Iang (publicly reported one year ago)

The reason that SMS authentication is now in vogue is for a very simple reason: it addresses MITB. When MITB was first spotted as a trial about a year ago (I called it Meccano then), and investigated, it sent shivers of fear through the banking sector.

The analysis pretty much coalesced around the mobile phone as the device for the user to authorise the transaction. In one attack model, we saw them move from authentication to authorisation.

Is this good? I guess. No amount of theory or risk analysis helped up front. We've all known since the year dot that the final frontier - the Windows PC and the browser itself - were as insubstantial as Swiss cheese in a fondue. But it took a believable threat of sweeping attacks to move the morass of security thought to that end.

(And, still no evidence that the response went further than Europe....)


Here you are missing a basic point: if at all we use SMS-based authentication, in the end we are not securing the channel from MITM (active attacks).


Sorry, my mistake: SMS *authorisation* for the transaction, not the _authentication_.

That is, the entire transaction is authorised over the SMS. So it bypasses the ability of the phisher MITM or browser MITB to control the presentation to the user, because it is an entire second channel.

In general, expecting an attacker to "own" your PC and your phone at the same time is still considered a reasonable risk to take on.
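To make the authentication-versus-authorisation distinction in this thread concrete, here is an added example (not from any of the commenters): a Python simulation in which a hypothetical bank sends either a plain login code or a code bound to the submitted order over the phone channel, while a browser-side MITB rewrites the payee. The HMAC key, the SMS wording, the six-digit truncation and the user's matching rule are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

BANK_KEY = secrets.token_bytes(32)  # constructed bank-side secret, assumed

@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int

def code_for(tx: Transfer, nonce: str, authorise: bool) -> str:
    """6-digit HMAC code: bound to the order for authorisation, to the nonce only for authentication."""
    material = f"{tx.payee}|{tx.amount_cents}|{nonce}" if authorise else nonce
    digest = hmac.new(BANK_KEY, material.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def compose_sms(tx: Transfer, nonce: str, authorise: bool) -> str:
    """An authorisation SMS repeats the order; an authentication SMS carries only a code."""
    code = code_for(tx, nonce, authorise)
    if authorise:
        return f"Pay {tx.amount_cents / 100:.2f} to {tx.payee}? Code {code}"
    return f"Your login code is {code}"

def run_transfer(intended: Transfer, mitb: Optional[Callable[[Transfer], Transfer]],
                 authorise: bool) -> Optional[Transfer]:
    """Simulate one transfer; return what the bank executes, or None if it is refused."""
    # 1. The browser submits the order. A MITB can rewrite it on the way out
    #    while still showing the user the order they typed.
    submitted = mitb(intended) if mitb else intended
    # 2. The bank picks a fresh nonce and sends the SMS over the second channel,
    #    which the MITB neither sees nor edits.
    nonce = secrets.token_hex(8)
    sms = compose_sms(submitted, nonce, authorise)
    # 3. Only the authorisation SMS lets the user compare the order on the phone
    #    with what they meant to send; on a mismatch they do not answer.
    if authorise and not sms.startswith(
            f"Pay {intended.amount_cents / 100:.2f} to {intended.payee}?"):
        return None
    # 4. The user types the code back into the (compromised) browser. The MITB
    #    can relay it but cannot compute a code for a different order.
    typed = sms.rsplit(" ", 1)[-1]
    if not hmac.compare_digest(typed, code_for(submitted, nonce, authorise)):
        return None
    return submitted
```

With `authorise=False` the rewritten order goes through because the code vouches for nothing but the session; with `authorise=True` the phone shows the altered payee and the user never supplies the code.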

