[Dave Birch] A couple of years ago, Steve Pannifer and I wrote a paper about two-factor ("token") authentication pointing out that token authentication wasn’t the solution to the general Internet authentication problem but just a first step on one potential roadmap to a solution.  One of the reasons we gave was that token authentication is vulnerable to a "man-in-the-middle" (MITM) attack.  Now this attack "in the wild" has been reported in the Washington Post.


Citibank are the target of this particular attack.  The phishing site asks Citibank customers for a user name and password, as well as the token-generated key.  But the site is a MITM: it uses the customer's details and the key to log in to the real Citibusiness site.
Authentication is a critical element in digital identity infrastructure, but it needs to work end-to-end.  PKI is one way of doing this (see, for example, the newly-rebranded IdenTrust).  I hate to harp on about smart cards, but if your private key never leaves your smart card (or smart thingy of some description), then the messages from the bank can be encrypted and signed all the way to that smart card.  A MITM can’t use them.
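To make the difference concrete, here is an added illustration (not code from the post or from Consult Hyperion) of the two bank-side checks in Python. It models the card's private-key signature with an HMAC over a card-held secret, which is a simplification; the secret, challenge, and transaction strings are constructed for the example.

```python
import hashlib
import hmac

# Constructed example: a secret provisioned into the card/token at issuance,
# with a matching copy held by the bank. In the real scheme the card would hold
# a private key and the bank its public key; HMAC stands in for that here.
CARD_SECRET = b"constructed-card-secret"


def token_otp(secret: bytes, t: int, step: int = 60) -> str:
    """Time-based one-time code, as produced by a disconnected token."""
    counter = (t // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def bank_verify_otp(code: str, t: int) -> bool:
    """Bank side, token scheme: the code is accepted from whoever presents it
    inside the time window. Nothing ties it to the session or the transaction,
    which is exactly why a relayed code passes."""
    return hmac.compare_digest(code, token_otp(CARD_SECRET, t))


def card_sign(secret: bytes, challenge: bytes, txn: str) -> str:
    """Card side, end-to-end scheme: sign the bank's challenge together with
    the transaction the cardholder actually sees. The secret never leaves."""
    return hmac.new(secret, challenge + txn.encode(), hashlib.sha256).hexdigest()


def bank_verify_signed(sig: str, challenge: bytes, txn: str) -> bool:
    """Bank side, end-to-end scheme: recompute over the challenge it issued and
    the transaction it is about to execute. Anyone in the middle who alters the
    transaction cannot produce this value without the card."""
    return hmac.compare_digest(sig, card_sign(CARD_SECRET, challenge, txn))


def compare_schemes() -> tuple:
    """Returns (relayed OTP accepted, honest signed txn accepted, altered txn accepted)."""
    t = 1_700_000_000                      # constructed timestamp
    otp = token_otp(CARD_SECRET, t)        # code the customer typed into the fake site
    relayed_ok = bank_verify_otp(otp, t)   # forwarded within the window: accepted
    challenge = b"constructed-bank-nonce"  # fresh per session in a real deployment
    honest = "pay 100 GBP to ACME LTD"
    sig = card_sign(CARD_SECRET, challenge, honest)
    altered = "pay 5000 GBP to MULE ACCOUNT"
    return (relayed_ok,
            bank_verify_signed(sig, challenge, honest),
            bank_verify_signed(sig, challenge, altered))
```

The first result shows the weakness the post describes; the third shows that once the card signs what the customer sees, an intermediary can at most forward the genuine transaction, not substitute its own.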
An interesting example of this architecture is the use of Bluetooth smart card readers to provide authentication to other personal devices.  This is now being used by the DoD to provide authentication for Crackberrys using CAC cards.  We looked at this solution for a client back in 2003 (not for CAC cards but for a commercial solution), but at that time the readers were too expensive for the particular application: so either the costs have come down or the DoD is less price-sensitive than our client was!
The 2004 paper, which provides a useful introduction to EMV-based token authentication, is here: Phishandchips V4
