TriCipher Press Releases

Man-in-the-Middle Phishing Attack Successful Against Citibank’s 2-Factor Token Authentication

TriCipher Defeats New Wave of “Phishing 2.0” Attacks

SAN MATEO, CA – July 12, 2006 – On July 10th, 2006, the Washington Post carried the first reports of a Man-in-the-Middle Phishing 2.0 attack against CitiBank’s CitiBusiness℠ service. The phishing scam, originating in Russia, shows that cyber criminals are integrating multiple attack methods to defeat the latest security measures, such as the One Time Password (OTP) Tokens implemented by banks.

“In my testimony to Congress in 2004, I warned that, as more people become aware of current ‘phishing’ scams, the cyber criminals often get even more clever, and create new, more sophisticated techniques,” said Howard Schmidt, former White House cybersecurity advisor and former Chief Security Officer of eBay and Microsoft.

In 2004, the first wave of “Phishing 1.0” attacks tricked unsuspecting consumers into clicking on links to fake bank websites and giving up their usernames, passwords, and other personal information leading to financial fraud and identity theft. Phishing 2.0 has evolved to combine traditional Phishing ‘hooks’ with a Man-in-the-Middle attack (in the Citibank case involving a botnet), and URL spoofing. A Phishing 2.0 attack tricks the user into clicking on a link to login to their bank through the Man-in-the-Middle phishing proxy site. It is actually easier to launch than traditional Phishing 1.0 scams because the attacker does not need to create and maintain a copy of a fake site. The phisher merely passes through the actual pages from the real web site, then steals data or makes changes to transactions automatically using easy-to-write scripts.

"This is a common and predictable attack. As an industry, we need to accept that solutions not incorporating strong client and server authentication cannot survive the Internet. Ten years ago, this was evident with the advent of key SSL mechanisms. It's time to put them to work," said Eric Greenberg, Chief Master Architect for security firm KSR and former leader of Netscape's security group, which originally created SSL.

Since 2004, most banks have responded by implementing one or more security technologies designed to fight traditional Phishing 1.0. In many cases, these security measures have temporarily reduced fraud rates based on their ability to prevent basic Phishing 1.0 techniques. However, these security measures are vulnerable to Phishing 2.0 attacks (see table below):

Security Measure: One Time Password Tokens (Including Hardware, Software, and Scratch Cards)
  How it Works: Users receive a hardware device, paper scratch card or grid card that changes their passcode for every login (in some cases every 30-60 seconds).
  Vulnerability to Phishing 2.0: The one time password is passed through by the attacker and used to login within milliseconds, making even the 30-60 second time period for time synchronous tokens irrelevant.

Security Measure: IP Geolocation
  How it Works: The website associates the user’s account with the geographic location of the IP address.
  Vulnerability to Phishing 2.0: The Man-in-the-Middle proxy server is routed through a local botnet computer located in the same geographic region or ISP as the user’s computer.

Security Measure: Device Fingerprinting
  How it Works: The website attempts to create a profile of the device based on information provided by the web browser.
  Vulnerability to Phishing 2.0: The browser information is passed through unchanged from the original user’s computer. This can also be easily spoofed by the phisher.

Security Measure: Browser Cookie
  How it Works: The website places a browser cookie on the user’s computer after the user answers secret questions.
  Vulnerability to Phishing 2.0: Due to frequent roaming and cookie deletion, users get accustomed to answering secret questions. The Man-in-the-Middle can trick the user into answering the secret questions at the phisher site and then use those answers to log into the real bank.

Security Measure: Picture or Text on Website (such as Bank of America’s SiteKey)
  How it Works: The user selects a personal picture or text phrase that always appears on the login website to assure the customer that they aren’t being phished.
  Vulnerability to Phishing 2.0: After stealing the secret questions and resetting the cookie as described above, the attacker now also has the picture and text that is unique to the user.

Security Measure: Virtual Keyboard
  How it Works: The user inputs their passcode through a web-based graphical keyboard.
  Vulnerability to Phishing 2.0: The user’s passcode is stolen after it is entered through the web-based virtual keyboard.

Security Measure: Phone or Email Out-of-Band Authentication
  How it Works: The user enters a code sent to them over the phone or through email.
  Vulnerability to Phishing 2.0: Because the user is online performing transactions, when the phone rings with the passcode, the user answers and enters the code into the website. The attacker’s proxy site passes the code through, and a script changes the transaction that the code is verifying without the user knowing.

Security Measure: Knowledge-Based Authentication
  How it Works: The user answers a series of personal questions.
  Vulnerability to Phishing 2.0: The attacker’s Man-in-the-Middle proxy automatically passes the questions to the user and returns the user’s answers to the web site (after stealing the answers).

Why Are These Security Measures Vulnerable?
These measures are vulnerable to Phishing 2.0 attacks for some combination of the following reasons:

  • They rely on weak, easily spoofable information such as HTTP header information or IP geolocation
  • They rely on ‘shared secrets’ that must be sent over the Internet where an attacker can get them
  • They use only one-way SSL security (only the website has an SSL certificate) instead of two-way, which is the way SSL was designed to be used

"This is a sad reminder that even the best intended security solution may not remain effective over time. This attack serves as a wakeup call for financial institutions and others who use the Internet to interact with their clients - it's time to put technically sound user authentication measures in place to prevent this sort of attack," said Rebecca Bace, CEO of Infidel, Inc.

The TriCipher Solution
The TriCipher Armored Credential System™ (TACS) would have prevented the CitiBusiness Services Phishing 2.0 attack by protecting their One Time Password Tokens. An attacker attempting to proxy traffic from a user with a TriCipher Armored Credential would cause the user’s login to fail – and the attacker would get no useful information, not even the one time password used.

TACS defeats Phishing 2.0 attacks by removing reliance on shared secrets sent over the Internet and making it possible to use 2-way SSL. With two-way SSL, the server knows who’s on the other end of the session via a strong digital signature that an attacker can’t use to log himself in and can’t spoof. This prevents Phishing 2.0 – no shared secret to intercept and no ability to read or change transactions. With TriCipher Armored Credentials, users are authenticated with proven digital signature techniques made easy by TriCipher’s patented technology.
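To make the contrast concrete, here is an added Python model (not TriCipher code and not part of the release) of the two flows the table and the paragraph above describe: a relayed one-time password versus a login that signs a server nonce together with the client's own session identity. It assumes HMAC under a key only the user's credential holds as a stand-in for the public-key signature, and random hex strings as stand-ins for TLS session identities.

```python
import hashlib
import hmac
import secrets

# Constructed model of the two login flows the release contrasts: a relayed
# one-time password versus a signature bound to the client's own TLS session.
# ASSUMPTION: HMAC under a key that only the user's credential holds stands in
# for the public-key signature the release describes (not TriCipher code).

def otp_for(seed: bytes, time_step: int) -> str:
    """Time-synchronous OTP: a short code derived from a shared seed."""
    return hmac.new(seed, str(time_step).encode(), hashlib.sha256).hexdigest()[:6]

def sign(key: bytes, nonce: str, session_id: str) -> str:
    """The credential signs the server nonce together with the session it is in."""
    return hmac.new(key, f"{nonce}|{session_id}".encode(), hashlib.sha256).hexdigest()

class Bank:
    def __init__(self, user: str, otp_seed: bytes, verify_key: bytes):
        self.user, self.otp_seed, self.verify_key = user, otp_seed, verify_key
        self.pending = {}  # session_id -> nonce issued on that session

    def login_otp(self, otp: str, time_step: int) -> bool:
        # Whoever presents a fresh OTP is accepted: the code itself is the proof.
        return hmac.compare_digest(otp, otp_for(self.otp_seed, time_step))

    def challenge(self, session_id: str) -> str:
        self.pending[session_id] = secrets.token_hex(8)
        return self.pending[session_id]

    def login_signed(self, session_id: str, signature: str) -> bool:
        # The proof must cover the nonce AND the session the bank actually sees.
        expected = sign(self.verify_key, self.pending.pop(session_id), session_id)
        return hmac.compare_digest(signature, expected)

def otp_login_via_proxy(bank: Bank, seed: bytes, time_step: int) -> bool:
    """Phishing 2.0: the proxy relays the user's fresh OTP within the time window."""
    relayed_otp = otp_for(seed, time_step)  # the user typed it into the proxy's page
    return bank.login_otp(relayed_otp, time_step)

def signed_login(bank: Bank, key: bytes, via_proxy: bool) -> bool:
    """Two-way SSL model: the user signs for the session it is really on."""
    bank_session = secrets.token_hex(8)             # proxy<->bank, or user<->bank
    user_session = secrets.token_hex(8) if via_proxy else bank_session
    nonce = bank.challenge(bank_session)            # a proxy forwards the nonce unchanged
    signature = sign(key, nonce, user_session)      # covers the user's own session only
    return bank.login_signed(bank_session, signature)
```

With a proxy in the path the user's signature names a session the bank never opened, so the relayed proof fails and the proxy learns nothing it can reuse.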

“When we deployed TriCipher’s solution over a year ago, it was clear to us that such Man-in-the-Middle attacks would start appearing,” said Paul Darnell, Chief Operations and IT Director, Advanced Payment Solutions, a pre-eminent leader of general purpose pre-paid cards and payment solutions. “Using a combination of both the more economical PC2 Factor authentication credential, and TriCipher’s Armored Token technology, we have protected our business from such attacks whilst preserving our investment in tokens.”

The TriCipher Armored Credential System provides a variety of authentication types from a single system while also protecting security methods already deployed, including:

  • Passwords
  • Browser Cookie
  • Unique Picture & Text
  • Digital Certificates
  • PC 2 Factor & Security Presence Check
  • Hardware Device (USB Key, iPod)
  • Hardware One-Time-Password Token (RSA Security, Verisign, Vasco)
  • Smart Cards

To login, the user simply enters their passcode into the bank’s website. The TriCipher system performs the steps needed to create a digital signature to log in the user without changing the user experience. As attacks evolve, banks can move the user to stronger security based on risk, ensuring protection against the next wave of attacks with a single authentication infrastructure.

Note: In March of 2005, TriCipher issued a press release announcing the TriCipher Armored Credential System (TACS) and its ability to prevent Man-in-the-Middle Phishing attacks.
http://www.tricipher.com/news/pr062.html

About TriCipher, Inc.
TriCipher, Inc. provides Future Proof Risk Based Authentication. The TriCipher Armored Credential System™ (TACS) is the first authentication system that enables companies to deploy and manage multiple types of credentials from a single infrastructure. Through this flexible "Authentication Ladder," TriCipher delivers future proof security – protecting your investment by enabling authentication strength to adjust in response to new threats and regulatory changes without the need to implement a new infrastructure. In addition, TriCipher delivers risk based authentication - preventing online fraud through seamless integration with fraud detection systems, secondary authentication systems and the ability to enforce security software presence checks for malware protection. Founded in 2000, TriCipher is headquartered in San Mateo, California. The company was incubated as NSD Security before launching as a separate entity in 2005 with backing from ArrowPath Venture Capital, Intel Capital, Trident Capital, and Wasatch Venture Partners.

# # #

Sally Sheward
TriCipher, Inc.
sally@tricipher.com
(650) 372-1312

Elizabeth Safran
Trainer Communications
tc@trainercomm.com
408-920-0585


Copyright © 2008, TriCipher, Inc.
TriCipher, Armored Credential, and Armored Credential System are either registered trademarks or trademarks of TriCipher, Inc. in the United States and/or other countries. All other trademarks are the property of their respective owners. FIPS 140-2 Validation is a Certification Mark of NIST, which does not imply product endorsement by NIST, the U.S. or Canadian Governments. Identrust, Identrust Compliant, and the Identrust Compliant logo are trademarks and service marks of Identrus LLC.