
A world without static passwords

I wanted to quickly clarify my brief Twitter rant about SMS authentication.  This was all started by Chris Wysopal's tweet about Zeus's new mobile MiTM attacks and his conclusion that "phones are not secure enough for 2 factor".  Zeus is now targeting the text messages that banks send to authenticate transactions.

I view this as a 'throwing the baby out with the bathwater' statement.  The banks have implemented an SMS-based one-time passcode system for transaction authentication when they should be (and eventually will be) doing some type of asymmetric transaction signing.  The attack shows that the implementation is weak, not that the phone as a second factor is.

Some thoughts:

1.  SMS-based authentication is still better than static passwords.  That being said, it's pretty lame. SMS is the equivalent of sending an e-mail through a slightly obfuscated path: it is not encrypted end to end, and anything that can read the phone's messages can read the passcode.  It shouldn't be used for corporate remote access or corporate banking applications, in my opinion.  For consumer applications, however, it might be the lowest common denominator.

2.  The banks should be using asymmetric cryptography to sign transactions, not an OTP.  An OTP only proves that the person typing it saw the code; a signature over the payee and amount proves that the customer approved that specific transaction.  A bad implementation should not be cause to throw out a solid concept.

3.  Computers are not secure enough for online banking either.  Are we going to stop using computers for online banking, or are we going to make them more secure?  Let's focus on making phones more secure.  Also, it's not enough any more to say "phones".  What if it were BlackBerries locked down with application white-listing on BES? Is that different from, say, an unmanaged Android device?

4.  Hardware tokens don't solve the issue any better.  A stand-alone hardware OTP device displays a code that is not bound to the transaction, so you can't do asymmetric transaction authentication on it, nor can you do mutual https authentication, since the token has no way to see or verify the server's certificate.
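To make the difference between points 2 and 4 concrete, here is an added example (not code from the original post or from WiKID) that models the two schemes side by side. A customer approves a payment, and malware sitting between the browser and the bank swaps the payee before the request reaches the server. The SMS OTP flow only checks that the customer typed back the code the bank issued, so the altered transaction is accepted; the signing flow has the customer's device sign the payee, amount and a server-issued nonce with an ECDSA P-256 key, and the bank verifies that signature over the transaction it is about to execute, so the altered payee fails. The transaction fields, the `v1|...` canonical format, the account names and the OTP value are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is the constructed sample payload a customer approves.
type Transaction struct {
	FromAccount string
	Payee       string
	AmountCents int64
	Nonce       string // server-issued; stops an old signature being replayed
}

// canonical serialises the fields the signature must bind, in a fixed
// order with unambiguous separators. The "v1|" format is hypothetical.
func canonical(t Transaction) []byte {
	return []byte(fmt.Sprintf("v1|%s|%s|%d|%s", t.FromAccount, t.Payee, t.AmountCents, t.Nonce))
}

// SignTransaction runs on the customer's device: hash the canonical form
// and sign the digest with the enrolled private key (ECDSA P-256 here).
func SignTransaction(priv *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	digest := sha256.Sum256(canonical(t))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyTransaction runs at the bank: recompute the digest from the
// transaction it is about to execute and check the customer's signature.
func VerifyTransaction(pub *ecdsa.PublicKey, t Transaction, sig []byte) bool {
	digest := sha256.Sum256(canonical(t))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// OTPAccepts models the SMS flow: the bank texts a code and only checks
// that the customer typed it back. Nothing ties the code to the payee.
func OTPAccepts(issued, typed string) bool {
	return issued == typed
}

// Outcome records what each scheme does when a man-in-the-middle swaps
// the payee after the customer has approved the transaction.
type Outcome struct {
	LegitSigVerified    bool // the unmodified, signed transaction verifies
	TamperedOTPAccepted bool // OTP flow accepts the altered transaction
	TamperedSigAccepted bool // signing flow accepts the altered transaction
}

// RunScenario: the customer approves `intended`; malware in the browser
// submits `tampered` to the bank while relaying the customer's OTP or
// signature unchanged.
func RunScenario() (Outcome, error) {
	var out Outcome
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	intended := Transaction{"ACCT-0001", "Alice Plumbing", 12500, "n-7f3a"}
	tampered := intended
	tampered.Payee = "Mule Account 42" // constructed attacker substitution

	// Scheme 1: SMS OTP. The code the bank issued is relayed unchanged,
	// and the server has no way to tell which transaction it was meant for.
	otp := "483920"
	out.TamperedOTPAccepted = OTPAccepts(otp, otp)

	// Scheme 2: the customer signs exactly what their device displayed.
	sig, err := SignTransaction(priv, intended)
	if err != nil {
		return out, err
	}
	out.LegitSigVerified = VerifyTransaction(&priv.PublicKey, intended, sig)
	out.TamperedSigAccepted = VerifyTransaction(&priv.PublicKey, tampered, sig)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Two caveats follow from the model. The signature only protects the customer if the signing device shows them the payee and amount it is about to sign, independently of the possibly compromised browser; a signer that blindly signs whatever the PC hands it is no better than the OTP. And the server must verify the signature over the transaction it will actually execute, not over a copy the client supplies alongside the signature.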

As I've stated in the past, the best bet for securing online banking given the current state of affairs is a combination of stronger mechanisms for session, mutual and transaction authentication.  Instead of dismissing an entire class of controls with a broad swipe, information security professionals (especially thought leaders) should take a risk analysis approach and consider the damage that might be done when a generality is applied across the board.

Our mission at WiKID is to reduce the use of static passwords.  We offer a PC token, for example.  These tokens are a good solution for enterprises that trust their anti-malware solutions and are more worried about MiTM attacks on their SSL-VPNs (the PC tokens support mutual https authentication), or for organizations that need a free/open-source solution.

Here's a thought exercise:

Imagine an Internet that has no static passwords for networked applications.  What does it look like?  Clearly it has a mix of authentication systems combined with single-sign-on solutions.  The strong authentication system you use for your corporate life is different from the one you use for your personal banking. Your login system for your personal email, social networks and/or gaming systems may be another one.  Not all these systems require the same level of security, but the reduction in static passwords has greatly increased the security of the Internet. Some of these systems are quite simple to use and some require extra steps. Think about the trade-offs in cost, ease of use and security it will take to get to this world.
