About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion


    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.


Two-timing two-factor

By davebirch posted Jul 17 2006 at 8:13 AM

[Dave Birch] A couple of years ago, Steve Pannifer and I wrote a paper about two-factor ("token") authentication pointing out that token authentication wasn't the solution to the general Internet authentication problem but just a first step on one potential roadmap to a solution. One of the reasons we gave was that token authentication is vulnerable to a "man-in-the-middle" (MITM) attack. Now this attack "in the wild" has been reported in the Washington Post.


Citibank are the target of this particular attack. The phishing site asks Citibank customers for a user name and password, as well as the token-generated key. But the site is a MITM: it uses the customer's details and the key to log in to the real Citibusiness site.

Authentication is a critical element in digital identity infrastructure, but it needs to work end-to-end. PKI is one way of doing this (see, for example, the newly-rebranded IdenTrust). I hate to harp on about smart cards, but if your private key never leaves your smart card (or smart thingy of some description), then the messages from the bank can be encrypted and signed all the way to that smart card. A MITM can't use them.

An interesting example of this architecture is the use of Bluetooth smart card readers to provide authentication to other personal devices. This is now being used by the DoD to provide authentication for Crackberrys using CAC cards. We looked at this solution for a client back in 2003 (not for CAC cards but for a commercial solution), but at that time the readers were too expensive for the particular application: so either the costs have come down or the DoD is less price-sensitive than our client was!

The 2004 paper, which provides a useful introduction to EMV-based token authentication, is here: Phishandchips V4.
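To make the difference concrete, here is a small Python model of the two schemes (an added illustration, not code from the original post, from Citibank, or from the Phishandchips paper). It simplifies the smart-card/PKI case to a secret held only by the card and the bank, with HMAC standing in for the card's signature and for the bank's signature on the message it sends; the payees, amounts and message format are constructed for the example. The point it shows is the one above: a token code the customer types in is just a string, so a site in the middle can forward it and the bank accepts it, whereas a message signed by the bank all the way to the card, and answered by the card only over the exact transaction the customer saw, gives a relay nothing it can use.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os
import struct

DIGITS = 1_000_000  # six-digit token codes


def _otp_code(secret: bytes, counter: int) -> str:
    """Event-based token code: six digits derived from the secret and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % DIGITS:06d}"


class Card:
    """Models the token / smart card. The secret never leaves this object."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def otp(self) -> str:
        self._counter += 1
        return _otp_code(self._secret, self._counter)

    def respond(self, msg: bytes, bank_tag: bytes, intended: dict) -> bytes:
        """Check the bank's tag, check the displayed transaction against what the
        customer intended (the card's display plus the customer's approval), then sign."""
        good_tag = hmac.new(self._secret, b"bank|" + msg, hashlib.sha256).digest()
        if not hmac.compare_digest(bank_tag, good_tag):
            raise ValueError("message was not signed by the bank")
        tx = json.loads(msg)
        if (tx["payee"], tx["amount"]) != (intended["payee"], intended["amount"]):
            raise ValueError("displayed transaction is not what the customer asked for")
        return hmac.new(self._secret, b"card|" + msg, hashlib.sha256).digest()


class Bank:
    """Models the bank's authentication server, which holds a copy of the card secret."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0
        self._pending: dict[str, bytes] = {}

    def check_otp(self, code: str, window: int = 3) -> bool:
        # A typed-in code carries no information about who typed it or where.
        for step in range(1, window + 1):
            if hmac.compare_digest(_otp_code(self._secret, self._counter + step), code):
                self._counter += step
                return True
        return False

    def issue_challenge(self, payee: str, amount: int) -> tuple[bytes, bytes]:
        nonce = os.urandom(8).hex()
        msg = json.dumps({"nonce": nonce, "payee": payee, "amount": amount}, sort_keys=True).encode()
        self._pending[nonce] = msg
        return msg, hmac.new(self._secret, b"bank|" + msg, hashlib.sha256).digest()

    def accept_response(self, msg: bytes, response: bytes) -> bool:
        issued = self._pending.pop(json.loads(msg)["nonce"], None)
        if issued != msg:
            return False  # not a transaction this bank issued
        expected = hmac.new(self._secret, b"card|" + msg, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


INTENDED = {"payee": "ACME Ltd", "amount": 1000}  # constructed: what the customer meant to pay
FRAUD = {"payee": "Mule account", "amount": 9000}  # constructed: what a relay would like paid


def relayed_otp_is_accepted() -> bool:
    """Token scheme: the code typed into a look-alike site is forwarded unchanged."""
    secret = os.urandom(32)
    card, bank = Card(secret), Bank(secret)
    code_typed_into_fake_site = card.otp()
    return bank.check_otp(code_typed_into_fake_site)  # the bank cannot tell who sent it


def honest_e2e_flow_is_accepted() -> bool:
    secret = os.urandom(32)
    card, bank = Card(secret), Bank(secret)
    msg, tag = bank.issue_challenge(**INTENDED)
    return bank.accept_response(msg, card.respond(msg, tag, INTENDED))


def relayed_e2e_flow_is_rejected() -> bool:
    """End-to-end scheme: every way of misusing the relayed messages fails."""
    secret = os.urandom(32)
    card, bank = Card(secret), Bank(secret)
    fraud_msg, fraud_tag = bank.issue_challenge(**FRAUD)  # the bank signs what it was asked for
    try:  # 1. forward the bank's message as-is: the card shows the wrong payee
        card.respond(fraud_msg, fraud_tag, INTENDED)
        return False
    except ValueError:
        pass
    spoofed = json.dumps(dict(json.loads(fraud_msg), **INTENDED), sort_keys=True).encode()
    try:  # 2. rewrite the message to what the customer expects: the bank's tag no longer matches
        card.respond(spoofed, fraud_tag, INTENDED)
        return False
    except ValueError:
        pass
    good_msg, good_tag = bank.issue_challenge(**INTENDED)
    response = card.respond(good_msg, good_tag, INTENDED)
    return not bank.accept_response(fraud_msg, response)  # 3. genuine response, wrong transaction
```

The three scenario functions return True in order: the token code is accepted after being forwarded, the honest end-to-end flow is accepted, and none of the relay's options against the end-to-end flow produce a response the bank will accept. The design choice that matters is that the card's answer is bound to the exact message the bank issued and that the customer saw, and that only the card can produce it; encrypting the bank's message to the card's key, as the post suggests, would additionally stop a relay from reading the transaction details, which this model leaves out.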
