Monday, May 21, 2007

economics of 2 factor man-in-the-middle phishing

by now i would hope that most people reading this blog are aware that 2 factor authentication doesn't protect against phishing, at least not against the man-in-the-middle variety where the phishing page simply relays whatever the victim types (one-time passcode included) to the real site while the passcode is still valid...

over on the symantec security response weblog, zulfikar ramzan concedes much the same thing, that man-in-the-middle phishing can compromise even 2 factor authentication schemes, but puts it into a broader context and argues that 2 factor authentication still changes the economics of the attack and effectively makes it less profitable...

you see, the world of cybercrime is one where information is frequently bought and sold, and the one-time passcodes generated by the security tokens used in 2 factor authentication schemes are supposed to stop your credentials from being traded like a black-market commodity, since each passcode is only good for a single use within a short time window and is worthless by the time a buyer could act on it... as such, the theory goes that the phishers, rather than having a salable good they can pawn off on someone prepared to actually use the information, can only get into the compromised accounts themselves during the live login session and so have to be prepared to extract the money from the victims directly... that's a riskier proposition and therefore seemingly a less valuable one for the phishers...

although it may seem like the credentials the phisher captures are useless for resale, i'm not entirely convinced they are... credential re-use being what it is, and with the heightened sense of security the tokens offer, i'm sure those usernames and passwords will often be useful on sites other than the ones using the 2 factor authentication systems... moreover, i'm not convinced that the economics of the attack are changed as much as one might think, or that there isn't a comparable salable good to be offered here... if pornographers can monetize live video feeds of young women in various states of undress, then i don't see why phishers can't sell real-time access to the login sessions they've compromised... they could even set their customers up as mirrors of the phishing page(s) and use load balancing to direct a proportion of the phishing page requests to each customer's mirror in line with how much that customer paid (and those customers could in turn resell the sessions in exactly the same way their provider sells them)...
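to make the economics above concrete, here's a small model (added for this post, not something from ramzan's piece or from any real phishing kit) of the three things the last two paragraphs describe: a real-time relay of the one-time passcode succeeds, a resold copy of the same captured credentials fails whether the buyer tries it seconds or minutes later, and the reused password still opens a second, password-only site... the bank, the webmail site, the user "alice", the password and the token seed are all constructed for the example; the totp code itself follows rfc 4226 / rfc 6238 so it can be checked against the published test vector...

```python
"""model of man-in-the-middle phishing against a totp-protected login.
every site, user, password and token seed here is constructed for the example."""
import hashlib
import hmac
import struct

STEP = 30  # totp time step in seconds (rfc 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """rfc 4226 hotp: hmac-sha1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """rfc 6238 totp: hotp with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP, digits)


class Bank:
    """the 2 factor site: password plus a totp code, accepted in a +/-1 step window,
    and each (user, code) pair accepted only once so a code can't be replayed."""

    def __init__(self, users):
        self.users = users          # username -> (password, token secret)
        self.used = set()           # (username, code) pairs already spent
        self.sessions = {}
        self.next_session = 1

    def login(self, username, password, code, now):
        rec = self.users.get(username)
        if rec is None or rec[0] != password:
            return None
        secret = rec[1]
        valid = {totp(secret, now + d * STEP) for d in (-1, 0, 1)}
        if code not in valid or (username, code) in self.used:
            return None
        self.used.add((username, code))
        sid = f"sess-{self.next_session}"
        self.next_session += 1
        self.sessions[sid] = username
        return sid


class OtherSite:
    """a password-only site where the victim reused the same password."""

    def __init__(self, users):
        self.users = users          # username -> password

    def login(self, username, password):
        return self.users.get(username) == password


class PhishingProxy:
    """captures what the victim types on the fake page; the phisher can either relay
    it to the real site straight away (man-in-the-middle) or hand it to a buyer."""

    def __init__(self):
        self.captured = []

    def victim_submits(self, username, password, code, now):
        self.captured.append((username, password, code, now))

    def relay(self, bank, now):
        username, password, code, _ = self.captured[-1]
        return bank.login(username, password, code, now)


def run_scenario(now=1_700_000_000):
    secret = b"12345678901234567890"            # constructed token seed
    bank = Bank({"alice": ("hunter2", secret)})
    webmail = OtherSite({"alice": "hunter2"})    # same password reused elsewhere
    proxy = PhishingProxy()

    code = totp(secret, now)                     # what alice's token shows right now
    proxy.victim_submits("alice", "hunter2", code, now)

    relayed = proxy.relay(bank, now + 2)         # phisher logs in within seconds
    resold_soon = proxy.relay(bank, now + 10)    # buyer tries the same code moments later
    resold_later = proxy.relay(bank, now + 600)  # buyer tries ten minutes later
    return {
        "relay_session": relayed,                # a live session the phisher now holds
        "resale_same_window": resold_soon,       # None: code already spent
        "resale_later": resold_later,            # None: code outside the time window
        "password_reused_elsewhere": webmail.login("alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

the relay works not because the token is weak but because nothing ties the code to the site the victim is actually talking to, which is why the token's short lifetime is exactly what pushes the phisher toward selling live sessions instead of stale credentials, while the password half of the capture stays as resalable as it ever was...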

2 factor authentication certainly changes the phishing landscape, but to say that it will reduce profitability assumes the bad guys can't innovate (which is a pretty bad assumption to make)... one simply has to imagine new ways to do things, and criminals are already well practiced at imagining new ways to make money...
