The financial industry has been hit hard by the increasing sophistication of web-based threats, including online phishing and identity theft attacks. According to Gartner, these attacks caused losses upwards of $2.8 billion in 2006 and the numbers don't seem to be abating in 2007.
The more simple versions of these attacks can be prevented effectively by the deployment of a two-factor authentication solution, such as random number generators or challenge and response mechanisms. Unfortunately, the application of today's two-factor authentication solutions is totally misplaced when used as a preventative measure against the threats of online phishing and identity theft. The result is that the industry is still vulnerable to the same attacks, and the attacks themselves are becoming much more sophisticated and destructive than ever before.
Missing the point
Two-factor authentication was originally designed for use on local machines, closed networks, or VPNs. In these environments the method of communication via a trusted client on an equally trusted terminal was not at risk of attack. The security of the terminal and the client was never in question; the integrity of the user was. It was for the purpose of authenticating the user that two-factor authentication was created. The problem with the use of two-factor solutions in online applications lies not with the two-factor itself but with both the inherent flaws within the browser and also the way in which two-factor solutions are currently applied over the web.
When the first two-factor solutions were introduced, connectivity was permitted based on an implied trust that existed between the client and server. The two-factor process simply authenticated the identity of the user and not the terminal used to connect to the network. Physical security allowed only restricted individuals to sit down at the chosen terminal within the VPN or closed network, but a further authentication process was introduced to fully verify the user.
However two-factor is no longer being applied to authenticate the users on a closed network where the threat of attack on the network through the terminal was impossible, or at least highly improbable. It is now being applied to authenticate a user on the World Wide Web, a network of such immense size that the threat of attack in one form or another exists with almost every connection.
Don't expect much
None of the implied trust that exists on a VPN can possibly exist in a web-based network. Anyone can connect to a server or online bank before their identity has been established to any degree. This leaves web-based applications with architectural vulnerabilities open to attack before the two-factor authentication solution can even do its job. However, the primary attack vector of most identity theft attacks is through the user's browser itself.
These are the types of attacks that focus on web-browser vulnerabilities, rending almost all current two-factor authentication solutions useless:A Factor Too Far
• Cross-Site scripting attacks – This type of attack exists because of poor programming within web applications. These allow an attacker to place malicious script in a webpage they do not control. The browser interprets this script in a way that allows for the stealing of cookies, session data, user input (usernames, passwords, random numbers, etc...), while at the same time making it possible to send data on the user's behalf (i.e. clicking links or changing data). As many applications are becoming web-based, these attacks will only increase in frequency.
• Man-in-the-Middle attacks – This style is more commonly used in phishing attacks. In order to execute such an attack, the user views an identical version of the legitimate web page that they are trying to access. The page that they are actually on is an attacker's page which is simultaneously logged onto the legitimate site disguised as the user. The attacker then passes back to the user only the information that they request. Even after the user has logged off, the attacker can still navigate the legitimate site disguised as the user and can perform malicious tasks on their own behalf.
• Trojan attacks – Trojans are not as new as the other attacks, but the way they can be used certainly are. A trojan sits on the user's computer and can infect an application, such as a browser, or even access resources that the application is using. A new type of trojan was recently discovered that hooked into the rendering engine of the web browser and allowed for the reading of all content that passed through that browser. The trojan then "phoned home" to find out what actions it should make on the user's behalf while the information was harvested for malicious use in the future.
These attacks did not emerge because of the overall ineffectiveness of two-factor authentication but rather due to it being misapplied to the web rather than a closed network, i.e. a VPN. In a web environment, the main vulnerability is actually the user's PC. A computer simply does what it is told with the information it has. The computer receives and sends data, complex or not, and expects a certain protocol to be followed. When a computer accesses the web, it lacks the ability to understand that there is no difference between the data that comes from a two-factor token and normal input, such as a username or password; they are simply the means by which a user communicates.
If the data that the user sends is vulnerable to interception, then the computer inherently does not know when it has been intercepted and compromised, and carries on delivering and receiving the data as normal. A hacker can attack the computer by taking advantage of this fact; in other words, intercepting the data and delivering data back to the computer in a form that it expects to see. In an attempt to combat this, some companies have tried to branch by using multiple channels.
Using multiple channels means that rather than receiving the pass-phrase, the user sends a challenge via their cell phone and receives a response back via MMS. The user then takes the response that was sent and enters that into the application that requires their authentication. This is a circuitous way of acquiring a temporary pass-phrase that only serves as an inconvenience to the user.
Ultimately, the user must still input that pass-phrase into an insecure browser, thus leaving them exposed to identity theft attacks.
Most two-factor authentication solutions use a variety of methods and devices including one-time pads, smart cards and USB keys. Some of these solutions supply a number or temporary pass-phrase. Other solutions require software installation that increases the complexity and, in most cases, reduces the effectiveness of the security. These solutions fall short in one way or another in the areas of portability, usability, data integrity, access control and security. David Harley, senior manager of fraud prevention and control for Bendigo Bank, recently said, "We recognize that regardless of the level at which we put the tokens, the crooks will simply go to the next level down [in security], and they will try and execute broader attacks."
The right stuff
Two-factor authentication, misapplied in the first place, is still being incorrectly offered as protection from attacks against which they ultimately have no effect. There is a strong need for a product that has been designed specifically to protect a web-user from the vulnerabilities on both the web application and their computer. It is the use of the local browser on the user's computer which has proved to be the most vulnerable point of the connection, and therefore the primary attack vector for identity theft attacks. In order for two-factor authentication to exist as a reliable method of protection against increasingly sophisticated identity theft attacks, the user's computer must be protected correctly and in a way that would allow the server to recognize the user by direct authentication rather than just regurgitated data.
A correctly and simply applied two-factor solution would involve the use of a dedicated client embedded on a storage device that cannot be altered. By using a dedicated and secure client that runs completely from read-only media, the user would be insulated against third party manipulation, as well as being protected against infection from spyware, viruses, trojans or other malware that could be dormant on the user's computer.
Furthermore, a dedicated and secure client would prevent phishing, man in the middle attacks, and cross-site scripting vulnerabilities, creating a totally trusted environment for customers to navigate their banking sites.
The evolution of methods used to propagate identity theft has not slowed by any means.
The future will only bring more sophisticated attacks designed to circumvent even the most fortified security solutions. The secret to creating a solution that raises the bar far above existing threats is not to increase its complexity.
The key is, and always has been, to keep it simple.r Too Far
John Terrill is the CTO and co-founder of Enterprise Management Technology LLC.
