Hacking, OTPs and next generation of Authentication Methods

The following authentication scenarios discussed here apply to a simple connection between a client and his online banking website. After reviewing the most dangerous hacking techniques, we will see what solutions can be implemented.

What is a Man-in-the-middle (MITM) attack?

A MITM attack is an active eavesdropping in which the attacker combines several techniques to make the two legitimate entities think that they are interacting directly in a secure connection when in fact the attacker controls the data being exchanged. An example of simple MITM is a combination of sniffing and spoofing. Sniffing is used to ‘see’ the data packets that are sent to the end user by the bank. Spoofing is the act of forging the user’s IP address in messages sent to the bank’s website.

What is a Man-in-the-browser (MITB) attack?

A MITB is one of the most advanced attacks used by hackers. The malware (often a worm) does not reside in the usual locations (storage hard drive, etc.) but installs itself inside the browser application, this is why it is so hard to detect and remove. Most of MITBs were specific to one browser and one bank’s website. Newer versions extend to different browsers and various banks’ websites. In simple terms, a browser is usually composed of a GUI (Graphic User Interface) and an engine (among other components). The MITB consists in controlling data exchanges between the GUI and the engine, displaying whatever the hacker wants to the user and sending exactly what he wants to the bank.

Why are One Time Passwords (OTP) sensitive to these hacking attacks?

All 1-way authentication methods (with or without OTPs) are sensitive to MITM and MITB.

To make things pretty clear, showing an OTP (or biometrics, smart cards…) during a simple 1-way authentication with the presence of a MITM or MITB is like showing your ID (passport, fingerprints…) to a fake police officer. In fact, the user is “strongly authenticated” but to the wrong person.

Hacking a classical 1-way authentication is like a walk in the park even for a junior hacker. Indeed, many techniques are available to the attacker in order to impersonate the legitimate end-user.

The incoming and outgoing data channels can be controlled by the hacker.

The hacker can spoof the IP address of the end-user to fool the bank, he can perform sniffing to know whatever is sent to the end-user, he can redirect the traffic of the user to fake sites that he controls (via the host file or DNS hack).

Ultimate hacking technique is performed by setting up a Man-in-the-browser attack, where the malware resides inside the browser of the end-user. This type of technique is most of time not detected by anti-viruses, IPS or other security software as they are specific to the environment.

What is the point in using OTP then?

The main interesting feature about OTPs is that they cannot be replayed.

“Time based” OTPs are the best (compared to “event based” OTPs). Time based OTPs are based on the time they were generated, where event based OTPs are triggered by the event itself, meaning the OTP chain does not change and you jump from one OTP to the other.

OTPs though not perfect, are still way more secure than a simple static password or token.

How can I protect a connection between 2 entities from MITM?

The only way to realize a secure connection between 2 entities is to… involve a 3rd entity. The goal is to perform strong MUTUAL authentication. The point is to use the same approach as the hackers with the difference of providing positive security effects.

In this model, the 3rd party acts like a “good man in the middle”. The 3rd party’s purpose is to validate the legitimate identity of the two parties who want to engage each other in a secure connection and to prompt the 1st party to enter an OTP only after validating the second party.

A trusted 3-party model makes it harder than ever for hackers. They have to take control of 6 channels of communication (+ 1 out-of-band channel) which includes 4 channels between business entities instead of 2 channels between 1 business entity and 1 weak link which is the user in a 1-way authentication.

The integration of an out-of-band channel to send the OTP to the first entity makes it impossible for hackers to control the overall scheme.

How can this process be insensitive to MITB?

A 3-party scheme (including an out-of-band channel) in which communication between 1st and 3rd party does not involve communication via a browser application makes the process insensitive to MITM and MITB.

Additional features considerations

Such a model combines the strengths of different techniques.

The system also has to include tamper resistant features such as the ones provided by sandbox architecture (multi-process with controlled inter-process communications) and include its own self-defense modules. This delivers another hurdle for hackers who try to test the security on the end-user’s computer. Even if a hacker finds a way to force the application to execute code at the process level, the hacker would not be able to execute it out-of-the-box, meaning this hack would be useless and could not harm the user’s computer or compromise the authentication or transaction validation process.

For obvious cost efficiency reasons it should also be compatible with the authentication devices and methods already in place and those to come.

A solution like this exists. It is just up to the banks or business entities to care enough about their customers to implement it. Now that revenues are impacted but rampant online fraud, businesses should consider implementing an efficient solution that would benefit everyone but hackers.