On Sun, 2005-01-16 at 17:38 +1100, Lyal Collins wrote:
To eapnd on this, there is nothing the stop the phisher capturing the entire
session (i.e MITM tunneling), even using a valid OTP token to logon, and
even a second OTP token to 'authenticate' a transaciton.
With tunneling the entire session, the attacker can easily present the user
with screens saying "transfer $200 to mum" while telling the banking site to
'transfer $1000 to joe@hacking.site.somewhere"
Not quite correct. Obviously you haven't used these token schemes.
Most transactions that are authenticated/confirmed by tokens do include
the values themselves. For example:
Src Acct: 123-456
Dst Acct: 333-222
Amount: $1,000,000
AuthCode: (to be entered by user from token)
The user receives/enters the values above, enters these into his token
which will present a unique value (auth code) tied to his token, but
also to the values. That means if a MITM hacker changes an account
number or other value, the authentication code would different. Since
the attacker does not have access to the users token, he can not
generate a correct authentication code, and thus the transaction is
invalid.
Vasco's tokens are widely used amongst the financial industry (perhaps
more so in Europe then the US). Back in the mid-late nineties when I
worked with these tokens, they had a nice demo on their website that
would explain/test the process. It could be used with their physical
demo tokens, or the virtual token online. If you like further info on
this process and a demo, see their web page. Maybe the demo is still
online.
In summary: Tokens don't just authenticate the user or the session, they
are also used to authenticate *transactions*, which is exactly how MITM
attacks are defeated. An attacker intercepting the transaction can not
change values without invalidating the authentication code.
Regards,
Frank
signature.asc
Description: This is a digitally signed message part
