Are one-time password tokens susceptible to man-in-the-middle attacks?

BROWSE BY TAG Identity Management and Access Control,   Security Token and Smart Card Technology,   Enterprise Identity and Access Management,   User Authentication Services,   Emerging Information Security Threats,   Information Security Threats,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

RELATED CONTENT Identity Management and Access Control How to find and remove keyloggers and prevent spyware installation How to encrypt passwords using network security certificates Prevent meet-in-the-middle attacks with TDES encryption How to use single sign-on (SSO) for a server configuration Choosing management for Active Directory user provisioning LDAP signing requirements for various directory configurations User account best practices for an investment management website How to determine password strength for a website The pros and cons of implementing smart cards Keep files from being deleted by assigning read and execute permission Security Token and Smart Card Technology The pros and cons of implementing smart cards First Data, RSA push tokenization for payment processing How to log in to multiple servers with federated single sign-on (SSO) Best Authentication Products Are 'strong authentication' methods strong enough for compliance? Risk management must include physical-logical security convergence RSA researcher Ari Juels: RFID tags may be easily hacked Portable security storage device could replace OTP devices Can you combine RFID tag technology with GPS to track stolen goods? Security token and smart card authentication Emerging Information Security Threats Leverage Google Attacks to Improve Cybersecurity SCADA system, critical infrastructure security lacking, survey finds Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Information security podcasts: 2009 archive Hathaway calls for international cybercrime task force Active PDF attacks target Reader, Acrobat zero-day vulnerability Sites hit with massive automated SQL injection attack Cybercriminals invest in social networking attacks Best practices for (small) botnets

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary authentication server  (SearchSecurity.com) Chameleon Card  (SearchSecurity.com) key chain  (SearchSecurity.com) key fob  (SearchSecurity.com) key string  (SearchSecurity.com) national identity card  (SearchSecurity.com) security token  (SearchSecurity.com) smart card  (SearchSecurity.com) tokenization  (SearchSecurity.com) two-factor authentication  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert Pose a Question Other Security Categories Meet all Security Experts Become an Expert for this site

ANSWERED June 2007:
One-time password (OTP) tokens are a type of two-factor authentication system. They've been talked about a lot lately as a way to prevent phishing attacks on Web sites.

An OTP works by generating a random PIN number after a fixed interval of time, like 30 or 60 seconds. The PIN must be entered into the login page of a Web site with a user ID and password. The user ID and password are one factor of the system -- the item the user knows -- and the token is the second factor -- the item the user possesses.

A phishing site is a fake Web site that resembles the actual site of a bank, financial institution, or merchant. The phishing site grabs a user's ID and password, allowing the attacker to log in later and drain the user's bank account or maliciously use their merchant account.

But if an OTP value is required to login, the phisher would also need that value to attack the Web site. Since that number is constantly changing, the idea is that the value would have changed by the time the phisher tries to log on later.

If the phisher set up a fake site to also grab the OTP value, the phisher would have to use the credentials immediately -- during a 30 to 60 second window to gain access.

With such a small window, it isn't likely that the attacker could breach a Web site using OTP tokens. The only way would be with a man-in-the-middle attack, where the hacker uses a server sitting between the user and the legitimate Web site. The server simultaneously communicates with both the user and the real Web site, and can pass the login credentials, including the OTP value, in real time. Since the attack is instantaneous, it defeats the protection from the ever-changing token value.

MITM attacks were outlined by security expert Bruce Schneier in 2005, when OTPs were starting to get a lot of attention and becoming more popular as a defense against phishing.

But real-time MITM attacks didn't become a reality until last year, when Russian hackers successfully broke into a Citibank site using the tactic. In January of this year, another hacking group created a kit that copied pages from existing banking Web sites, generated bogus URLs and set up a server to communicate login credentials in real time back to the hackers. The hackers sold the kit over the Web.

The scam worked by luring unsuspecting users to the fake URL through spam emails. Once the user logged onto the fake Web site, their login credentials were sent immediately back to the legitimate site, where the hacker was waiting to empty the victim's bank account.

Although both of these attacks were isolated incidents and were shut down quickly, security experts at EMC's RSA Security group predict real-time MITM attacks will become more common within a year, as hackers refine techniques and get more sophisticated.

For more information: