A Letter From Hackers: Thanks for Multifactor Authentication PDF Print E-mail
Banking Articles - Bank Security Articles
Written by Aiden Michaels   
Wednesday, 19 September 2007 14:56

hacker.jpg

The FFIEC requirement for Multifactor Authentication was designed to make online banking more secure, one analyst says it's making things worse.

At DefCon (an annual gathering of security professionals and hackers) security researcher Brendan O'Connor presented several scenarios in which online banking security has gotten worse.  As of last year banks were required to comply with the FFIEC guidelines to provide multi-factor authentication.


Designed to help combat phishing attacks, O'Connor shraed some insight as to why, with all these new safeguards in place, phishing sites are still operational today.

"The guidance specifically says that transaction fraud and identity theft are a problem, and it places the blame squarely on authentication," said O'Connor. "I disagree with that entire premise." He pointed to the "three strikes--you're out" rule with most Web applications. Guess the wrong password and you're locked out until you get on the phone to someone. "Attackers aren't getting in by guessing, they're getting in by stealing the credentials or tricking the end-user into giving away the credentials." So adding more credentials won't make sites more secure.

{mosmodule module=Aiden}
One example given by O'Connor is that Paris Hilton chose the question of  "What is the name of your favorite pet?" - A simple google search can reveal that to anyone attempting to access her online information, and did.  Does this process introduce a false sense of security?  Another example cited by O'Connor - "What is your favorite city?" - a user ID of cubfan98 probably chose Chicago.  Also the answer to publicly available records such as mortgage ammounts or the year that you graduated high school are also poor choices for security questions.


Personal images provide no better security. Many online banking systems say that if you can see the correct image, then you are on an authentic site or that you are not on a phishing scam site.  A quick look at the code of the page reveals the ALT tag problem.
"The language they are using is so strong and the system is so simple to bypass, I was just amazed when I saw it." O'Connor said several very large banking sites are currently using one commercial image file system. They're disguising the actual user request to get a particular image, which is good, but they're also leaving the HTML Alt-tag in plain text, which is bad."
"I looked at about a dozen different institutions. In every one I looked at, the Alt-tag for one image had a 100 percent correlation across all intuitions that it was the same picture. So Nature & Animals picture #123 on Bank A was the same as Nature & Animals picture #123 on Bank B, C, D, E, and F." O'Connor said as a phisher, "I can not only impersonate the bank, now I know that this user ID uses this image, so there's obvious ways for misuse there."
Computers are not individual. Another factor used by many multifactor companies is device "fingerprinting".  This factor assumes that all computers are different, like snowflakes.  If the provider has fingerprinted your machine, then you can bypass the image and question authenticaions automatically.
"Every Dell, or HP, or IBM that comes off the line comes with the OS preload and the software preconfigured; every one has the same fingerprint."
In a simulated phishing attack, O'Connor was able to capture the so-called unique information from one computer and paste it into the Javascript request on another system.  This allowed him to receive a persistant cookie, a file that would allow his return at a later time and bypass multi factor authentication and enable them to conduct any transaction on behalf of an internet banking user.

O'Connor used the analogy of placing more security guards at the front door, stating that managers don't just want to know who is coming into the business, but what they are doing while they are in there.

Coming up on Bankwide - What you can do to strengthen your online banking security....

Inspiring Article: http://reviews.cnet.com/4520-3513_7-6762995-1.html
Security Bites Podcast: http://www.news.com/
Trackback(0)
Comments (3)add comment

Piscean Chap said:

When we speak about Multi-Factor authentication, it is not about "Images" or "Device Fingerprinting". Device fingerprinting is one of the component, but the auther assumed that its OS fingerprinting, which is incorrect.

There are vendors who has pitched in without realising that what they claim is incorrect, and bank's security people are bought into it may be because of pressure from top. Multi-Factor has many facets and it has definitely made the window of exposure to minimum for a well thought and implemented Multifactor Products.
 
report abuse
vote down
vote up
December 24, 2007
Votes: +0

Aiden Michaels said:

I think the point that the analyst is trying to make is that the best security is the end user. That the MFA requirements are creating a false sense of security - yes it is a great leap forward adding MFA's, but there is still much work to be done. The biggest, educating consumers.
Thanks for the comment!
 
report abuse
vote down
vote up
December 27, 2007
Votes: +0

Piscean Chap said:

Here, exactly what I feel is the point where most of the vendors miss. User education component is not dependable. The purpose of MFA is to protect what user cannot by himself, despite being howsoever knowledgable, can prevent from happening. For example, user cannot prevent himself if he is attacked by using trojans, keyloggers, vishing or pharming or MITM techniques. MFA cannot depend on antiviruses to detect something wrong happening in background. MFA is multi factor, and these multi factors should be selected in such a manner, that all these are countered even if the user is not educated enough.

The point I had tried to convey is, MFA solution that are not implemented properly have caused this situation. And the institutions which adapted these either under influence or miscommunication or without understanding the threats has resulted in a situation of "false sense of security" when there is no security.

Cheers!!
 
report abuse
vote down
vote up
December 27, 2007
Votes: +0

Write comment

busy
 

Show Other Articles Of This Author