[LINK] Security tokens
Roger Clarke
Roger.Clarke at xamax.com.au
Thu Nov 15 07:57:11 AEDT 2007
[Embarrassed that I didn't know as much about this as I should, I
flicked David's RFI on to Steve Wilson. Steve's a security
consultant and sometime linker. I found his answer even more useful
than Steve Jenkin's pretty good one.]
>Date: Thu, 15 Nov 2007 07:23:12 +1100
>From: Stephen Wilson <swilson at lockstep.com.au>
>Organization: Lockstep
>
>G'Day Roger.
>
>> From: David Lochrin <dlochrin at d2.net.au>
>> Many banks are issuing tokens these days. I have seen two,
>>and both display a 6-digit number which must be entered on another
>>screen after logging in with the usual userid and password. There's
>>no challenge / response process, and the numbers are claimed to be
>>non-repeating.
>> Does the Link Institute know the Principles of Operation?
>If I may recommend my own paper, for a table that compares all major
>authentication methods, see
>http://www.lockstep.com.au/library/identity_authentication/towards_a_uniform_solution
>
>The six digit time based (30 sec rolling) OTP generates exactly
>1,000,000 combinations. All of the values are available to each
>customer (not a subset). The algorithm generates each pseudo-random
>number as a function of the preceding number AND a seed that is
>unique to the token. The sequence is mirrored at the server, which
>knows the seed value for every device issued. This is why you need
>to provide user name & password (which maps to device serial number
>and allows the server to predict the sequence) before you enter the
>OTP value.
>
>Actually there are two varieties of OTP. One is time based and
>sequences every 30 sec or so; the other is event based, and
>sequences when you press a button. The latter is *precisely* the
>same as simply automating a paper based one time password scratchy
>card or "Transaction Authentication Number (TAN)" card.
>
>So the probability of guessing an OTP value is really very small.
>
>But the real vulnerability of these devices is the Man In The Middle
>(MITM) attack. They do *nothing* to stop an interloper catching the
>OTP and replaying it.
>
>Here's a true story: When the event based OTP was attacked by MITM
>some years ago, a banking security manager told me that time based
>OTP would be safe as they only provide an attacker with a 30 sec
>window. I asked him "How much time does a computer need to rob a
>digital bank account?".
>
>[Actually, due to quartz clock skew drift, these devices have a lot
>of slack built into them. Someone once told me they might accept
>OTP values both one step ahead and one step behind, opening up a
>window of a minute and a half. I use an OTP myself with my bank
>(reluctantly); I've experimented and know I can enter an OTP value
>successfully at least 20 secs after the value has rolled over on the
>token.]
>
>Experience shows the devices are very seriously flawed. See:
>
>Oct 2005 Nordea Bank
>"TAN" Card attacked
>www.f-secure.com/weblog/archives/archive-102005.html#00000668
>
>July 2006 Citibank
>Event based OTP Card attacked
>http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
>
>April 2007 ABN AMRO
>Time synchronised OTP Card attacked
>http://www.theregister.co.uk/2007/04/19/phishing_evades_two-factor_authentication
>
>
>The legal issue in my mind might have to do with trade practices.
>The banks must know by now the reality of the MITM attack, and yet
>they still promote OTP devices as a huge improvement on username &
>password. They're better than nothing but nowhere near as secure as
>I think is implied.
>
>Hope that helps. Cheers,
>
>Steve.
>
>Stephen Wilson
>Managing Director
>Lockstep
>
>Phone +61 (0)414 488 851
>
>www.lockstep.com.au
>-------------------
>Lockstep Consulting provides independent specialist advice and analysis
>on identity management, PKI and smartcards. Lockstep Technologies
>develops unique new smartcard technologies to address transaction
>privacy and web fraud.
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
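[Added worked example, not part of Roger's or Steve's message and not any
bank's or vendor's code. It models the two OTP varieties Steve describes,
event-based and 30-second time-based, with the standard HMAC construction
(RFC 4226 HOTP / RFC 6238 TOTP), in which each value is derived from the
per-token seed and a counter rather than chained from the preceding value;
which algorithm any particular bank's token uses is not stated in the
thread, so that is an assumption. It also models a server that accepts one
step either side of its own clock, and then plays out the man-in-the-middle
scenario: a code captured by a phishing page is forwarded to the real
server inside the window and accepted, because the server has no way to
tell who typed it. The seed, user names and timestamps are constructed test
data; the seed is the published RFC test seed so the outputs can be checked
against the RFC tables.]

```python
import hashlib
import hmac
import struct

DIGITS = 6
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then the low `digits` decimal digits.
    Pressing the button on an event-based token increments `counter`."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based OTP (RFC 6238): the counter is the clock divided into
    30-second steps, so the displayed value rolls over every `step` seconds."""
    return hotp(seed, unix_time // step, digits)


class TotpServer:
    """Constructed server side: holds every issued token's seed and, to absorb
    quartz clock drift, accepts `skew_steps` steps before and after its own
    clock. Each (user, step) is consumed on first use so the same code cannot
    be submitted twice."""

    def __init__(self, seeds_by_user: dict, skew_steps: int = 1):
        self.seeds = seeds_by_user
        self.skew_steps = skew_steps
        self.used = set()

    def acceptance_window_seconds(self) -> int:
        """Total span of wall-clock time in which a given code is valid."""
        return (2 * self.skew_steps + 1) * STEP_SECONDS

    def verify(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        base = now // STEP_SECONDS
        for counter in range(base - self.skew_steps, base + self.skew_steps + 1):
            if hmac.compare_digest(hotp(seed, counter), code):
                if (user, counter) in self.used:
                    return False  # same step already consumed: replay rejected
                self.used.add((user, counter))
                return True
        return False


RFC_TEST_SEED = b"12345678901234567890"  # ASCII seed from RFC 4226 / RFC 6238


def skew_demo():
    """How far past the token's rollover a code is still accepted with +/-1 step.
    Returns (accepted 59 s after the step began, accepted 60 s after)."""
    t = 1234567890                      # constructed time; divisible by 30, so a step boundary
    code = totp(RFC_TEST_SEED, t)
    late = TotpServer({"bob": RFC_TEST_SEED}).verify("bob", code, t + 59)
    too_late = TotpServer({"bob": RFC_TEST_SEED}).verify("bob", code, t + 60)
    return late, too_late


def relay_attack_demo():
    """Constructed MITM scenario: the victim types the current code into a
    phishing page, the attacker forwards it to the real server 20 s later.
    Returns (attacker accepted, victim's own later attempt accepted)."""
    server = TotpServer({"alice": RFC_TEST_SEED}, skew_steps=1)
    t_victim = 1111111109                       # constructed timestamp
    captured = totp(RFC_TEST_SEED, t_victim)    # what the phishing page sees
    attacker_ok = server.verify("alice", captured, t_victim + 20)
    victim_ok = server.verify("alice", captured, t_victim + 25)
    return attacker_ok, victim_ok


if __name__ == "__main__":
    print("HOTP counter 0..2:", [hotp(RFC_TEST_SEED, c) for c in range(3)])
    print("TOTP at 59 s:", totp(RFC_TEST_SEED, 59))
    print("window seconds:", TotpServer({}).acceptance_window_seconds())
    print("accepted at +59 s / +60 s:", skew_demo())
    print("attacker accepted / victim accepted:", relay_attack_demo())
```

The single-use set only stops a second submission of a code the server has
already consumed; it does nothing against the relay above, because the
attacker's submission is the first one the server sees. That is the point
Steve makes: the 30-second (here effectively 90-second) window limits how
long a captured code lives, not whether it can be used.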