Monday, July 9, 2007

News Flash: Two Factor Authentication Hacked

Sometimes it takes a long time for news to reach people.

Technology vendors know this, and some go to great lengths to try and get rich in the gap between the release of the news of a hack and their customers' realization of it. The hacking of two-factor authentication is one such example.

Two-factor authentication was supposed to save online banking and e-commerce. It arrived on the scene over twenty-five years ago, was productized into marketable form a decade ago, and finally found its market at the turn of the century: online banks.

Despite the massive costs involved in procuring, customizing, configuring, distributing and supporting two-factor authentication, several banks signed up - along with the monetary authorities of several leading high-tech countries.

The first cracks in two-factor authentication were whispered about several years ago, but they showed up in force last year (2006) when two leading figures in the industry, Mikko Hypponen of F-Secure and Zulfikar Ramzan of Symantec, both weighed in and essentially called it "game over" for 2FA when asked to comment on a hack targeting Citibank customers.

The reason? It turns out that two-factor authentication *does not* protect online banking customers against a real-time man-in-the-middle phishing attack: a phisher who sits between the customer and the bank can simply forward the one-time code to the bank while it is still valid. In fact, Ramzan went on to say, essentially, that two-factor works well against dummies, but is not nearly so great in real time - especially when it comes to an attacker that's serious about getting your money:

"...if an attack is more sophisticated and the phisher can use the credentials in real time, we are the ones out of luck. I believe that two-factor authentication security will be almost futile when we tackle the next generation of phishing attacks."
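To make the point above concrete, here is a small Python simulation (example code written for this edit, not from the post and not Authentium's code). It uses an HMAC-based time code in the style of the standard OTP algorithms, with a constructed shared seed, constructed hostnames and a constructed timestamp. The bank accepts a plain code from whoever submits it inside the validity window, so a code typed into a look-alike site and forwarded a few seconds later passes. A second mode, assumed here purely for illustration, has the client mix the origin it is actually connected to into the code; the bank recomputes with the origin it received the login on, so a code produced for the look-alike site fails at the genuine one. The "relay" is just a function call with a delay; there is no network code.

```python
"""Added example for this edit (not code from the post or from Authentium).
Simulates why a plain one-time code does not stop a real-time
man-in-the-middle phish, and how binding the code to the origin the
client is actually talking to changes the outcome. All seeds,
hostnames and timestamps below are constructed for the demo."""
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-seed"  # seed shared by the user's token and the bank
STEP = 30                            # seconds each code stays valid
DIGITS = 8                           # code length; 8 keeps accidental matches negligible
REAL_ORIGIN = "bank.example"         # the bank's genuine hostname (constructed)
PHISH_ORIGIN = "phish.example"       # look-alike site the user was lured to (constructed)


def hotp(secret: bytes, counter: int, extra: bytes = b"") -> str:
    """HMAC-based one-time code with RFC 4226 style dynamic truncation.
    `extra` is mixed into the MAC input so the code can be bound to data
    (here: an origin) that a relaying attacker cannot change."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def client_code(now: int, origin_client_sees: str = "") -> str:
    """What the user's token/browser produces at time `now`.
    Plain mode (empty origin): a code over the time step only.
    Bound mode: a code over the time step *and* the origin it is connected to."""
    return hotp(SECRET, now // STEP, origin_client_sees.encode())


def bank_verify(code: str, now: int, origin_bank_received_on: str = "",
                skew: int = 1) -> bool:
    """Bank-side check. Accepts codes from the current step plus `skew`
    neighbouring steps (clock drift). In bound mode the bank recomputes with
    the origin on which *it* received the login, never a client-supplied one."""
    extra = origin_bank_received_on.encode()
    counter = now // STEP
    return any(
        hmac.compare_digest(code, hotp(SECRET, counter + d, extra))
        for d in range(-skew, skew + 1)
    )


def relay_scenario(now: int, relay_delay: int = 5) -> dict:
    """User types a fresh code into the look-alike page; it is forwarded
    to the real bank `relay_delay` seconds later. Returns the bank's
    decision for each mode."""
    plain = client_code(now)
    bound = client_code(now, PHISH_ORIGIN)  # client binds to the origin it actually sees
    return {
        "plain_code_relayed": bank_verify(plain, now + relay_delay),
        "bound_code_relayed": bank_verify(bound, now + relay_delay, REAL_ORIGIN),
    }


def legitimate_scenario(now: int) -> dict:
    """The same user logging in directly at the genuine site."""
    plain = client_code(now)
    bound = client_code(now, REAL_ORIGIN)
    return {
        "plain_code_direct": bank_verify(plain, now),
        "bound_code_direct": bank_verify(bound, now, REAL_ORIGIN),
    }


if __name__ == "__main__":
    T = 1_000_000  # constructed timestamp
    print(relay_scenario(T))       # {'plain_code_relayed': True, 'bound_code_relayed': False}
    print(legitimate_scenario(T))  # {'plain_code_direct': True, 'bound_code_direct': True}
```

The design choice worth noticing is where the origin comes from on each side: the client uses the origin it is genuinely connected to, and the bank uses the origin it genuinely received the request on. Neither value is carried in the message, so a relay that changes the path between them changes the result. A code over time alone carries nothing about the path, which is exactly why forwarding it within the window works.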

Ross Anderson of Cambridge University's Computer Lab goes even further. In an address to the e-Crime Congress in London in May 2007, he outlined the vulnerabilities involving two-factor authentication and further warned:

"Banks are resisting because their technical staff know that it will be expensive to introduce and will not be effective. Some banks will introduce it, it will be quickly broken and then quickly forgotten."

Of course, cost is an issue: It can cost more than $50 per customer to procure, customize, configure and distribute a physical token. But the real issue here is trustworthiness, ROI and real risk reduction.

Two-factor or single-factor, it doesn't matter. Client-side security is not sufficient when it comes to thwarting a man-in-the-middle hack. A comprehensive, end-to-end, client-to-server security solution (such as Authentium VirtualATM) is the only kind of solution capable of protecting banking customers against fast-evolving forms of malware involving non-trusted downstream devices and the compromise of a branded, trusted channel of communications.

Used in combination with two-factor client-side authentication, or without additional forms of authentication, Authentium VirtualATM could radically reduce the kinds of crimes now being planned by sophisticated online criminals by eliminating man-in-the-middle attacks and forcing criminals towards softer, or less-valuable, targets.

Note: sometimes "two-factor" ain't exactly "two-factor". For a great article on this, check out Bruce Schneier's comment here.
