Monday, July 21, 2008

Interesting Authentication Questions

People ask me security questions on a daily basis. I’d like to share some of those conversations with you all. Here are a few interesting recent questions I’ve received.

Q1: Some security researchers claim that mutual authentication solutions are vulnerable to "Man in the Middle" attacks. I'm wondering if OAAM could also be compromised this way, or if you have other safeguards that make it stronger. Check out this article: http://news.cnet.com/8301-10784_3-9776757-7.html

A1: Yes, this particular MITM discussion comes up whenever a security person attends an OAAM presentation. The basic issue is that a shared-secret solution, such as the personalization features of the OAAM virtual devices (image, phrase and time stamp), is intended to combat mass phishing attacks, not MITM. That is not a deficiency as long as the solution does not stop there. Fortunately this is not an issue for OAAM, because personalization is only one small feature of the product, as opposed to some other products that make mutual authentication their primary feature. Personalization serves its purpose, but to stop MITM other OAAM features are needed. To illustrate how OAAM can prevent MITM, here is an example scenario. I'm using banking for the example because many MITM attacks focus on banking applications, but this could be extended to any type of application.

For example: the MyBank banking site allows its customers to do money transfers online. Money transfers are a favorite target of MITM attacks. Generally a MITM attack waits for a user to log in and submit a transfer request. At that moment the malicious software alters the receiving account number and dollar amount before the request reaches the bank application, which lets the attacker transfer money to their own account. One simple way to stop this is to protect the receiving ("to") account number so it cannot be altered.

A user flow might go as follows:

1. User logs in successfully

2. User navigates to the transfer page

3. User selects the account to transfer from

4. User enters the transfer receiving account number using a PinPad virtual device

5. User enters the dollar amount and clicks submit

Since the receiving account number is not sent over the wire in an understandable form, it cannot be altered by the MITM, so the fraud is prevented.
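To make the flow above concrete, here is an added Python model of a per-session PinPad mapping. It is my own illustration, not OAAM code; the session layout, account numbers and the intermediary's substitution are constructed for the example. The browser submits only pad positions, and only the server holds the randomized layout that turns positions back into digits.

```python
import secrets
import string

DIGITS = string.digits


def new_pinpad_layout(rng=secrets.SystemRandom()):
    """Return a fresh, randomly ordered list of the ten digits.

    Position i on the rendered pad shows digit layout[i]. A new layout is
    generated per session or transaction and is kept only on the server.
    """
    digits = list(DIGITS)
    rng.shuffle(digits)
    return digits


def encode_clicks(layout, account_number):
    """Model the user's clicks: the browser sends pad positions, not digits."""
    return [layout.index(d) for d in account_number]


def decode_clicks(layout, positions):
    """Server side: map submitted positions back to digits with the layout
    issued for this session, then bind the result to the authenticated user."""
    return "".join(layout[p] for p in positions)


# Constructed session layout; in practice it comes from new_pinpad_layout().
SESSION_LAYOUT = list("3810592476")


def transfer_round_trip(account_number):
    """Legitimate flow: user clicks positions, server recovers the number."""
    clicks = encode_clicks(SESSION_LAYOUT, account_number)
    return decode_clicks(SESSION_LAYOUT, clicks)


def tampered_transfer(attacker_account):
    """An intermediary that does not know this session's layout swaps in the
    positions that would spell its own account on a standard 0-9 pad.
    The server decodes those positions with the real layout instead."""
    guessed_positions = [int(d) for d in attacker_account]
    return decode_clicks(SESSION_LAYOUT, guessed_positions)
```

The decoded number is what the server acts on, so an intermediary that cannot read the per-session layout cannot steer the transfer to an account of its choosing; per digit it has a one-in-ten chance.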

In addition to this, of course, the Adaptive Risk Manager is watching for anomalies in behavior to detect MITM and other types of attacks while they are being attempted.

Q2: I've seen a number of interesting new authentication products. One in particular uses categories of images mapped to characters that are used in the creation of a one-time-use password. The user memorizes categories, then matches images shown to those categories, then figures out what their OTP is, then authenticates with it. Will OAAM include similar methods in future releases?

A2: There are many unique attempts at authentication solutions. Over the last few years we have developed and experimented with many different approaches in our labs. Some have worked and others have not been as successful. In my experience, solutions with an overly complex user experience, such as the one you describe, will have a lot of user issues resulting in costly call center activity. This is why even the most technically complex OAAM virtual authentication devices are easy to operate. An important concept to keep in mind when thinking through these issues is that authentication alone is not enough to stop sophisticated attacks such as MITM. Even traditional strong authentication methods such as hardware tokens and biometrics, working alone, cannot stop MITM. Notice that many of the authentication-only products do not say they can stop MITM. They say things like "man in the middle attacks are hindered". I'm not sure what that means, but their solution won't stop the scenario I describe above. This is precisely the reason we developed both components of OAAM to be a complete solution.

Q3: What is your take on CAPTCHAs? I was just reading an article on just how compromised they have become:

http://www.computerworld.com.au/index.php/id;489635775

But I was intrigued by a link in the article to a 3-D based CAPTCHA that may prove invulnerable to the bots (for now).

http://spamfizzle.com/CAPTCHA.aspx

A3: The 3D CAPTCHA is an interesting take on the idea. The purpose of a CAPTCHA, of course, is to prevent navigation of a process by automated means such as a bot. OAAM virtual devices actually offer CAPTCHA-like capabilities, but from the opposite direction. A CAPTCHA attempts to prevent a bot from "reading" a temporary code by hiding it in a 2D or 3D image. A KeyPad or PinPad virtual device prevents a bot from entering a credential or code, because the automated process does not know how to figure out where the keys are in the image or how to navigate a mouse to click on them. We actually have a customer that is using the PinPad virtual device in the classic role of a CAPTCHA, to secure their new account registrations. Most customers, however, get this capability as part of the total solution and don't even think about it in these terms. Of course the most powerful way to stop automated bot-type activity is a complete solution that includes use of the virtual devices, multifactor authentication and risk analytics.
