Token-based Authentication Vulnerable to Phishers

Looks like phishers are really becoming more and more creative these days. Previously, I wrote a number of blog entries about phishing. One particular entry was about a way to use XSS vulnerabilities to beat SSL security, which was previously used against PayPal. The scary part is that phishers have already started exploiting these XSS vulnerabilities and integrating them into phishing schemes. Here is an article from NetworkWorld describing the increased use of phishing to beat token-based authentication systems. These systems are primarily used for e-banking and other secure online transactions!

Scammers have found a way around new token-based authentication systems that have been adopted by some banks.
Over the past few weeks, approximately 35 phishing Web sites have been set up that use the new attack. They attempt to trick users into divulging the temporary passwords created by the security token devices used by banks such as Citigroup, said Rich Miller, an analyst with Internet research company Netcraft.
Phishers have only recently begun looking for ways around token authentication, using what is known as a “man-in-the-middle” attack, Miller said. “These attacks are worrisome because they took advantage, fairly early on, of a system that’s seen as enhancing security for banking customers,” he said.

This is also known as a “replay” attack. That is because the site in the middle, which pretends to be the vulnerable secure website, shuttles requests and responses back and forth between the user and the real site while collecting information along the way. In this particular case, the one-time password (OTP) produced by the token authentication system is captured while it is still valid and is used to create extra transactions the user never intended.

This only works because end users on an SSL-compromised system ignore the “digital certificate invalid” warning message that a browser normally shows for a system presenting a fake or spoofed digital certificate, which in this case is the spoofing site. Ignoring that warning is generally a really bad idea. Fortunately, as the article mentions, this type of user is getting rarer and rarer. So now the problem is when SSL is actually compromised with methods such as XSS. In this rare case, it is possible for end users not to know that the site is compromised, because the “digital certificate invalid” warning message never appears. This is the scary case. The solution to this is for secure authentication sites to ensure that they are not prone to XSS. Very strict audits must be made on these secure websites.

Another strategy is to use digital certificate-based token authentication in lieu of OTP-based authentication. This way we have two-way SSL and non-repudiation which OTP does not provide. The most important solution to any security problem is vigilance. Once we let our guard down, that is when the black hats prevail.
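To make the two points above concrete, here is an added toy simulation (my own example code, not from the article or any bank): a bank that checks a single-use RFC 4226 HOTP code, a victim who authorises one payment, and a site in the middle that forwards the fresh code but submits a different transaction. The token seed, client key and payee names are constructed; the keyed MAC over the transaction is a simplification standing in for the client-certificate signature that two-way SSL would require, since that key never passes through the relaying site.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def tx_proof(client_key: bytes, to: str, amount: int) -> bytes:
    """Keyed MAC over the transaction; stands in for a client-certificate signature."""
    return hmac.new(client_key, f"{to}:{amount}".encode(), hashlib.sha256).digest()

class Bank:
    """Constructed toy bank: single-use OTP, optionally a per-transaction proof."""
    def __init__(self, seed: bytes, client_key=None):
        self.seed, self.counter, self.client_key, self.ledger = seed, 0, client_key, []

    def transfer(self, otp: str, to: str, amount: int, proof: bytes = b"") -> bool:
        if not hmac.compare_digest(otp, hotp(self.seed, self.counter)):
            return False            # stale or wrong code: a classic replay stops here
        self.counter += 1           # each code is consumed after one use
        if self.client_key is not None:
            if not hmac.compare_digest(proof, tx_proof(self.client_key, to, amount)):
                return False        # proof does not cover *this* transaction
        self.ledger.append((to, amount))
        return True

def relay_scenario(require_proof: bool) -> list:
    """Victim authorises rent; the site in the middle forwards the still-valid
    code but submits its own transaction. Returns what the bank actually booked."""
    seed, client_key = b"constructed-token-seed", b"constructed-client-key"  # constructed
    bank = Bank(seed, client_key if require_proof else None)
    # What the victim reads off the token and (when required) signs for the intended payment.
    otp = hotp(seed, bank.counter)
    proof = tx_proof(client_key, "landlord", 500)
    # The relay forwards the fresh code, plus whatever proof it saw, with a rewritten payee.
    bank.transfer(otp, "mule", 9000, proof)
    return bank.ledger
```

With OTP alone the rewritten transfer is booked, because the code only proves that someone held the token, not what they agreed to; with the transaction-bound proof the bank rejects it even though the OTP itself was fresh and correct.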
