Wednesday, July 19, 2006

Token-based security cracked

Two-factor security tokens have always been thought of as the solution to password security woes. But now history has been made with man-in-the-middle attacks being used for the first time to circumvent token security being rolled out by banks at huge costs.

Over the past few weeks, approximately 35 phishing Web sites have been set up that use the new attack. They attempt to trick users into divulging the temporary passwords created by the security token devices used by banks such as Citigroup Inc. Phishers have only recently begun looking for ways around token authentication, using what is known as a "man-in-the-middle" attack.

These attacks are worrisome because they took advantage, fairly early on, of a system that's seen as enhancing security for banking customers. Token devices are used to create a temporary second password for online banking customers. These passwords are valid for a very short period of time and can be used only once, making it impossible for attackers to steal them for later use. U.S. banks have been offering the tokens to users in an effort to comply with federal guidelines that call for stronger, two-factor authentication for online transactions by year's end.

Security experts had predicted that phishers would eventually use a man-in-the-middle attack to circumvent token-based authentication, but these recent attacks mark the first time they have actually done so.

CATEGORIES : 1identity theft, 1tokens, 1id management, 1banking, 1passwords
Rate this post: (Provided by NewsGator)

0 Comments:

Post a Comment

<< Home