Slashdot Mirror
Phishers Defeat Citibank's 2-Factor Authentication
An anonymous reader writes "Crypto experts and U.S. Government regulations (FFIEC) have been pushing the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" — the second factor being something the user has in their physical possession like a token — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data. According to a Washington Post Blog, 'SecurityFix,' phishers have now started phishing for the two-factor token ID from the user as well. The most interesting part is that these tokens only give you one minute to log in to the bank until that key will expire. The phishers employ a man-in-the-middle attack against the victim and Citibank to log in via php and conduct money transfers immediately when logged in." (An update to the blog entry notes that the phishing site mentioned has since been shut down.)
My bank has had this for ages. How's about protecting you from the man in the middle attack by a little extra procedure, though ? Immediately after you've done the transactions through the web and you log out, the bank sends you an encrypted email with all your transactions in it. Those emails can be parseable for your own financial package as well. And it should give you some time to cancel all the transactions that are bogus. There can be no forgery involved, since the bank _always_ sends those mails. Just an idea, I know there's no cure for utter stupidity.
Religion is what happens when nature strikes and groupthink goes wrong.
My bank (Rabobank, netherlands) uses a key-generating hardware device, based on account, PIN number, optional numbers generated by the site (which are to be entered into the keygen) and an internal clock. With sending any transfer, the site requires a new key to be generated. If the amount to be transferred is sufficiently large, one of the numbers used to generated the key is the exact amount, thus requiring the user to validate the amount as well.
Phishers may be able to coordinate up to the point of this validation, but if one suddenly had to enter an additional verification number of, e.g. "2000.00" (minus the decimal point), it'd be very hard to use phishing for large amounts of money.
Then again, I also have other accounts at two other banks, both of which require only a one-time, 5/6-digit, non-changing, numeric password.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
This isn't at all a shocker. The authentication problem is only one piece of a very complex puzzle. But in this case simple and common SSL certificate verification would work to stop such a man-in-the-middle attack.
... So when you enter your token into the browser, first the browser checks the web-site is the "owner" of that token and if it is not then it warns the user, after verification the browser then sends the token and the user is verified to the site.
Further down the road though, this is why technology leaders need to standardise authentication tokens to include some kind of two way verification
Something like this:
mybankcom - 9 -
The browser implements a "token box," when a post is attempted with said box the domain gets stripped of all special characters (up to the path) and then compared to the first part of the token. If they are case insensitively identical then the browser will submit the rest of the token (the pseudo random number) to the web-site.
The token box would have to look unique and be very difficult to clone... Which might require it to jump out from the main content window, but that is a problem for browser UI developers and beyond the scope of the problem.
The target authorities and security developers should be aiming for, in my opinion, is not the people who do the wrong-doing, but the users themselves. The major difference that phishing has from hacking or physical robbery is that the attack is forceful against either the bank's online front or the customer whereas phishing preys on not physical or technological weakness but on intellectual weakness: ignorant users are conned into giving up personal details, going to a particular site or running a program because they are unaware of the risks. In phishing cases there really should be a bigger push for educating customers through more than just 20-pixel-high signatures on electronic correspondance. There should be in-bank brochures, tv spots/advertisements (or at least addendums to current tv spots) and users should clearly know never to click a link in an email from anyone, especially if it's pertaining to a bank or paypal-like site or in a personal mail from someone unfamiliar. There's a reason many geeks have clean-as-whistle computers (I virus and spyware scan every now-and-then -- about every 6 months -- and they both always come up clean) whereas the "common user" has problems with viruses and scumware seemingly constantly, and that reason is education and not-so-common sense. The answer then is obviously to educate, and make that sense common.
A man in the middle attack will breach just about any security you have. Unless you can recognize it, or teach others to, this sort of attack will always work. The trick is that it is sophisticated and you have to educate people to know when they are connecting to the correct site or not; that is, check the URL and the SSL certificate when connected. And, never use self-signed SSL certificates.
