Man-in-the-Middle attacks can defeat most kinds of multi-factor authentication, including OTP tokens. Financial institutions, brokerages, and other likely targets of MITM attacks should consider the ability of their countermeasures to defeat MITM attacks, as these types of attacks will continue.
Protecting Online Customers from Man-in-the-Middle Attacks
WHITEPAPER
[Sidebar] MITM attacks can bypass many security tools, including OTP tokens, device identification, and knowledge-based authentication. Arcot offers a way to defeat MITM automatically that is invisible to users, easy to deploy, and low-cost.

THE EMERGENCE OF A NEW THREAT

In 2006, a new type of sophisticated phishing attack appeared on the Internet targeting a bank's business customers. These attacks, called "Man-in-the-Middle", used a fraudulent email to fool the bank's customers into divulging their credentials on a site that appeared legitimate. What was unusual about these Man-in-the-Middle (MITM) attacks is that they succeeded in spite of the customers using one-time password (OTP) tokens that generated a unique password every minute.

The fraudulent email stated that someone had tried to log into the customer's account and that the customer needed to "confirm" the account information. When the customer followed the link, he opened a web site that looked identical to the bank's business portal. When the user entered his credentials, including the token-generated one-time password, the fraudulent site used them to authenticate with the legitimate banking portal immediately (See diagram 1).

The fraudster displayed an "I am unable to log you in" message once users had entered their credentials, making legitimate customers think the system was unavailable. Meanwhile, the fraudster used the credentials to gain access and initiate unauthorized transfers of funds.

By intercepting the traffic between the customer and the portal, an attacker has the freedom to:

- Capture the user's credentials and use them to repeatedly gain access to the portal posing as the genuine user (when the credential is a fixed password)
- Log into the system while presenting a "System temporarily down" or "I am unable to log you in" message to make the user think the portal is not available (when the credential is dynamic, such as with an OTP token)
- Log into the system and simply relay all activity between user and the portal until the user tries to end his session, then provide a "You are now logged off" message while remaining logged into the user's account (when the credential is dynamic, such as with an OTP token)
FIGURE 1: MAN-IN-THE-MIDDLE ATTACKS

[Diagram: User -> Man-In-The-Middle Site -> Real Bank Site; labels "User Credentials", "Verification", and the "I am unable to log you in" dialog shown to the user]

1. User clicks on link in a phishing email, goes to MITM site and enters credentials (including token-generated one-time password)
2. MITM site connects with Bank site and impersonates legitimate user using phished credentials
3. Bank site grants MITM account access
4. MITM displays phony page stating system is unavailable, or waits until user wants to log off, then displays phony page confirming log-off
False Sense of Security

This success of the MITM attack highlighted the false sense of security that many types of authentication can give IT/Security teams within organizations. In the case of the OTP token, the real-time relay of the legitimate credentials by the MITM to the legitimate bank site defeated the security of the OTP token. The validity of a password generated by an OTP token is between 30 and 60 seconds, which enabled the fraudulent user to capture the temporary password and forward it on to the portal while the password was still alive.

The root problem in an MITM attack is that a user has no way of verifying who is asking for his authentication information. Consequently, most two-factor credentials, including OTP tokens, risk analysis engines, personal assurance messages or pictur...

[...] phishing site replicates the challenge from the domain server, the ArcotID client will not sign the challenge because the fraudulent site does not have valid domain information. Therefore, the attacker is unable to complete the authentication.

The Arcot multi-factor approach to protecting and verifying user identities is invisible to end-users. The Flash client provides an opportunity for IT/Security teams to upgrade users to strong authentication without requiring any change to the familiar username/password login interface. Users log in with their familiar credentials, and 'behind the scenes' the strength of PKI-based multi-factor authentication verifies and protects their identity.

[download for more]
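The relay attack described in the first section works because an OTP is a bearer value: the bank cannot tell whether the code was typed in by the user or forwarded by the phishing site. The countermeasure described above binds the authentication response to the domain that asked for it, so a response obtained through a fraudulent site is useless at the real one. The following Go program is an added illustration of that principle and is not Arcot's or ArcotID's code; it models a challenge-response login in which the client signs the bank's challenge together with the origin it is actually talking to (the domain name "bank.example", the phishing domain and the "|" separator are constructed for the example). It shows the legitimate login succeeding, the domain-bound client refusing to sign for an unknown domain, and, for a naive client that signs anyway, the bank rejecting a signature that covers the wrong origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// bankOrigin is the domain the credential is bound to at enrolment (assumed name).
const bankOrigin = "bank.example"

// Credential is the user's private key plus the domain it was enrolled for.
type Credential struct {
	priv        ed25519.PrivateKey
	boundOrigin string
}

// Enroll generates a key pair for the user; the public key is registered with the bank.
func Enroll(origin string) (*Credential, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Credential{priv: priv, boundOrigin: origin}, pub, nil
}

// signedMessage is the byte string both sides agree to sign: challenge || "|" || origin.
// Including the origin is what makes a relayed response unusable elsewhere.
func signedMessage(challenge []byte, origin string) []byte {
	msg := append([]byte{}, challenge...)
	return append(msg, []byte("|"+origin)...)
}

// Sign is the client side: it refuses to sign when the site presenting the
// challenge is not the domain the credential was bound to.
func (c *Credential) Sign(challenge []byte, presentingOrigin string) ([]byte, bool) {
	if presentingOrigin != c.boundOrigin {
		return nil, false
	}
	return ed25519.Sign(c.priv, signedMessage(challenge, presentingOrigin)), true
}

// Verify is the bank side: the signature must cover the bank's own challenge
// and the bank's own origin, regardless of where the response was relayed from.
func Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedMessage(challenge, bankOrigin), sig)
}

// NewChallenge returns a fresh random nonce issued by the bank.
func NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// LegitimateLogin: the user talks directly to the bank.
func LegitimateLogin(c *Credential, pub ed25519.PublicKey) (bool, error) {
	ch, err := NewChallenge()
	if err != nil {
		return false, err
	}
	sig, ok := c.Sign(ch, bankOrigin)
	if !ok {
		return false, nil
	}
	return Verify(pub, ch, sig), nil
}

// RelayedLogin: the bank's challenge reaches the user via a phishing site at
// phishOrigin. The domain-bound client declines to sign, so nothing is relayed.
func RelayedLogin(c *Credential, pub ed25519.PublicKey, phishOrigin string) (bool, error) {
	ch, err := NewChallenge()
	if err != nil {
		return false, err
	}
	sig, ok := c.Sign(ch, phishOrigin)
	if !ok {
		return false, nil
	}
	return Verify(pub, ch, sig), nil
}

// SignedAnyway models a naive client that signs whatever origin it sees; the
// origin inside the signed message still causes the bank's check to fail.
func SignedAnyway(c *Credential, pub ed25519.PublicKey, phishOrigin string) (bool, error) {
	ch, err := NewChallenge()
	if err != nil {
		return false, err
	}
	sig := ed25519.Sign(c.priv, signedMessage(ch, phishOrigin))
	return Verify(pub, ch, sig), nil
}

func main() {
	cred, pub, err := Enroll(bankOrigin)
	if err != nil {
		panic(err)
	}
	phish := "bank-secure-login.example" // constructed phishing domain
	ok, _ := LegitimateLogin(cred, pub)
	fmt.Println("direct login accepted:       ", ok)
	ok, _ = RelayedLogin(cred, pub, phish)
	fmt.Println("relayed login accepted:      ", ok)
	ok, _ = SignedAnyway(cred, pub, phish)
	fmt.Println("naive-client relay accepted: ", ok)
}
```

Both checks matter: the client-side refusal stops the credential from being exercised at all, and the server-side origin check means that even a client which does sign for the wrong site produces a response the bank will not accept, which is the property an OTP code lacks.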