Blog article
See all stories »

Hacking, OTPs and next generation of Authentication Methods

 

The following authentication scenarios discussed here apply to a simple connection between a client and his online banking website. After reviewing the most dangerous hacking techniques, we will see what solutions can be implemented.

 

What is a Man-in-the-middle (MITM) attack?

A MITM attack is an active eavesdropping in which the attacker combines several techniques to make the two legitimate entities think that they are interacting directly in a secure connection when in fact the attacker controls the data being exchanged. An example of simple MITM is a combination of sniffing and spoofing. Sniffing is used to ‘see’ the data packets that are sent to the end user by the bank. Spoofing is the act of forging the user’s IP address in messages sent to the bank’s website.

 

What is a Man-in-the-browser (MITB) attack?

A MITB is one of the most advanced attacks used by hackers. The malware (often a worm) does not reside in the usual locations (storage hard drive, etc.) but installs itself inside the browser application, this is why it is so hard to detect and remove. Most of MITBs were specific to one browser and one bank’s website. Newer versions extend to different browsers and various banks’ websites. In simple terms, a browser is usually composed of a GUI (Graphic User Interface) and an engine (among other components). The MITB consists in controlling data exchanges between the GUI and the engine, displaying whatever the hacker wants to the user and sending exactly what he wants to the bank.

 

Why are One Time Passwords (OTP) sensitive to these hacking attacks?

All 1-way authentication methods (with or without OTPs) are sensitive to MITM and MITB.

To make things pretty clear, showing an OTP (or biometrics, smart cards…) during a simple 1-way authentication with the presence of a MITM or MITB is like showing your ID (passport, fingerprints…) to a fake police officer. In fact, the user is “strongly authenticated” but to the wrong person.

Hacking a classical 1-way authentication is like a walk in the park even for a junior hacker. Indeed, many techniques are available to the attacker in order to impersonate the legitimate end-user.

The incoming and outgoing data channels can be controlled by the hacker.

The hacker can spoof the IP address of the end-user to fool the bank, he can perform sniffing to know whatever is sent to the end-user, he can redirect the traffic of the user to fake sites that he controls (via the host file or DNS hack).

Ultimate hacking technique is performed by setting up a Man-in-the-browser attack, where the malware resides inside the browser of the end-user. This type of technique is most of time not detected by anti-viruses, IPS or other security software as they are specific to the environment.

 

What is the point in using OTP then?

The main interesting feature about OTPs is that they cannot be replayed.

“Time based” OTPs are the best (compared to “event based” OTPs). Time based OTPs are based on the time they were generated, where event based OTPs are triggered by the event itself, meaning the OTP chain does not change and you jump from one OTP to the other.

OTPs though not perfect, are still way more secure than a simple static password or token.

 

How can I protect a connection between 2 entities from MITM?

The only way to realize a secure connection between 2 entities is to… involve a 3rd entity. The goal is to perform strong MUTUAL authentication. The point is to use the same approach as the hackers with the difference of providing positive security effects.

In this model, the 3rd party acts like a “good man in the middle”. The 3rd party’s purpose is to validate the legitimate identity of the two parties who want to engage each other in a secure connection and to prompt the 1st party to enter an OTP only after validating the second party.

A trusted 3-party model makes it harder than ever for hackers. They have to take control of 6 channels of communication (+ 1 out-of-band channel) which includes 4 channels between business entities instead of 2 channels between 1 business entity and 1 weak link which is the user in a 1-way authentication.

The integration of an out-of-band channel to send the OTP to the first entity makes it impossible for hackers to control the overall scheme.

 

How can this process be insensitive to MITB?

A 3-party scheme (including an out-of-band channel) in which communication between 1st and 3rd party does not involve communication via a browser application makes the process insensitive to MITM and MITB.

 

Additional features considerations

Such a model combines the strengths of different techniques.