Quality Hosting e3 Servers
People might just be able to determine if they were valid or phishing attempts.
Almost all email clients support s/mime these days, all you and the banks have to do is sign up to a certificate authority and install a certificate. They can be acquired for free.
Deleted
How about the other side of authetication - anonymity. There are cases when the service provider doesn't need to know personal or professional details about the customers, but nevertheless this kind of data is collected widely. The Shibboleth technology developed in the Internet 2 project in principle makes it possible for a customer to limit the access to personal data by service providers. This kind of solutions should be made widely available. Now there are all too many authentication systems collecting data which may be used (at some point) for nefarious purposes.
I don't think he meant "encrypted" to be "cryptic looking". Instead I think he was thinking of actal encryption, where the email appears to you in plaintext if your email program supports encryption (and you have the proper key, of course). Especially if you have to get a physical token anyway, it should be no problem to store a personal key on it as well.
The Tao of math: The numbers you can count are not the real numbers.
Website Controls
Additional "next PIN" for each transaction
Challenge response
Enter a PIN challenge based on dollar amounts to transfer
The usual web security stuff - see OWASP for more
Signing transactions with certificates and tokens
Security Awareness
Workstation security is paramount, firewalls, anti-spam, anti-malware, running as non-admin all assist in this process
Some trojans imbedded into IE and pop-up boxes that sift the credentials upon the user typing in their banking website
As you can there is so much you can do.
Have fun!
Nearly all US and UK Internet banking systems are susceptible to this.
There is an easy fix for this as well - client side certificates. I have an account with a bank in an ex-eastern European country and they use it. Many scandinavian banks use that as well (with the certificate on a token or a smartcard).
In order to authenticate the SSL handshake has to use both client side and server side certificates. After that the actual user id has to match the certificate one. A man in the middle cannot break through that because it will not have the private key from the user machine. From there on even if it can fake the bank interface to the user it cannot fake the user towards the bank. Game, set and match.
The only reason for US and UK banks not to use it is outright incompetence. I remember trying to explain the concept of client side SSL certificates to one of the cretins who have implemented a well known UK bank Internet banking security subsystem. He could not grasp the concept. By the way - he now works in the "risk" (that is the way they like calling this now) department of another well known UK bank.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Let's see
1) the website is simply at another address, well-educated users will spot the lack of https and the different URL
2) I have an account at postbank(.nl) which uses a password for logging in, and then additional codes for transactions. The password will only give you read only access.
3) At this same bank, the transactions are verified by sending you a text-message; not the most secured channel, but the message doesn't just include a "transaction acceptance code", but also the amount of money being transferred. If something is amiss it's spotted easily through this second channel, beyong the phishers' control.
4) Another bank, abnamro.nl, lists the IP number you were last logged in from on the welcome page.
I feel that 1) could be attacked by phishers using malware, so that's no guarantee.
Using the amount of money to be transferred as part of the challenge is trivial and should simply be implemented at first opportunity. One of citibank's problems is that they're using a token that simply displays a code, rather than a challenge response system; no way to enhance the challenge..
Number 3) is also pretty neat. Reall, I don't care so much about my bankstatements per se that they need to be protected with two-factor authentication (though of course in the US, identity theft might make this more prudent). The ability to check my account without too much rigmarole is very user friendly.
Number 4) would be neat, but also confusing to many users, especially those behind DHCP.
Sum conclusion;
use challenge response, with the amount to be transferred firmly embedded in the challenge, or communicated to the user out-of-bounds.
SCO employee? Check out the bounty
Customer number + pin, then new code for every transaction. Been using it for years. Can't even login to the Sampo web-bank without these 3 things. They may grab my account number and pincode as much as they want cause, they're doing shit with those codes without my every-time-changing code. Welcome to Finland.
-m10
Why is online banking allowing you to create new billing accounts online? Why can you make a transfer to a new, unlisted, account online? Answer: Banks want to save money.
