In 2006, a new type of sophisticated phishing attack appeared on the Internet targeting a bank's business customers. These attacks, called "Man-in-the-Middle", used a fraudulent email to fool the bank's customers into divulging their credentials on a site that appeared legitimate. What was unusual about these Man-in-the-Middle (MITM) attacks is that they succeeded in spite of the customers using one-time password (OTP) tokens that generated a unique password every minute. The fraudulent email stated that someone had tried to log into the customer's account and that the customer needed to "confirm" the account information. When the customer followed the link, he opened a web site that looked identical to the bank's business portal. When the user entered his credentials, including the token-generated one-time password, the fraudulent site used them to authenticate with the legitimate banking portal immediately (see diagram 1). Once users had entered their credentials, the fraudster displayed an "I am unable to log you in" message, making legitimate customers think the system was unavailable. Meanwhile, the fraudster used the credentials to gain access and initiate unauthorized transfers of funds.

By intercepting the traffic between the customer and the portal, an attacker has the freedom to:

- Capture the user's credentials and use them to repeatedly gain access to the portal posing as the genuine user (when the credential is a fixed password)
- Log into the system while presenting a "System temporarily down" or "I am unable to log you in" message to make the user think the portal is not available (when the credential is dynamic, such as with an OTP token)
- Log into the system and simply relay all activity between the user and the portal until the user tries to end his session, then present a "You are now logged off" message while remaining logged into the user's account (when the credential is dynamic, such as with an OTP token)
False Sense of Security

The success of this MITM attack highlighted the false sense of security that many types of authentication can give IT/Security teams within organizations. In the case of the OTP token, the real-time relay of the legitimate credentials by the MITM to the legitimate bank site defeated the security of the OTP token. The validity of a password generated by an OTP token is between 30 and 60 seconds, which enabled the fraudulent user to capture the temporary password and forward it on to the portal while the password was still alive. The root problem in an MITM attack is that a user has no way of verifying who is asking for his authentication information. Consequently, most two-factor credentials, including OTP tokens, risk analysis engines, personal assurance messages or pictures, virtual keyboards, out-of-band authentication, and knowledge-based questions and answers, are vulnerable to this type of attack (see Table 1).
The Arcot Solution Protects Against Man-in-the-Middle Attacks

Only Arcot can provide a solution that solves the challenge posed by Man-in-the-Middle attacks. The Arcot strong authentication solution, employing the ArcotID® and the Arcot WebFort® authentication server, is able to automatically verify that the site requesting the authentication credentials is in fact the site that issued them. If the site requesting the credentials did not issue them, the ArcotID will not respond to requests for username or password, automatically preventing identity theft and fraud.

The Arcot solution is unique in its built-in ability to defeat MITM attacks through its use of Public Key Infrastructure (PKI) technology. PKI uses a challenge/response protocol to ensure a secure, authenticated communication session between the client and the application or portal. Each ArcotID contains information on the web domain that issued that ArcotID. The ArcotID client checks the Arcot certificate to confirm that it is connected to the correct web domain before signing the challenge string. Even if a phishing site replicates the challenge from the domain server, the ArcotID client will not sign the challenge because the fraudulent site does not have valid domain information. Therefore, the attacker is unable to complete the authentication.

The Arcot multi-factor approach to protecting and verifying user identities is invisible to end-users. The Flash client provides an opportunity for IT/Security teams to upgrade users to strong authentication without requiring any change to the familiar username/password login interface. Users log in with their familiar credentials, and 'behind the scenes' the strength of PKI-based multi-factor authentication verifies and protects their identity.
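The following Python model is an added illustration of the two points above; it is not Arcot's code and does not reproduce the ArcotID or WebFort implementation. It contrasts a time-based OTP, which verifies correctly no matter which site the user typed it into (the property that lets a real-time relay succeed within the code's validity window), with a challenge/response credential that is bound at enrollment to the issuing domain and refuses to sign a challenge presented by any other domain. Two simplifications are assumptions of this example: an HMAC keyed per user stands in for the PKI private-key signature described on the page, and the `connected_domain` argument stands in for the domain the client has verified from the site's certificate. The domain names and user name are constructed.

```python
import hashlib
import hmac
import os

# Constructed names for the example; not from the page.
ISSUING_DOMAIN = "bank.example"
PHISHING_DOMAIN = "bank-example-login.test"


# --- Part 1: time-based OTP has no notion of where it was typed -------------

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """Standard HOTP/TOTP truncation over a 30-second time counter."""
    counter = int(now // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def otp_login(server_secret: bytes, typed_code: str, now: float) -> bool:
    """The portal only checks the code against the current window; it cannot
    tell whether the code was typed on its own page or relayed from elsewhere."""
    return hmac.compare_digest(totp(server_secret, now), typed_code)


# --- Part 2: challenge/response credential bound to the issuing domain -----

class BoundCredential:
    """Client-side credential that remembers the domain that issued it."""

    def __init__(self, user: str, issuing_domain: str, key: bytes):
        self.user = user
        self.issuing_domain = issuing_domain
        self._key = key  # stands in for the private key (assumption)

    def sign_challenge(self, challenge: bytes, connected_domain: str):
        # Refuse to sign unless the verified peer is the issuing domain.
        if connected_domain != self.issuing_domain:
            return None
        msg = b"|".join([self.user.encode(), self.issuing_domain.encode(), challenge])
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class ChallengeServer:
    """Portal-side verifier: issues one-time challenges and checks responses."""

    def __init__(self, domain: str):
        self.domain = domain
        self._keys = {}
        self._pending = {}

    def enroll(self, user: str) -> BoundCredential:
        key = os.urandom(32)
        self._keys[user] = key
        return BoundCredential(user, self.domain, key)

    def issue_challenge(self, user: str) -> bytes:
        challenge = os.urandom(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response) -> bool:
        # Each challenge is consumed on first use, so a captured response
        # cannot be replayed later.
        challenge = self._pending.pop(user, None)
        if challenge is None or response is None:
            return False
        msg = b"|".join([user.encode(), self.domain.encode(), challenge])
        expected = hmac.new(self._keys[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def direct_login(server: ChallengeServer, cred: BoundCredential) -> bool:
    """User connects to the issuing domain itself."""
    challenge = server.issue_challenge(cred.user)
    return server.verify(cred.user, cred.sign_challenge(challenge, server.domain))


def relayed_login(server: ChallengeServer, cred: BoundCredential, relay_domain: str) -> bool:
    """A relay fetches a genuine challenge from the portal and shows it to the
    user on its own domain; the client sees the relay's domain, not the issuer's."""
    challenge = server.issue_challenge(cred.user)
    return server.verify(cred.user, cred.sign_challenge(challenge, relay_domain))


if __name__ == "__main__":
    secret = os.urandom(20)
    t = 1_700_000_010.0
    print("OTP accepted 5 s later regardless of origin:", otp_login(secret, totp(secret, t), t + 5))
    server = ChallengeServer(ISSUING_DOMAIN)
    cred = server.enroll("alice")
    print("Direct login:", direct_login(server, cred))
    print("Relayed via phishing domain:", relayed_login(server, cred, PHISHING_DOMAIN))
```

The OTP check passes when the code is forwarded a few seconds later because the code carries no information about where it was entered, which is exactly the gap the relay exploits. The bound credential closes that gap on the client side: the decision to sign is made before any secret leaves the device, so the relay receives nothing it can forward, and the server additionally consumes each challenge so that a captured response is useless a second time.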