Doubling Up on Passwords Doesn't Stop Cyber-Criminals

Sunday, September 20, 2009 at 09:07 PM EDT

I’ve posted here before about the weaknesses inherent in using passwords for verifying the identity of system users, and about one of the approaches being taken to address those weaknesses: introduction of a second authentication method or device, sometimes called two-factor authentication. One particular method of implementing two-factor authentication uses a small electronic “token”, manufactured by RSA Security (a division of EMC), which generates a new one-time access code every 30 or 60 seconds. To access a system set up in this way, the user enters a User ID and password (“something you know”), and the access code from the token (“something you have”). Neither the password nor the access code alone is sufficient to gain access. Adding the second factor materially improves the security of the system.

Unfortunately, security technology is always involved in an “arms race” between attackers and defenders. According to a recent article in Technology Review, a new series of attacks has been seen that is aimed specifically at this two-factor security scheme.

Online thieves have adapted to this additional security by creating special programs–real-time Trojan horses–that can issue transactions to a bank while the account holder is online, turning the one-time password into a weak link in the financial security chain.

Essentially, the malicious program “listens” for the entry of the security information, and submits its own, fraudulent transactions so that they fall within the time window in which the access code is valid. (Simplifying slightly, the generation of the access code is done using a cryptographic hash function of the User ID, the token serial number, and the time — the token contains a battery-powered clock.) RSA has responded, reasonably enough, that users should not expect the system to protect against all conceivable security risks:

Bedford, MA-based security company RSA, which manufactures a one-time password device known as SecurID®, argues that neither companies nor consumers should rely on any single factor to secure their transactions. Sam Curry, vice president of product marketing for the firm, which is now a division of EMC, says that one-time password technology and other additional security measures can raise the bar against attackers but will not keep them out forever.

The unpleasant reality is that, if an attacker is able to install, or trick the user into installing, software of the attacker’s choice on a machine used for sensitive transactions, the possible defenses are very limited.
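As an added illustration of the time-window problem described above (this is example code, not from the original post and not RSA's implementation), here is a simplified time-based one-time code generator with a server-side verifier in Python. It assumes a per-token secret seed and an HMAC-SHA1 over a 30-second step counter, in the style of RFC 6238; that construction is an assumption for the example, not a description of SecurID's proprietary algorithm, and the seed and timestamps are constructed values. It shows that a code captured and resubmitted inside its 30-second window is accepted by a verifier that only checks the time step, and refused by one that also records the last step it consumed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the token rotates its code every 30 seconds
DIGITS = 6          # displayed code length


def code_for_step(seed: bytes, step: int, digits: int = DIGITS) -> str:
    """Derive the one-time code for one time step.

    Simplified TOTP-style derivation: HMAC-SHA1 over the step counter, then
    dynamic truncation to `digits` decimal digits. `seed` stands in for the
    token's secret (an assumption for this example, not SecurID's algorithm).
    """
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def generate_code(seed: bytes, unix_time: int) -> str:
    """What the token displays at `unix_time`: the code for the current step."""
    return code_for_step(seed, unix_time // STEP_SECONDS)


class TokenVerifier:
    """Server-side check.

    `drift_steps` tolerates clock skew between token and server.
    `last_accepted_step` refuses a second use of any step already consumed,
    so a code captured and resubmitted inside its window is rejected.
    """

    def __init__(self, seed: bytes, drift_steps: int = 1):
        self.seed = seed
        self.drift_steps = drift_steps
        self.last_accepted_step = None

    def verify(self, code: str, unix_time: int) -> bool:
        current_step = unix_time // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = current_step + delta
            # Replay check: never accept a step at or before the last one used.
            if self.last_accepted_step is not None and step <= self.last_accepted_step:
                continue
            if hmac.compare_digest(code_for_step(self.seed, step), code):
                self.last_accepted_step = step
                return True
        return False


def replay_demo() -> dict:
    """Constructed scenario: a legitimate login at t, the same code resubmitted
    15 s later (still inside the 30 s window), and again at the next step."""
    seed = b"constructed-example-seed-not-a-real-token"  # constructed value
    t = 1_000_000_020   # constructed timestamp, exactly on a step boundary
    code = generate_code(seed, t)
    verifier = TokenVerifier(seed)
    return {
        "legit_login": verifier.verify(code, t),                   # True
        "replay_same_window": verifier.verify(code, t + 15),       # False: step consumed
        "replay_next_window": verifier.verify(code, t + 35),       # False: wrong step, and consumed
        "without_reuse_tracking": TokenVerifier(seed).verify(code, t + 15),  # True: window only
    }


if __name__ == "__main__":
    for name, result in replay_demo().items():
        print(f"{name}: {result}")
```

The reuse check closes only the narrow case of a captured code being submitted a second time. Malware running on the user's own machine can instead act inside the session the legitimate login has already opened, which no check on the code itself can detect; that is why the advice below is about the machine rather than the token.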

A few weeks ago, I posted a note on a report by Brian Krebs of the Washington Post that cyber-criminals were focusing their attention on small- and medium-sized businesses, and attempting to steal electronic banking credentials. This more recent attack is another example of that trend. One of the pieces of advice I gave then was:

A sensitive function like money transfer should never be done from a general-purpose PC that may be used for E-mail, browsing, Facebook, online shopping, and goodness knows what else. It should be done using a workstation dedicated to that function, and that workstation should be carefully configured so that only software that is required for that function is installed.

One axiom of the IT industry is worth remembering. There is only one kind of software that never causes a system failure or security compromise: the kind that is not installed.

Technology Review quotes Joe Stewart, director of malware research for security firm SecureWorks of Atlanta, with some very similar advice:

One solution is to use software or a dedicated terminal to ensure that no malicious program can intercept a consumer’s communications with a bank. Consumers who have an old PC or laptop lying around could install the free Linux operating system on the machine and use the machine exclusively for financial transactions.

In my earlier post, I did not specifically mention using Linux for this purpose, but it is something I have recommended to several clients I’ve advised. Linux has a few advantages for this: it’s free; it is much more modular than Windows, so it is easier to remove unneeded components; and it has, in my opinion, a more straightforward and robust security model than Windows. In addition, of course, the bad guys are usually more focused on attacking Windows systems.

Security is a process, not a product; there is no security “silver bullet” that will slay all attackers auto-magically. Careful thought and planning are still vitally important parts of defense.