Phishing with the Man-in-the-Middle for Two-Factor Authentication

Computers & TechnologyNetworking

  • Author Adam Quart
  • Published March 5, 2012
  • Word count 1,083

What is a man in the middle attack (MITM)? Imagine this, an attacker puts up a fake bank website and entices users to that website. The user types in his or her password, and the attacker in turn uses that information to access the bank’s real website. If this is done correctly and discretely, the user will never realize that he or she isn’t at the bank’s website. The attacker then disconnects the user and makes any fraudulent transactions that they want or passes the user’s banking transactions while making his own transactions at the same time.

The real threat is fraud due to impersonation. The tactics of impersonation will change in response to the defenses. Out of band two factor authentication will force criminals to modify their tactics to impersonate you and is an effective way to deter these kinds of attacks.

Secure tokens, those little key fobs with changing passwords, has been seen as the solution to many of the security concerns banks face in identifying their users. It’s still a good option and better than a simple password, but it’s not a bulletproof solution that many people think that it is. With a man in the middle attack, where the user is supplying their password along with other important information, the attackers can clean out an account in just a few minutes.

Attackers are getting smarter every day as new security measures are being developed against them. Most end users would look at a fake site and not be able to determine that it is a fake site that was built by the attackers. Most of the time these type of websites are indistinguishable from the real websites.

With a man in the middle attack, Trojans and other malware lie in wait for a user to access a targeted website, primarily banking and financial services. If the website requires two factor authentication during the login process, such as a security key or token, the user would enter the one time password from the token completely unaware that an attack is being made on the user.

The most effective way to combat man in the middle attacks is to use an SSL connection (as all banks do), for the user to check the authenticity of the SSL certificate of the server they are connected to and to use out of band two factor authentication. This proves that you are connected to the bank directly, not to a man in the middle or even a phishing site and you’re able to identify yourself using out of band two factor authentication. Out of band two factor authentication is most effective when the second factor of authentication occurs at the transaction stage as opposed to when a user logs in.

Cyber terrorists are always scouting for confidential information held on your computer. They use phishing attacks to steal your credentials and identify them as you fraudulently.

How safe do you think you are against phishing attacks and man in the middle attacks? Even though you may feel secure browsing the internet and logging into your online banking, you are still connected to the main stream of the internet where man in the middle attacks can happen. Accessing servers across the world in order to process information or verify personal data puts you at risk. Even if you or your business utilizes out of band two-factor authentication, it depends on the level of security provided by your solutions provider and it depends on how cautious the end user really is. Only an out-of-band two factor authentication solution can offer the protection that you want. This can be taken even further by utilizing a out of band two factor authentication solution that offers zero footprint security as well.

Phishing for Information

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is like throwing out a hook and trying to catch your personal data. There are many ways of phishing through manipulation of web properties and branding but the idea is to pretend to be a brand of interest to the victim. Once the attacker has established trust by posing as the website you meant to visit or through some form of communication such as email or phone they will attempt to siphon your information. Phishing can also be carried out by email spoofing or instant messaging. Once your info is obtained you may be the victim of identity fraud or you could become the weak link in security at your company from a man-in-the-middle attack.

Identifying with the Man-in-the-Middle

Man-in-the-middle attacks are a form of eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly talking to each other over a private connection, when in fact the entire conversation is controlled by the attacker. Imagine this scenario, you are playing a game of telephone but your friend in the middle keeps changing the message. Once an attacker has established a connection between you and their point of interest, maybe through phishing, they can manipulate communication. With this manipulation of communication they can even capture important information used for two-factor authentication since most people have internet on their smartphones.

Better Two-Factor Authentication

Among the many forms of two-factor authentication the strongest ones utilize out-of-band zero footprint communication. Out-of-band authentication utilizes a separate network to identify a user such as the telephone networks. Attacks can occur even when two factor authentication is present, but the chance of a man in the middle attack working is much less. Implementing a zero footprint solution can protect even further against these types of attacks. Out of band two factor authentication with Zero footprints leaves no trace of verification behind and utilize no data files from the device used for identifying a user. The concept would be that without anything being in the water there is little to no chance of being caught by the hook of phishing.

Although there are truly no security methods that prevent attacks 100% of the time, out of band two factor authentication solutions are a dramatic improvement over single factor authentication systems. Advancing techniques and more sophisticated attackers make some forms of two-factor authentication seem more like a placebo than a solution. Out-of-band zero footprint two-factor authentication is the best protection from phishing and man-in-the-middle attacks.

Adam provides information about 2 factor authentication to help companies stay secure. Through authentication security and the use of a one time password he believes a company provides the best privacy for its employees and customers.

Article source: https://articlebiz.com
This article has been viewed 2,184 times.

Rate article

Article comments

There are no posted comments.

Related articles