Dundas should know. As a former security architect at Symantec, he was responsible for
authentication technologies that touched more than 1 billion end points globally. According
to Dundas, “The problem lies with the practice of delivering a one-time password to the end
user via SMS. In general, OTP approaches of this type were fine several years ago. They’re
just not as secure as they once were. The cybercriminals have developed their own
countermeasures.”
The Foundations of Two-Factor Authentication
Two-factor authentication is a practice in which a user provides more than one
authentication credential. Traditionally, the first authentication factor used is “something you
know,” or knowledge. This knowledge is normally a shared secret like a password paired
with a username. Passwords are a valid shared secret when used appropriately. In many
cases the convenience and security strength are appropriate for protecting free online
accounts and other low value access points. In the case of financial accounts, however, a
simple username and password combination is obviously far from sufficient.
Some institutions use a second authentication factor, but in the same “form factor” or
category. A “something else you know” second factor is familiar to many: a query for a
mother’s maiden name or the make of the user’s first automobile, sometimes formatted as a
multiple-choice challenge question. The idea is that the end user can answer a private and
personal question easily while strangers cannot. This technique is now inadequate because
of the vast amount of personal information available across social media platforms and many
other websites. Hackers are adept at capturing and mining this information in order to thwart
knowledge-based authentication.
Institutions that acknowledge this vulnerability and wish to increase security may migrate to
an authentication factor that is “something you have.” An ATM card is an example of
something a user possesses in addition to a PIN when using an ATM. A security token that
delivers an OTP is also often used as a second authentication factor. The OTP received via
token is then entered into the website. The rationale behind this method is that only the
legitimate end user with ownership of this token will be able to receive the case-sensitive
string of numbers to correctly connect and log in. Unfortunately, if the OTP is typed directly
back into an infected Internet connection, the OTP is delivered to the hacker as well. That is
the danger of a man-in-the-middle (MITM) attack.
Passwords, usernames, transactional OTPs, and other information typed on the keyboard
and delivered to a website are considered “in-band” communication. An OTP may be
delivered out-of-band, but once it is typed into the website it is exchanged in-band, on the
same communication channel as the primary Internet connection. If a hacker or cybercriminal
is monitoring that channel via a MITM attack like Emmental, any confirmation information
exchanged between the end user and the website will be compromised.
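The relay problem described above can be made concrete with a small simulation. The following Python is an added example and is not code from Cyber Defense Magazine or from any bank; the bank, user, session and transaction strings are all constructed. It models two ways of sending a code to the phone: a plain session code (the SMS-style OTP the article criticises) and, as a mitigation this page does not itself spell out, a code bound to the exact transaction text and shown next to that text. A MITM on the web channel rewrites the transaction and relays whatever the user types; the plain code authorises the tampered transaction, while the bound message lets the user see the substitution and stop.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed example: one shared OTP key between the bank and the user's phone.
OTP_KEY = secrets.token_bytes(32)


def otp_for(transaction: str) -> str:
    """Six-digit code derived from the exact transaction text (HMAC-SHA256)."""
    mac = hmac.new(OTP_KEY, transaction.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Server side. bound=False models a session OTP that is sent out-of-band
    but carries no information about the transaction it will authorise."""

    def __init__(self, bound: bool) -> None:
        self.bound = bound
        self.pending: Dict[str, Tuple[str, str]] = {}  # session -> (tx, code)

    def request(self, session: str, transaction: str) -> str:
        """Receive a transaction in-band (web) and return the text sent to the
        phone out-of-band."""
        if self.bound:
            code = otp_for(transaction)
            message = f"Confirm: {transaction} code {code}"
        else:
            code = f"{secrets.randbelow(1_000_000):06d}"
            message = f"Your login code is {code}"
        self.pending[session] = (transaction, code)
        return message

    def confirm(self, session: str, code: str) -> Optional[str]:
        """Execute the pending transaction if the code typed in-band matches."""
        transaction, expected = self.pending.pop(session)
        if hmac.compare_digest(code, expected):
            return transaction
        return None


def user_enters_code(intended: str, oob_message: str) -> Optional[str]:
    """The human reads the phone. If the message names a transaction that
    differs from what they asked for, they stop; otherwise they type the code."""
    prefix = "Confirm: "
    if oob_message.startswith(prefix):
        shown, _, code = oob_message[len(prefix):].rpartition(" code ")
        return code if shown == intended else None
    return oob_message.rsplit(" ", 1)[-1]


INTENDED = "pay 50.00 to Alice"          # constructed: what the user asked for
TAMPERED = "pay 5000.00 to Mule"         # constructed: what the MITM substitutes


def run_honest(bound: bool) -> Optional[str]:
    """No attacker: the bank sees the user's real request."""
    bank = Bank(bound)
    oob = bank.request("s1", INTENDED)
    code = user_enters_code(INTENDED, oob)
    return bank.confirm("s1", code) if code else None


def run_mitm(bound: bool) -> Optional[str]:
    """MITM on the in-band channel: the bank only ever sees the rewritten
    transaction, and the code the user types is relayed unchanged."""
    bank = Bank(bound)
    oob = bank.request("s1", TAMPERED)
    code = user_enters_code(INTENDED, oob)
    return bank.confirm("s1", code) if code else None


if __name__ == "__main__":
    print("honest, plain code  ->", run_honest(bound=False))
    print("MITM,   plain code  ->", run_mitm(bound=False))   # tampered tx goes through
    print("MITM,   bound code  ->", run_mitm(bound=True))    # None: user stops
```

The point of the second mode is not the HMAC itself but what travels on the out-of-band channel: the code is only useful for the transaction the bank actually holds, and the phone shows that transaction, so the user can compare it with what they typed before confirming. A code that merely says "your login code is" gives the user nothing to compare.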
A Better Two-Factor Solution
Out-of-band authentication is the use of multiple networks or communication channels such
as an internet connection and a telephony network, working simultaneously to authenticate a
user. As has been shown with OTPs however, simply delivering an authentication token like
an OTP out-of-band and then entering it in-band is not good enough. That communication
18 Cyber Warnings E-Magazine – August 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide