Alice, Bob, and Mallory: Simple security tokens needed

Simple security tokens needed

Jonas Elfström — Tue, 27 Mar 2007 22:46:00 +0200

In an earlier post I mentioned that a security token that lets you sign your transactions is one way to go to get more secure Internet banking.

Now a couple of swedish students have shown (by also using the problem I mentioned in this post) that a security token both needs to be used in a secure manner and that it also needs to be simple for the user to know what he is actually signing. According to the press it seems that they did this as a man-in-the-middle attack. This is just speculations but it seems the reason that this were possible were that the user did not have a clear view of what he was signing.

It could have been done something like this:

Redirect the user to a fake site (and hope that he does not investigate the certificate).
Ask for username and challenge the user with the verification code and then login to the bank in the background.
Try to add a new account for transfers and then tell the user he mistyped and has to login again while challenging him to verify the new account.
Transfer money the same way.

The bank has solved the problem by adding a 9 before all login codes. I'm not convinced this is simple and obvious enough for the users. One way to make it simple could be a security device with buttons labeled "login", "sign account" and "sign amount" or such.

EDIT: Now it has started to arrive phishing mails that asks the customers of Swedbank to install ssl3.exe...

"Simple security tokens needed" by Jonas Elfström

Fri, 30 Mar 2007 08:41:46 +0200

I will check out WiKID as soon as possible. Markdown removed a couple of underscores from the URL you supplied. I might have to disable Markdown.

"Simple security tokens needed" by Nick Owen

Thu, 29 Mar 2007 16:11:06 +0200

Jonas:

Glad to have found your blog. Be glad that banks in your country are putting forth such a strong effort. (Although I was not able to read the articles in Swedish. :)

I would be interested in your thoughts on our two-factor solution as it applies to online banking. It is interesting in that because we use public key cryptography, we can have cryptographically distinct OTP mechanisms within a single client (or across multiple clients of course). We also can perform host authentication for SSL websites, preventing MITM attacks - and we launch the default browser to the correct website, making it easier for the user, which I agree is paramount. You can find more info here:

http://www.wikid.com/two-factor-authentication/industry/antiphishing2_factor/

I’m of the opinion that banks will have to do session, host/mutual, & transaction authentication before long. Seems like it will occur last in the US.