Monday, July 18, 2011

The Death of One-Time Passwords?

When Willie Sutton, the prolific US bank robber, was asked by a reporter why he robbed banks, he famously said "because that's where the money is."

A number of institutions have adopted one-time passwords as part of their two-factor authentication defense systems. Banks have instituted mainly SMS OTPs for their online banking. This has been a cost-effective preventative measure against phishing and pharming attacks. But as in every arms race, once the ante is raised, the hackers keep pace with any security development. We have always argued that such measures will only form a short-term solution, and that entities must plan for the looming worst-case scenarios sooner rather than later. With the emergence of a new class of man-in-the-middle attacks that leverage mobile phone operating systems and "talk" with the OS, known as Man-in-the-Phone (sometimes referred to as Man-in-the-Mobile or MitMo) attacks, more online banking users are now being targeted.

Zeus, one of the most successful Man-in-the-Middle malware programs, has now emerged on the Android platform after already targeting the BlackBerry and Symbian OSes. Zeus on the mobile is often referred to as Zitmo. It poses as the trusted bank application Rapport, by Trusteer, and harvests SMS OTPs and Mobile Transaction Authentication Numbers (MTANs), then forwards them to a central server.

We will start to see more and more variants of these malware applications and browser exploits as more institutions use "weak" security on mobile phones. Banks and other entities should take a closer look at adopting challenge-response and transaction data signing if they want to future-proof themselves rather than continue firefighting. The recent security attacks have shown that hackers are the modern-day equivalents of Willie Sutton. There will be more to come.
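To show what challenge-response with transaction data signing changes compared with a plain SMS OTP, here is an added sketch (not from the original post and not any bank's or vendor's implementation): the code the user submits is an HMAC over the server's challenge plus the payee and amount, so a code harvested on the phone cannot authorize a different transfer. It assumes a secret key provisioned in a separate signing device that displays the details to the user; the function names, field layout, key and challenge values are all constructed for illustration.

```python
import hashlib
import hmac

def _encode(*fields: bytes) -> bytes:
    # Length-prefix every field so ("AB", "C") and ("A", "BC") never collide.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def sign_transaction(key: bytes, challenge: bytes, payee: str,
                     amount_cents: int, digits: int = 8) -> str:
    """Short code bound to the server challenge AND the transaction details."""
    msg = _encode(challenge, payee.encode("utf-8"), str(amount_cents).encode())
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation (RFC 4226)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_transaction(key: bytes, challenge: bytes, payee: str,
                       amount_cents: int, code: str) -> bool:
    """Server side: recompute over the transaction it is about to execute."""
    expected = sign_transaction(key, challenge, payee, amount_cents)
    return hmac.compare_digest(expected, code)

# Constructed sample values, for illustration only.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE = b"constructed-challenge-0001"

def demo() -> dict:
    # The user reads payee and amount on the signing device and approves them.
    code = sign_transaction(KEY, CHALLENGE, "ACME Utilities", 12500)
    return {
        "as_approved": verify_transaction(KEY, CHALLENGE, "ACME Utilities", 12500, code),
        # The same code presented with different details is rejected.
        "payee_changed": verify_transaction(KEY, CHALLENGE, "Other Account", 12500, code),
        "amount_changed": verify_transaction(KEY, CHALLENGE, "ACME Utilities", 950000, code),
        # A fresh challenge invalidates a previously issued code.
        "replayed": verify_transaction(KEY, b"constructed-challenge-0002",
                                       "ACME Utilities", 12500, code),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The binding only helps if the user checks the payee and amount on a display the malware does not control, which is why the key lives in a separate device in this sketch.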
