web application security lab

Token Authentication Gone Phishing

I actually laughed out loud when I saw this link explaining how Citibank’s second-factor authentication got phished. I’ve been saying this for years. You cannot stop people from entering anything they know into any site that asks for it. Strong authentication isn’t really that strong. It has tons of usability issues (what happens if I’m blind, or just lent my keys to my girlfriend to go shopping, for that matter?) and it’s still vulnerable to man-in-the-middle attacks, just like plaintext passwords are.

What’s the difference? Only the amount of time the phisher has to use what they captured. And that’s only true if it’s a time-based token and not an event-based (keypress) token. Frankly, I’m pretty tired of big companies touting this as the answer to security. Here’s a quote from an ex-AOL employee about when they used tokens internally. And for those of you who aren’t aware, they were heavily phished both before and after deploying it to their employees:

RSnake: back to the drawing board
Ex-AOL-Employee: Nice. I told them at the first 2FA meeting I went to that AOL phishers had sent phishing email with the token fields to AOL employees who had signed in to AOL with an RSA token
RSnake: No kidding
Ex-AOL-Employee: _____________ brushed it off saying it shouldn’t be a problem…
RSnake: It shouldn’t, but yet, it is.
Ex-AOL-Employee: of course it is. At AOL, many people, from lowly CS reps to VPs, got their accounts hijacked this way, and then the phishers sent out more phishing email and IM messages from those VPs asking for sensitive info. It worked very well

My point is, the barrier to phishing is not a very high one. The cost to users is high, the cost to businesses is also high, and in the case of the companies who are unfortunate enough to be heavily targeted, this hasn’t stopped the phishers from attacking. How do you sell second-factor authentication? You say, “It’ll keep you safe!” And then the user is thinking, “But I thought I already was safe, you’re a bank, right?” “Well, even MORE safe… this time, you’ll be SUPER safe.” And then guess what, all you have done is raised the bar slightly. Anecdotally, I talked with a token user and I asked her, “What would you say if I told you I could hack into any account you had, regardless of whether you had a token or not?” She responded with, “I’d still use it.” And I clarified, “Let’s assume for a second it’s zero difference in security.” She responded with, “I’d still use it because it makes it harder for the bad guys.” She couldn’t get it through her head that there is a possibility it might not be any more secure, even when I asked her to theorize that it might be possible - boy, has the security industry got her hoodwinked!

Okay, so maybe there is some value from a user-perception standpoint, but if the whole world adopts it and the whole world keeps getting phished, I don’t think that perception will last. It feels like snake oil to me, and now I’ll have to carry even more crap on my keychain and hope that I don’t accidentally break it or let the batteries die, or I won’t be able to use my account - great.

10 Responses to “Token Authentication Gone Phishing”

  1. Brian Says:

    You make a couple of really good points in this blog post. I disagree with you on one issue. I think that a time-limited second factor does make the phisher’s job harder.

    With single-factor auth, the phisher can use the info they’ve harvested at leisure. They send out their e-mails, they get a few user ids and passwords dropped into their web app, and they can go ahead and use a browser to do the dirty work. None of this is rocket science.

    With time-limited 2FA, the phisher either has to sit and watch their drop point constantly, so they can use the token as soon as it arrives, or they have to automate the entire attack. Depending on the target, the automation could be anywhere from easy to impossible. Automating a funds transfer on a well known banking web site is probably doable. Automating a search through a company’s internal web apps that you’ve never seen before would be much, much harder.

    It’s really a question of what you are trying to protect, what level of compromise you are willing to accept as a cost of doing business, and how much authentication cost and hassle you are willing to put up with.

    It does seem to me that sometimes people tend to make purchase decisions on 2FA solutions before they’ve really thought through those questions.

  2. RSnake Says:

    Harder? Yes. Hacker proof? No. Yes, time based makes it harder, and I think it’s a good solution for IT departments as a result. For consumers? Horrible. Absolutely terrible. I’m kind of a consumer advocate and there are a half dozen reasons this gets in the way of consumer spending. In my mind the best ways to solve security are without involving the user at all. Once you involve the user it makes their life harder, their frustrations rise and you are very unlikely to see a major change in the overall security. Like ultra strong passwords.

    People can’t remember them so they write them down. Bruce Schneier’s book Secrets and Lies goes into that problem a lot. There are mitigating factors but thus far 2nd factor authentication has only a forgot my token at home/I dropped my token under a train flow, and you better hope that that flow is secure or the phishers will ask the same questions that flow does and use it to gain access. Anyway, maybe it’s just a personal thing but I hate tokens. I like to have two keys. One to my car and one to my house. I’m not a big fan of bulky fobs. It makes people think I’m getting excited.

  3. Legionnaire Says:

    In every security system the weakest factor is always the human. You may have a super-duper algorithm or communication protocol that cannot be cracked or sniffed or sth but as long as you require the user to login in some way you have one vulnerable system.

