Man-in-the-Middle Phishing Attack Successful Against Citibank's 2-Factor Token Authentication
Posted on: Wednesday, 12 July 2006, 09:00 CDT
SAN MATEO, Calif., July 12 /PRNewswire/ -- On July 10th, 2006, the first reports of a Man-in-the-Middle Phishing 2.0 attack against CitiBank's CitiBusiness(SM) service appeared in the Washington Post. The phishing scam, originating in Russia, shows that cyber criminals are integrating multiple attack methods to defeat the latest security measures, such as the One Time Password (OTP) tokens implemented by banks.
"In my testimony to Congress in 2004, I warned that, as more people become aware of current 'phishing' scams, the cyber criminals often get even more clever, and create new, more sophisticated techniques," said Howard Schmidt, former White House cybersecurity advisor and former Chief Security Officer of eBay and Microsoft.
In 2004, the first wave of "Phishing 1.0" attacks tricked unsuspecting consumers into clicking on links to fake bank websites and giving up their usernames, passwords, and other personal information leading to financial fraud and identity theft. Phishing 2.0 has evolved to combine traditional Phishing 'hooks' with a Man-in-the-Middle attack (in the Citibank case involving a botnet), and URL spoofing. A Phishing 2.0 attack tricks the user into clicking on a link to login to their bank through the Man-in-the-Middle phishing proxy site. It is actually easier to launch than traditional Phishing 1.0 scams because the attacker does not need to create and maintain a copy of a fake site. The phisher merely passes through the actual pages from the real web site, then steals data or makes changes to transactions automatically using easy-to-write scripts.
"This is a common and predictable attack. As an industry, we need to accept that solutions not incorporating strong client and server authentication cannot survive the Internet. Ten years ago, this was evident with the advent of key SSL mechanisms. It's time to put them to work," said Eric Greenberg, Chief Master Architect for security firm KSR and former leader of Netscape's security group, which originally created SSL.
Since 2004, most banks have responded by implementing one or more security technologies designed to fight traditional Phishing 1.0. In many cases, these security measures have temporarily reduced fraud rates based on their ability to prevent basic Phishing 1.0 techniques. However, these security measures are vulnerable to Phishing 2.0 attacks (see table below):
Security Measure / How it Works / Vulnerability to Phishing 2.0
________________________________________________________________________
One Time Password Tokens (including hardware, software, and scratch cards)
  How it works: Users receive a hardware device, paper scratch card or grid card that changes their passcode for every login (in some cases every 30-60 seconds).
  Vulnerability to Phishing 2.0: The one time password is passed through by the attacker and used to login within milliseconds, making even the 30-60 second time period for time synchronous tokens irrelevant.
________________________________________________________________________
IP Geolocation
  How it works: The website associates the user's account with the geographic location of the IP address.
  Vulnerability to Phishing 2.0: The man-in-the-middle proxy server is routed to a local botnet computer located in the same geographic region or ISP as the user's computer.
________________________________________________________________________
Device Fingerprinting
  How it works: The website attempts to create a profile of the device based on information provided by the web browser.
  Vulnerability to Phishing 2.0: The browser information is passed through unchanged from the original user's computer. This can also be easily spoofed by the phisher.
________________________________________________________________________
Browser Cookie
  How it works: The website places a browser cookie on the user's computer after answering secret questions.
  Vulnerability to Phishing 2.0: Due to frequent roaming and cookie deletion, users get accustomed to answering secret questions. The Man in the Middle can trick the user into answering the secret questions at the phisher site and then use those questions to log into the real bank.
________________________________________________________________________
Picture or Text on Website (such as Bank of America's SiteKey(TM))
  How it works: The user selects a personal picture or text phrase that always appears on the login website to assure the customer that they aren't being phished.
  Vulnerability to Phishing 2.0: After stealing the secret questions and resetting the cookie as described above, the attacker now also has the picture and text that is unique to the user.
________________________________________________________________________
Virtual Keyboard
  How it works: The user inputs their passcode through a web-based graphical keyboard.
  Vulnerability to Phishing 2.0: The user's passcode is stolen after it is entered through the web-based virtual keyboard.
________________________________________________________________________
Phone or Email Out-of-Band Authentication
  How it works: The user enters a code sent to them over the phone or through email.
  Vulnerability to Phishing 2.0: Because the user is online performing transactions, when the phone rings with the passcode, the user answers and enters the code into the website. The attacker's proxy site passes the code through, and a script changes the transaction that the code is verifying without the user knowing.
________________________________________________________________________
Knowledge-Based Authentication
  How it works: The user answers a series of personal questions.
  Vulnerability to Phishing 2.0: The attacker's man in the middle proxy automatically passes the questions to the user and returns the user's answers to the web site (after stealing the answers).
________________________________________________________________________

Why Are These Security Measures Vulnerable?
These measures are vulnerable to Phishing 2.0 attacks for some combination of the following reasons:
-- They rely on weak, easily spoofable information such as HTTP header information or IP geolocation
-- They rely on 'shared secrets' that must be sent over the Internet where an attacker can get them
-- They use only one-way SSL security (only the website has an SSL certificate) instead of two-way, which is the way SSL was designed to be used
"This is a sad reminder that even the best intended security solution may not remain effective over time. This attack serves as a wakeup call for financial institutions and others who use the internet to interact with their clients -- it's time to put technically sound user authentication measures in place to prevent this sort of attack," said Rebecca Bace, CEO of Infidel, Inc.
The TriCipher Solution
The TriCipher Armored Credential System(TM) (TACS) would have prevented the CitiBusiness Services Phishing 2.0 attack by protecting their One Time Password Tokens. An attacker attempting to proxy traffic from a user with a TriCipher Armored Credential would cause the user's login to fail -- and the attacker would get no useful information, not even the one time password used.
TACS defeats Phishing 2.0 attacks by removing reliance on shared secrets sent over the Internet and making it possible to use 2-way SSL. With two-way SSL, the server knows who's on the other end of the session via a strong digital signature that an attacker can't use to log himself in and can't spoof. This prevents Phishing 2.0 -- no shared secret to intercept and no ability to read or change transactions. With TriCipher Armored Credentials, users are authenticated with proven digital signature techniques made easy by TriCipher's patented technology.
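The one-way versus two-way SSL distinction drawn in the reasons list above and in this paragraph can be checked directly. The following Go program is an added example, not TriCipher's code and not a model of TACS; it uses only the standard library's crypto/tls and crypto/x509 to build a throwaway CA, a bank server certificate and a user client certificate (all constructed in memory), then runs TLS handshakes over an in-memory pipe for four cases: a bank that presents only its own certificate (one-way SSL) against the real user and against a relaying proxy, and a bank that also requires the user's client certificate (two-way SSL) against both. The names bank.example, alice.example and demo-ca and the Lab/LoginAccepted helpers are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 certificate for name: self-signed when parent is nil
// (the toy CA), otherwise signed by parent's key. Constructed PKI, not a real issuer.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := tmpl, key
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// Lab is the constructed PKI: one CA, the bank's server certificate and the user's
// client certificate. The user's private key exists only here; a relaying proxy never sees it.
type Lab struct {
	roots      *x509.CertPool
	bank, user tls.Certificate
}

func NewLab() *Lab {
	ca, caKey := issue("demo-ca", true, nil, nil)
	bankCert, bankKey := issue("bank.example", false, ca, caKey)
	userCert, userKey := issue("alice.example", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Lab{roots,
		tls.Certificate{Certificate: [][]byte{bankCert.Raw}, PrivateKey: bankKey},
		tls.Certificate{Certificate: [][]byte{userCert.Raw}, PrivateKey: userKey}}
}

// handshake runs one TLS handshake over an in-memory pipe and returns the bank-side error, if any.
func handshake(server, client *tls.Config) error {
	c1, c2 := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // safety net so a broken run cannot hang
	c1.SetDeadline(deadline)
	c2.SetDeadline(deadline)
	defer c1.Close()
	defer c2.Close()
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(c1, server).Handshake() }()
	_ = tls.Client(c2, client).Handshake() // the client sees the mirror-image error
	return <-errc
}

// LoginAccepted reports whether the bank lets this caller reach its login page. With twoWay
// the bank also demands a client certificate chaining to the CA (two-way SSL); otherwise only
// the bank has a certificate (one-way SSL). Only the real user holds the client key.
func LoginAccepted(l *Lab, twoWay, callerHasUserKey bool) bool {
	// TLS 1.2 is pinned so a rejected client certificate surfaces inside Handshake() on both sides.
	server := &tls.Config{Certificates: []tls.Certificate{l.bank}, MaxVersion: tls.VersionTLS12}
	if twoWay {
		server.ClientAuth, server.ClientCAs = tls.RequireAndVerifyClientCert, l.roots
	}
	client := &tls.Config{RootCAs: l.roots, ServerName: "bank.example"}
	if callerHasUserKey {
		client.Certificates = []tls.Certificate{l.user}
	}
	return handshake(server, client) == nil
}

func main() {
	l := NewLab()
	fmt.Println("user accepted  (one-way, two-way):", LoginAccepted(l, false, true), LoginAccepted(l, true, true))
	fmt.Println("proxy accepted (one-way, two-way):", LoginAccepted(l, false, false), LoginAccepted(l, true, false))
}
```

Under one-way SSL the proxy's handshake with the bank succeeds exactly as the user's does, so whatever the user types into the proxied page, a one time password included, can be forwarded inside a session the bank considers normal; that is the pass-through the table describes. Under two-way SSL the proxy fails at the handshake: the client's CertificateVerify signature is produced with a private key that never left the user's machine, over a transcript specific to that one connection, so the proxy can neither replay a signature it observed nor produce its own. Even if the phisher's own site asked the browser for the certificate, the resulting signature would cover the phisher's handshake rather than the bank's and would be useless for relaying. The example pins TLS 1.2 only so that the rejection is returned from Handshake() on both sides; with Go's default TLS 1.3 the bank still rejects the proxy, but the client only learns of it on its first Read.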
"When we deployed TriCipher's solution over a year ago, it was clear to us that such MITM attacks would start appearing," said Paul Darnell, Chief Operations and IT Director, Advanced Payment Solutions, a pre-eminent leader of general purpose pre-paid cards and payment solutions. "Using a combination of both the more economical PC2 Factor authentication credential, and TriCipher's Armored Token technology, we have protected our business from such attacks whilst preserving our investment in tokens."
The TriCipher Armored Credential System(TM) provides a variety of authentication types from a single system while also protecting security methods already deployed, including:
-- Passwords
-- Browser Cookie
-- Unique Picture & Text
-- Digital Certificates
-- PC 2 Factor & Security Presence Check
-- Hardware Device (USB Key, iPod)
-- Hardware One-Time-Password Token (RSA Security, VeriSign, Vasco)
-- Smart Cards
To login, the user simply enters their passcode into the bank's website. The TriCipher system performs the steps needed to create a digital signature to log in the user without changing the user experience. As attacks evolve, banks can move the user to stronger security based on risk, ensuring protection against the next wave of attacks with a single authentication infrastructure.
Note: In March of 2005, TriCipher issued a press release announcing the TriCipher Armored Credential System(TM) (TACS) and its ability to prevent Man-in-the-Middle phishing attacks.
http://www.tricipher.com/news/pr062.html
About TriCipher, Inc.
TriCipher, Inc. provides Future Proof Risk Based Authentication. The TriCipher Armored Credential System(TM) (TACS) is the first authentication system that enables companies to deploy and manage multiple types of credentials from a single infrastructure. Through this flexible "Authentication Ladder," TriCipher delivers future proof security -- protecting your investment by enabling authentication strength to adjust in response to new threats and regulatory changes without the need to implement a new infrastructure. In addition, TriCipher delivers risk based authentication -- preventing online fraud through seamless integration with fraud detection systems, secondary authentication systems and the ability to enforce security software presence checks for malware protection. Founded in 2000, TriCipher is headquartered in San Mateo, California. The company was incubated as NSD Security before launching as a separate entity in 2005 with backing from ArrowPath Venture Capital, Intel Capital, Trident Capital, and Wasatch Venture Partners.
TriCipher, Inc.
CONTACT: Sally Sheward of TriCipher, Inc., +1-650-372-1312, or sally@tricipher.com; or Elizabeth Safran of Trainer Communications, +1-408-920-0585, or tc@trainercomm.com, for TriCipher, Inc.
Web site: http://www.tricipher.com/
Source: PRNewswire