Passwords are convenient for the end user, but it’s too easy to lose control of them. People share them with other people. People write them down, where they can be read. People send them in email, and that email is easily intercepted. People’s web browsers store the passwords, so they can log in automatically. Worst of all, perhaps, people tend to use the same username and password at many different websites. If just one of those websites is compromised (or is simply run as a password-collecting scam), the harvested passwords can be used to attack the same people’s accounts at all of the others.
Two-factor authentication that uses a hard-to-copy physical device (such as a cellphone or a hardware security token) as a second factor mitigates most of these threats very effectively. Weaker two-factor authentication based on digital certificates is a little easier to misuse (the user can share the certificate with others, or have it copied without noticing), but it is still a lot better than a password alone.
Security problems solved, then?
“Two-factor authentication isn’t our savior. It won’t defend against phishing. It’s not going to prevent identity theft. It’s not going to secure online accounts from fraudulent transactions. It solves the security problems we had 10 years ago, not the security problems we have today.” —Bruce Schneier, April 2005
Password-stealing attacks are still a risk, especially where the same password is reused across services, but they haven’t been the main thrust of modern attacks for years. Instead we’re seeing man-in-the-middle attacks and trojan attacks, both of which work very effectively as part of a targeted attack initiated by phishing or social engineering.
One form of man-in-the-middle attack is to create a fake website that looks like your real website, and then entice one of your users to visit the fake site instead of the real one. The user enters their password and the current code from their SecurID fob, and the attacker immediately uses both to log in to your real website. Done well, the user never notices: the attacker either shows them a fake error message and redirects them to your real login page, or tunnels their session through to your website while piggybacking their own transactions on it at the same time. The one-time code is only a fresh password; it says nothing about where it was typed, so relaying it within its validity window defeats it.
A trojan attack is similar, except that the man-in-the-middle is hostile code running on the user’s own computer (often called a man-in-the-browser), so it sees the credentials and the session after any encryption has been stripped.
Not just a theoretical attack
This isn’t just a theoretical attack. It’s fairly widespread, and probably underreported. One example from a couple of years ago is the use of a trojan to steal half a million dollars from a local company, despite their bank’s use of one-time-password, SecurID-style two-factor authentication. Here’s another.
The accounts an ESP is protecting likely aren’t worth half a million dollars, so maybe bank-grade two-factor authentication is good enough for them?
Another heavy user of two-factor authentication is the online game World of Warcraft. They use a physical security fob or a smartphone app to generate one-time passwords.
As mentioned before, there’s a black market in stolen World of Warcraft accounts. They’re typically worth $8-$10 in bulk. And they’re being targeted by a key-logging trojan that intercepts the authentication data and passes it to the attacker, who can then take control of the account until the victim logs out.
That means it is already cost-effective for an attacker to use a reasonably sophisticated keylogging trojan to control an account worth $10 for a couple of hours, which is bad news if you’re relying on your customers’ accounts not being a high-value target.
What value does 2FA have, then?
“It won’t work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft.”—Bruce Schneier, 2005
2FA is a decent way to improve password security. It’s easier and cheaper to require some form of 2FA than it is to train your users to choose good passwords and not reuse them. And it can be part of a decent security approach, though the inconvenience and support overhead might exceed its value. But treating 2FA as the security solution won’t protect you from most current attack vectors, and it can distract you and consume resources you could better spend on more effective approaches.
“By concentrating on authenticating the individual rather than authenticating the transaction, banks are forced to defend against criminal tactics rather than the crime itself.”—Bruce Schneier, 2005
But two-factor authentication is a great way to deal with some non-security business problems, such as the sharing of “flat fee” accounts by multiple users.
Two-factor authentication is not a magic bullet for ESP security. It answers the question “is this the right person?” once, at login, and says nothing about whether the actions taken afterwards are ones that person intended. If it distracts you from implementing more effective (behaviour-based, rather than authentication-based) security approaches, that narrow focus risks making your overall security worse.
Unless, that is, you’re defending solely against security threats from 1995.
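The two scenarios above (the phishing proxy that relays a fob code, and the contrast between authenticating the individual and authenticating the transaction) can be made concrete in a few lines. The following is an added example, not code from the original article: it implements standard RFC 4226/6238 one-time passwords, shows that a code relayed from a fake site within its validity window is indistinguishable from one typed into the real site, and then shows one way to authenticate the transaction instead, by having the user’s device compute the code over the payee and amount it displays. The shared secret, timestamps and transactions are constructed for the demo; the 8-hex-digit transaction code is an illustrative design, not a description of any particular bank’s product.

```python
"""Added example: why a relayed one-time password is accepted, and how binding
the code to the transaction stops the same relay. Not code from the original
article; secret, timestamps and transactions below are constructed for the demo."""
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """What the fob or phone app displays at Unix time `now`."""
    return hotp(secret, now // STEP)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Server check: accept the current step and +/- `window` steps for clock drift."""
    counter = now // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def relayed_totp_accepted(secret: bytes, now: int, relay_delay: int) -> bool:
    """Phishing-proxy scenario: the user types the code into the fake site at `now`;
    the attacker forwards it to the real site `relay_delay` seconds later. Nothing in
    the code records where it was typed, so it is accepted inside the window."""
    code_typed_into_fake_site = totp(secret, now)
    return verify_totp(secret, code_typed_into_fake_site, now + relay_delay)


def transaction_code(secret: bytes, counter: int, payee: str, amount: str) -> str:
    """Transaction-bound code (illustrative design): the user's device signs WHAT is
    being authorised, i.e. the payee and amount it shows on its own screen, together
    with the time step. Truncated to 8 hex digits so a person could still type it."""
    canonical = f"{payee}|{amount}|{counter}".encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()[:8]


def verify_transaction_code(secret: bytes, code: str, now: int,
                            payee: str, amount: str, window: int = 1) -> bool:
    """Server recomputes the code over the transaction it actually received."""
    counter = now // STEP
    return any(hmac.compare_digest(transaction_code(secret, counter + d, payee, amount), code)
               for d in range(-window, window + 1))


def relayed_transaction_code_accepted(secret: bytes, now: int, relay_delay: int,
                                      user_txn: tuple, submitted_txn: tuple) -> bool:
    """Man-in-the-browser scenario: the user approves `user_txn` on their device, the
    trojan submits `submitted_txn` instead and relays the user's code unchanged."""
    code = transaction_code(secret, now // STEP, *user_txn)
    return verify_transaction_code(secret, code, now + relay_delay, *submitted_txn)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # constructed, not a real key
    now = 1_700_000_000                      # constructed timestamp
    user_txn = ("ACME Ltd", "120.00")        # what the user meant to pay
    mule_txn = ("Mule account", "9800.00")   # what the trojan submits instead
    print("plain TOTP relayed after 5 s accepted:",
          relayed_totp_accepted(secret, now, 5))
    print("bound code, transaction unchanged:",
          relayed_transaction_code_accepted(secret, now, 5, user_txn, user_txn))
    print("bound code, transaction swapped by trojan:",
          relayed_transaction_code_accepted(secret, now, 5, user_txn, mule_txn))
```

The first result is the point of the phishing scenario: with the usual one-step drift window an attacker has tens of seconds to reuse a fob code, and the server has no way to tell. The transaction-bound variant is accepted only for the transaction the user actually saw and approved; a trojan that swaps the payee still gets a valid-looking code, but it verifies against the wrong data. It does not, of course, help if the device displaying the transaction is itself the compromised endpoint, which is the reader comment’s argument for verifying on a second, independent system.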
There’s nothing in this article that I want to disagree with, as such, but one of my pet peeves is the amount of attention that man-in-the-middle (MITM) attacks get. MITM attacks are part of the security model that significantly pre-dates the Internet, or even computer networking as a whole. The main point of encryption at all is to keep secrets from a man in the middle—either a passive eavesdropper, or an active interceptor.
The problem is that the security model which includes MITM as a threat always tacitly assumed that the end-points in the system were secure. If those end-points are not secure, then a man in the middle is the least of your worries. This article acknowledges the fact that insecure end-points are a problem, but doesn’t give the threat the emphasis that it deserves.
By the time you have a Trojan inside one of the end-points, you’re not dealing with a man-in-the-middle attack any more. The traditional security model doesn’t even have a term to describe this kind of threat—except, perhaps, “an example of a system that falls outside the security model because the end-point is compromised beyond any hope of security,” and this isn’t as catchy as “man-in-the-middle attack”. The term “man-in-the-browser attack” has gained some currency (oblig. Wikipedia link) as a description of the threat, although the term is a little too specific: any low-level compromise of the end-node (whether it be the browser, the OS, or the hardware) is sufficient to bypass the kind of security offered by cryptographically securing the communications channel.
This article is correct, of course, in stating that two-factor authentication can not secure a system thus compromised. In order to be secure, communication between the parties must involve end-points which are not compromised. This doesn’t render compromised hosts completely useless, but it does render them insufficient. What’s needed is not “two factor authentication”, but “two system verification”, to coin a phrase—strictly, “n-system verification” for some n greater than one. You can initiate a transaction via an insecure system so long as all the details of the transaction are then verified independently via a second system—preferably one which calls the client back, rather than being client-initiated again. So long as both systems are not compromised by the same attacker at the same time, the transaction can be considered authenticated if it passes verification. The major strength of the system is then not in the secrecy of the user’s authentication credentials, but in the difficulty of compromising two independent end-nodes simultaneously, particularly the second system which operates in call-back mode.
This security technique is quite resilient against the broad and opportunistic malware-infecting attacks which have become commonplace of late, but care is still required to protect the system against the more sophisticated threats which invest significant effort into compromising specific users. The challenge for the attacker under these conditions is not to compromise the first system—a system which is considered a soft target from the outset—but to determine which second system to compromise, and then actually compromise it.