[Dave Birch] Within all of the coverage of Barclays decision to start issuing 2FA "token authentication" devices to online banking customers (eg, me) to combat phishing and fraud, there were a few people pointing out that this kind of 2FA isn't a magic bullet, specifically because of "man in the middle" attacks.  We've discussed this before in the context of token authentication, but the problem extends to many other kinds of 2FA (basically, any 2FA that doesn't implement end-to-end encryption).

Technorati Tags: identity

A man-in-the-middle attack against Bank of America's SiteKey service reinforces the same point, although it has to be noted that it is not transparently obvious that schemes like this (that show you pictures of your grandmother or whatever when you log in) are particularly effective.  A study produced jointly by researchers at Harvard and the Massachusetts Institute of Technology looked at the technology in some detail.  Online banking customers are asked to select an image that they will see every time they log in to their account.  The idea is that if customers do not see their image, they could be at a fraudulent site and should not enter their passwords.  The researchers invited bank customers into a controlled environment and asked them to conduct routine online banking activities.  But the researchers had secretly withdrawn the images.  Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns because of the missing images.

It's boring to keep re-posting the same thing, but we need end-to-end security: this means use tamper-resistant hardware to store digital identities.  What are the barriers?

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]