Monday, July 18, 2011

The Death of One-Time Passwords?

When Willie Sutton, the prolific US bank robber, was asked by a reporter on why he robbed banks he famously said "because that's where the money is."

A number of institutions have adopted one-time passwords as part of their two-factor authentication defense systems. Banks have instituted mainly SMS OTPs for their online banking. This has been a cost-effective preventative measure against phishing and pharming attacks. But as in every arms race, once the ante is raised, the hackers keep pace with any security development. We have always argued that such measures will only form a short-term solution, and that entities must plan for the looming worst case scenarios, sooner rather than later. With the emergence of a new class of man-in-the-middle attacks that leverage mobile phone operating systems and "talk" with the OS, the Man-in-the-Phone (sometimes referred as Man-in-the-Mobile or MitMo attacks), more online banking users are being targeted now.

Zeus, one of the most successful Man-in-the-Middle malware programs, has now emerged on the Android platform after already targeting the BlackBerry and Symbian OSes. Zeus on the mobile is often referred to as Zitmo. It poses as the trusted bank application Rapport, by Trusteer, and harvests SMS OTPs and Mobile Transaction Authentication Numbers (MTANs), then forwards them to a central server.

We will start to see more and more variants of these malware applications and browser exploits as more institutions use "weak" security on mobile phones. Banks and other entities should take a closer look at adopting challenge-response and transaction data signing if they want to futureproof themselves rather than continue firefighting. The recent security attacks have shown that hackers are the modern day equivalents of Willie Suttons. There will be more to come.

No comments:

Post a Comment