1) user (Alice) wants to log in
2) attacker (Bob) uses (whatever attack) to MITM the request to the destination server.
3) Bob sends Alice’s auth credentials to destination server
4) Destination Server prompts user for request
5) Bob offers the prompt to Alice
6) Alice enters “transfer $1K to this account”
7) Bob hijacks the response, changes it to “transfer $2K to my account”
8) Destination Server holds account transaction
9) Destination Server passes request to Two-Channel system
10) Two-Channel system contacts Alice (say, over phone), offers transaction details.
11) Alice doesn’t confirm, because she doesn’t want Bob to get her $2K.
The banks, on the other hand, may be in the position to do something about this, but it’ll cost them some real money.
I posted more about this on another blog here: http://blogs.technet.com/rhalbheer/archive/2007/07/13/only-the-easiest-way-is-the-secure-way.aspx
Regardless, active MITM attacks are still the minority. PhoneFactor adds security in enough dimensions that it’s clearly a win for any IT department, particularly given the price (free!).
@anonymous 2: Text messages have their drawbacks too, of course: lots of people don’t know how to use them, they tend to be billed differently by cell phone providers, and most of all, they can’t be integrated as easily into existing applications like Windows and RADIUS without significant changes in user experience.
And regarding the point about reception – there’s a very very narrow window in which text messages work (fast enough to be practical) but voice calls don’t. In practice, we’ve never run into complaints about coverage, and besides, PhoneFactor works with land lines as well, so you can just use your home phone if your cell phone is out of range.
Text messages clearly have their place, and we can definitely agree that the time has come for using the phone as the second factor. Tokens everywhere are quaking in fear. 🙂
Thanks for the kind words about PhoneFactor!
Steve Dispensa
Chief Technology Officer
Positive Networks
(the PhoneFactor people)
Gardanto has a product called Nedu that does the same thing but uses text messaging to deliver the one time password.
There are a few advantages to using text messages, one of which is that it will work much better in low-reception areas. It is sold as service (follows the SaaS model) so you can be using it 10 minutes after you finish reading this.
(Disclaimer: I am an employee of Gardanto, not just because of the pay 🙂 but because we build some really cool stuff here).
Check out this video:
http://video.google.com/videoplay?docid=2288395847791059857&hl=en
1) User wants to log in.
2) Attacker does a DNS poison and sends the user's request to his server.
3) He (the attacker) then opens a new session with the real auth server.
4) User is given a fake login page to enter his data.
5) This is directly forwarded to the attacker's server, where he just resubmits the data to the real server.
6) Now the user is placed a call by the server and asked for permission to authenticate, as he is logging in in real time.
7) User gives his code (the real code, to the server) to log in.
8) Server gives access to the user as he provided the real data, BUT in turn the server is authenticating the bad guy, and he has access to all the user info.
To perform this attack the attacker need not compromise the user's GSM network; he just has to automate the user request in real time, which can be done with a $100 kit available in the criminal underground.
mitmwatcher.wordpress.com
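The two numbered scenarios in this thread (the transaction-confirmation call in the first, the login-only approval call in the second) differ in exactly one thing: what the second channel reads back to the user before asking for a yes. The Python model below, added here as an illustration and not code from PhoneFactor, Gardanto or any commenter, plays both out in-process. Alice, Bob, the `Bank` class, the session and account identifiers and the credentials are all constructed for the example; the only switch is whether the phone prompt at transfer time carries the amount and destination account.

```python
"""Toy model of the two phone-as-second-factor MITM scenarios above.

Added example, not code from any product or commenter. Alice, Bob, the bank
and the phone channel are all simulated in this one process, so it runs
offline; all names, credentials and account numbers are made up.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transfer:
    amount: int
    account: str


@dataclass
class Alice:
    """Legitimate user. Password and intended transfer are constructed."""
    password: str = "correct-horse-battery"
    intended: Transfer = field(
        default_factory=lambda: Transfer(1000, "ACCT-ALICE-SAVINGS"))

    def credentials(self):
        return ("alice", self.password)

    def answer_phone(self, prompt):
        """Out-of-band prompt: ('login', None) or ('transfer', Transfer)."""
        kind, details = prompt
        if kind == "login":
            # She really is logging in right now, so she approves. This is
            # precisely why the real-time relay in the second scenario works.
            return True
        # For a transfer she compares what is read to her with what she typed.
        return details == self.intended


class Bank:
    """Destination server. `bind_transaction` selects whether the phone call
    at transfer time carries the amount and destination account."""

    def __init__(self, user: Alice, bind_transaction: bool):
        self.user = user
        self.bind_transaction = bind_transaction
        self.sessions = set()
        self.executed = []
        self.phone_calls = []

    def _call_phone(self, prompt):
        # The second channel: rings the registered phone, not the web session.
        self.phone_calls.append(prompt)
        return self.user.answer_phone(prompt)

    def login(self, username, password):
        if (username, password) != self.user.credentials():
            raise PermissionError("bad credentials")
        if not self._call_phone(("login", None)):
            raise PermissionError("login not approved on phone")
        sid = f"sess-{len(self.sessions) + 1}"
        self.sessions.add(sid)
        return sid

    def transfer(self, sid, req: Transfer):
        if sid not in self.sessions:
            raise PermissionError("no session")
        if self.bind_transaction:
            # Hold the transaction; the two-channel system reads the amount
            # and account back to the user and waits for a yes.
            if not self._call_phone(("transfer", req)):
                return "declined"
        self.executed.append(req)
        return "executed"


class Bob:
    """Active MITM. Alice talks to Bob believing he is the bank; Bob holds
    the only real session with the bank."""

    def __init__(self, bank: Bank):
        self.bank = bank

    def run(self, alice: Alice):
        # Credentials captured from Alice and replayed in real time.
        sid = self.bank.login(*alice.credentials())
        # Alice submits her transfer; Bob rewrites it before it reaches the bank.
        tampered = Transfer(alice.intended.amount * 2, "ACCT-BOB")
        return self.bank.transfer(sid, tampered)


def run_scenario(bind_transaction: bool):
    """Returns the outcome of Bob's tampered transfer and what the bank saw."""
    alice = Alice()
    bank = Bank(alice, bind_transaction)
    outcome = Bob(bank).run(alice)
    return {
        "outcome": outcome,
        "executed": [(t.amount, t.account) for t in bank.executed],
        "phone_prompts": [kind for kind, _ in bank.phone_calls],
    }


if __name__ == "__main__":
    for bound in (True, False):
        print("transaction details on the phone:", bound, run_scenario(bound))
```

With the transfer bound to the phone prompt Alice hears "$2000 to ACCT-BOB", declines, and nothing executes; with a login-only prompt she approves her own login, Bob's relayed session is the one the bank trusts, and the tampered transfer goes through without any further call.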