No Silver Bullet
While a well-designed system using two-factor authentication can be very secure, simple two-factor authentication is not secure against phishing, pharming, and man-in-the-middle attacks. That has led some people to question its usefulness. However, here again the term two-factor authentication conceals as much as it reveals.
- The most rudimentary form of a man-in-the-middle attack is to simply listen in on a transaction and harvest information. Although there are many ways to safeguard against this type of attack, such as using Secure Sockets Layer (SSL) to protect the transaction against eavesdroppers, it's still one of the most popular and potent forms of attack because most network traffic is not encrypted.
- A more sophisticated example of a man-in-the-middle attack is pharming—the process of redirecting the unsuspecting user to a phony web site. This strategy works by corrupting a DNS server somewhere on the Internet and substituting phony IP addresses for real ones. Because almost everyone uses the URL (such as http://www.mybank.com) rather than the IP address, the corrupted server redirects the unsuspecting customer to a criminal's web site, where information can be harvested, transactions spoofed, and all kinds of other nasty things can happen.
- Phishing, of course, is the process of tricking the victim into revealing identifying information, such as PINs or credit card numbers.
Some forms of two-factor authentication have features to protect against such attacks, including encrypting transactions and ID information, changing keys constantly, and handling authentication information only in a highly protected space inside the system. A number of vendors have systems that make such attacks much more difficult. TranSend, for example, has a product that uses a challenge-response system with the party on each end of the transaction generating an encrypted key that the other party can decrypt and recognize. The responding party, such as a bank or merchant, uses a system built around the IBM 5000 series cryptography board to automatically generate keys in a highly controlled space. The initiating party, such as a customer, uses a protected hardware device to generate his or her key. Because the keys can change minute by minute or even faster, it's extremely difficult to mount an effective man-in-the-middle, phishing, or pharming attack against such a system.
Similar systems are available from many vendors. E*Trade employs a similar system from RSA Security; E*Trade customers can be issued devices (the size of a credit card) that produce a six-digit identification code with the press of a button. The customer attaches the code to his or her password. Since the codes change every minute, the chances of a successful man-in-the-middle attack are greatly reduced.
"The great strength of SecurID is that the token code is changing every minute," says Karl Wirth, Director of Product Management for Authentication Solutions at RSA Security Inc. "It's only valid for a very short period of time. Assuming someone got your PIN and your token code, that would only be valid for a minute." One further variation, Wirth points out, is to hash the token code with the PIN to produce what's entered into the banking site. Even if someone is intercepting the communication, they don't get your PIN.
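The minute-long token code and the hashed-PIN variation described above, as an added illustration that is not RSA's or TranSend's own algorithm: it assumes an HMAC over a 60-second time step, a server that knows the customer's seed and PIN, and a server-side record of codes already accepted so that a captured code is rejected both after its minute expires and if it is replayed within that minute.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the token code changes every minute
CODE_DIGITS = 6     # six-digit code shown on the card-sized device


def token_code(secret: bytes, now: float) -> str:
    """Six-digit code for the 60-second step containing `now`.
    Hypothetical HMAC-SHA256 construction, not a vendor's algorithm."""
    counter = int(now) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % 10 ** CODE_DIGITS
    return f"{value:0{CODE_DIGITS}d}"


def login_value(pin: str, code: str) -> str:
    """What the customer actually submits: a hash of PIN and token code,
    so an eavesdropper on the wire never sees the PIN itself."""
    return hashlib.sha256(f"{pin}:{code}".encode()).hexdigest()


class Verifier:
    """Bank side: holds the customer's seed and PIN, accepts each code once."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        self.pin = pin
        self.used = set()   # (step, code) pairs already accepted

    def verify(self, submitted: str, now: float) -> bool:
        step = int(now) // STEP_SECONDS
        # Forget codes from earlier steps; they can never validate again anyway.
        self.used = {(s, c) for (s, c) in self.used if s >= step}
        # Only the current step is accepted. Real deployments often allow one
        # step of clock skew, which lengthens the window a captured code is good for.
        code = token_code(self.secret, now)
        expected = login_value(self.pin, code)
        if not hmac.compare_digest(expected, submitted):
            return False          # wrong PIN, wrong seed, or expired code
        if (step, code) in self.used:
            return False          # same code submitted twice within its minute
        self.used.add((step, code))
        return True
```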
However, even within this approach there are variations. "The big discussion in the industry is whether the generation of the second factor is done in protected or unprotected space," says TranSend's Scott. "If you protect the space where the second factor is created and make it harder to duplicate and copy, and harder to discover, you're increasing its reliability." The IBM board is considered quite secure because it generates keys in its own space, which cannot be accessed by the host system's operating system. Using a hardware security module such as a protected smart card or USB fob and adding safeguards such as intrusion prevention and detection greatly increases security.