Man-in-the-Middle Phishing Attack Successful Against Citibank's 2-Factor Token Authentication

On July 10th, 2006, the Washington Post published the first reports of a Man-in-the-Middle Phishing 2.0 attack against Citibank's CitiBusiness(SM) service. The phishing scam, originating in Russia, shows that cyber criminals are integrating multiple attack methods to defeat the latest security measures, such as the One Time Password (OTP) Tokens implemented by banks.

"In my testimony to Congress in 2004, I warned that, as more people become aware of current 'phishing' scams, the cyber criminals often get even more clever, and create new, more sophisticated techniques," said Howard Schmidt, former White House cybersecurity advisor and former Chief Security Officer of eBay and Microsoft.

In 2004, the first wave of "Phishing 1.0" attacks tricked unsuspecting consumers into clicking on links to fake bank websites and giving up their usernames, passwords, and other personal information, leading to financial fraud and identity theft. Phishing 2.0 has evolved to combine traditional phishing 'hooks' with a Man-in-the-Middle attack (in the Citibank case involving a botnet) and URL spoofing. A Phishing 2.0 attack tricks the user into clicking on a link to log in to their bank through the Man-in-the-Middle phishing proxy site. It is actually easier to launch than a traditional Phishing 1.0 scam because the attacker does not need to create and maintain a copy of a fake site. The phisher merely passes through the actual pages from the real website, then steals data or makes changes to transactions automatically using easy-to-write scripts.

"This is a common and predictable attack. As an industry, we need to accept that solutions not incorporating strong client and server authentication cannot survive the Internet. Ten years ago, this was evident with the advent of key SSL mechanisms. It's time to put them to work," said Eric Greenberg, Chief Master Architect for security firm KSR and former leader of Netscape's security group, which originally created SSL.

Since 2004, most banks have responded by implementing one or more security technologies designed to fight traditional Phishing 1.0. In many cases, these security measures have temporarily reduced fraud rates based on their ability to prevent basic Phishing 1.0 techniques. However, these security measures are vulnerable to Phishing 2.0 attacks (see table below):

Security Measure: One Time Password Tokens (including hardware, software, and scratch cards)
How it Works: Users receive a hardware device, paper scratch card or grid card that changes their passcode for every login (in some cases every 30-60 seconds).
Vulnerability to Phishing 2.0: The one time password is passed through by the attacker and used to log in within milliseconds, making even the 30-60 second time period for time-synchronous tokens irrelevant.

________________________________________________________________________

Security Measure: IP Geolocation
How it Works: The website associates the user's account with the geographic location of the computer's IP address.
Vulnerability to Phishing 2.0: The man-in-the-middle proxy server is routed to a local botnet computer located in the same geographic region or ISP as the user's computer.

________________________________________________________________________

Security Measure: Device Fingerprinting
How it Works: The website attempts to create a profile of the device based on information provided by the web browser.
Vulnerability to Phishing 2.0: The browser information is passed through unchanged from the original user's computer. It can also be easily spoofed by the phisher.

________________________________________________________________________

Security Measure: Browser Cookie
How it Works: The website places a browser cookie on the user's computer after the user answers secret questions.
Vulnerability to Phishing 2.0: Due to frequent roaming and cookie deletion, users get accustomed to answering secret questions. The Man in the Middle can trick the user into answering the secret questions at the phisher site and then use those answers to log into the real bank.

________________________________________________________________________

Security Measure: Picture or Text on Website (such as Bank of America's SiteKey(TM))
How it Works: The user selects a personal picture or text phrase that always appears on the login website to assure the customer that they aren't being phished.
Vulnerability to Phishing 2.0: After stealing the secret questions and resetting the cookie as described above, the attacker now also has the picture and text that is unique to the user.

________________________________________________________________________

Security Measure: Virtual Keyboard
How it Works: The user inputs their passcode through a web-based graphical keyboard.
Vulnerability to Phishing 2.0: The user's passcode is stolen after it is entered through the web-based virtual keyboard.

________________________________________________________________________

Security Measure: Phone or Email Out-of-Band Authentication
How it Works: The user enters a code sent to them over the phone or through email.
Vulnerability to Phishing 2.0: Because the user is online performing transactions, when the phone rings with the passcode, the user answers and enters the code into the website. The attacker's proxy site passes the code through, and a script changes the transaction that the code is verifying without the user knowing.

________________________________________________________________________

Security Measure: Knowledge-Based Authentication
How it Works: The user answers a series of personal questions.
Vulnerability to Phishing 2.0: The attacker's man-in-the-middle proxy automatically passes the questions to the user and returns the user's answers to the website (after stealing the answers).

________________________________________________________________________

Why Are These Security Measures Vulnerable?

These measures are vulnerable to Phishing 2.0 attacks for some combination of the following reasons:

-- They rely on weak, easily spoofable information such as HTTP header information or IP geolocation

-- They rely on 'shared secrets' that must be sent over the Internet, where an attacker can get them

-- They use only one-way SSL security (only the website has an SSL certificate) instead of two-way, which is the way SSL was designed to be used

"This is a sad reminder that even the best intended security solution may not remain effective over time. This attack serves as a wake-up call for financial institutions and others who use the Internet to interact with their clients -- it's time to put technically sound user authentication measures in place to prevent this sort of attack," said Rebecca Bace, CEO of Infidel, Inc.

The TriCipher Solution

The TriCipher Armored Credential System(TM) (TACS) would have prevented the CitiBusiness Services Phishing 2.0 attack by protecting the bank's One Time Password Tokens. An attacker attempting to proxy traffic from a user with a TriCipher Armored Credential would cause the user's login to fail -- and the attacker would get no useful information, not even the one time password used.

TACS defeats Phishing 2.0 attacks by removing reliance on shared secrets sent over the Internet and making it possible to use two-way SSL. With two-way SSL, the server knows who is on the other end of the session via a strong digital signature that an attacker can neither use to log himself in nor spoof. This prevents Phishing 2.0: there is no shared secret to intercept and no ability to read or change transactions. With TriCipher Armored Credentials, users are authenticated with proven digital signature techniques made easy by TriCipher's patented technology.
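The following is an added illustration of the two points made above and in the table's OTP row, not Citibank's or TriCipher's code: a relayed one-time password is accepted because the bank's check says only when the code was generated, whereas a proof bound to the identity of the peer the browser is actually connected to fails when that peer is a proxy. It uses only the Python standard library, and the HMAC over the nonce and peer identity is a stand-in for the asymmetric signature a real two-way SSL client certificate produces (a simplification; the server name `bank.example`, the proxy name and the keys are constructed values).

```python
"""Added example, not Citibank's or TriCipher's code. Models the table's OTP row
(a relayed one-time password is accepted because the bank checks only WHEN the
code was generated) against a two-way SSL style login, where the proof covers
the identity of the peer the browser is actually talking to. Stdlib only: HMAC
stands in for the client certificate's asymmetric signature (a simplification)."""
import hashlib, hmac, struct

STEP = 30                # seconds per time step, RFC 6238 default
BANK = b"bank.example"   # constructed server identity the bank verifies against

def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def bank_accepts_otp(secret: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    """Bank-side check over the current step +/- skew_steps. Nothing here says
    WHO typed the code or through WHICH connection it arrived."""
    return any(hmac.compare_digest(totp(secret, now + i * STEP), code)
               for i in range(-skew_steps, skew_steps + 1))

def relayed_otp_accepted(secret: bytes, now: int, relay_delay: float = 0.2) -> bool:
    """User types the code at `now`; the proxy forwards it relay_delay seconds
    later, well inside the 30-60 second window the table describes."""
    code = totp(secret, now)
    return bank_accepts_otp(secret, code, int(now + relay_delay))

def channel_bound_proof(device_key: bytes, nonce: bytes, peer: bytes) -> bytes:
    """Client side: sign the server nonce together with the identity of the peer
    the client is connected to (what a client cert does inside the TLS handshake)."""
    return hmac.new(device_key, nonce + peer, hashlib.sha256).digest()

def bank_verifies_proof(device_key: bytes, nonce: bytes, proof: bytes) -> bool:
    """Bank recomputes over ITS OWN identity, so a proof made toward the proxy fails."""
    return hmac.compare_digest(channel_bound_proof(device_key, nonce, BANK), proof)

def relayed_proof_accepted(device_key: bytes, nonce: bytes = b"constructed-nonce") -> bool:
    """Victim's browser is connected to the phisher's proxy, so it binds to that name."""
    proof = channel_bound_proof(device_key, nonce, b"proxy.phisher.example")
    return bank_verifies_proof(device_key, nonce, proof)

if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 test secret
    print("relayed OTP accepted:  ", relayed_otp_accepted(seed, 1_150_000_000))  # True
    print("relayed proof accepted:", relayed_proof_accepted(b"constructed-key"))  # False
```

The stand-in still shares `device_key` between client and bank; a real client certificate removes even that, since the bank holds only the public key and verifies a signature it could not have produced itself.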

"When we deployed TriCipher's solution over a year ago, it was clear to us that such MITM attacks would start appearing," said Paul Darnell, Chief Operations and IT Director, Advanced Payment Solutions, a pre-eminent leader of general purpose pre-paid cards and payment solutions. "Using a combination of both the more economical PC2 Factor authentication credential, and TriCipher's Armored Token technology, we have protected our business from such attacks whilst preserving our investment in tokens."

The TriCipher Armored Credential System(TM) provides a variety of authentication types from a single system while also protecting security methods already deployed, including:

-- Passwords

-- Browser Cookie

-- Unique Picture & Text

-- Digital Certificates

-- PC 2 Factor & Security Presence Check

-- Hardware Device (USB Key, iPod)

-- Hardware One-Time-Password Token (RSA Security, VeriSign, Vasco)

-- Smart Cards

To log in, the user simply enters their passcode into the bank's website. The TriCipher system performs the steps needed to create a digital signature to log in the user without changing the user experience. As attacks evolve, banks can move the user to stronger security based on risk, ensuring protection against the next wave of attacks with a single authentication infrastructure.

Note: In March of 2005, TriCipher issued a press release announcing the TriCipher Armored Credential System(TM) (TACS) and its ability to prevent Man-in-the-Middle phishing attacks.

http://www.tricipher.com/news/pr062.html

About TriCipher, Inc.

TriCipher, Inc. provides Future Proof Risk Based Authentication. The TriCipher Armored Credential System(TM) (TACS) is the first authentication system that enables companies to deploy and manage multiple types of credentials from a single infrastructure. Through this flexible "Authentication Ladder," TriCipher delivers future proof security -- protecting your investment by enabling authentication strength to adjust in response to new threats and regulatory changes without the need to implement a new infrastructure. In addition, TriCipher delivers risk based authentication -- preventing online fraud through seamless integration with fraud detection systems, secondary authentication systems and the ability to enforce security software presence checks for malware protection. Founded in 2000, TriCipher is headquartered in San Mateo, California. The company was incubated as NSD Security before launching as a separate entity in 2005 with backing from ArrowPath Venture Capital, Intel Capital, Trident Capital, and Wasatch Venture Partners.
