, as it has been named, used custom versions of Zeus and Zeus in the mobile (ZITMO) Trojans to bypass the two-factor authentication measures to compromise customer bank accounts, Darrell Burkey, director of IPS products at Check Point Software Technologies, told SecurityWeek.  The attack intercepted SMS messages sent to customers to confirm financial transactions.      Zeus campaign


The attack is successful on Android, since that is an open platform.   Not successful on iOS, since it is not.

The main approach is to triangulate something happening on a computer (PC/laptop tablet)  with something happening on the phone.  A One Time Password (OTP) is sent to the phone via SMS.    An API exists on the phone that allows interaction with SMS -  and so this data can be forwarded to the hackers own device where he can log-in ‘as the user’  - even though he may be thousands of miles away.  

This attack is merely a capture and replay attack, just focusing on grabbing the disparate OOB elements and marrying them "out of context".    The site knows no better because it is expecting the correct OTP to be presented – and it is.  The site has no idea where it is coming from.   (This is true of all such OTP solutions relying on ‘secrets’ being sent back to the site.)

This attack is not trivial but it is preventable.  By LiveEnsure®– here is why:

a) The LiveEnsure® flow is reversed.  Hackers cannot initiate a login and then snag an SMS from the phone when sent and apply it themselves.
b) LiveEnsure® doesn’t use SMS at all – LiveEnsure® relies on email and then only for registration - which this attack (by design) must happen after registration to work.
c) The LiveEnsure® agent is impervious to Trojans - on any platform - since it is a dynamic event in a separate memory space from the browser or calling application  (or  Trojan for that matter)
d) With LiveEnsure® nothing is sent from the app or phone to the site, which means anything the hacker steals cannot be used back at the site, it has to be used on the phone which they don't have.
e) What is used on the phone is not sent back to the site for verification, it is sent to LiveEnsure® - which only expects what it expects, and cannot be fooled by captured information (from a fragile channel)

f) That is why LiveEnsure® measures ‘location’ - if the hacker and the real user are not standing side by side in front of the screen…... then whatever they might steal (but cannot anyway) would be contextually invalid.

LiveEnsure® is about context, not credentials.   This attack is merely a capture and replay attack, focusing on grabbing the disparate OOB elements and marrying them "out of context".

It's exactly what LiveEnsure® is designed to thwart.

Comments

  1. Hi Ross

    I'd also like to add an option to this as well...

    With spoken OTP this would also negate the "grab".

    The user would receive the authentication call and the OTP given verbally.

    There are also similar reverse spoken authentication options as well which require PIN spoken back (biometrically matched) then the OTP issued verbally as well.

    ReplyDelete

Post a Comment

Popular posts from this blog

The End of Passwords

WIKILEAKS - the fuss?

SPOOKS - CYBER ATTACK