Sections

Personal tools

You are here: Home → wikidblog → Two-factor phish against Citibank demonstrates the need for mutual authentication

Recent entries: Two-factor for the cloud admin Aug 15, 2008; Debunking "Two-Factor Authentication Debunked by TSB Phish" admin Jul 02, 2008; New Howtoforge article - Postgresql admin Jul 02, 2008; World of Warcraft gets two-factor authentication - your bank won't follow admin Jul 01, 2008; Podwójne uwierzytelnianie admin Jun 10, 2008

Recent comments: Re:Security and Oil admin Apr 25, 2008; Re:Security and Oil Paul feet Apr 24, 2008; Re:100% open source admin Apr 22, 2008; Re:100% open source Adam Apr 22, 2008; Re:Capital Gains Tax Rates and Entrepreneurs Lance Oct 23, 2007

2006/07/10

Two-factor phish against Citibank demonstrates the need for mutual authentication

Start the hysteria!

Lance James at Secure Science has screen shots of the phish attack against CitiBank's business site that uses a hardware token one-time password system. You can see them on WaPo's Security Fix Blog.

Before everyone gets all up in arms about this in the blogosphere. Let's talk about authentication types:

Session Authentication - authenticating the user to the host to create a session

Mutual Authentication - The host is authenticated to the user, as well as vice-versa

Transaction Authentication - A transaction is authenticated in a manner cryptographically distinct from the session authentication mechanism

This type of attack was predicted and expected. If Citibank was doing just transaction authentication with their tokens, this attack would be a lot tougher. The MITM would have to generate a fake transaction at a time when the customer was planning on making a transaction. Still, it could be done, they would just have to wait for the user to make a transaction and be ready to the old switch-a-roo.

Much has been written about how SSL isn't effective against MITM attacks because nobody actually verifies the SSL certificate (this is way WiKID's mutual authentication method checks the cert for the user before showing the OTP).

Transaction authentication could be done via transaction analysis as it is for credit cards, but, while that might be effective for consumer accounts with regular payments, commercial and brokerage accounts would be much tougher. I don't think we need "digital signing", in a strict sense of the term, but I do think you need something that is distinct from the session authentication method or the attacker will fake a session time-out to get the user to give them another passcode. WiKID's ability to handle multiple 'domains' with separate public/private key pairs provides a cryptographically distinct method that uses the same token client.

Category(s): Two Factor Authentication; Authentication Attacks; Phishing and Fraud; Mutual Authentication; Transaction Authentication

The URL to Trackback this entry is:: http://www.wikidsystems.com/WiKIDBlog/two-factor-phish-against-citibank-demonstrates-the-need-for-mutual-authentication/tbping