Citibank Hardware Tokens Defeated: The Beginning of the End

A long-predicted weakness of hardware-token-based multi-factor authentication has now been successfully exploited against Citibank, marking, in the view of this publication, the beginning of the end for the small security devices.

(AllPayNews) August 10, 2006 -- Media sources around the world began reporting last week on a series of phishing attacks against Citibank business customers. See: http://www.techweb.com/wire/security/190400329

Normally, phishing attacks against a financial institution as large as Citibank would gain little attention; such attacks occur almost daily. These attacks, however, exploited a weakness of hardware tokens that security experts had long predicted: the "man-in-the-middle" attack, in which the attacker sits between the customer and the genuine site and passes the customer's credentials through in real time.

In a textbook example of a "man-in-the-middle" attack, Citibank business customers were lured to dozens of counterfeit websites located in Russia, where they were prompted to supply their token-generated passwords and other credentials. The counterfeit websites then swiftly forwarded the solicited credentials to the genuine Citibank website, where they were used to access the accounts. Speed is the whole trick: a token-generated code is only valid for a short window, so the counterfeit site must relay it before it expires, but nothing in the code tells the bank that it was typed into the wrong site, and nothing in the token tells the customer which site they are talking to.

In the wake of the failure of hardware tokens to protect Citibank’s customers from attack, the U.S. financial industry is now questioning its headlong rush to implement the small security devices and many banking managers are putting the brakes on implementation plans or are looking for ways out of existing vendor agreements. Managers who stubbornly championed the hardware token approach to banking superiors are now dusting off their resumes in anticipation of the fallout.

VULNERABILITY NO SURPRISE TO SECURITY EXPERTS
Security experts have long warned against relying on the small hardware devices, citing their vulnerability to man-in-the-middle attacks, their unpopularity with consumers, and their inability to perform website authentication as recommended by federal regulators.

"While this might sound shocking to the financial industry since we haven't seen too many of these attacks, the theory of the attack and the risk have certainly been well understood within the security community," wrote SANS Internet Storm Center handler Jason Lam in the days following the attack.

"Hardware tokens are incapable of performing website authentication," agrees Sestus Data Corporation CEO Taun Willis, "and website authentication is absolutely critical to preventing phishing attacks. Regulators have been saying this for years but the banking industry just hasn’t been listening."

FFIEC AND FDIC WARNINGS IGNORED
On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued its guidance "Authentication in an Internet Banking Environment" for banks and financial institutions, clarifying its expectations for combating the growing problem of phishing and identity theft and chastising financial institutions for failing to "authenticate their web sites to customers".

The FFIEC's warnings came on the heels of a December 2004 FDIC report, "Putting an End to Account-Hijacking Identity Theft", in which that agency also identified the lack of "website authentication" as a root cause of the current phishing and account-hijacking problem.

Hardware tokens are incapable of authenticating websites to customers, being designed for the reverse action: authenticating customers to websites. The code a token displays is computed from a secret shared only with the bank, which proves that whoever types it holds the token. It says nothing about where it is being typed, so a site that obtains the code from the customer can present it to the bank as its own.
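The relay described above, reduced to a runnable simulation. This is an added example and is not code from the page, from Citibank or from any vendor named here; all sites, secrets and the timestamp are constructed for the illustration. The first half shows a one-time-password token (HOTP per RFC 4226, driven by a time counter) and a counterfeit site that forwards the customer's code to the genuine bank, which accepts it as long as the forwarding is quick. The second half goes beyond the page: it shows the general fix the page only gestures at, a challenge-response in which the customer's client software mixes the origin it actually connected to into the response, so a response obtained on phish.example fails at bank.example. That origin binding is the design later standardised by FIDO/WebAuthn; it is an assumption for illustration here and is not a description of PhishCops(tm), whose mechanism the page does not explain.

```python
"""Added simulation (not the page's own code): OTP tokens versus a real-time relay,
and an origin-bound challenge/response that the same relay cannot pass.
All secrets, origins and the timestamp below are constructed for the example."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """Time-based variant: the HOTP counter is the current 30-second window."""
    return hotp(secret, now // step)


class Bank:
    """The genuine site. Holds each customer's password and token seed."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}  # username -> (password, token seed)

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        self.users[user] = (password, seed)

    def login_with_otp(self, user: str, password: str, otp: str, now: int) -> bool:
        """Accept the code for the current or the previous time step (clock drift)."""
        pw, seed = self.users[user]
        if pw != password:
            return False
        return any(hmac.compare_digest(otp, totp(seed, now - d)) for d in (0, 30))

    def challenge(self) -> bytes:
        return b"\x9a\x11\x42\x07"  # constructed; a real server draws a fresh random nonce

    def login_origin_bound(self, user: str, password: str, challenge: bytes, response: bytes) -> bool:
        """Verify an HMAC over (the bank's own origin || challenge) under the token seed."""
        pw, seed = self.users[user]
        if pw != password:
            return False
        expected = hmac.new(seed, self.origin.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Customer:
    """The victim. The token only knows its seed; the client software knows the origin it visited."""

    def __init__(self, user: str, password: str, seed: bytes):
        self.user, self.password, self.seed = user, password, seed

    def read_token(self, now: int) -> str:
        return totp(self.seed, now)

    def respond(self, origin_seen: str, challenge: bytes) -> bytes:
        # The client binds the response to the origin it is actually talking to.
        return hmac.new(self.seed, origin_seen.encode() + challenge, hashlib.sha256).digest()


class PhishingSite:
    """Counterfeit site that relays whatever the victim enters to the real bank."""

    def __init__(self, origin: str, bank: Bank):
        self.origin, self.bank = origin, bank

    def lure_otp(self, victim: Customer, now: int, delay: int = 0) -> bool:
        otp = victim.read_token(now)  # victim types the code into the fake page
        return self.bank.login_with_otp(victim.user, victim.password, otp, now + delay)

    def lure_origin_bound(self, victim: Customer) -> bool:
        challenge = self.bank.challenge()  # fetched from the real bank and passed through
        response = victim.respond(self.origin, challenge)  # victim answers on phish.example
        return self.bank.login_origin_bound(victim.user, victim.password, challenge, response)


SEED = b"constructed-token-seed-0001"
NOW = 1_155_168_000  # constructed timestamp: 2006-08-10 00:00:00 UTC


def setup():
    bank = Bank("bank.example")
    victim = Customer("alice", "correct horse", SEED)
    bank.enroll(victim.user, victim.password, victim.seed)
    return bank, victim


def legitimate_otp_login() -> bool:
    bank, victim = setup()
    return bank.login_with_otp(victim.user, victim.password, victim.read_token(NOW), NOW)


def otp_relay_attack(delay: int = 0) -> bool:
    """True means the bank accepted the relayed code; a slow relay (delay > window) fails."""
    bank, victim = setup()
    return PhishingSite("phish.example", bank).lure_otp(victim, NOW, delay)


def legitimate_origin_bound_login() -> bool:
    bank, victim = setup()
    c = bank.challenge()
    return bank.login_origin_bound(victim.user, victim.password, c, victim.respond(bank.origin, c))


def origin_bound_relay_attack() -> bool:
    """False means the relayed response was rejected: the MAC covers the wrong origin."""
    bank, victim = setup()
    return PhishingSite("phish.example", bank).lure_origin_bound(victim)


if __name__ == "__main__":
    print("OTP relayed immediately, accepted:", otp_relay_attack())
    print("OTP relayed 120 s late, accepted: ", otp_relay_attack(delay=120))
    print("origin-bound relay accepted:      ", origin_bound_relay_attack())
```

Note that the origin-bound case depends on the client software, not the token, supplying the origin: the bank recomputes the MAC over its own origin, so a response minted for phish.example can never match, no matter how fast it is forwarded.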

Unfortunately for Citibank business customers, managers at that bank apparently chose to ignore these regulatory warnings.

AN ALTERNATIVE TO HARDWARE TOKENS?
Against the backdrop of this widely-publicized Citibank attack, financial institutions are beginning to take notice of these regulatory and security concerns, and it appears the end may have come for hardware tokens as a viable authentication approach, at least for retail online banking customers. Unfortunately, in the vacuum that must inevitably result from the demise of hardware tokens, there are few authentication solutions able to fill the gap.

"Shared secret" approaches are increasingly eyed with skepticism owing to several recent acquisitions by panicked hardware-token vendors struggling to hold on to shrinking market share. Software-based approaches seem unable to stand up to growing regulatory and industry scrutiny. Of particular concern is the sheer number of "challenge question" approaches which, lacking true multi-factor capability, resort to soliciting personal information from consumers: a challenge question is something the customer knows, the same factor as a password, so adding it does not produce a second factor, and it collects data an identity thief can often look up. The practice has been highly criticized by the FDIC and numerous security experts.

There is at least one multi-factor authentication solution that appears to be gaining ground, however, and it may actually be capable of filling the void resulting from the demise of hardware tokens. PhishCops(tm) by Sestus Data Corporation is a "virtual token" approach that, the company states, solves many of the problems associated with hardware tokens, not least by being resistant to the type of man-in-the-middle attack which recently afflicted Citibank.

While hardware tokens and other authentication approaches appear to be fading in popularity, PhishCops(tm) appears to be gaining momentum quickly. The company reports that since its introduction to the market in March of this year, they have been contacted by over 530 financial institutions for additional information or to begin implementation. It should also be noted that, for its breakthrough in multi-factor authentication, the U.S. government named PhishCops(tm) a semi-finalist for the 2005 Homeland Security Award and InfoWorld Magazine awarded it its highest honor, the InfoWorld 100 Award.

PhishCops(tm) facilitates website authentication and multi-factor authentication using government-approved cryptographic algorithms published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce. The company reports PhishCops(tm) has never been defeated in any form and credits this record to its mathematical approach to authentication. As noted on the company's website, "Mathematics are reliable and consistent. Where mathematics are used in authentication, the results will also be reliable and consistent. They cannot be falsified. Two plus two will always equal four, no matter how hard an identity thief may try to make them equal five."

In a recent survey of comparable vendors, PhishCops(tm) was rated #1, offering the lowest total cost of ownership with the fastest implementation time and the least support requirements. This is good news for business owners. Perhaps more important, however, PhishCops(tm) authenticates without soliciting personal information. This is good news for consumers who value their privacy in an increasingly insecure online world.

Company Website: http://www.phishcops.com

###

Press Contact: Media Contact
Company Name: Sestus Data Corporation
Phone: 800 788-1927
