Authentication has effectively become one of the most highly regarded approaches to identity and access management in the modern market, as the tools negate the need for antiquated password and credential systems that have been found to be simply unsuccessful. Hackers have had a field day stealing login and credential codes from unsuspecting businesses, public sector agencies and consumers, while many still rely on these tools without looking toward a more effective approach.
Still, new protections will undoubtedly face some challenges, and reports have already started to surface regarding attacks that specifically target multi-factor authentication tools. It is important to note here that every authentication solution is not created equal, and the most dynamic, advanced options available will generally provide the greatest protection against threats.
Attack uncovered
Secure ID News recently reported that some banks which have been making the transition away from traditional credential systems and toward two-factor authentication tools are being targeted by middle-man attacks. According to the news provider, a study revealed that online banking portals that use authentication might be at risk of falling victim to a breach because a few components have not been adequately secured.
Interestingly, the researchers decided to call the type of attack taking place Operation Emmental, the source noted, which is a play on a type of cheese containing copious holes.
However, it might not be time to completely rule out the value of authentication tools for online banking platforms, as experts in the industry have spoken out about these types of issues. Citing comments from the report's authors, Secure ID News pointed out that a piece of malware is used to mimic an SSL certificate, then poses as a session token to intercept the text messages which send the real token to the end user.
SecureKey's take on the attack
"Overall, we expect more threats such as this to continue," David Mahdi, director of product marketing at SecureKey, explained. "As banks, and other services add 2-factor authentication, attackers will design their attacks to thwart these defenses. Unfortunately, the options many organizations including banks are offering (such as SMS OTP, and OTP) have known security vulnerabilities. OTPs can be collected at runtime. For instance, when you go to your bank website, the attackers malware can wake up; and if you are pasting in an OTP, either from an SMS code, from a hard-token, or stand-alone app, the attacker could key log the code and get real-time access to the user's account. There is a well known threat 'Eurograbber' which illustrates how SMS OTP is simply not sufficient."
Mahdi went on to elaborate on the other options that are available to avoid these types of issues while still using authentication solutions.
“As banks add authentication, attackers will design attacks to thwart these defenses.”
"The industry needs to move to device-based digital ID with dynamic authentication in addition to having a layered security approach," he added. "By anchoring a user's digital ID in devices they possess (such as smartphones, tablets, etc.), organizations can add a 'what you have' factor in addition to other factors such as a multi-device PIN (similar to an EMV chip + PIN), or, in the near, future biometrics. This approach ultimately offers a simple and secure approach to mitigating threats such as Eurograbber, and the one in question, 'Emmental.'"
At the end of the day, choosing leaders in the authentication arena will often be the best way to avoid falling victim to novel threats such as the Eurograbber and Emmental. With dynamic authentication solutions that can be used for a variety of purposes and processes, companies can better protect against threats before they proliferate.