    Phishing is part of Social Engineering, that is, talking people into revealing their secrets (aka letting you in themselves) instead of hitting your head against the wall trying to crack it.

    I do agree with the author that hardening security should be on the server’s part. If the authentication method is too hard for the user he is twice a victim even compared to using simple (dictionary) passwords.

    In the matter of protecting its interests a company should form solid communication protocols with its clients like including a land line in every original e-mail and urging its clients to call that number and verify the source. No taped messages and stuff because that can be easily spoofed. I’m talking about 24 hour real people answering official numbers, advertised in every official document. The company should run a campaign urging its clients to verify everyone and everything that approaches them in the name of the company.

    To sum up, awareness of the danger is the key. Proper information is more valuable than the toughest password in the world.

  4. RSnake Says:

    Amen! I’ve always thought training users in security was a useless feat. We had a guy in one of the companies I used to work for whose sole job it was to do consumer education on security issues. At the end of the day it changed nothing. It may have had some small impact, but at the end of the day, really the numbers just didn’t reflect any changes due to his millions spent on education.

    All that happens is that people feel more educated about an issue they really know nothing about. Worse yet they feel empowered to combat the problem because they think they know the solution when in reality they aren’t given the proper tools to combat the issue themselves. I might believe you if you said people are willing to spend more as a result of feeling empowered, but they definitely are no safer having sat through your webinar. It’s up to us, the security community, to take the onus upon ourselves to fix the issues for our consumers.

  5. Legionnaire Says:

    I’m not talking about introducing users to SSL or PKA and stuff. I believe it is very important to “hard wire” in every user’s head a clear condition: if (verification()==doubtful) walk_away();

    In other words treat them as illiterate people because that’s what they are when it comes to these matters. We should address them in a simple way providing merely execution routines and not expecting them to make decisions. They should come to our door every single time they have to sit and think what to do next (when facing doubts or the unknowns).

    It’s like calling the police. When we feel threatened one thought comes to mind: dial 911. Few people try to neutralize the threat. It should be the same with IT security. Don’t you think?

  6. RSnake Says:

    That’s a very interesting concept. I really don’t know how to answer that. I guess my first question is what’s the number? It’s not 911, and it’s not the Dude-you’re-getting-a-Dell Support number, so what is it? If it’s a “If you think this phishing site is illegitimate, call our 1-966-phishing hotline” type thing, obviously that has problems too. I like the concept, but to quote Ghostbusters, “who ya gonna call”?

  7. Legionnaire Says:

    To my understanding, the core of the problem is that the company does NOT clearly state the communication protocol with the clients. So when an attacker does communicate with a victim, he/she does NOT know how to react and falls for it.

    Simple statements like “The company will NEVER ask for your username or password” printed on posters or leaflets (the word is “campaign”) will greatly reduce successful phishing.

    If the company’s web site and official documents contain that number (1-966-phishing), you know who to call. Like I know who to call if my mobile phone gets stolen: my provider from whom I have documents and bills all providing a support line. I also know who to call if I see something going on with my credit card.

    So why don’t I know who to call when I need to verify a message from a company.com?

  8. RSnake Says:

    Good question. But you have to understand that phishers say the same thing, “We will never ask you for your username or password from an email. Now click here.” which of course takes you to their phishing site to collect that exact same data. Users don’t even think it’s odd. They really feel safe when they are doing it for the most part. I’ve only heard of one example where the person immediately realized they had been phished right after having given away their entire identity. For the most part people don’t even realize it’s bad. But to your point what should they do in those cases where they DO realize it’s bad.

    Let’s take Amazon for instance. I have dealt with Amazon maybe a hundred times. I know and trust the brand. Amazon has had phishing sites in the past through no fault of their own. I would have no clue how to get a hold of Amazon if I were an average user sitting on a phishing site other than navigating away from the site. Phishers could even have something clever built into the site upon navigation away from the website saying, “Are you sure you want to leave this site? Your account will be locked out if you do.” scaring users into submitting all the relevant information. I think your idea is a good one, but the practicalities make it hard to implement successfully - otherwise phishing wouldn’t be so widespread.

  9. Legionnaire Says:

    OK maybe the above guideline was a non-example but how about “Always verify with us that you’ve been e-mailed”. You know… stuff that deals with the majority of attacks.

    I am not saying people will become immune to them but the number of victims will decrease greatly.

    It is this dictated guideline to contact the company, the hq, the real people (you name it) and second guess any approach that will save their asses.

    After all how many times has the genuine Amazon approached you? That’s right, in the majority of cases (I say 99%) legit companies do not approach their clients unless they owe them money :P

    P.S.: As for the ways of contact like authentic phone numbers, they may be printed on the back of official documents like registration papers or bills and stuff.

  10. Albert Says:

    There are still always ways to get around this as no authentication protocol is foolproof. It’s true that training addresses some of the issues but it comes down to things like evasion. Just think of it this way, training clients is like training an IPS. You might catch some suspicious stuff, but people will end up coming back with more clever methods to bypass your system.

    Social engineering is a good tool also =]