About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Attacking 2FA

By davebirch posted Apr 19 2007 at 10:32 PM

[Dave Birch] Within all of the coverage of Barclays' decision to start issuing 2FA "token authentication" devices to online banking customers (e.g., me) to combat phishing and fraud, a few people pointed out that this kind of 2FA isn't a magic bullet, specifically because of "man in the middle" attacks: a phishing site simply relays the one-time code to the real bank in real time and then uses the resulting authenticated session for its own purposes.  We've discussed this before in the context of token authentication, but the problem extends to many other kinds of 2FA (basically, any 2FA that authenticates only the login session rather than binding each transaction end-to-end between the user's device and the bank).
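As an added illustration (this is example code written for this page, not anything from Barclays, Bank of America or the original post), the following Python simulation shows why a relaying proxy defeats login-only 2FA and what "end-to-end" actually buys you. The login-only token is modelled with a standard RFC 4226 HOTP code; the transaction-bound variant MACs the payee and amount the user keys into the token, so the bank can check the code against the transaction it actually receives. The bank, the phishing proxy, the user names, the secrets and the mule account are all hypothetical.

```python
"""Toy man-in-the-middle (MITM) simulation against two styles of 2FA.

1. Login-only OTP: the token proves "the user is here" but says nothing
   about what the user is trying to do.  A proxy that relays the code to
   the real bank gets an authenticated session and can submit any payment.
2. Transaction-bound code: the token MACs the payment the user keyed in.
   The proxy can still relay the code, but if it alters the payment the
   bank's verification fails.
Everything here (Bank, PhishingProxy, "alice", "mule-account") is invented.
"""
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically
    truncated to `digits` decimal digits (test vector: counter 0 -> 755224)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def transaction_code(secret: bytes, counter: int, payee: str, amount: int) -> str:
    """Transaction-bound code (hypothetical scheme): the MAC covers the payee
    and amount, so a relayed code is only valid for that exact payment."""
    msg = counter.to_bytes(8, "big") + f"{payee}|{amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 8).zfill(8)


class Bank:
    """Minimal bank: per-user token secret and counter, plus a ledger."""

    def __init__(self) -> None:
        self.accounts: dict[str, list] = {}   # user -> [secret, counter]
        self.ledger: list[tuple] = []          # accepted (user, payee, amount)

    def enrol(self, user: str) -> bytes:
        secret = secrets.token_bytes(20)
        self.accounts[user] = [secret, 0]
        return secret  # programmed into the user's token

    # Scheme 1: OTP checked at login only; later requests ride the session.
    def login_with_otp(self, user: str, otp: str):
        secret, counter = self.accounts[user]
        if hmac.compare_digest(hotp(secret, counter), otp):
            self.accounts[user][1] += 1
            return {"user": user}  # session handle
        return None

    def pay_with_session(self, session, payee: str, amount: int) -> bool:
        if session is None:
            return False
        self.ledger.append((session["user"], payee, amount))
        return True

    # Scheme 2: every payment carries a code bound to its own contents.
    def pay_with_signature(self, user: str, payee: str, amount: int, code: str) -> bool:
        secret, counter = self.accounts[user]
        expected = transaction_code(secret, counter, payee, amount)
        if hmac.compare_digest(expected, code):
            self.accounts[user][1] += 1
            self.ledger.append((user, payee, amount))
            return True
        return False


class PhishingProxy:
    """Sits between victim and bank: relays whatever codes it is given, but
    substitutes its own mule account as the payee on the way through."""

    def __init__(self, bank: Bank, mule: str = "mule-account") -> None:
        self.bank, self.mule = bank, mule

    def relay_otp_login_and_pay(self, user: str, otp: str, amount: int) -> bool:
        session = self.bank.login_with_otp(user, otp)  # relayed verbatim, so valid
        return self.bank.pay_with_session(session, self.mule, amount)

    def relay_signed_payment(self, user: str, amount: int, code: str) -> bool:
        return self.bank.pay_with_signature(user, self.mule, amount, code)


def run_demo() -> dict:
    """Victim 'alice' tries to pay 100 to 'landlord' through the proxy under
    both schemes; returns what the attacker achieved in each case."""
    bank = Bank()
    secret = bank.enrol("alice")
    proxy = PhishingProxy(bank)

    # Scheme 1: alice types the OTP from her token into the phishing page.
    otp = hotp(secret, bank.accounts["alice"][1])
    otp_attack = proxy.relay_otp_login_and_pay("alice", otp, 100)

    # Scheme 2: alice keys "landlord", 100 into her token; code is bound to it.
    code = transaction_code(secret, bank.accounts["alice"][1], "landlord", 100)
    signed_attack = proxy.relay_signed_payment("alice", 100, code)
    genuine_ok = bank.pay_with_signature("alice", "landlord", 100, code)

    return {"otp_attack_succeeded": otp_attack,
            "signed_attack_succeeded": signed_attack,
            "genuine_signed_payment_ok": genuine_ok,
            "ledger": list(bank.ledger)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Under scheme 1 the ledger records a payment to the mule account even though the OTP was genuine; under scheme 2 the altered payment is rejected and only the unaltered one clears. The caveat a practitioner should keep in mind is that scheme 2 merely moves the dependency: it is only as good as the user keying the right payee into the token and noticing when the site asks for something different, which is exactly the kind of user behaviour the SiteKey study discussed below puts in doubt.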


A man-in-the-middle attack against Bank of America's SiteKey service reinforces the same point: a proxy that forwards the victim's username to the real bank can fetch the genuine image and display it on the phishing page, so the cue that is supposed to authenticate the site to the user survives the relay intact.  That said, it is not transparently obvious that schemes like this (that show you a picture of your grandmother or whatever when you log in) are particularly effective even without an attacker in the middle.  A study produced jointly by researchers at Harvard and the Massachusetts Institute of Technology looked at the technology in some detail.  Online banking customers are asked to select an image that they will see every time they log in to their account.  The idea is that if customers do not see their image, they could be at a fraudulent site and should not enter their passwords.  The researchers invited bank customers into a controlled environment and asked them to conduct routine online banking activities, but had secretly removed the images.  Of the 60 participants who got that far into the study and whose results could be verified, 58 entered their passwords anyway.  Only two chose not to log on, citing security concerns because of the missing images.

It's boring to keep re-posting the same thing, but we need end-to-end security: this means using tamper-resistant hardware to store digital identities.  What are the barriers?

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.

