Posted by:
admin
15 years, 10 months ago
I'm always explaining what my company does to laymen and to some technical peoptle who look confused when I say that that WiKID does two-factor authentication. However, I am surprised that a security researcher and Trend Micro would not know what two-factor authentication is.
In Two-Factor Authentication Debunked by TSB Phish Fatima Bancod states:
The phishing Web site asks the user for his/her Open24 Number and Internet Password. Open24 is the online banking service established by the said bank to allow clients to access his/her records and transact via the Internet. It is usually printed on account-holders’ ATM or LASER cards, along with the Internet Password.
After keying in his/her credentials and clicking the CONTINUE button, the user is redirected to another phishing Web page that asks for the user’s 6-digit access number. The 6-digit Personal Access Number is a password previously created by the user. This password is a second layer of authentication that banks use to test whether the user is really who he/she claims to be.
At first I wondered if the "Open24 number" was a pre-printed list of one-time use numbers. But apparently not. So, this is equivalent to saying "write down your username and password on a sheet of paper and this will be your 'something you have' factor". This is not two-factor authentication. Not even close.
Of course, there are attacks against one-time password systems, as mentioned on this blog and there easily could be real-time phish attacks against time-based one-time password systems - and strong mutual authentication will protect against them. This attack just isn't one of them.
Share on Twitter Share on FacebookRecent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)