Wednesday, July 12, 2006

Schneier and two-factor authentication

Schneier posted on his blog a report about phishers being able to defeat two-factor authentication with a Man in the Middle attack. They are basically proxying the user's credentials to the original site.

What really impresses me is that almost everybody suggesting solutions for this is thinking about the problem as "how can the original site identify that the request is not coming directly from the real user?". THIS IS NOT THE RIGHT APPROACH!

Last year I presented Proof of Concept code at a security conference. That code was created as a Browser Helper Object, but the main concept can be implemented by other means. The code was created to target a specific web application, an Internet Banking site that uses two-factor authentication. It doesn't try to steal authentication credentials; instead it uses a valid, already established and authenticated session. In my PoC, whenever the user executes a wire-transfer transaction, the destination account number is replaced by another account. The confirmation sent by the server is also modified to show the original destination account. The user can't notice anything wrong in his experience, but his money has just been sent to another destination.

Why bother stealing credentials when you can use the session that has been established by the user to perform what you need to do? If you choose not to steal credentials you have the additional benefit of not having to find a way to send them to yourself. No need to disable personal firewalls, deal with NAT issues, etc.
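To make the point concrete, here is an added simulation (not the Proof of Concept described above, and not any real bank's code; all names, secrets and account numbers are constructed for illustration). It models a bank that checks a one-time code only at login, so every request inside the authenticated session is trusted: a transfer whose destination was changed inside the session is accepted just like the original. For contrast it also models a transaction-bound code, computed by the user's token over the destination and amount the user actually entered, which the server recomputes over the details it received.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret between the bank and the user's token device.
TOKEN_SEED = b"constructed-shared-secret"


def login_otp(seed, counter):
    """Login-time one-time code: bound to a counter only, not to any later action."""
    return hmac.new(seed, str(counter).encode(), hashlib.sha256).hexdigest()[:8]


def transaction_code(seed, dest_account, amount):
    """Transaction-bound code: computed over the details the user saw and typed."""
    msg = f"{dest_account}|{amount}".encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self, seed):
        self.seed = seed
        self.sessions = set()

    def login(self, counter, otp):
        # Two-factor check happens here, once; it proves who opened the session.
        if hmac.compare_digest(otp, login_otp(self.seed, counter)):
            sid = secrets.token_hex(8)
            self.sessions.add(sid)
            return sid
        return None

    def transfer_session_only(self, sid, dest_account, amount):
        # Authorization rests entirely on the session: any request in it is trusted.
        if sid not in self.sessions:
            return "rejected: no session"
        return f"sent {amount} to {dest_account}"

    def transfer_with_tx_code(self, sid, dest_account, amount, code):
        # The server recomputes the code over the details it actually received.
        if sid not in self.sessions:
            return "rejected: no session"
        expected = transaction_code(self.seed, dest_account, amount)
        if not hmac.compare_digest(code, expected):
            return "rejected: transaction code does not match submitted details"
        return f"sent {amount} to {dest_account}"


def demo():
    bank = Bank(TOKEN_SEED)
    sid = bank.login(1, login_otp(TOKEN_SEED, 1))

    # What the user intended (constructed values).
    intended = {"dest_account": "111-222", "amount": 500}
    # What the server receives after the destination was swapped inside the session.
    submitted = dict(intended, dest_account="999-888")

    # The user's token was fed the intended details, so its code covers only those.
    code = transaction_code(TOKEN_SEED, intended["dest_account"], intended["amount"])

    return {
        # Login-time 2FA already passed; the session-only server cannot tell the difference.
        "session_only": bank.transfer_session_only(sid, **submitted),
        # A code bound to the transaction details does not match the swapped destination.
        "tx_bound": bank.transfer_with_tx_code(
            sid, submitted["dest_account"], submitted["amount"], code),
        # The same code is accepted for the transaction the user actually meant.
        "tx_bound_untampered": bank.transfer_with_tx_code(
            sid, intended["dest_account"], intended["amount"], code),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The caveat matters as much as the check: a transaction-bound code only helps if the token receives the destination and amount from somewhere the compromised browser does not control (the user reading them from the screen is not enough, since the screen is what the PoC above rewrites). If the same machine feeds the token, the attacker simply gets a valid code for the swapped account, which is exactly the environment problem the post is about.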

The real problems (technically speaking) are the user's actions (using bogus websites) and his environment (backdoors, trojans, DNS poisoning). Two-factor authentication will not solve any of them.
