Two Factor Authentication is Dead
May 1, 2008 – 7:13 AM
The fundamental problem with two factor (2FA) session authentication is that the approach is vulnerable to Man in the Middle and Man in the Browser attacks. 2FA requires that customers present not only a password (something they know) when they log into online banking, but also demonstrate that they possess an authentication device (something they have). Devices normally take the form of a key fob which displays a number that changes every few seconds, but another approach is to require the customer to insert their bank card into a stand-alone reader. Unfortunately, the one-time code only proves that the device was present at login; it is not tied to any particular transaction, so there is nothing to stop an attacker who obtains a fresh code from using it to commit fraud before it expires.
In the classic Man in the Middle attack, the customer is lured to the attacker’s website, normally by a phishing email. The website looks identical to the legitimate bank site, but when the customer enters their account details and one-time password, the attacker’s server immediately connects to the real bank site and uses those details, while the code is still valid, to impersonate the customer and make a fraudulent transaction. Even mutual authentication (for example the bank displaying a secret image or phrase chosen by the customer) does not defend against this attack, since the attacker’s relay also sees whatever the bank would normally show and can pass it back, making the customer think that they are communicating directly with the bank.
The Man in the Browser attack is an enhancement of the Man in the Middle, and has already been seen in the wild. It is designed to work even against customers who are careful enough not to enter their bank details on sites reached from links in emails. In this attack, the fraudster installs malware on the customer’s PC, either via email or a drive-by download (even with up-to-date anti-virus software, 80% of new malware is undetected). Then, when the customer makes a transfer using their normal online banking session, the malware inside the web browser silently rewrites the amount and destination before the request leaves the PC, so the bank receives a correctly authenticated session carrying a transaction the customer never intended.
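Both attacks above come down to the same property: the fob code authenticates the login session, not the transaction. The following simulation is an added illustration, not code from the original post or from any bank. It models a hypothetical bank whose login checks a password plus a time-based fob code, then runs the Man in the Middle relay (phishing site forwards the captured code within its validity window) and the Man in the Browser rewrite (malware changes the form fields after a genuine login). For contrast it also shows a code that commits to the destination and amount, which the in-browser rewrite cannot reuse. The fob algorithm, account names, balances and the fixed timestamp are all constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# Constructed fixtures for the simulation (not from the original post).
FOB_SEED = b"alice-fob-seed-0123"
FIXED_TIME = 1_209_625_980          # arbitrary Unix time; start of one 30-second window


def fob_code(seed: bytes, now: int, step: int = 30) -> str:
    """Six-digit time-based code: HMAC-SHA1 over the 30-second counter.

    Assumed fob design: the code depends only on the secret and the clock,
    not on what the customer is about to do once logged in."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def transaction_code(seed: bytes, dest: str, amount: int, now: int) -> str:
    """Contrast case (assumed design): a code that also commits to destination and amount."""
    msg = f"{dest}:{amount}".encode() + struct.pack(">Q", now // 30)
    return hmac.new(seed, msg, hashlib.sha1).hexdigest()[:8]


class Bank:
    """Hypothetical online bank: login needs password plus fob code; transfers need a session."""

    def __init__(self) -> None:
        self.passwords = {"alice": "correct horse"}
        self.seeds = {"alice": FOB_SEED}
        self.balances = {"alice": 1000, "bob": 0, "mule": 0}
        self.sessions: Dict[str, str] = {}

    def login(self, user: str, password: str, code: str, now: int) -> Optional[str]:
        if self.passwords.get(user) != password or code != fob_code(self.seeds[user], now):
            return None
        token = f"session-{user}-{len(self.sessions)}"
        self.sessions[token] = user
        return token

    def transfer(self, token: Optional[str], dest: str, amount: int) -> bool:
        """Session-authenticated transfer: the bank never sees a per-transaction proof."""
        user = self.sessions.get(token)
        if user is None or self.balances[user] < amount:
            return False
        self.balances[user] -= amount
        self.balances[dest] = self.balances.get(dest, 0) + amount
        return True

    def transfer_signed(self, token: Optional[str], dest: str, amount: int, code: str, now: int) -> bool:
        """Contrast case: the transfer is only honoured if the code matches dest and amount."""
        user = self.sessions.get(token)
        if user is None or code != transaction_code(self.seeds[user], dest, amount, now):
            return False
        return self.transfer(token, dest, amount)


def man_in_the_middle(bank: Bank, now: int) -> bool:
    """Phishing site: the customer types password and fob code into the fake page; the
    attacker's server relays them to the real bank inside the code's validity window
    and then spends the resulting session on its own transfer."""
    typed_password = "correct horse"
    typed_code = fob_code(FOB_SEED, now)                          # read off the fob by the customer
    token = bank.login("alice", typed_password, typed_code, now)  # relayed immediately, not replayed later
    return token is not None and bank.transfer(token, "mule", 900)


def man_in_the_browser(bank: Bank, now: int, signed: bool = False) -> bool:
    """In-browser malware: the customer logs in legitimately and submits a transfer to
    bob; the malware rewrites destination and amount before the request leaves."""
    token = bank.login("alice", "correct horse", fob_code(FOB_SEED, now), now)
    intended = {"dest": "bob", "amount": 50}
    if signed:
        # The customer computed the code over what they saw on screen.
        intended["code"] = transaction_code(FOB_SEED, "bob", 50, now)
    tampered = dict(intended, dest="mule", amount=900)            # malware edits the form fields
    if signed:
        return bank.transfer_signed(token, tampered["dest"], tampered["amount"], tampered["code"], now)
    return bank.transfer(token, tampered["dest"], tampered["amount"])


if __name__ == "__main__":
    b = Bank()
    print("MitM fraud succeeds:", man_in_the_middle(b, FIXED_TIME), b.balances)
    b = Bank()
    print("MitB fraud succeeds:", man_in_the_browser(b, FIXED_TIME), b.balances)
    b = Bank()
    print("MitB against transaction-bound code:", man_in_the_browser(b, FIXED_TIME, signed=True), b.balances)
```

The two session-authenticated runs both move 900 to the mule account even though the password, the fob and the login check all behaved correctly; only the contrast run fails, because the rewritten destination and amount no longer match what the code was computed over.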