A time-based OTP token displays a new one-time code at a fixed interval, typically every 30 or 60 seconds. The code looks random, but it is computed from a secret seed held in the token and the current time, so the server can compute the same value and check it. The code must be entered on the Web site's login page together with the user ID and password. The user ID and password are one factor of the system -- something the user knows -- and the token is the second factor -- something the user possesses.
A phishing site is a fake Web site that resembles the actual site of a bank, financial institution, or merchant. The phishing site grabs a user's ID and password, allowing the attacker to log in later and drain the user's bank account or maliciously use their merchant account.
But if an OTP value is required to log in, the phisher also needs that value to attack the Web site. Since the value changes every interval, the one captured by the phishing site has expired by the time the phisher tries to log on later.
If the fake site also grabs the OTP value, the phisher has to use the stolen credentials immediately, within the 30 to 60 second window in which the value is still valid.
With such a small window, an attacker working from a log of captured credentials is unlikely to get in. The practical way around the window is a man-in-the-middle attack, in which the attacker runs a server sitting between the user and the legitimate Web site. That server talks to both the user and the real site at the same time and passes the login credentials, including the OTP value, through in real time. Because the relay happens within the validity window, the ever-changing token value offers no protection against it.
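The difference between a delayed replay and a real-time relay is easiest to see in code. The following model is an added example, not code from the article or from any token vendor. It assumes the token computes its code with the HMAC-based construction of RFC 4226 / RFC 6238 (a stand-in for whatever a particular hardware token does), a 30-second step, and a server that tolerates one step of clock drift and refuses to accept the same code twice. The seed value is the RFC 4226 test-vector secret, used here as constructed input; `OtpServer` and `phisher_uses_captured_code` are names chosen for this example.

```python
"""Why a time-based one-time code stops a delayed credential replay
but not a real-time man-in-the-middle relay.

Added example, not from the original article. Assumes an RFC 4226/6238
style token (HMAC-SHA1 over the time step), a 30-second step, and a server
that allows one step of clock drift and rejects reuse of a code.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """The code the token displays at time `now`: HOTP over the current time step (RFC 6238)."""
    return hotp(secret, int(now // step))


class OtpServer:
    """Server-side check for one user's token (assumed policy: drift of one step, no reuse)."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self.secret = secret
        self.step = step
        self.used_counters = set()  # time steps whose code has already been accepted

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // self.step)
        for candidate in (counter, counter - 1):  # tolerate one step of clock drift
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if candidate in self.used_counters:
                    return False  # same code presented a second time: replay
                self.used_counters.add(candidate)
                return True
        return False


def phisher_uses_captured_code(secret: bytes, captured_at: float, used_at: float) -> bool:
    """The fake site captured the victim's code at `captured_at`; the attacker
    presents it to the real site at `used_at`. True means the login succeeds."""
    server = OtpServer(secret)
    code = totp(secret, captured_at)  # what the victim typed into the phishing page
    return server.verify(code, used_at)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed token seed (RFC 4226 test-vector secret)
    t = 1_000_000
    # Logging in from a harvested credential list two minutes later fails.
    print("replay after 2 minutes:", phisher_uses_captured_code(seed, t, t + 120))  # False
    # A man-in-the-middle relaying within the 30-second step succeeds.
    print("relay after 5 seconds: ", phisher_uses_captured_code(seed, t, t + 5))  # True
```

Note that the server's drift allowance also works in the relay's favour: a code captured in the last second of one step is still accepted a few seconds into the next, so the attacker's window is in practice the whole step plus the drift tolerance, not the seconds left on the token's countdown.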
MITM attacks were outlined by security expert Bruce Schneier in 2005, when OTPs were starting to get a lot of attention and becoming more popular as a defense against phishing.
But real-time MITM attacks didn't become a reality until last year (2006), when Russian attackers successfully broke into a Citibank site using the tactic. In January of this year, another group created a kit that copied pages from existing banking Web sites, generated bogus URLs and set up a server to relay login credentials in real time to the attackers. The group sold the kit over the Web.
The scam worked by luring unsuspecting users to the fake URL through spam emails. Once a user logged onto the fake Web site, the login credentials were relayed immediately to the legitimate site, where the attacker was waiting to empty the victim's bank account.
Although both of these attacks were isolated incidents and were shut down quickly, security experts at EMC's RSA Security group predict that real-time MITM attacks will become more common within a year as attackers refine the technique.
This was first published in July 2007