In an earlier blog about two-factor authentication, I discussed how phishing attacks would adapt to it and that two-factor authentication alone would not prevent identity theft. This blog gives one example of this.
Last month, MITRE, a US government-funded institution, said the number one security threat was cross-site scripting (XSS). XSS is a client-side scripting attack that arises where a website accepts some form of content from the user, such as a search box or an email form, and then displays it back. The problem arises when the website doesn't properly strip or encode malicious code in that content before including it in the page.
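To make the "doesn't properly strip malicious code" point concrete, here is an added example (not from the original post) in Python. A search page echoes the user's search term back. The first function inserts it into the HTML as-is, so any markup the user typed becomes part of the page; the second encodes it first, so the browser shows the characters literally. The search term and the page template are constructed for this illustration.

```python
import html

# Constructed sample input: a search term containing markup. A real user
# would normally type plain text here; this value is made up to show the
# difference between the two rendering functions below.
USER_SEARCH = '<script>alert(1)</script>'


def render_results_vulnerable(query: str) -> str:
    """Echo the search term into the page without encoding it.

    Whatever markup the user supplied becomes part of the page and is
    interpreted by the browser, which is the XSS condition the post describes.
    """
    return f"<p>Results for: {query}</p>"


def render_results_hardened(query: str) -> str:
    """Encode the search term before placing it in HTML.

    html.escape turns <, >, &, and quotes into entities, so the browser
    displays the text rather than treating it as markup.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to illustrate the difference between the two
    renderers: does the rendered page still contain a live <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_results_vulnerable),
                         ("hardened", render_results_hardened)):
        page = render(USER_SEARCH)
        print(f"{name}: script tag present={contains_script_tag(page)}")
        print(f"  {page}")
```

The fix is output encoding at the point where untrusted text is written into HTML, rather than trying to recognise and strip "bad" strings, which is the approach that typically fails.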
Here's how a phishing attack might work in the future using this vulnerability. The user clicks on a link in their email. The link directs them to the legitimate website of the company. The user then logs in with their multi-factor authentication (an ID and a SecurID token, for instance). Once the user is successfully logged on, unbeknownst to the user, the cross-site script kicks in and hands control of the user's session to a criminal. The criminal proceeds to make a withdrawal from the bank account, use the user's credit card to make a purchase, or whatever.
Therefore the strong authentication has not prevented identity theft. The best defence is for the enterprise to use transaction authentication software to mitigate the risk from these types of attacks. Transaction authentication would note that the withdrawal amount is much larger than usual, that the purchase is too large compared to historical purchases, that the destination of the money or product is not in keeping with the customer's history, that their IP address is different than normal, and so on. It would then stop the transaction, flag a manager in real time, or ask the user a lot more personal questions to validate their identity.
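As an added example (not the post's own code and not any particular vendor's product), the following Python sketch applies the checks just listed to a transaction: amount far above the customer's typical amount, an unfamiliar destination, and a source IP outside the customer's usual networks. Each hit produces a signal, and the number of signals maps to the responses the post describes: allow, ask extra validation questions, alert a manager, or stop the transaction. The customer history, the two transactions, the 3x amount multiplier and the signal thresholds are all constructed assumptions for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean


@dataclass
class Transaction:
    amount: float
    destination: str
    source_ip: str


@dataclass
class CustomerHistory:
    past_amounts: list        # amounts of earlier transactions
    known_destinations: set   # payees/accounts seen before
    usual_networks: list      # CIDR strings the customer normally connects from


def risk_signals(history: CustomerHistory, txn: Transaction,
                 amount_multiplier: float = 3.0) -> list:
    """Return the names of the anomaly checks that fire for this transaction."""
    signals = []

    # Amount check: compare against the customer's own historical average.
    typical = mean(history.past_amounts) if history.past_amounts else 0.0
    if typical and txn.amount > amount_multiplier * typical:
        signals.append("amount_far_above_typical")

    # Destination check: has the money ever gone to this payee before?
    if txn.destination not in history.known_destinations:
        signals.append("unfamiliar_destination")

    # Source IP check: does the request come from a network the customer
    # normally uses?
    addr = ip_address(txn.source_ip)
    if not any(addr in ip_network(net) for net in history.usual_networks):
        signals.append("unusual_source_ip")

    return signals


def decide(signals: list) -> str:
    """Map the signal count to a response. Thresholds are assumptions:
    one signal -> ask the user more questions, two -> alert a manager in
    real time, three -> stop the transaction."""
    if not signals:
        return "allow"
    if len(signals) == 1:
        return "step_up_questions"
    if len(signals) == 2:
        return "flag_manager"
    return "block"


def assess(history: CustomerHistory, txn: Transaction) -> tuple:
    """Convenience wrapper returning (decision, signals)."""
    signals = risk_signals(history, txn)
    return decide(signals), signals


# Constructed sample data: a customer with modest, regular payments who
# normally connects from one documentation-range network.
HISTORY = CustomerHistory(
    past_amounts=[120.0, 80.0, 150.0, 95.0, 110.0],
    known_destinations={"ACME Grocery", "City Utilities", "Savings-0042"},
    usual_networks=["203.0.113.0/24"],
)
NORMAL_TXN = Transaction(amount=130.0, destination="ACME Grocery",
                         source_ip="203.0.113.17")
SUSPICIOUS_TXN = Transaction(amount=4800.0, destination="Offshore-Account-9",
                             source_ip="198.51.100.77")

if __name__ == "__main__":
    for label, txn in (("normal", NORMAL_TXN), ("suspicious", SUSPICIOUS_TXN)):
        decision, signals = assess(HISTORY, txn)
        print(f"{label}: {decision} {signals}")
```

The important property is that every check compares the transaction with this customer's own history rather than a global rule, which is what lets it catch a session that was authenticated correctly but is now being driven by someone else.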
More references and blogs on cross-site scripting:
Brian Krebs Washington Post - Flaws in Financial Sites Aids Scammers
Brian Krebs Washington Post - Cross site scripting flaws abound
Computerworld - How to defeat the new No. 1 security threat: cross-site scripting
Security Lab's XSS list
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com