This page contains a single entry from the blog posted on May 14, 2007 8:09 PM.


How criminals will eat the home made chips with the phish

The Guardian this past weekend ran a story "No phish with home-made chips". It documents the recent deployments of one-time passcodes by Barclays, NatWest/Royal Bank of Scotland and Lloyds TSB. The article goes on to say "Once you put the debit card into the reader and type in your pin - the one you use in shops - you will be given a number. Your card's chip is encrypted with a tiny selection of the potential 99,999,999 numbers. The bank itself knows on its central computer which these are and the order they will come up in, but the chances of a fraudster working this out are infinitesimal."

The story's implication is that this will stop phishing attacks. What utter rubbish!

People writing these articles are confusing trojan keyboard-logger attacks with phishing man-in-the-middle attacks. One-time passwords do address the common keyboard-logging attack, because a captured code is useless once it has been used. They do not stop phishing. Why?

In a phishing attack, the consumer clicks on a link in an email. The website is run by criminals. The criminals act as the man in the middle.

You think you're at the bank's website and enter your user ID and then the one-time password. The criminal site immediately passes both to the real bank's website, where they are successfully authenticated. The criminals are now logged on as you, while you think you are logged on to your bank. At this point, the criminals are able to eat the chips!
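The relay described above, as an added example (this is not code from the post, and the bank, card reader and phishing site are toy stand-ins; the passcode construction, an HMAC over a counter truncated to 8 digits, is an assumption, since the banks' real algorithm is not given on the page). The model also goes a step beyond the post's scenario: a second run binds the passcode to the destination account and amount, so the relayed session cannot be used to pay someone the customer never intended to pay.

```python
"""Toy model of a real-time man-in-the-middle relay against one-time passcodes.
Added example, not the post's code.  OTP construction is an assumption."""
import hashlib
import hmac

DIGITS = 8      # the article's "99,999,999 numbers": an 8-digit code
LOOKAHEAD = 3   # bank tolerates a few unused codes (reader pressed, code never typed)


def _truncate(mac: bytes) -> str:
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def login_code(secret: bytes, counter: int) -> str:
    """Plain one-time passcode: depends only on the card secret and the counter."""
    return _truncate(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest())


def transaction_code(secret: bytes, counter: int, dest: str, amount: int) -> str:
    """Passcode bound to the transaction: changing dest or amount changes the code."""
    msg = counter.to_bytes(8, "big") + f"{dest}|{amount}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())


class Card:
    """The customer's chip card in its reader: holds the secret and its own counter."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def _next(self, compute):
        code = compute(self.counter)
        self.counter += 1
        return code

    def login(self) -> str:
        return self._next(lambda c: login_code(self.secret, c))

    def sign(self, dest: str, amount: int) -> str:
        return self._next(lambda c: transaction_code(self.secret, c, dest, amount))


class Bank:
    """The real bank: verifies codes, hands out sessions, moves money."""
    def __init__(self, bind_transactions: bool):
        self.bind_transactions = bind_transactions
        self.cards = {}     # user_id -> {"secret", "counter", "balance"}
        self.sessions = {}  # token -> user_id

    def enrol(self, user_id, secret, balance):
        self.cards[user_id] = {"secret": secret, "counter": 0, "balance": balance}

    def _check(self, card, code, compute) -> bool:
        for c in range(card["counter"], card["counter"] + LOOKAHEAD):
            if hmac.compare_digest(code, compute(card["secret"], c)):
                card["counter"] = c + 1   # this code, and any earlier one, is now dead
                return True
        return False

    def login(self, user_id, code):
        card = self.cards.get(user_id)
        if card is None or not self._check(card, code, login_code):
            return None
        token = f"sess-{len(self.sessions) + 1}"
        self.sessions[token] = user_id
        return token

    def transfer(self, token, dest, amount, code=None) -> bool:
        user_id = self.sessions.get(token)
        if user_id is None:
            return False
        card = self.cards[user_id]
        if self.bind_transactions and not self._check(
                card, code or "", lambda s, c: transaction_code(s, c, dest, amount)):
            return False
        if card["balance"] < amount:
            return False
        card["balance"] -= amount
        return True


class PhishingSite:
    """The criminals' look-alike site: relays what the victim types to the real bank at once."""
    def __init__(self, bank: Bank):
        self.bank, self.session, self.captured = bank, None, None

    def login_page(self, user_id, code) -> str:
        self.captured = (user_id, code)
        self.session = self.bank.login(user_id, code)   # code is still fresh: the bank accepts it
        return "Welcome to online banking"               # fake page; the victim thinks the login worked


def run_attack(bind_transactions: bool):
    """Returns (criminals logged in?, replay of captured code works?, money moved?, victim balance)."""
    bank = Bank(bind_transactions)
    secret = b"demo-card-secret"      # constructed; a real card secret never leaves the chip
    bank.enrol("alice", secret, balance=1000)
    card, phish = Card(secret), PhishingSite(bank)

    phish.login_page("alice", card.login())            # Alice types ID + reader code into the fake site
    logged_in = phish.session is not None
    replay = bank.login(*phish.captured) is not None    # what a keylogger's stored code would achieve
    # With binding, the fake site can only obtain a code for what Alice actually meant to pay.
    code = card.sign("plumber", 50) if bind_transactions else None
    moved = bank.transfer(phish.session, "mule-account", 900, code)
    return logged_in, replay, moved, bank.cards["alice"]["balance"]
```

`run_attack(False)` shows the article's scheme exactly as described: the replayed code is rejected (so a keylogger is beaten), yet the relayed login succeeds and the money leaves. `run_attack(True)` shows that the relay still logs the criminals in, but a code bound to the destination and amount cannot be redirected to a mule account. That only holds if the reader displays the destination and amount and the customer actually checks them before typing the code; a customer who signs whatever the fake site asks for is back where they started.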

In a recent paper I authored, "Myths about protecting your enterprise from phishing attacks", I document this as well as other myths when it comes to defending against phishing attacks. The paper concludes with recommendations on best practices to defend against phishing attacks:

1. Use transaction software.
2. Use phishing filtering software.
3. Train your customers.

Are the banks' efforts wasted? No. They will temporarily limit the success of trojan keyboard loggers. However, this benefit may erode quickly. Criminals will likely devise malware that recognizes you're going to your bank's website, and then combine a pharming attack with a phishing attack. Here's how it might look in the near future:

You enter your bank's URL in the browser. Unbeknownst to you, the router you use at home is still using its default password. The criminals' malware, sitting on your computer, has already figured this out and has changed the DNS settings on the router. Your browser therefore resolves the bank's name to a fake bank website, so even though you've typed the correct URL, you end up at a phishing site. (If you typed an https address, the fake site cannot present a valid certificate for the bank's name, so the browser will warn you; the attack relies on you clicking through that warning, or on your having typed the plain http address.) You then enter your ID and one-time password, which the criminals pass straight on to the bank.

What are the chances of this happening? They're very good since analysts say that over 50% of routers used in the home use the default password setting.

So, in many cases, the introduction by the bank of one-time passwords is expensive publicity to reassure its customers that they are safe while doing online banking with it. In reality, this security will be bypassed. Just ask ABN Amro, which only a few weeks ago had its multi-factor authentication foiled by a man-in-the-middle phishing attack.

Caveat emptor.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

