Phishers go after two-factor authentication systems
By Eric Bangeman| Published: July 11, 2006 – 01:49PM CT
One of the problems with passwords is that they can be compromised relatively easily. While brute-force cracks are possible, it is much easier to convince users to willingly part with their passwords using social engineering. That’s how phishers operate, by tricking users into entering their passwords—along with other personal information—on convincing-looking but spoofed web pages. Once they have that information, bank balances shrink while credit card balances grow.
Two-factor authentication has been touted as a solution to the problem of users giving up their passwords too easily. One group of phishers is determined to prove otherwise, as a recent attack demonstrates.
On the surface, two-factor authentication is a relatively simple solution. In order to log in to a protected site, users must enter a password as well as a second bit of information. In the case of Citibank and a handful of other financial institutions, users are given a USB dongle which displays a passphrase or string of numbers that updates every 60 seconds. It is only when the correct password is paired with a valid passphrase generated by the token that the user is granted access to their account information.
A group of phishers operating out of a Russian website attempted to trick Citibank customers in the customary manner, by directing them to a lookalike website and asking for the usual personal information. As an added bonus, the phishers also asked for the passphrase generated by the token. Once they had both pieces of the authentication information, they would presumably then transmit it onto Citibank within a 60-second time period and go about their nefarious business. It’s a simple adaptation of existing methods: just add an additional field to existing forms and they are all set.
The phishing attacks demonstrates one of the weaknesses of two-factor authentication: it’s still quite vulnerable to “middleman” attacks. If a malicious site is able to pose as the genuine article, collect the necessary authentication from the unsuspecting user, and act on it quickly enough, it is not much safer than traditional password-only attacks.
Some banks and other institutions have already made substantial investments in developing and deploying two-factor authentication systems. The central theme in marketing the systems to customers is added security. Microsoft had even planned to natively support it in Vista, although that ultimately met the same fate as other features originally planned for its new OS. However, as the latest bit of phishing demonstrates, it’s not a cure-all. When used in conjunction with other antiphishing tools, it can be more effective. But as long as there are gullible users, no combination of security measures will be completely foolproof.
As we know, password abuse in the NHS is endemic. Gullible or simply exhausted users will be tricked into revealing their passwords and token numbers, and then ‘Russian Hackers’ (the media’s latest bogeyman) will get in and start to copy ContactPoint entries, i.e. the private and sensitive details of children. This will be automated, so they will have a system to harvest accounts in place that will allow them to quickly create a working copy of the live ContactPoint database.