
debunking-two-factor-authentication-debunked-by


I'm always explaining what my company does to laymen, and to some technical people who look confused when I say that WiKID does two-factor authentication. But I am surprised that a security researcher and Trend Micro would not know what two-factor authentication is.

In Two-Factor Authentication Debunked by TSB Phish Fatima Bancod states:

The phishing Web site asks the user for his/her Open24 Number and Internet Password. Open24 is the online banking service established by the said bank to allow clients to access his/her records and transact via the Internet. It is usually printed on account-holders’ ATM or LASER cards, along with the Internet Password.

After keying in his/her credentials and clicking the CONTINUE button, the user is redirected to another phishing Web page that asks for the user’s 6-digit access number. The 6-digit Personal Access Number is a password previously created by the user. This password is a second layer of authentication that banks use to test whether the user is really who he/she claims to be.

At first I wondered whether the "Open24 Number" was a pre-printed list of one-time-use numbers. Apparently not: it is a single static value printed on the card, and the 6-digit Personal Access Number is just a second static password the user chose. Both are secrets the user knows and types in, so a phisher who collects them once can replay them whenever he likes. This is equivalent to saying "write down your username and password on a sheet of paper, and that sheet is your 'something you have' factor." This is not two-factor authentication. Not even close.

Of course, there are attacks against one-time password systems, as discussed elsewhere on this blog, and real-time phishing of time-based one-time password systems is entirely feasible: the attacker simply relays the freshly entered code to the real site before it expires. Strong mutual authentication, where the client verifies the site before any credential is released, will protect against those attacks. This attack just isn't one of them.
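To make the difference concrete, here is an added example (not code from this post or from WiKID, and not WiKID's protocol) that simulates the two cases above. It implements RFC 4226/6238 HOTP/TOTP with a constructed shared secret, shows that a TOTP code relayed by a phishing site within the time window is accepted by the real server, and then shows a generic origin-bound challenge-response in which the client's token computes its answer over the origin it actually verified, so a response collected on a look-alike host is rejected. The hostnames, nonce and secret are all constructed for the example, and the origin-binding scheme is an illustration of the principle, not any particular product's design.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the demo; a real token would carry a random one.
SECRET = b"constructed-shared-secret-for-demo"
STEP = 30           # TOTP time step in seconds (RFC 6238 default)
REAL_ORIGIN = "bank.example"          # constructed hostname of the real bank
PHISH_ORIGIN = "bank-example.phish"   # constructed hostname of the phishing site


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // STEP)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift."""
    counter = int(now) // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def relay_attack_totp(now: int, delay: int) -> bool:
    """Real-time phish: the user types a valid TOTP into the phishing page and
    the attacker forwards it to the real server `delay` seconds later.
    Returns True if the real server accepts the relayed code."""
    user_code = totp(SECRET, now)            # what the victim typed
    return verify_totp(SECRET, user_code, now + delay)


def bound_response(secret: bytes, challenge: bytes, origin: str) -> str:
    """Illustrative origin-bound response: the client's token mixes the origin it
    verified (assumed: via the server's certificate or equivalent) into the MAC."""
    msg = challenge + b"|" + origin.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]


def server_verify_bound(secret: bytes, challenge: bytes, response: str) -> bool:
    """The real server only knows its own origin, so it recomputes with that."""
    expected = bound_response(secret, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, response)


def relay_attack_bound(user_sees_origin: str) -> bool:
    """Same relay, but against the origin-bound scheme. The attacker forwards the
    bank's real challenge to the victim; the victim's token answers for the origin
    it is actually talking to. Returns True if the real server accepts it."""
    challenge = b"constructed-nonce-1234"   # constructed; would be random per login
    user_response = bound_response(SECRET, challenge, user_sees_origin)
    return server_verify_bound(SECRET, challenge, user_response)


if __name__ == "__main__":
    t = 1_700_000_000
    print("TOTP relayed within window accepted:", relay_attack_totp(t, 5))
    print("TOTP relayed two minutes later accepted:", relay_attack_totp(t, 120))
    print("Bound response from real origin accepted:", relay_attack_bound(REAL_ORIGIN))
    print("Bound response from phishing origin accepted:", relay_attack_bound(PHISH_ORIGIN))
```

The point of the second half is not that the attacker cannot obtain the response, but that what he obtains is useless to him: the client's credential is only meaningful for the site the client verified, which is what "mutual authentication" buys you. A static number printed on a card, by contrast, verifies nothing and is good forever.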

