Sunday, January 14, 2007

Real Time MITM for OTPs is Now Real

This had been predicted for a long time, but it's finely become an automated attack rather than a lab simulation. There was an article in Finextra this week about Man-In-The-Middle (MITM) phishing kits for sale on the web.

Authentication credentials are stolen through a phishing site, usually from a link in a spam e-mail. The kit sets up a phony URL that communicates with both the user and the real company's web site. As with other phishing attacks, the user is asked to enter their log in credentials, whatever they may be -- user ID, password and even One-Time Password (OTP) token value.

The difference here is that the attack simultaneously and automatically logs onto the real web site, authenticates with the right credentials and allows the attacker -- the MITM -- to access the user's account and steal funds. Before, phishing sites just gathered static credentials for later use by criminals.

The other danger is that the kit is generic yet customizable, so a crook has a base to work with but can tailor make it for any target financial institution. It can also be customized to gather all authentication credentials, not just a user ID and password.

I wrote an article for TechTarget about OTP best practices in September of last year. I mentioned a recent MITM attack against tokens but also cautioned that this was an isolated instance. I said the real danger was when these things become both real time and automated. That time has now arrived.

Bruce Schneier first warned about MITM attacks against OTPs in his now famous post in 2005 and then again last year after an attack.


Post a Comment

<< Home