I was listening to episode 103 of SecurityNow, and all in all it was a good episode. However one thing that baffled me (ok, maybe not so much because I didn’t have high expectations), is the fact that nowhere in the process did they ask about man-in-the-middle type attacks (although they mentioned it briefly when talking about SiteKey and BofA).
Now I don’t want to bash businesses here, but lets look at the future (or at least how I imagine it – I’ve been known to have a wild imagination :-)):
- PayPal successfully launches its security key program
- Marketing will try to sell it as the the best thing since sliced bread, AKA the perfect security solution
- It gets a considerable user base from the lines of the PayPal/eBay users (lets say 30%). Not only will these 30% be a considerable part of the users, most probably they will be the most active / the people with the most money in their accounts, because probably they will be the most worried about the security of their accounts.
- The attacks will shift in a very short time from off-line (eg. steal your password and use it later) to on-line / real-time man-in-the-middle attacks.
What do I mean on-line/real-time man-in-the-middle attacks?
Imagine this: the user gets infected with a malicious piece of code which follows every browser request (yes, it can do this despite of HTTPS/SSL/TLS, because it would operate locally before the encryption is applied) and modify the request to redirect founds, or to detect that the user successfully authenticated and then issue some automated transfers. Similar pieces of code are already in the wild, although they are currently (only) used to insert advertisement to unsuspecting third party pages, but the above modification would be trivial.
An other factor which will contribute to the problem is that the
mobility of larger number of people is slower (maybe exponentially slower) than those of smaller number of people, because of the communication overhead. In a concrete manner: the attackers can change their tactics very quickly both because they are few (as compared to the employees of eBay and their customer base) and because (from a technical tooling view) they follow a hierarchical structure (that is, there is a very small group of people with the technical knowledge, who supply the tools to the larger – but still small – community of people who actually use them). This hierarchical way of communicating is much more efficient than the semi-chaotic communication which goes on between a company and their user base. Also, the communication between the
bad guys is of much higher priority (for them) than the message put out by a company for their customers (eg. If X sends a message to Y saying
here is the new version of the tool which can get around the new security measures of Z, this communication is of much higher value to them, and it is much more probable that they will listen / react to it, than a customer getting a security notice or something similar from a company).
My conclusion is (which you are free to agree or disagree with – I’m waiting for your comments) that as soon as this technology gets any significant usage, we will see the scenario described above become a reality very quickly. And not just for eBay/PayPal but for all the participants of this program. The problem is not with the technology itself, but (as it frequently happens) with the way it is used and the fact that its limits are not properly understood by many of the people using it. The most important aspect of this is that these technologies only focus on authentication, leaving aside the problem of message integrity/authenticity! That is, after they build up a connection between the client device and the server device, authenticating both ends, their job is done. However there is still a complicated layer of technology on the client machine (like the browser, operating system and malware) which can modify transactions and/or create transactions on the fly!
On the long run this will mean that cost of implementing this solution is money thrown out of the window. (Then again as one of my favorite quote from economics says
Long run is a misleading guide to current affairs. In the long run we are all dead. – John Maynard Keynes). So why are companies using these solutions as opposed to more secure solutions which are already being deployed by other companies in the same business (read the description of ING described in this post for an example)? I can only theorize, but a few reasons may be:
- Lack of information on the part of the decision maker, who might not be a technical person and relies on his/her technical advisors to provide the information
Update: see episode 56 of the Linux Action Show, where they explain how the CIO magazine (which you can consider a type of advisor) gets it all wrong when it talks about Linux in the enterprise (again you can theorize if this was pure lack of knowledge from the part of the article writer, the fact that he believes everything PR/marketing departments feed him or he actually gets payed to try to twist things).
- Misleading information from the vendor (in the same vein as
nobody got fired for buying IBM, the solution vendor X must be good since (a) they are successful, (b) they say they hold a lot of patents and (c) it solves the current attacks)
- Other factors, like
small attentions(as they say it here in Romania) from an interested party (which may be a vendor, a consultant, etc) to the decision maker
- And finally: it is real possibility (although I don’t think that it happens very much) that the costs (like user training, user annoyance) and benefits (like the fact that this actually reduces the fraud on the short term) got carefully weighted and the result was such that it made sense to implement this solution, while possibly preparing the roll-out of a more complex solution in the long term.
Two final thoughts: in the show Leo mentions that it is still possible to log-in even though the one-time password is not provided, by answering a
secret question. This still leaves the system vulnerable to off-line abuse, since a man-in-the-middle attack can be performed, where the attacker claims that there was a
system error or an other plausible exceuse and asks the user for his/her answer to the secret question. Using these data, the account can still be used by a third party without needing to possess the token. I understand the convenience aspect of the problem, but there are other solutions (like SMS-ing an one-time password to a predefined number – something that even got mentioned in the show) which are much more secure.
And also: because of this hierarchical or layered structure of the (semi-)organized-crime, antivirus companies have still a long life ahead of them. The reason being that, although there are a very great number of people perpetrating electronic crime, only a very small percent of them actually create their own tools, the others live off of their back, which means that the AV needs to be able to detect only a smaller number of malware. This small group of people may also employ algorithms to create different variants of the same malware (essentially creating a program which creates a program), but given that computers are deterministic, these algorithms can be reversed and AV products can provide methods to detect every piece of malware produced by the given algorithm.