Most people almost never create new billing and transfer "destinations". We could afford to go in person once or twice a year to do this. The very few who need these options are usually kwolegeable about security issues. Even if they are not, the fact that there is so few of them is a protection in itself. Remove these options from online banking and even a "phished" account will be of limited use to the phisher since the only thing he can do with it is pay your bills.
This solution was actually implemented in the beginning of online baking. The idea of pushing "new" features with no regards to their actual impact is almost like a disease in the current corporate world.
Actually quite a few people use this for personal transfers in the UK. For example if I go for a weekend trip with some old college friends who now live in different parts of the country, I may book all the flights or hotel rooms. Setting up a transfer direct to their personal accounts is quite useful and quick, compared to cash or cheques. My online banking used to take a couple of days to set up these arrangements, and now its immediate. I think this is rather dangerous.
My bank uses a two-factor authentication system, the second factor being a card with a 10x10 matrix of double-digit numbers. When you login, the website asks you for your username, PIN and the number which appears in certain coordinates in the matrix card.
It used to ask you for it in the login page itself. Nowadays you need to have a mobile phone number associated with your account; when you try to login, the coordinates are sent to you by SMS. In that way, even if a phisher gets your username, PIN and full matrix, they cannot login because they don't know what coordinate is asked to you (and you receive the unsolicited SMS, so you can alert the bank). They would have to steal your cellphone too.
Ah, and you have to enter those numbers using an on-screen keypad which moves around randomly anter you click on each number, so keyloggers are now useless too.
Users know nothing about encryption... it's too easy to spoof.
eg. There's a virus going around that reads "This is an encryted email from AOL.. click on the attachment to read it".
Telling users that encryption is somehow better is just going to leave them open to that kind of attack.
What is needed is for one of the tokens to be "active" in the negotiation. Anything that can perform a unique challenge-response will fix the MITM attack.
As others have stated, client side ssl certificates, hardware tokens with key-pads, smart cards, trusted-computing would suffice.
A lot of people, like you, are suggesting sophisticated technological solutions (which won't really work IRL). The REAL problem isn't the bank's security - it's the user's gullibility. My bank simply uses a username/password style login. It works fine. The only one with problems are those who believe evrything they get in their inbox.
I know this won't fix all problems with phishing emails, but it should fix one factor of it. Could those who contribute their programming skills to Firefox make it so the actual domain of the site you are at is highlighted? This means that if you are at a site
http://citibusinessonline.da.us.citibank.com.tufel -club.ru/sahdlhasal
Firefox would display it as:
http://citibusinessonline.da.us.citibank.com. tufel-club.ru /sahdlhasal
I know some victims refuse to think about it at all and refuse to even look at the URL but this would give them one more tool to use to possibly see it is a scam.
But why is the rum gone?
...and I'll keep on saying it.
If email encryption and certificates were a *STANDARD* feature by the major email clients (desktop and web based), then institutions could set a blanket policy that any email communication from them to their clients/customers must be encrypted and/or contain a digital certificate. Even better, these certificates could contain usage policies so that email clients could automatically filter/delete messages w/o the proper certificate or that don't follow stated policies.
The trick is that the user needs to be abstracted away from the encryption/signing process so that they understand the basics of what encryption/certificates are but can use them with with just a click or two.
A good example of taking security technologies and providing them to the user in a well abstracted form is TLS under HTTPS. IMHO, phishing would be drastically reduced if email encryption/certificates, along with usage policies, were as common and supported as TLS under HTTPS is today.
[Pre-rebuttle]I am not saying that this will solve ALL phishing scams. I'm just saying that there are technologies out there that, if commonly supported and intergreted into email clients/services, would greatly increase the difficulty of pulling off a phising scam.[/Pre-rebuttle]
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
My bank requires you to install some java software + some keys in your C:\ or /home/ before you can use online banking (and it's protected by a password).
