White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication




Introduction

As businesses and consumers grow increasingly reliant on the Internet for conducting essential business transactions, new security threats are evolving that are harder to spot and harder to foil. No longer the purview of select security experts, new generation security risks such as phishing and trojan horses are now being discussed and worried about by the general public. Phishing, in particular, takes advantage of the trust a company has built with its customers, partners and employees to steal credentials the phisher can use to gain access to bank or brokerage accounts, internal systems and confidential information. Such attacks put a company's assets and reputation at risk. They have also made email useless for business-to-consumer communication.

Recent media attention has shined the spotlight on new threats that are preoccupying security experts, including man in the middle phishing attacks and the inadequacy of most existing technology to combat them. The emerging standard for security technology is two-factor authentication. Recognizing that simple passwords are too easy to discover, many companies are beginning to implement two-factor authentication systems, such as a password plus a token that generates a new number every minute. However, security experts and journalists (see http://www.computerweekly.com/articles/article.asp?liarticleid=137454&liflavourid=1&sp=1 and http://www.eweek.com/article2/0,1759,1776085,00.asp for examples) have reported that basic two-factor authentication alone, though it solves many of the problems of a simple password, is not up to the challenge of today's phishing attacks. Is this new brand of phishing really the threat it's made out to be, and what can be done about it?

The Phishing Problem

The phishing threat is indeed real, and is of particular concern to those in financial services, e-business and ISPs, where their business is directly affected. Phishing has evolved rapidly. Initially, users were lured to a phishing site where passwords were harvested. In the next phase, passwords were captured by blending phishing with spyware. Now, because more companies are deploying one time password tokens, phishers are able to use a far simpler man in the middle attack to strike organizations. With man in the middle phishing, all the phisher needs is a freely available web proxy server, which is manipulated in minutes to set up an attack. Ironically, such attacks require far less sophistication than the initial phishing attacks. Here the attacker does not even have to take the trouble to copy the real web site; they simply proxy it and use it.

Here's how it works. In a man in the middle phishing attack, users are lured to a phishing site (such as a fake bank site) by an email or DNS caching attack, where they enter their username, password, and the number from a one-time-password token. Rather than simply a copy of the legitimate site, the phishing site is actually a web proxy server that connects to the legitimate site. The phisher's server uses the information entered by the user to immediately log in to the legitimate site, then automatically either keeps the session open, pages the phisher, or alters the user's transaction to benefit the phisher. The user surfs or transacts, unaware that they are not at a legitimate site. When the user logs off, the phisher remains logged on, refreshing the session with the legitimate site to keep it active.

Here's one example of what man in the middle phishing can look like. In this case, the users think they have gone to a site and have purchased ABC stock. In reality, the phisher has purchased XYZ stock with their information.

Phishing represents an acute threat, with serious consequences. Phishers can wreak havoc with a user's assets and a company's reputation, by:

- stealing money from the user's bank account
- manipulating the price of penny stocks
- gaining access to the user's personal information, account numbers, etc. for identity theft

How to Solve the Problem

If one-time passwords and tokens can't solve the problem, what can prevent phishing attacks? Because phishers always find new angles and have moved beyond reliance on user naïveté, education alone will not solve the problem. The best way to protect your customers, assets and reputation from phishers is with authentication systems that don't reveal secrets. According to Becky Bace, President of Infidel, Inc.: The key to foiling these attacks is to take advantage of the existing SSL infrastructure to authenticate the client. SSL was designed to prevent man in the middle attacks and doesn't require the user to reveal the credential. Ideally, you would also like to make it impossible to steal the entire credential from the user.

Phishing occurs because:

- Only the server authenticates to create the SSL channel
- Phishers can intercept the user's secret login information
- With activity, sessions can be kept open for hours
- Users are not sophisticated about looking for the SSL lock, or they are fooled by fake URLs

To prevent phishing:

- SSL client authentication should be turned on
- Choose a system that does not require the user to share their secret
- Keep the session from being hijacked
- Educate users to check for the SSL lock and not accept unrecognized certificates, but don't rely on education alone to solve the problem

There are several vendors promoting technologies which do not strengthen client authentication, but instead try to educate users to make them less susceptible to being fooled by a fake site. We strongly encourage enterprises to adopt these technologies, which include improvements in the browser to help the user identify fake sites and improvements in firewalls that block access to known phishing sites. They are useful and further protect the enterprise. However, it would be a serious mistake to assume that these technologies are, by themselves, sufficient. At the end of the day, there is no substitute for strong authentication. And unfortunately, phishing targets the most gullible of users, the ones whom security awareness techniques usually do not reach. Some users will always remain gullible, and the only way to keep their credential from being phished is to make it impossible for them to reveal their credential.

[Figure: SSL using one time password tokens. SSL client auth OFF, server auth ON. The userid, password and OTP travel over SSL Session 1 (user to phisher) and again over SSL Session 2 (phisher to server). The server uses the userid, password and OTP to authenticate the user. The phisher decrypts and re-encrypts the userid, password and OTP, fooling the server.]

[Figure: SSL using the TriCipher System. SSL client auth ON, server auth ON. The server uses a signed, jointly determined message to authenticate the user. The phisher can't pretend to be the user. Only the web server and user can decrypt messages sent between them.]

TriCipher Solution: The TriCipher Armored Credential System (TACS)

The TriCipher Armored Credential System (TACS) prevents proxied man in the middle phishing attacks by leveraging the Internet's existing SSL infrastructure and combining it with a unique multi-part credential. TACS creates a multi-part credential by splitting the user's credential between the user and a secure appliance kept in the enterprise's data center. Since the user doesn't have the entire credential, he or she can't give it away to the phisher, nor can the phisher steal it from their desktop. In addition, TriCipher's Double and Triple Armored credentials use SSL client authentication, preventing a phisher from sitting in the middle of the user's session with the web server.

To prevent phishing: SSL client authentication should be turned on

SSL is standard software that exists in all web browsers and servers. The SSL software can perform three functions:

1. Authenticate the web server to the browser
2. Set up encrypted communications
3. Authenticate the end user to the web server

While every web server has the ability to do all three, most only use functions 1 and 2, and rely on weak user IDs and passwords to achieve end user authentication, leaving them open to attacks such as phishing. To use the TACS system, at a web server the administrator simply turns on the third feature; there is no software to install.

Client side SSL is not vulnerable to man in the middle attacks for the following reasons:

- With SSL client authentication turned ON, the web server knows who it's talking to, so the phisher cannot impersonate a legitimate user. The way SSL is typically used today (server authentication only), the user authenticates the server to set up the SSL session, but not the other way around.
- With TriCipher's Double and Triple Armored credentials, the user's authenticating information is not sent to the web server. With a one-time password (OTP) token, the userid, password and OTP are all sent to the web server over SSL. Since the SSL session is set up without authenticating the client, a man in the middle attack is possible.
- The message to be signed to set up the SSL session with the web server is jointly agreed by the server and browser. The message between the phisher and web server is different from that between the phisher and user. So, the phisher cannot pass through the signature, nor can he get the user to sign the wrong message so he can pass it along.
To prevent phishing: Choose a system that does not require the user to share their secret

If the entire credential were stored with the user, then an attacker who compromises that PC can usually steal it (even if it is encrypted). In the TACS approach, by contrast, the part of the credential stored securely on the TACS Appliance blinds the attacker to a wide variety of attacks against the part the user holds.

Double Armored Credentials

A Double Armored Credential can be seamless for the user, but does require a small CAPI driver on the client, the TriCipher ID Protection Tool. The tool automatically pops up when the user goes to a page that is protected by SSL client authentication. The tool collects the user's id and password, then signs (encrypts) the password using a key stored in the Trusted Platform Module (TPM) or Windows Key Store. This key is completely invisible to the user. The login is completely familiar.

The ID Protection Tool authenticates the user to the TACS Appliance, which checks that the user's credential is still valid. To sign the jointly agreed message in SSL (the running hash), the ID Protection Tool sends the hash to the Appliance, which uses its part of the credential to sign. This partially signed hash is returned to the desktop, where the ID Protection Tool signs with the user's part of the credential. The fully signed hash is then returned to the web server for verification.

At $5/seat, Double Armored Credentials provide a secure, two-factor solution that does not require the user to carry a token or smartcard, yet cannot be phished: a cost effective, highly secure alternative to time synchronous or challenge response one time password systems.

Triple Armored Credentials

A Triple Armored Credential works just like Double Armored, except a third factor (besides the user's password and a key stored on the PC) is required. Often this is a smartcard, but it could be a biometric or a simple USB memory stick used to store a key pair (this is secure in our system for reasons we won't go into here). When the user enters their password, it is signed using both the key on the PC and this second key. This raises the bar for an attacker. They not only have to steal the password and get access to the PC, they have to steal the smartcard, too.
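The two mechanisms described above, the jointly agreed handshake message that SSL client authentication signs and the split credential of the Double Armored flow, as one added Python model that is not TriCipher's code: it uses textbook RSA with an additive key split (an assumed split form) and a hash of both sides' random values as a stand-in for the SSL running hash, and shows that a signature relayed by a proxy into a second session fails to verify and that neither key share produces a valid signature on its own.

```python
"""Toy model of SSL client authentication with a split (two-party) signing key.
Two claims from the paper are exercised: (1) the handshake message a client
signs is jointly determined by both ends, so a signature from the user<->phisher
session does not verify in the phisher<->server session; (2) the private key is
split between the user's PC and an appliance, and neither share signs alone.
Textbook RSA on fixed Mersenne primes; constructed for illustration only.
"""
import hashlib
import secrets

# Toy RSA key (constructed): 2**521-1 and 2**127-1 are known Mersenne primes,
# giving a ~648-bit modulus that comfortably exceeds a SHA-256 digest.
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # full private exponent; never held in one place

# Additive split D == D_PC + D_APPLIANCE (mod PHI); the split form is assumed.
D_PC = secrets.randbelow(PHI - 1) + 1
D_APPLIANCE = (D - D_PC) % PHI

def transcript_hash(client_random: bytes, server_random: bytes) -> int:
    """Stand-in for the TLS running hash: covers both sides' contributions."""
    return int.from_bytes(hashlib.sha256(client_random + server_random).digest(), "big")

def appliance_partial_sign(h: int) -> int:
    """Appliance applies its share of the credential to the hash."""
    return pow(h, D_APPLIANCE, N)

def pc_finish_sign(h: int, partial: int) -> int:
    """ID Protection Tool applies the PC-held share to complete the signature."""
    return (partial * pow(h, D_PC, N)) % N

def verify(h: int, sig: int) -> bool:
    """Web server check with the public key."""
    return pow(sig, E, N) == h

def client_authenticate(client_random: bytes, server_random: bytes) -> int:
    """Browser side of one handshake: returns the completed signature."""
    h = transcript_hash(client_random, server_random)
    return pc_finish_sign(h, appliance_partial_sign(h))

def relay_attempt() -> dict:
    """Session 1: user <-> phisher; session 2: phisher <-> real server. The phisher
    forwards the user's signature unchanged, even reusing the user's client
    random, but the real server contributed its own random to session 2."""
    user_random, phisher_random, server_random = (secrets.token_bytes(32) for _ in range(3))
    sig = client_authenticate(user_random, phisher_random)   # signed in session 1
    h1 = transcript_hash(user_random, phisher_random)
    h2 = transcript_hash(user_random, server_random)         # what the server checks
    return {"direct_login_ok": verify(h1, sig),
            "relayed_sig_ok": verify(h2, sig),
            "appliance_share_alone_ok": verify(h1, appliance_partial_sign(h1)),
            "pc_share_alone_ok": verify(h1, pow(h1, D_PC, N))}
```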
Our patented technology fills the gap between authentication systems that are either not secure enough or too hard to use and deploy. TriCipher's innovative approach to strong multi-factor authentication protects against phishing and eliminates dictionary attacks.

Deployment

TACS is designed to work with your single sign on, identity management, provisioning, authorization and directory systems. TACS integrates through a simple provisioning plug-in to your directory, and an authentication plug-in at your identity management system. At the web server or any relying system, all that's required is to turn on support for SSL/IPsec client authentication or X.509 certificates.

Contact Us

Contact us for more information on TriCipher's strong authentication system and how it can help your business defeat phishing.

TriCipher, Inc.
1900 Alameda de las Pulgas, Suite 112
San Mateo, CA 94403
+1.650.372.1300 tel
+1.650.372.1301 fax
www.tricipher.com