Monday, May 30, 2005

Two-Factor Authentication won't stop Phishing

The Association for Payment Clearing Services (APACS), a UK banking industry body, is putting the final touches on its plan to make online transactions "secure". Its approach relies on two-factor authentication.

Two-factor authentication (TFA) combines "something you know" with "something you have." The classic embodiment is an RSA SecurID token: it displays a code derived from a secret seed and the current time, and the code changes every minute. The user supplies that code together with a PIN (keyed into the token itself on some models, typed alongside the code on others), and the central server, which holds the same seed and clock, computes the value it expects. A code captured today and replayed after its window has passed won't work.

What's driving the adoption of TFA? And, more importantly, will it work?

To answer the first question, one need only read this blurb from Finextra:

BoA is currently embroiled in a legal challenge from a Miami businessman over $90,000 he says was stolen from his online banking account by Latvian cybercriminals. He says the thieves authorised a wire transfer out of his account using access details acquired by a Trojan keylogging device on his infected PC.

TFA does blunt key-loggers that capture users' sign-in names and static passwords: a one-time code logged today is worthless tomorrow, so the crooks can't bank the password for later use.

But the key-logger (or the trojan it belongs to) can just as easily notify the bad guy the moment a fresh code is typed, or open a session for him from the victim's own machine. The bad guy only needs to be at his keyboard when these time-sensitive notifications arrive. Once he has hijacked a session, he's still free to perpetrate the same kinds of criminal acts that static passwords facilitated.

Will Two-Factor Authentication Help Fight Phishing?

Bank of America has announced a system that it believes will, if not prevent, then dramatically reduce phishing:

The service will also provide customers with a way to confirm that the bank Web site they visit is legitimate. The PassMark is displayed during log in to a banking site and if the image is correct customers will know the site is genuine and that it is safe to enter passwords.

I'm not sure I see much of a benefit to these measures. In an earlier, more complete critique, I summarized some of its problems.

Basically, the new BofA measures appear susceptible to a simple man-in-the-middle attack. A phishing site, a false store-front if you will, can act as a transparent proxy between the victim and the real bank and capture the victim's authentication data on the way through. Whatever the BofA site presents, a personal image or a custom challenge, the "evil proxy" simply fetches it from the bank and relays it to the victim.

The victim can't tell the proxy from the real site (after all, the image is correct!), so the victim hands the evil proxy valid sign-in data, the proxy forwards it to the BofA site, and the phisher now holds a live session.

The only benefit I can deduce in BofA's new approach is time-sensitivity. That is, the hijacked session is only valid for a relatively short period, so the phisher has to man a control computer and wait for successful hijackings instead of collecting credentials at leisure. The static sign-in ID and password are no longer quite as useful as they once were.
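Both points above, that a one-time code captured for later replay fails while a code relayed live through a false store-front succeeds, as an added Python example. This is not code from the post, from BofA, APACS or any vendor; it assumes a TOTP-style second factor (HMAC-SHA1 over a time counter, 30-second step), a bank that accepts each step's code only once, and a proxy that forwards the personal image and the credentials unchanged. The user name, image name and seed are made up.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo, not BofA's or APACS's code. The "bank" issues TOTP-style
# codes (HOTP/TOTP construction, 30-second step, one use per step: all assumed)
# and the "evil proxy" is the false store-front described in the post.

STEP = 30  # seconds per code; assumed


def totp(seed: bytes, t: int, step: int = STEP, digits: int = 6) -> str:
    """Time-sensitive code derived from a shared secret seed and the clock."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Bank:
    """The genuine site: personal image at log-in, TOTP-style second factor."""

    def __init__(self):
        self.users = {}     # user -> (seed, personal image)
        self.sessions = {}  # session token -> user
        self.used = set()   # (user, time step) already consumed; blocks replay

    def enroll(self, user, image, seed):
        self.users[user] = (seed, image)

    def image_for(self, user):
        return self.users[user][1]

    def login(self, user, code, now):
        seed, _ = self.users[user]
        step = now // STEP
        # Accept the current step and the previous one (clock drift), each once.
        for c in (step, step - 1):
            if (user, c) in self.used:
                continue
            if hmac.compare_digest(totp(seed, c * STEP), code):
                self.used.add((user, c))
                token = secrets.token_hex(16)
                self.sessions[token] = user
                return token
        return None  # wrong, expired or already-used code

    def wire_transfer(self, token, amount):
        return token in self.sessions  # a hijacked session works like any other


class EvilProxy:
    """False store-front: relays every request to the real bank in real time."""

    def __init__(self, bank):
        self.bank = bank
        self.hijacked = []

    def image_for(self, user):
        return self.bank.image_for(user)  # the image the victim expects to see

    def login(self, user, code, now):
        token = self.bank.login(user, code, now)  # forwarded immediately
        if token:
            self.hijacked.append(token)
        return token


def scenario():
    bank = Bank()
    seed = b"constructed-demo-seed-20"  # fixed so the run is reproducible
    bank.enroll("victim", "sailboat.jpg", seed)
    proxy = EvilProxy(bank)
    now = 1_000_000
    code = totp(seed, now)  # what the victim reads off the token

    # (a) Keylogger captured the code; attacker replays it five minutes later.
    replay_ok = bank.login("victim", code, now + 300) is not None

    # (b) Victim is on the proxy: it shows the right image, so the victim
    #     types the code; the proxy logs in at the bank within the window.
    image_matches = proxy.image_for("victim") == "sailboat.jpg"
    token = proxy.login("victim", code, now)
    hijack_ok = token is not None and bank.wire_transfer(token, 90_000)

    # (c) The victim's own attempt with the same code afterwards is refused.
    victim_ok = bank.login("victim", code, now) is not None

    return replay_ok, image_matches, hijack_ok, victim_ok


if __name__ == "__main__":
    print(scenario())  # (False, True, True, False)
```

Nothing in this exchange lets the bank tell the proxy from the victim's browser: the code is bound to the clock, not to the site the victim is actually talking to, which is exactly why the relay works and the replay does not.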

A longer-term approach? Customer education is paramount. I've also proposed an anti-fraud checklist that a financial institution could place on its website; it would make it considerably tougher for a phisher to construct a convincing false store-front.

That said, I don't think there are any silver bullets that can rid us of the phishing problem once and for all. The BofA approach is a baby step in the right direction, but many vulnerabilities remain.
