to the cloud continues, we are increasingly using IT infrastructure almost as a utility, similar to
the electricity grid.

This has also coincided with the increased use of soft tokens, or of the customer's mobile phone, for
OTP delivery.

But as has been shown on several occasions, all OTP systems share the same inherent flaw. The
one-time passwords are generated as either time-synchronized or counter-synchronized codes and
often require the user to carry a small hardware device; some solutions instead generate the OTP on
the server and send it to the customer's mobile phone via SMS. There have been several well-documented
attacks against OTP systems, and since they all remain reliant on browser-based communication, if a
phishing site mimics the web server, or the browser itself is compromised, the customer's credentials
and the current OTP can be harvested by fraudsters and used immediately, within the code's validity
window, to gain access to the account and authenticate fraudulent transactions. The OTP proves
possession of the token, but nothing ties the code to the site the customer believes they are talking
to or to the transaction they intend to approve.
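The flaw described above, worked through as an added example that is not part of the original article: a minimal RFC 4226 HOTP / RFC 6238 TOTP generator and verifier, followed by a simulation of a phishing site that harvests the customer's current code and a fraudster who relays it to the real server. The shared secret is the published RFC 6238 test-vector key; the verification window, the timings and the relay delays are constructed for the demonstration.

```python
"""Added example (not from the original article): HOTP/TOTP per RFC 4226 and
RFC 6238, and a simulation of the real-time phishing relay the text describes.
The secret is the RFC 6238 test-vector key; timings and window are constructed."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret (demo key only)
STEP = 30      # TOTP time step in seconds
DIGITS = 6
WINDOW = 1     # verifier tolerates clock drift of one step either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of steps since the epoch."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = WINDOW) -> bool:
    """Server-side check: accept the code if it matches any step within
    +/- window of the server's current step.  compare_digest keeps the
    comparison constant-time so it does not leak which step matched."""
    counter = now // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def phishing_relay(secret: bytes, victim_time: int, relay_delay: int) -> bool:
    """The attack in the text.  The victim types the code their token shows at
    victim_time into a phishing page; the fraudster forwards it to the real
    server relay_delay seconds later.  Returns True if the real server accepts
    it: nothing in the code says which site the victim meant to log in to."""
    harvested = totp(secret, victim_time)   # captured by the phishing page
    return verify_totp(secret, harvested, victim_time + relay_delay)


if __name__ == "__main__":
    t = 59  # constructed moment at which the victim reads the code
    print("code shown on token:", totp(SECRET, t))
    print("relayed after 20 s accepted:", phishing_relay(SECRET, t, 20))
    print("relayed after 120 s accepted:", phishing_relay(SECRET, t, 120))
```

The second relay fails only because the fraudster waited past the validity window; the attack in the text succeeds precisely because the harvested code is forwarded within seconds, so a shorter window narrows the opportunity but does not remove it.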

The increased use of SMS is even more alarming, and even the telcos have openly stated that
"SMS is not designed to be a secure communications channel and should not be used by banks
for electronic funds transfer authentication"
(http://www.itnews.com.au/News/322194,telcos-declare-sms-unsafe-for-bank-transactions.aspx).

Another approach that has recently come under increasing scrutiny is the use of digital
certificates. The combination of breaches resulting in the theft of private keys and the recent
Heartbleed vulnerability, which allowed private keys to be read out of a server's memory, has
demonstrated that a certificate is no longer a guarantee that the holder is who they say they are. In
any case, an increasing number of organizations are recognizing that device identity is not sufficient
to establish a user's identity: a certificate proves which key was used, not who was at the keyboard.

Are Passwords Dead?

So how can we reduce the risk associated with authentication, given that the evidence shows
that the most commonly used systems are vulnerable?

The password still offers the most convenient method, both for users and for the industry at
large, and to a certain extent it is not dependent on technology. A password also has, in certain
respects, a biometric element, in that what it is remains a cognitive choice by the individual.


However, as is demonstrated daily, passwords are vulnerable: they can be guessed, shared, phished
or stolen. Used alone they offer little assurance, but as one of several factors they still serve a
purpose.

Authentication relies on three cornerstones: what I know, what I have, and what I am. What I
have can be stolen or duplicated, and what I know can be guessed, shared or stolen.

What I am has two key elements: physical and behavioral attributes. Physical biometrics such as
fingerprints and facial features, whose use is increasing, are unique to each of us, and although
no one will chop off your finger without you noticing, we have now designed technology capable of
stealing the digital representations of those features. Unlike a password, a compromised
fingerprint cannot be changed.
52 Cyber Warnings E-Magazine – December 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
