
The man-in-the-middle gets caught up in ID theft

Trying to stay one step ahead of ID thieves

Security Identity Management Alert By Dave Kearns, Network World
October 26, 2005 03:40 PM ET

As I mentioned in the last issue, the Federal Financial Institutions Examination Council (FFIEC) has issued new guidance for how financial institutions should plan to authenticate customers' online identities by the end of next year. These guidelines, which actually carry the force of mandates, did not recommend specific methods of strong authentication but did review some possibilities. Those included digital certificates, smart cards, one-time passwords, USB plug-ins and biometric identification methods as being more in line with the guidelines than the simple username/password combinations currently in use. In particular, the FFIEC believes that stronger authentication is needed to combat so-called "phishing" attacks.

Security vendors such as RSA are quick to point to European financial institutions as being far ahead of their U.S. counterparts in using tools such as RSA's SecurID one-time password-generation device. But are these really as secure as we think they might be?

Rebecca Bace is the CEO of Infidel, a security consultancy. She's also a venture partner with Trident Capital, specializing in network security. She learned her trade on the front lines, during 16 years at the National Security Agency, where she became one of the world's leading experts on intrusion detection and prevention. She's also a neat lady with a droll sense of humor as I learned when we were panelists at the recent Thor Technology Advisory Council meeting. She's just updated a presentation she gave at the RSA Conference 2005 called "Phishing 2.0". You can read the short article where you'll quickly find out that so-called strong authentication can also be described as weak security in many instances.

The problem Bace outlines is the same problem that Dan Blum, Network World colleague and Burton Group senior vice president, highlighted in his Weblog: One-time password (OTP) solutions are very susceptible to a man-in-the-middle (MITM) attack. Simply put, someone intent on stealing the details of your financial transaction sets up a proxy between the client and the financial Web site. By capturing and relaying the client's credentials, and returning what appear to be legitimate responses, the thief has, essentially, unlimited access to the client's account.

A recent news story points out that even low-tech OTP solutions can be thwarted. Some European banks issue booklets of one-time passwords that clients use in order. This latest phishing scheme might be called "Phishing 1.5" on Bace's scale: it directed bank clients to a fake Web site where the client was asked to enter the next OTP on their list, which was then quickly used to log in to the real bank.
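To make the weakness concrete, here is a small Python model of the two situations just described: a proxy relaying a freshly entered one-time password to the real bank, and the same flow when the code is bound to the transaction it authorizes (a transaction-signing approach, described here as a general mitigation, not as how any vendor named in this column works). This is an added, constructed example, not code from the column, from RSA or from TriCipher; the counter-based HMAC code, the shared seed and the "attacker-account" payee are all assumptions made for the demo.

```python
import hashlib
import hmac

# Seed shared between the customer's token and the bank (constructed for this demo).
SECRET = b"constructed-demo-seed"


def otp_for(counter: int, secret: bytes = SECRET) -> str:
    """Plain counter-based OTP: the code depends only on the event counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bound_otp_for(counter: int, amount: int, payee: str, secret: bytes = SECRET) -> str:
    """Transaction-bound OTP: the code also covers what the customer is approving."""
    msg = counter.to_bytes(8, "big") + f"{amount}|{payee}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Bank:
    """The real bank: checks the code for the current counter and advances the
    counter on success, so a captured code cannot simply be replayed later."""

    def __init__(self, bound: bool):
        self.bound = bound
        self.counter = 0
        self.ledger = []

    def transfer(self, amount: int, payee: str, code: str) -> bool:
        if self.bound:
            expected = bound_otp_for(self.counter, amount, payee)
        else:
            expected = otp_for(self.counter)
        if not hmac.compare_digest(code, expected):
            return False
        self.counter += 1
        self.ledger.append((amount, payee))
        return True


class Proxy:
    """The man-in-the-middle relay the column describes: it sits where the
    customer expects the bank, forwards the fresh code to the real bank, and
    substitutes its own transaction (constructed values)."""

    def __init__(self, real_bank: Bank):
        self.real_bank = real_bank

    def transfer(self, amount: int, payee: str, code: str) -> bool:
        return self.real_bank.transfer(5000, "attacker-account", code)


def run_scenario(bound: bool):
    """The customer approves a 100-unit payment, unknowingly through the proxy.
    Returns (accepted_by_bank, bank_ledger)."""
    bank = Bank(bound)
    proxy = Proxy(bank)
    counter, amount, payee = 0, 100, "electric-company"
    code = bound_otp_for(counter, amount, payee) if bound else otp_for(counter)
    accepted = proxy.transfer(amount, payee, code)
    return accepted, list(bank.ledger)


def replay_is_rejected() -> bool:
    """A captured code replayed after its first use fails: the counter moved on."""
    bank = Bank(bound=False)
    code = otp_for(0)
    first = bank.transfer(100, "electric-company", code)
    second = bank.transfer(100, "electric-company", code)
    return first and not second


if __name__ == "__main__":
    print("plain OTP via proxy:", run_scenario(bound=False))
    print("bound OTP via proxy:", run_scenario(bound=True))
    print("replay rejected:", replay_is_rejected())
```

The point the model makes is the one Bace and Blum make: the bank's replay check is doing its job (the second use of a code fails), yet in the plain-OTP case the thief's transaction still lands in the ledger, because a one-time code proves only that someone holds the token, not what that someone approved. Binding the code to amount and payee means a relay that changes the transaction is rejected; a relay that forwards everything unchanged still gets through, which is why this mitigation only limits the loss to what the customer actually saw and approved, and why the details must be shown to the customer on a device the proxy cannot rewrite.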

I should point out that one of the vendors Bace advises is TriCipher, whose TriCipher Armored Credential System (which I wrote about last spring) is specifically touted as preventing MITM phishing attacks. I should also point out that she talked her venture capital firm into investing in TriCipher because it paid attention to MITM attacks.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