The system also has to include tamper resistant features such as the ones provided by sandbox architecture (multi-process with controlled inter-process communications) and include its own self-defense modules. This delivers another hurdle for hackers who try to test the security on the end-user’s computer. Even if a hacker finds a way to force the application to execute code at the process level, the hacker would not be able to execute it out-of-the-box, meaning this hack would be useless and could not harm the user’s computer or compromise the authentication or transaction validation process.

For obvious cost efficiency reasons it should also be compatible with the authentication devices and methods already in place and those to come.

 

 

A solution like this exists. It is just up to the banks or business entities to care enough about their customers to implement it. Now that revenues are impacted but rampant online fraud, businesses should consider implementing an efficient solution that would benefit everyone but hackers.

 

3-Party Mutual Authentication Scheme
16165

Comments: (3)

A Finextra member
A Finextra member 18 April, 2009, 18:54Be the first to give this comment the thumbs up 0 likes

While the OTP you describe may seem a good idea on the surface, it does do little to provide real security and is really another Titanic headng for an iceberg. The approach isn't reallly flexible enough to be useful in enough situations to make it a practical solution worthy of any consideration.

I wonder whether 'generation' is the appropriate word, unless I perhaps we mean like bacteria have generations every second, as it seems the last generation usually fails before it gets out of the cradle. These new security methods which all rely on similar and generally poorly thought out methodologies probably are more aptly described as 'incantations'. They generally prove to be of as much use as an incantation. Placebo's.

The right approach will address many needs in a simple way for the vast majority of people, is mindful of apprehension as well as prevention, and is capable of absorbing new technologies into the method. While the perfect solution will never be absolutely perfect, certain imperfections can be managed, especially if you already know what they are.

The OTP you described isn't up to the job and I'd conclude it is a waste of money.

The right trusted third party approach can have a great deal more complexity or factors than those you describe and still remain a simple process for users, in signup, during use, and when something goes wrong.

We coined the term multi-vector, mutli-factor for what we do, with double digit factors, while the rage was two. 'Out-of-band' and out of the ballpark for hackers because it comes down to actual physical possession and cooperation, beyond the realm of hackers.

I can hear a few snickers from the shadows, but the only opportunity we've allowed hackers in our solution is the opportunity for them to pay for your purchase, so we'll see who pays for the Snickers.

There's certainly a lot more to it than the diagram, if it was that easy, everyone would be doing it already.

Cedric Pariente
Cedric Pariente - EFFI Consultants - Paris 18 April, 2009, 23:27Be the first to give this comment the thumbs up 0 likes

Hi Dean,

Thank you for your comments.

As you were foreseeing it, there's a lot more in such as solution than what I've shown in this blog. But going too technical on this blog would not be interesting for all the readers.

The main message of this blog is simple:

1-WAY AUTHENTICATION IS DEAD.

It is useless, a real waste of time and money used alone as is.

I do not share your point of view regarding the mutual authentication, it really is the next generation of authentication methods. Actually I consider it more as a process in which we can use more than what I've described in my diagram.

I'm showing a scheme with a mobile phone, but this scheme is compatible with any kind of existing authentication tool, thus easing the transfer to the new generation of protocols.

Cedric Pariente
Cedric Pariente - EFFI Consultants - Paris 18 April, 2009, 23:36Be the first to give this comment the thumbs up 0 likes

I wanted to add a comment on the 1-way authentication.

I was provocative on purpose but I should stay humble regarding the pioneers of the 1-way authentication who did a really good job. We have to remember that the solutions we are using today were created 'yesterday' and were perfectly answering the 'known problems' at that time.

Moreover the type of approach I'm proposing is 100% compatible with any existing 1-way authentication system, device or tool existing on the market.

It would be a waste not to use these tools as most of them perfectly answer the problematics of 1-way authentication.

Cedric Pariente

Cedric Pariente

Stanford Certified Project Manager

EFFI Consultants

Member since

20 Dec 2008

Location

Paris

Blog posts

23

Comments

45

More from Cedric

This post is from a series of posts in the group:

Transaction Fraud Systems and Analysis

A community for discussion of Transaction Fraud systems and anlaytical techniques for bank card and financial services organisations.


See all