I was talking with Andre Durand yesterday, and we agreed that when you look at the security market, it is not very strategically oriented: vendors have aggregated a large number of tactical solutions under one roof, but there is no real cohesive strategy. The problem, of course, is that the security of the system is of strategic concern to the enterprise, but the marketplace simply does not reflect this. A perfect example of what happens when security groups *do* think strategically instead of blindly adopting what the vendors are selling comes from OWASP jefe de jefes Andrew van der Stock, who contributed this comment to an earlier post on using SMS (or another communication band) to authorize a transaction. It raises a very important point: IT security groups so often end up drilling down one particular rabbit hole that they lose sight of the big picture. Sometimes combining basic authN schemes across multiple communication bands adds more strength than increasing the strength of any single component.
The SMS is a form of transaction signing. Weak transaction signing for sure, but it's better than 2FA authC, as the MITM scenario proposes. The attacker has to
a) conduct a DNS or other infrastructure level attack (such as install a Banking trojan) against the victim
b) take over the active session, either by navigating the user to a perfect copy of the site (hard) or just interceding with some added Ajax background music, such as a forceful CSRF to which the user is unaware
c) Convince the user that they must give up a sound credential. With a 2FA fob with no transaction signing, this is easy and many will fall victim. This is why 2FA fob only does not work and is a waste of money. If the user sees a message on their phone for no reason, saying:
"The token code to transfer $2900 to account "blah" is 437485. If you did not make this transaction, do not enter the code and call 1800 EXAMPLE immediately. This token expires in 30 seconds."
A user will hesitate to enter that unless they're already in the process of entering a transfer. If it's the wrong value, and the wrong destination, they will not enter it.
SMS 2FA is extremely cheap, and extremely effective. For customers without a mobile phone, transaction signing calculators from Vasco et al cost $20 on up to a couple of hundred for the EMV capable fancy ones. I like the intermediate EMV calculators - they force the user to put their corporate credit card into the device thus ensuring they have a mental picture as to the value of leaving the token around. All too often, I find tokens in desk drawers and such. Making the user aware of the exact value by hooking a real monetary instrument to a disconnected calculator is so close to three factor authentication: something you know, something you have, and something you are, as to not count. I doubt the attackers will work out a suitable attack path for these devices unless *we* make mistakes.
And sure enough, we will make mistakes. But the cost will be a lot less than it is today. The day of the password ended a long time ago. It's time to move on to a world where devices are *always* assumed to be trojaned, and the network is *always* assumed to be tainted (DNS pinning attacks, etc), and so on. SSL no longer cuts the mustard alone.
This illustrates very well that the heretofore goal of most IT security initiatives, ivory tower security, wherein a benign subject uses very strong "unbreakable" authN mechanisms from a "secure" desktop over a "secure" network, is not only flawed but overly complex and expensive compared to the subtle and powerful change in approach Andrew describes. This is also reminiscent of a comment Bob Blakley posted a while back on dealing with identity theft in a similar manner, using communication bands:
I define "Identity theft" as the theft of a "breeder document" which enables ME to generate NEW identities which people attribute to you. If I learn your Social Security Number and your address (and maybe your mother's birthdate and maiden name, or some other such highly esoteric piece of information), then I can write off to EnormousGlobalBank and take out a NEW credit card in your name. And when you cancel that card (assuming you can), then I can do it AGAIN. If you accept that this is the problem, I think there's an easier solution than one which relies on demonstrating a "proof" to a third party. It goes like this. Imagine that your Social Security card is the sole "breeder document" for accounts. Now imagine that you (and everyone else) are issued a new Social Security card - the actual physical card, not the number.
Imagine that this card has four new features. The first is an LCD window which can scroll text. The second is a "yes" button. The third is a "no" button. And the fourth is a vibrate mode.
Finally, imagine that EVERY TIME you try to open an account using your SSN, the institution trying to create the account sends out a signal. The signal causes your card to vibrate. When you take the card out of your pocket, the screen displays a message on its LCD screen saying "EnormousGlobalBank creating new VasterCard Account for you. OK?" If you believe that the account is being created because of some process you initiated, you press the "yes" button. Otherwise, you press the "no" button.
The key here is NOT authentication. It's awareness (creating the opportunity for the "real" "owner" of the "identity" to know what's being done on his behalf), and, most importantly, TIMELINESS. A big part of the identity theft problem comes from the fact that the average person checks her credit report every time she buys a house - i.e. not often enough to realize that something shady is going on and stop it before a lot of damage is done.
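Andrew's SMS and Bob's card rely on the same server-side mechanism, and it is worth making that mechanism concrete. In the sketch below the confirmation text is composed from the institution's own record of the request (not from whatever the browser rendered), the code inside it is bound to that one request, it works once, and no answer inside the window counts as "no". This is an added illustration, not code from either comment or from any bank's system; the HMAC-SHA256 construction, the six-digit truncation, the 30-second window, the in-memory pending table, the phone number and the sample transfers are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

WINDOW_SECONDS = 30  # "This token expires in 30 seconds" in the SMS quoted above


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    destination: str
    holder_phone: str  # the second channel; the browser never touches it


@dataclass
class Pending:
    transfer: Transfer
    nonce: bytes
    issued_at: float
    used: bool = False


class OutOfBandAuthoriser:
    """Assumed design (not from the post): HMAC-bound 6-digit code, single
    use, default deny once WINDOW_SECONDS have passed."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._pending: dict[str, Pending] = {}
        self.outbox: list[tuple[str, str]] = []  # (phone, text) stands in for an SMS gateway

    def _code_for(self, txn_id: str, p: Pending) -> str:
        # HMAC over the server's record: a code issued for one (amount, destination)
        # is useless for any other transaction, even inside the window.
        msg = b"|".join([txn_id.encode(), str(p.transfer.amount_cents).encode(),
                         p.transfer.destination.encode(), p.nonce,
                         str(int(p.issued_at)).encode()])
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def request(self, transfer: Transfer, now: float) -> str:
        txn_id = secrets.token_hex(8)
        p = Pending(transfer, secrets.token_bytes(16), now)
        self._pending[txn_id] = p
        # Text is built from what the server is about to execute, so a MITB that
        # repainted the page cannot change what the customer reads on the handset.
        text = (f'The token code to transfer ${transfer.amount_cents / 100:,.2f} to account '
                f'"{transfer.destination}" is {self._code_for(txn_id, p)}. If you did not make '
                f'this transaction, do not enter the code and call 1800 EXAMPLE immediately. '
                f'This token expires in {WINDOW_SECONDS} seconds.')
        self.outbox.append((transfer.holder_phone, text))
        return txn_id

    def confirm(self, txn_id: str, code: str, now: float) -> bool:
        p = self._pending.get(txn_id)
        if p is None or p.used:
            return False  # unknown, denied, or already executed
        if now - p.issued_at > WINDOW_SECONDS:
            del self._pending[txn_id]  # silence is a "no", never a default "yes"
            return False
        if not hmac.compare_digest(code, self._code_for(txn_id, p)):
            return False
        p.used = True  # a phished or shoulder-surfed code cannot be replayed
        return True

    def deny(self, txn_id: str) -> None:
        """Blakley's "no" button, or the customer calling instead of typing."""
        self._pending.pop(txn_id, None)


def code_in(sms: str) -> str:
    """What the customer reads off the handset."""
    return re.search(r" is (\d{6})\.", sms).group(1)


def demo() -> dict[str, bool]:
    """Constructed scenarios: phone number, amounts and accounts are made up."""
    auth = OutOfBandAuthoriser(secrets.token_bytes(32))
    phone, t0 = "+1 555 0100", 1_700_000_000.0
    r: dict[str, bool] = {}
    # 1. Customer really asked for $2900 to "blah": the code works, once.
    txn = auth.request(Transfer(290_000, "blah", phone), t0)
    code = code_in(auth.outbox[-1][1])
    r["legitimate"] = auth.confirm(txn, code, t0 + 10)
    r["replay"] = auth.confirm(txn, code, t0 + 12)
    # 2. Trojaned browser swaps the destination on the way to the bank: the SMS
    #    names the mule account, a code phished for the genuine transfer does
    #    not fit the swapped one, and the customer's "no" ends it.
    genuine = auth.request(Transfer(290_000, "blah", phone), t0 + 20)
    genuine_code = code_in(auth.outbox[-1][1])
    swapped = auth.request(Transfer(290_000, "mule-account", phone), t0 + 21)
    r["sms_shows_server_view"] = "mule-account" in auth.outbox[-1][1]
    r["code_bound_to_transaction"] = auth.confirm(swapped, genuine_code, t0 + 25)
    auth.deny(swapped)
    r["denied_even_with_right_code"] = auth.confirm(swapped, code_in(auth.outbox[-1][1]), t0 + 26)
    # 3. Nobody answered for the genuine one either: expiry is a denial.
    r["expired"] = auth.confirm(genuine, genuine_code, t0 + 20 + WINDOW_SECONDS + 1)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:30} {'authorised' if outcome else 'refused'}")
```

The point Andrew and Bob make sits in `request` and `confirm`, not in the strength of the code: the customer is shown the server's view of the transaction over a channel the trojaned PC does not control, and the only way a transaction goes through is a fresh, matching, in-window answer from the holder. Everything else (a hijacked session, a perfect phishing copy, a captured code) is rendered as a refusal rather than a default approval.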
IT security needs to fixate less on individual mechanisms and more on the system as a whole.
**************************************************
Upcoming public SOA, Web Services, and XML Security training by Gunnar Peterson, Arctec Group
--- NYC (April 19), Unatek Web Services (May), OWASP App Sec Europe (May), Helsinki (June), DC/Baltimore (July 19).
The reason that SMS authentication is now in vogue is for a very simple reason: it addresses MITB. When MITB was first spotted as a trial about a year ago (I called it Meccano then), and investigated, it sent shivers of fear through the banking sector.
The analysis pretty much coalesced around the mobile phone as the device for the user to authorise the transaction. In one attack model, we saw them move from authentication to authorisation.
Is this good? I guess. No amount of theory or risk analysis helped up front. We've all known since the year dot that the final frontier - the windows PC and the browser itself - were as insubstantial as swiss cheese in a fondue. But it took a believable threat of sweeping attacks to move the morass of security thought to that end.
(And, still no evidence that the response went further than Europe....)
Posted by: Iang (publically reported one year ago) | April 06, 2007 at 05:13 PM
Here you are missing a basic point: if at all we use SMS-based authentication, in the end we are not securing the channel from MITM (active attacks).
Posted by: akphoenixgen | April 12, 2007 at 01:19 PM
Sorry, my mistake: SMS *authorisation* for the transaction, not the _authentication_.
That is, the entire transaction is authorised over the SMS. So it bypasses the ability of the phisher MITM or browser MITB to control the presentation to the user, because it is an entire second channel.
In general, expecting an attacker to "own" your PC and your phone at the same time is still considered a reasonable risk to take on.
Posted by: Iang | April 12, 2007 at 01:47 PM