Not All Two-Factor Authentication Techniques are Created Equal as Demonstrated by Emmental Attack
Voice channel two-factor authentication and transaction verification via secure data channel are protected from Man-in-the-Middle (MITM) and the SMS message-focused Emmental attack
By Lorenzo De Leon, VP of Applied Engineering at Authentify
Not all forms of two-factor authentication have been defeated by the Emmental attack, despite widespread reports to the contrary. In fact, it was specifically an SMS-delivered one-time password (OTP) that was exploited by the Emmental campaign cited last month in a Trend Micro report. The report detailed attacks on 34 Swiss, Swedish, Austrian and Japanese banks in which the exploit, dubbed Emmental by Trend Micro, allowed millions of dollars to be fraudulently wired out of legitimate accounts.
The researchers who uncovered Emmental describe it as a variation of a man-in-the-middle (MITM) attack. Hackers send a targeted phishing email to an end user. The email appears to come from a popular retailer and carries an attachment that, when downloaded, installs malware on the user's computer. The malware then installs a rogue SSL root certificate, which tricks the computer into trusting servers that look like the bank's but are instead controlled by the hackers. The malware then deletes itself to help avoid detection.

The next time the user visits the bank's website, they are routed to the fake banking site. The user logs in with their legitimate credentials, handing them to the hackers. The fake site then instructs the user to install a mobile app "for additional security". Instead, the malicious app diverts the one-time passcode (OTP) that the legitimate bank sends by SMS to the user's mobile phone to confirm unusual transactions. Armed with the user's login credentials and able to receive the confirmation OTPs, the hackers now hold everything needed to transfer funds to themselves.
The twist in this MITM variation is that it includes the redirect of an SMS message on the end user's mobile device via the malicious mobile app. The end user's ability to provide the correct OTP is the second authentication factor in these banks' two-factor authentication schemes.

Numerous MITM/phishing/malware attacks have demonstrated the vulnerability of SMS messaging for some time now. As an authentication factor, SMS messages are still used because of their low cost, convenience and ubiquity, and end users are familiar with SMS messaging. Continued use of SMS despite the vulnerability is a risk versus cost-and-convenience assessment that each financial organization must make.
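The difference the article draws between an SMS-delivered OTP and transaction verification over a secure data channel, as an added Python model (not code from the article, Authentify or Trend Micro). It assumes, as a constructed simplification, that the secure-channel approval is an HMAC over the payee and amount shown to the customer, and that the malware can read SMS but not that channel.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int

class Bank:
    """Constructed model of a bank's second-factor step (not any vendor's product)."""
    def __init__(self):
        self._otps = set()                   # outstanding SMS codes
        self._key = secrets.token_bytes(32)  # per-user secret shared only with the secure-channel app
    # Style A: bare SMS OTP. The six digits say nothing about what they approve.
    def issue_sms_otp(self, transfer):
        code = f"{secrets.randbelow(10**6):06d}"
        self._otps.add(code)
        return code                          # texted to the customer's phone

    def approve_with_sms(self, transfer, code):
        ok = code in self._otps              # any pending code approves any transfer
        self._otps.discard(code)
        return ok

    # Style B: transaction verification. The approval value is a MAC over the exact
    # details the customer saw on the secure channel, so it fits that transfer only.
    def approval_code(self, transfer):
        msg = f"{transfer.payee}|{transfer.amount_cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def approve_with_bound_code(self, transfer, code):
        return hmac.compare_digest(self.approval_code(transfer), code)

def sms_otp_scenario():
    """Emmental-style flow: credentials stolen, SMS diverted by the malicious app."""
    bank, fraud = Bank(), Transfer("mule-account", 250_000)
    otp = bank.issue_sms_otp(fraud)          # bank texts the victim
    diverted = otp                           # malicious app forwards the text to the attacker
    return bank.approve_with_sms(fraud, diverted)   # True: the fraudulent transfer goes through

def bound_code_scenario():
    """Same attacker, but the bank binds approval to the transaction shown on a secure channel."""
    bank = Bank()
    intended = Transfer("landlord", 120_000)
    fraud = Transfer("mule-account", 250_000)
    leaked = bank.approval_code(intended)    # worst case: attacker obtains the customer's approval
    return bank.approve_with_bound_code(fraud, leaked)   # False: it only fits `intended`
```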
“It’s disappointing that reports claiming simply that ‘two-factor authentication has been beaten’ are circulating once again when not all two-factor authentication techniques are of equal strength and other forms of two-factor have definitely not been beaten,” said Alan Dundas, Vice President of Product for Authentify.
Cyber Warnings E-Magazine – August 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide