Why most security fails and LiveEnsure® does not?


Mary Meeker informs us that there are now 1.1bn smartphones (17% of all mobile phones) and these are driving Internet growth, with a total of 2.4bn people now connected to the Internet.

Mary Meeker Internet trends

The universe for hackers just grows and grows. One of the most lethal of these attacks is Zeus (ZITMO), which is aimed squarely at smartphones.

The Zeus attack is an example of several attacks now being launched that are based wholly on anticipated behavior, especially as it relates to social media, single-sign-on and BYOD.

A sophisticated Zeus campaign stole an estimated €36 million, or $47 million, from over 30,000 customers across more than 30 banks in Europe this summer.

The Eurograbber campaign, as it has been named, used custom versions of Zeus and Zeus in the mobile (ZITMO) Trojans to bypass the two-factor authentication measures to compromise customer bank accounts, Darrell Burkey, director of IPS products at Check Point Software Technologies, told SecurityWeek. The attack intercepted SMS messages sent to customers to confirm financial transactions.

Source: SecurityWeek, Zeus campaign


The attack is successful on Android, since that is an open platform; it is not successful on iOS, since iOS is not.

The main approach is to triangulate something happening on a computer (PC, laptop or tablet) with something happening on the phone. A One Time Password (OTP) is sent to the phone via SMS. An API exists on the phone that allows interaction with SMS, and so this data can be forwarded to the hacker's own device, where he can log in 'as the user' even though he may be thousands of miles away.

This attack is merely a capture and replay attack, just focusing on grabbing the disparate OOB elements and marrying them "out of context". The site knows no better because it is expecting the correct OTP to be presented, and it is. The site has no idea where it is coming from. (This is true of all such OTP solutions relying on 'secrets' being sent back to the site.)

This attack is not trivial, but it is preventable by LiveEnsure®. Here is why:

a) The LiveEnsure® flow is reversed. Hackers cannot initiate a login, snag the SMS when it is sent to the phone, and apply it themselves.
b) LiveEnsure® doesn't use SMS at all. LiveEnsure® relies on email, and then only for registration; this attack, by design, can only work after registration.
c) The LiveEnsure® agent is impervious to Trojans, on any platform, since it is a dynamic event in a separate memory space from the browser or calling application (or the Trojan, for that matter).
d) With LiveEnsure® nothing is sent from the app or phone to the site, which means anything the hacker steals cannot be used back at the site; it has to be used on the phone, which they don't have.
e) What is used on the phone is not sent back to the site for verification; it is sent to LiveEnsure®, which only expects what it expects and cannot be fooled by captured information (from a fragile channel).
f) That is why LiveEnsure® measures 'location': if the hacker and the real user are not standing side by side in front of the screen, then whatever they might steal (but cannot anyway) would be contextually invalid.
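To make the contrast between the SMS-OTP flow described above and the reversed flow in points a) to f) concrete, here is an added simulation. It is not code from the original post or from LiveEnsure®; the verifier, the context strings such as "loc:home", the user and device names, and the challenge/approval API are all constructed for illustration and model the post's description in the simplest possible way. The naive site checks only that the presented code is correct, so a code forwarded off the phone and presented from a session far away is accepted; in the reversed model the phone's approval goes to the verifier, never to the site, and the verifier rejects an approval that does not come from the registered device in the same context as the browser.

```python
"""Constructed model of the two flows: an SMS-OTP site that accepts the code from
whoever presents it, and a reversed, verifier-mediated flow in which the phone
never sends anything to the site. Names and contexts are illustrative only."""
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300


class NaiveSmsOtpSite:
    """Site sends a one-time code to the phone and later accepts that code back.
    It checks the code, not where the code comes from."""

    def __init__(self):
        self._pending = {}  # user -> (code, expiry)

    def start_login(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, time.time() + OTP_TTL_SECONDS)
        return code  # the text of the SMS that goes to the phone

    def finish_login(self, user, code, browser_context):
        pending = self._pending.get(user)
        if pending is None or time.time() > pending[1]:
            return False
        ok = hmac.compare_digest(pending[0], code)
        if ok:
            del self._pending[user]  # single use, but the first presenter wins
        return ok  # browser_context is never consulted: "no idea where it is coming from"


class ContextVerifier:
    """Reversed flow (hypothetical model). The site opens a challenge here with its
    own session and the browser's context; the registered phone approves the
    challenge here (not at the site) with its own context; the site then asks
    whether its session was approved. Nothing the phone produces reaches the site."""

    def __init__(self):
        self._devices = {}     # user -> registered device id (registration is out of band)
        self._challenges = {}  # challenge id -> state

    def register_device(self, user, device_id):
        self._devices[user] = device_id

    def open_challenge(self, user, site_session, browser_context):
        cid = secrets.token_hex(8)
        self._challenges[cid] = {
            "user": user, "site_session": site_session,
            "browser_context": browser_context, "approved": False,
            "expiry": time.time() + OTP_TTL_SECONDS,
        }
        return cid

    def phone_approve(self, cid, device_id, device_context):
        ch = self._challenges.get(cid)
        if ch is None or time.time() > ch["expiry"] or ch["approved"]:
            return False
        if device_id != self._devices.get(ch["user"]):
            return False  # only the device registered for this user counts
        if device_context != ch["browser_context"]:
            return False  # phone and browser must share the same context ('location')
        ch["approved"] = True
        return True

    def site_check(self, cid, site_session):
        ch = self._challenges.pop(cid, None)  # one answer per challenge
        return bool(ch and ch["approved"] and ch["site_session"] == site_session)


def captured_otp_is_accepted():
    """Post's scenario: a login is started, the SMS text is forwarded off the phone
    and presented from a session far away. The naive site accepts it."""
    site = NaiveSmsOtpSite()
    sms_text = site.start_login("alice")
    return site.finish_login("alice", sms_text, browser_context="far-away-session")


def out_of_context_approval_succeeds():
    """Same scenario against the reversed flow: there is no code to forward, a foreign
    device cannot approve, and the real phone is not where the remote browser is."""
    v = ContextVerifier()
    v.register_device("alice", "alice-phone")
    cid = v.open_challenge("alice", "far-away-session", browser_context="loc:far-away")
    foreign_device = v.phone_approve(cid, "rogue-device", "loc:far-away")
    wrong_place = v.phone_approve(cid, "alice-phone", "loc:home")
    return foreign_device or wrong_place or v.site_check(cid, "far-away-session")


def legitimate_login_succeeds():
    """Registered phone, same context as the browser: approved at the verifier."""
    v = ContextVerifier()
    v.register_device("alice", "alice-phone")
    cid = v.open_challenge("alice", "home-session", browser_context="loc:home")
    v.phone_approve(cid, "alice-phone", "loc:home")
    return v.site_check(cid, "home-session")


if __name__ == "__main__":
    print("naive site accepts forwarded code:", captured_otp_is_accepted())
    print("reversed flow approves out of context:", out_of_context_approval_succeeds())
    print("reversed flow approves legitimate login:", legitimate_login_succeeds())
```

The design point is in the last two methods of the verifier: approval is a side effect recorded at the verifier and tied to the site's own session, so the site only ever learns a yes/no about its session, and a captured approval has nothing it can be replayed against.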

LiveEnsure® is about context, not credentials. The attack described above is merely a capture and replay attack, focusing on grabbing the disparate OOB elements and marrying them "out of context". It's exactly what LiveEnsure® is designed to thwart.

Comments

  1. Hi Ross

    I'd also like to add an option to this as well...

    With spoken OTP this would also negate the "grab".

    The user would receive the authentication call and the OTP given verbally.

    There are also similar reverse spoken authentication options as well which require PIN spoken back (biometrically matched) then the OTP issued verbally as well.