It's a bit complicated to set up (especially in Linux, although the instructions were good enough to figure it out), but I don't see how phishing would work with this system. An attacker would have to trick the user into sending the 3 files with keys + entering his password.
You could get what you need easily with a trojan and keylogger, ofcourse (well, good luck tricking me into installing a trojan on Ubuntu), but sending e-mails with 'please enter your password' won't do a lot for a phisher. Besides, I don't even think my bank has my e-mail address, and I would find it very suspicious if I ever received an e-mail from them.
Phishing works because some banks apparently set up their online banking systems in the same way as slashdot, with just an username and password. That's fine for unimportant stuff, but when handling money, a login/password just won't cut it.
A primary reason for the difference between US security standards and European security standards is the compute environment, and hence, the assumption of trust given to the terminal.
In the US, most users are accessing their accounts from their work or home computers. Although keyloggers may be present on these machines, it isn't very common yet. In northern europe, the use of internet terminals in cafes or kiosks is much more common. On these machines, it is likely that keyloggers will be present, so it is conservative to assume that everything the user does will be logged someone.
This assumption (everything the user does is logged) drives the need to require access to some thing (PIN grid, token generator, etc) that is needed in addition to the normal username and password. The higher level of justified paranoia drives a higher perception of security requirements.
One tremendous downside to this: loss of one of the best features of online banking - ease of use and portability. I personally have about ten online accounts with different banks, and I use all those accounts frequently. Everything I need to know to manage my personaly finances is carried in my head, and I can access my accounts from any computer anywhere in the world with nothing more than the knowledge I possess. Having to carry any sort of physical object to access my accounts would be a tremendous loss, one that would probably drive me to seek another bank, or a bank in another country, to avoid.
I like how the Postbank does it here in the Netherlands. For every transaction (which may include multiple transfers) they SMS you a random number which you have to enter in the site to validate the transaction. They send the SMS to a phone which they previously determined belongs to you (you don't enter the number on the spot or something like that). A phisher might hack your Postbank account, but they won't be able to impersonate you since the security number (and the total amount of money involved in the transaction) is sent to your cell phone which they can't get at (and which alerts you to the fact that your account has been hacked).
In the past (actually it's still possible for people who don't have a cell phone or don't want to use this system) the number wasn't sent as an SMS, but was on a long list of numbers they would mail you (the list was printed and sealed by a machine, no humans would see it before you). This was a nuisance because I kept losing the list and it was a hassle to use, but this new system is quite convenient in my opinion. I always have my cell phone with me, so I can do my banking from any location.
Something similiar happened to the company I work for a few years back, except it was done by an inside employee from the bank who found a flaw in their online system. All current accounts (without informing any of the account holders) the bank had were given a username and the same default password when their online access system was set up. By getting a list of all the usernames, it was no problem for them to log in, set themselves up as vendors to be paid, and then have a check mailed to them from the bank automatically. They were caught when trying to cash the check and a suspicious bank clerk called for confirmation before cashing the check.
kurzweil_freak
5th Kyu Genbukan Ninpo/KJJR student
Be the darkness that allows the light to shine.
I can't help but notice that all the authentication schemes being discussed are basically way that the bank verifies the customer is who they say they are. But the issue isn't that; it's that the customer is being tricked into thinking that they're talking to the bank when they are actually talking to someone else (who may be talking to the bank). There is nothing that I see that helps the customer verify that it's actually their bank on the other end.
The whole "phishing" thing is based on the fact that the bank's end can be spoofed, and customers have no reliable way to verify that they are really talking to their bank. A Man-in-the-Middle is simply a variant of this, in which the customer thinks they're talking to the bank, when they're actually talking to the MitM, who is talking to the bank.
Adding extra stuff to better authenticate the customer is not going to help here. Confusing the issue by just talking about "authentication" doesn't help either, since it conflates the two directions of authentication into one, and people don't notice that the customer may not have authenticated the bank.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.