Phishing and Two-Factor Authentication
In many cases we use passwords to authenticate ourselves on Web sites where we make transactions, but passwords represent only one mechanism for authentication. Passwords are “something we know” (and something that, hopefully, no one else knows). However, there are other ways of authenticating ourselves. For example, we can use “something we are”, such as a fingerprint or other biometric, or even “something we have”, such as an access control card. “Two-factor authentication” refers to the concept of combining two distinct factors drawn from “something we know”, “something we are”, and “something we have”. Two-factor authentication provides much stronger guarantees when compared to using just one of these means of authentication.
One of the most popular forms of two-factor authentication involves the use of a hardware token that displays a sequence of digits that changes at set intervals. To authenticate ourselves on a network using this method, we provide our regular password in conjunction with the sequence of digits that appears on the hardware token screen at the moment we are entering the password. While the sequence of digits on the token changes periodically, in what appears to be an unpredictable way to anyone looking at the token, a server is capable of validating the sequence at any given point in time. The password represents “something we know” and the token represents “something we have”. One of the biggest benefits of two-factor authentication tokens is that even if our password is somehow leaked, we are still protected because only we should be in possession of our unique hardware token. Some people have gone as far as claiming that, as a result, the widespread deployment of such tokens will solve the phishing problem. In my opinion, generally speaking, this assertion is false.
Allow me to explain. Suppose that I browse to a phishing site accidentally and provide the site with a username, password, and the current sequence of digits on the hardware token that is associated with a legitimate Web site that I transact with. As soon as I have done this, the phisher controlling the malicious Web site will learn all of this information. Of course, if the phisher tries to use this information to log into my account at a later time, he or she will be unsuccessful, because the sequence of digits on the hardware token will have changed by then, and, since the phisher does not possess my token, he or she will be out of luck. There is one subtle problem with the claim I have just made in the previous sentence. If the phrase “at a later time” actually means “in one day” or “in one hour”, then the statement is fine. But what if “at a later time” actually means “in five seconds” or “immediately after I enter my credentials”? In that case, the sequence value on the token is still valid; a phisher can go ahead and use it to log into my account and wreak havoc. (Alternatively, a phisher can simply hijack the current, authenticated session.)
These days, most typical attacks don’t engage in this level of sophistication. Usernames and passwords are still collected, but it is usually some time before they are used. Two-factor authentication tokens work well against these very simple-minded attacks. However, if an attack is more sophisticated and the phisher can use the credentials in real time, we’re the ones out of luck. The community of security researchers has always known that real-time attacks are quite possible, and in fact a prototype demonstrating such an attack was displayed at the April 2006 meeting of the Anti-Phishing Working Group. At that time, we still felt a certain sense of comfort that phishers were not actually attempting such sophisticated attacks. Sadly, that no longer seems to be the case. Just this past week, a phishing attempt against Citibank contained a field for the entry of a two-factor authentication token value. The window of opportunity (the time during which the value shown on the token remained valid) was a mere 60 seconds. This seems to suggest that the perpetrators were prepared, and ready to use these credentials immediately after they were submitted.
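To make the timing argument concrete, the following is an added example (not code from the original post, and not any vendor's token implementation). It models a time-based token of the kind described above, using an RFC 6238-style HMAC code with an assumed 60-second step, and a server that validates it. Running it shows the two cases the post distinguishes: a captured code submitted an hour later fails, while the same code submitted five seconds later is accepted. It also adds one server-side check that is an assumption of this example, not something the post describes: each code is accepted only once per time step. That check blocks a later replay of a code that has already been consumed, but it does not close the real-time gap, since whichever party submits the code first is the one the server accepts. The secret and timestamp are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumed validity window, matching the 60-second window discussed above
DIGITS = 6          # assumed code length


def token_value(secret: bytes, now: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code shown on the token at time `now`: HMAC-SHA1 over the time-step counter,
    dynamically truncated to `digits` decimal digits (the RFC 4226/6238 construction)."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class TokenServer:
    """Minimal server-side validator for the token codes (example only)."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # username -> shared token secret
        self.consumed = set()       # (username, counter) pairs already used once

    def validate(self, username: str, code: str, now: float) -> bool:
        secret = self.secrets.get(username)
        if secret is None:
            return False
        counter = int(now // STEP_SECONDS)
        # Constant-time comparison against the code expected for this time step.
        if not hmac.compare_digest(token_value(secret, now), code):
            return False
        # One-time use: a code that already authenticated a login in this step is rejected.
        if (username, counter) in self.consumed:
            return False
        self.consumed.add((username, counter))
        return True


def demo() -> tuple:
    """Returns (late_replay_accepted, realtime_relay_accepted, second_use_accepted)."""
    secret = b"constructed-demo-secret"          # constructed, not a real token seed
    server = TokenServer({"alice": secret})
    t0 = 1_700_000_000                           # constructed timestamp, 20 s into its 60 s step
    code = token_value(secret, t0)               # the value the user reads off the token

    late = server.validate("alice", code, t0 + 3600)   # used an hour later: the step has moved on
    realtime = server.validate("alice", code, t0 + 5)  # used five seconds later: still valid
    second = server.validate("alice", code, t0 + 10)   # same code again in the same step: consumed
    return late, realtime, second


if __name__ == "__main__":
    late, realtime, second = demo()
    print(f"replay after an hour accepted: {late}")
    print(f"relay after five seconds accepted: {realtime}")
    print(f"second use of the same code accepted: {second}")
```

The one-time-use set is what a server can do on its own; it stops the captured code from being reused after the legitimate login, and it makes a successful relay visible in logs as a rejected second attempt from the real user. Detecting that pattern (a valid code accepted from one client address and the same code rejected moments later from another) is a more useful signal than the token value itself.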
In an earlier blog entry I commented that we are in an arms race, where phishers are leveraging more sophisticated techniques to circumvent the technologies being put forth by the security community. This new attack further supports that claim, but please don’t get me wrong. I think that two-factor authentication tokens are very useful. They help provide security against the threat of password leakage and do protect against very simple phishing attacks. However, as with any security technology, it’s important to understand what it can and cannot do. In this regard, I believe that two-factor authentication security will be almost futile when we tackle the next generation of phishing attacks.