Search



AuthenticationWorld.Com

About

This page contains a single entry from the blog posted on August 9, 2007 9:53 AM.

The previous post in this blog was Hacks against banks up 81%!.

The next post in this blog is Hacking a biometric authentication system.

Many more can be found on the main index page or by looking through the archives.

Subscribe to this blog's feed
[What is this?]

« Hacks against banks up 81%! | Main | Hacking a biometric authentication system »

Why more authentication may be harmful to banks

A very interesting article appeared yesterday in Dark Reading "New Bank Practices Make Hacking Easier". The article quotes Brendan O'Connor, an independent researcher on his research into the recent increase in use of stronger authentication by US Financial institutions as a result of FFIEC requirements.

The article states as follows:
"To prove his point, O'Connor signed up for a number of online banking services, then installed an inline proxy so that he could monitor the exchange between his computer and the bank's. "I just watched the HTTP requests and responses for these sessions, and immediately knew how to break them," he says.

"The methods [banks] are using for device 'fingerprinting' are effectively Javascript and, in some cases, a flash object," O'Connor explains. "If you think about it logically, they are sending code to my computer, and asking it to be honest about its characteristics. Because I can see the code they are using, I can see exactly what questions they are asking my computer, and what a proper response needs to look like.

"I'd hate to call this a 'hack,' because they did the hacking for me," O'Connor says.

The banks believe that by adding a second question or image -- or by requiring the user to send an email -- they are increasing the odds against an attacker guessing his way into a user's account, O'Connor says. But most savvy phishers and thieves don't break in by guessing, but by stealing information through different means, such as keyloggers or social engineering, O'Connor observes.

The banks' new "second" factors of authentication actually improve the attackers' chances of a break-in by making the penetration path more clear, he explains.

"Effectively, I just downloaded the authentication scripts from the target Website -- it happens before you are authenticated, so you just go to the login page and copy and paste," O'Connor says. In his DefCon presentation, O'Connor demonstrated an exploit against one of his own accounts, "to show the audience how ridiculously easy this stuff is to bypass or impersonate," he says.

"At the end of it, I delivered my security image and phrase via my 'phishing' Website to show how an attacker can impersonate the real bank," O'Connor says. "I also did a standard man-in-the-middle attack for challenge questions, to illustrate that [one-time passwords] and challenge questions are just as easy to get past."

O'Connor believes that the efforts of banks and the FFIEC to add additional factors of authentication are a misuse of resources. "

This article merely confirms something I have been writing about for the last two years i.e the need for transaction authentication. The other forms of stronger authentication are prone to man in the middle attacks and, as the article points out, often better attacks by traditional phishing and keyboard logging coupled with social engineering attacks.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Posted by Guy Huntington on August 9, 2007 9:53 AM |

TrackBack

TrackBack URL for this entry:
http://www.authenticationworld.com/cgi-bin/blog/mt-tb.cgi/261

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)