[LINK] Phishing past two-factor authentication
Craig Sanders
cas at taz.net.au
Fri Apr 20 13:52:59 AEST 2007
On Fri, Apr 20, 2007 at 01:14:45PM +1000, Marghanita da Cruz wrote:
> ....I don't quite understand what "2 factor authentication" means.
two-factor authentication means using any two different kinds of
authentication simultaneously - e.g. "login/password" (something you
know) and a keychain token (something you have).

or a login/password and a digital certificate signed by the bank
(although the latter is also vulnerable to snooping malware on insecure
machines. if a keystroke logger can steal your login/password then
there's no reason why it can't also steal any digital certificates
you have installed...waiting for you to type in your certificate's
passphrase if necessary).

the keychain token generally has a little LCD display. it generates a
6+ digit number when you press a button. you push the button and enter
the number into a field when the banking site asks you to. the bank site
verifies that the number you entered is the same as the one it generated
(using the same algorithm and input data - e.g. timestamp, user id, and
a secret). if it matches, then you have proved that you have the device
in your possession.

fancier versions might have a USB connector and enter the number
directly when the button is pushed.

this is vulnerable to theft of the token device. it's also vulnerable
if the algorithm being used is easily cracked. but any attacker also
needs the login/password to make use of a stolen token. the advantage
over digital certificates is that they're physically isolated from the
computer so an attacker can't steal both auth. factors at the same time.
i.e. an attacker has to make both a physical theft AND a digital theft
(e.g. via virus or via social engineering) in order to gain access to the
account.
craig
--
craig sanders <cas at taz.net.au>
BOFH excuse #54: Evil dogs hypnotised the night shift
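The token scheme the post describes (code derived from a timestamp, a user id and a secret, recomputed and compared by the bank), as an added example that is not code from the post or from any bank's product: a TOTP-style HMAC token on one side and a bank-side check with a one-step clock window on the other. The secret, user ids and timestamp are constructed values.

```python
import hmac
import hashlib
import struct

# Constructed demo values: in a real deployment the secret lives only in the
# token's hardware and in the bank's authentication server.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
STEP_SECONDS = 30
DIGITS = 6


def token_code(secret: bytes, user_id: str, timestamp: int) -> str:
    """What the keychain token computes when its button is pressed.

    The input data is the 30-second time step plus the user id; the secret
    keys an HMAC so nobody without it can reproduce the code (this follows
    the HOTP/TOTP construction, with the user id mixed into the message).
    """
    counter = timestamp // STEP_SECONDS
    msg = struct.pack(">Q", counter) + user_id.encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: take 4 bytes at an offset chosen by the last nibble.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def bank_verify(secret: bytes, user_id: str, code: str, now: int,
                window: int = 1) -> bool:
    """Bank side: recompute the code for the current step and its neighbours
    (tolerating clock drift) and compare in constant time."""
    for delta in range(-window, window + 1):
        expected = token_code(secret, user_id, now + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def demo() -> dict:
    now = 1_700_000_000  # constructed fixed timestamp so the run is reproducible
    code = token_code(SHARED_SECRET, "alice", now)
    return {
        "accepted_now": bank_verify(SHARED_SECRET, "alice", code, now),
        "accepted_drifted": bank_verify(SHARED_SECRET, "alice", code, now + 25),
        "rejected_stale": bank_verify(SHARED_SECRET, "alice", code, now + 120),
        "rejected_wrong_user": bank_verify(SHARED_SECRET, "bob", code, now),
        "rejected_wrong_secret": bank_verify(b"other-secret", "alice", code, now),
    }
```

The stale and wrong-user cases show why a code snooped off the screen is only useful for a minute or so and only for the account it was generated for; it still says nothing about the login/password, which is the second factor.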