Two-Factor Authentication = F

Our well-respected peer Bruce Schneier has an interesting post about an article on the failure of two-factor authentication.

According to the article, phishers are using some new techniques to bypass the two-factor authentication that some banks are using for account access. The phishers are spoofing the bank sites elsewhere (as usual), and are including the fields for the token entry for login. When the unsuspecting user enters the token into the phisher’s site, the site then contacts the real bank and presents the credentials as provided by the user – so if the token is wrong, they can modify the spoofed error page until they get a correct one.

Pretty slick.

The article refers to this as a “man in the middle attack”, and while I don’t agree with that description (in the traditional sense), I think that it sums it up for the end user. 

Now, I certainly don’t think that two-factor authentication is dead, but at least take a good look at how the whole system works. And now it appears that we need to account for these types of issues when designing two-factor authentication systems.
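The reason the relay works, and what a design that "accounts for these types of issues" changes, can be shown with a small model. The code below is an added example, not code from the article, from Schneier, or from any bank: it models a bank whose second factor is a bare OTP string, beside a bank whose second factor is a signature bound to the origin the user's browser is actually talking to (the FIDO/WebAuthn idea). All names, origins, passwords and keys are constructed, and an HMAC stands in for the per-device key pair a real authenticator would use.

```python
import hashlib
import hmac
import secrets
import struct

# Everything here is a constructed model; no real bank, vendor or library is involved.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second window."""
    return hotp(secret, now // step)


def authenticator_sign(device_key: bytes, browser_origin: str, challenge: bytes) -> bytes:
    """The user's authenticator signs the origin the browser reports plus the challenge."""
    return hmac.new(device_key, browser_origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class OtpBank:
    """Bank whose second factor is a bare OTP string (the scheme the article describes)."""

    def __init__(self, password: str, otp_seed: bytes):
        self.password = password
        self.otp_seed = otp_seed

    def login(self, password: str, code: str, now: int) -> bool:
        # The code is just six digits: nothing in it says which page the user
        # typed it into, so a code forwarded from a look-alike site verifies
        # exactly like one typed on the bank's own page.
        return password == self.password and hmac.compare_digest(code, totp(self.otp_seed, now))


class OriginBoundBank:
    """Bank whose second factor is a signature over (bank origin, fresh challenge).

    The browser hands the authenticator the origin it is really connected to,
    and the bank verifies against its own origin, so a signature made while the
    browser sits on a look-alike origin can never match.
    """
    ORIGIN = "https://bank.example"  # constructed

    def __init__(self, password: str, device_key: bytes):
        self.password = password
        self.device_key = device_key       # toy symmetric stand-in for a device key pair
        self.outstanding = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c

    def login(self, password: str, challenge: bytes, signature: bytes) -> bool:
        if challenge not in self.outstanding:
            return False                        # unknown or already-used challenge
        self.outstanding.discard(challenge)     # single use: also blocks replay
        expected = authenticator_sign(self.device_key, self.ORIGIN, challenge)
        return password == self.password and hmac.compare_digest(expected, signature)


PASSWORD = "correct-horse"                                # constructed
LOOKALIKE = "https://bank-example.login-check.example"    # constructed look-alike origin


def otp_relay_succeeds() -> bool:
    """Victim types password and OTP into the look-alike page; it is forwarded verbatim."""
    seed = b"constructed-otp-seed"
    bank = OtpBank(PASSWORD, seed)
    now = 1_700_000_000
    typed_code = totp(seed, now)                  # what the victim's token displays
    return bank.login(PASSWORD, typed_code, now)  # True: the bank cannot tell


def origin_bound_relay_fails() -> bool:
    """Same relay, but the second factor is bound to the origin the browser sees."""
    key = b"constructed-device-key"
    bank = OriginBoundBank(PASSWORD, key)
    chal = bank.challenge()                           # a genuine challenge from the bank
    sig = authenticator_sign(key, LOOKALIKE, chal)    # browser is on the look-alike
    return bank.login(PASSWORD, chal, sig)            # False: origin mismatch


def origin_bound_genuine_login() -> bool:
    """Control case: the user really is on the bank's origin."""
    key = b"constructed-device-key"
    bank = OriginBoundBank(PASSWORD, key)
    chal = bank.challenge()
    sig = authenticator_sign(key, OriginBoundBank.ORIGIN, chal)
    return bank.login(PASSWORD, chal, sig)            # True


if __name__ == "__main__":
    print("OTP relayed from look-alike accepted:", otp_relay_succeeds())
    print("Origin-bound relay accepted:", origin_bound_relay_fails())
    print("Origin-bound genuine login accepted:", origin_bound_genuine_login())
```

The takeaway for a system designer is in the two `login` methods: the OTP bank verifies a value that carries no information about where it was entered, while the origin-bound bank verifies a value that the victim's own browser has already tied to the wrong site. The single-use challenge set also closes the replay variant, which a static or time-window code does not.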

– Larry

Failure of Two-Factor Authentication

Here’s a report of phishers defeating two-factor authentication using a man-in-the-middle attack.

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit — a tactic used by some security-savvy people — you might be fooled. That’s because this site acts as the “man in the middle” — it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

I predicted this last year.

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.
