ABN-AMRO has been using disconnected smartcard readers (similar to, for example, Xi-Sign devices) for user authentication for several years, yet recently it was hit with a real-time man-in-the-middle (MiTM) attack, as reported by Finextra.
The bank says that its customers opened an email attachment that resulted in a virus being executed on their machines. This virus changed their browsers' behaviour so when they went to open the real ABN Amro online banking site, they were instead re-directed to a spoof site.
The customers then typed in their passwords, which the attacker in turn used to access the bank's real Web site. The customers' own transactions were passed along to the real site, so they didn't notice anything wrong right away, while the attacker simultaneously made their own fraudulent transactions using the bank's urgent payment feature.
Although there have been previous reports of successful MiTM attacks (Citibank, Amazon, PayPal), no real-time fraudulent transactions had been reported; instead, attackers just used the real-time authentication to convince the user that the web site was genuine and then requested personal and financial details, as in ordinary phishing. Until this incident, it was possible to speculate that this type of attack was still too expensive for phishers to execute, and therefore that the risk was insignificant. Not any more.
The interesting data point is that in the attack against ABN-AMRO only 4 customers were affected (according to another comment, "only 200 people who reacted to the email and only 10 victims (10K euro or more)"). Unfortunately, this demonstrates that no matter how few customers fall victim to a particular scam, the return on investment is high enough to make MiTM a real attack vector today. It might still take some time to become as common as "normal" phishing, because of the required "de-specialisation" of phishing groups, as we have suggested, but it has to be addressed today.
Financial Cryptography also commented:
This was what the European banks were worried about when we reported MITB earlier in 2006. One year later there has been no epidemic, and that gave them time to respond. Hopefully they are ready. Chances are, nobody else has or is. To live in interesting times...
[Not sure why European banks are singled out, given the amount of phishing happening in the US]
The main problem with multi-factor authentication is that it is exactly what its name says: a user session authentication mechanism that establishes a secure connection between a trusted host and a user. What is really needed to mitigate a MiTM attack is transaction verification. If every important action performed by the user is protected by a reliable way of signing off on the transaction, the security risk is minimised: in the worst case, the attacker gets the equivalent of "read-only" access to the data. What does this mean in practice? Once transaction verification is in place, a user can stop worrying about whether their host computer is compromised: even if the attacker has access to their bank account, no funds can be transferred without secure authorisation by the account holder.
There are multiple ways of implementing transaction verification. Some are simple but not reliable, e.g. text messages with the transaction details sent to the user's mobile phone (delivery delays, availability problems and recurring costs). Some are very secure but complex to deploy, e.g. PKI-based solutions. Some are hardly user-friendly, e.g. CAP readers (is having I, M or S as menu options really intuitive?). Although it is not clear which method will become the most widely accepted, it is certain that the current push for 2-factor authentication is not a long-term solution.
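The contrast between session authentication and transaction verification drawn above, as an added example that is not from the original post and not Cronto's own product: a toy Python model in which the disconnected reader holds a per-customer key (assumed here to be a shared HMAC key, with a bank-issued nonce per transfer) and signs only the payee and amount it displays, beside a session-OTP bank that checks nothing per transaction. A trojan that relays the customer's traffic can inject its own transfer under the session model, but can neither alter nor add a transfer under the transaction-signing model.

```python
import hmac, hashlib

# Constructed demo key: shared only by the bank and the customer's disconnected signing
# device; the (possibly trojaned) host PC, and so the MiTM, never sees it.
DEVICE_KEY = b"per-customer-device-key-demo"

def canonical(tx):
    """Deterministic encoding of exactly the fields the device shows the customer."""
    return f"{tx['payee']}|{tx['amount_cents']}|{tx['nonce']}".encode()

def device_sign(tx, key=DEVICE_KEY):
    """Runs on the reader: signs only what was displayed (truncated so it can be typed)."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()[:8]

class BankSessionAuth:
    """2FA as session authentication: one valid OTP unlocks every later transaction."""
    def __init__(self):
        self.session_ok = False
    def login(self, otp, expected_otp):
        self.session_ok = hmac.compare_digest(otp, expected_otp)
    def submit(self, tx):
        return self.session_ok               # no per-transaction check at all

class BankTxSigning:
    """Transaction verification: each transfer carries a signature over its own details."""
    def __init__(self):
        self.used_nonces = set()
    def submit(self, tx, sig):
        if tx["nonce"] in self.used_nonces:                 # replay of a signed transfer
            return False
        if not hmac.compare_digest(sig, device_sign(tx)):   # details differ from what was signed
            return False
        self.used_nonces.add(tx["nonce"])
        return True

def run_mitm_scenario():
    """MiTM relays the customer's transfer and tries to add or alter one (nonces are bank-issued)."""
    user_tx = {"payee": "landlord", "amount_cents": 50_000, "nonce": "c1"}
    attacker_tx = {"payee": "mule account", "amount_cents": 1_000_000, "nonce": "c2"}
    session = BankSessionAuth()          # session model: relay the real OTP, then inject
    session.login("123456", "123456")
    session.submit(user_tx)
    injected = session.submit(attacker_tx)
    bank = BankTxSigning()               # transaction model: attacker only has the typed code
    sig = device_sign(user_tx)
    altered = bank.submit(dict(user_tx, payee="mule account"), sig)   # payee swapped in flight
    legit = bank.submit(user_tx, sig)
    forged = bank.submit(attacker_tx, sig)                             # code reused elsewhere
    return {"injected": injected, "altered": altered, "legit": legit, "forged": forged}
```

The model deliberately ignores how the signing code reaches the bank (typed by the customer in the ABN-AMRO style, or carried by a connected device); what matters is that the code binds the payee and amount the customer actually saw.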
As Barclays is preparing to roll out disconnected readers to its 1.6m customers, perhaps they should at least look at how exactly the same approach was compromised in the ABN-AMRO case. Chances are they will. Would it change their plans? I doubt it. For better or worse, yet another massive user trial of a 2FA solution is about to begin, so we shall see...
Securing personal financial transactions online and all that comes with it: trojans and man-in-the-browser, e-banking and e-commerce, usability and scalability. By Igor Drokov, Elena Punskaya et al. at Cronto - the inventor of Visual Transaction Signing.
