Man-in-the-Middle Phishing Attack Successful Against Citibank’s 2-Factor Token Authentication

TriCipher Defeats New Wave of “Phishing 2.0” Attacks

SAN MATEO, CA – July 12, 2006 – On July 10th, 2006, the Washington Post published the first reports of a Man-in-the-Middle Phishing 2.0 attack against Citibank’s CitiBusiness℠ service. The phishing scam, originating in Russia, shows that cyber criminals are integrating multiple attack methods to defeat the latest security measures, such as the One Time Password (OTP) tokens implemented by banks.

“In my testimony to Congress in 2004, I warned that, as more people become aware of current ‘phishing’ scams, the cyber criminals often get even more clever, and create new, more sophisticated techniques,” said Howard Schmidt, former White House cybersecurity advisor and former Chief Security Officer of eBay and Microsoft.

In 2004, the first wave of “Phishing 1.0” attacks tricked unsuspecting consumers into clicking on links to fake bank websites and giving up their usernames, passwords, and other personal information, leading to financial fraud and identity theft. Phishing 2.0 has evolved to combine traditional phishing ‘hooks’ with a Man-in-the-Middle attack (in the Citibank case involving a botnet) and URL spoofing. A Phishing 2.0 attack tricks the user into clicking on a link and logging in to their bank through the Man-in-the-Middle phishing proxy site. It is actually easier to launch than a traditional Phishing 1.0 scam because the attacker does not need to create and maintain a copy of a fake site. The phisher merely passes through the actual pages from the real web site, then steals data or makes changes to transactions automatically using easy-to-write scripts. Because the one time password is just a value typed into a page, the proxy can forward it to the real site in real time; the token proves nothing about which site the user is actually connected to.

"This is a common and predictable attack. As an industry, we need to accept that solutions not incorporating strong client and server authentication cannot survive the Internet. Ten years ago, this was evident with the advent of key SSL mechanisms. It's time to put them to work," said Eric Greenberg, Chief Master Architect for security firm KSR and former leader of Netscape's security group, which originally created SSL.

Since 2004, most banks have responded by implementing one or more security technologies designed to fight traditional Phishing 1.0. In many cases, these security measures have temporarily reduced fraud rates based on their ability to prevent basic Phishing 1.0 techniques. However, these security measures are vulnerable to Phishing 2.0 attacks.

Why Are These Security Measures Vulnerable?

These measures are vulnerable to Phishing 2.0 attacks for some combination of the following reasons:

- They rely on weak, easily spoofable information such as HTTP header information or IP geolocation

- They rely on ‘shared secrets’ that must be sent over the Internet where an attacker can get them

- They use only one-way SSL security (only the website has an SSL certificate) instead of two-way, which is the way SSL was designed to be used

"This is a sad reminder that even the best intended security solution may not remain effective over time. This attack serves as a wakeup call for financial institutions and others who use the Internet to interact with their clients - it's time to put technically sound user authentication measures in place to prevent this sort of attack," said Rebecca Bace, CEO of Infidel, Inc.

The TriCipher Solution

The TriCipher Armored Credential System™ (TACS) would have prevented the CitiBusiness Services Phishing 2.0 attack by protecting their One Time Password Tokens. An attacker attempting to proxy traffic from a user with a TriCipher Armored Credential would cause the user’s login to fail – and the attacker would get no useful information, not even the one time password used.

TACS defeats Phishing 2.0 attacks by removing reliance on shared secrets sent over the Internet and making it possible to use two-way SSL. With two-way SSL, the server knows who is on the other end of the session via a strong digital signature that an attacker can neither reuse to log himself in nor spoof, because the signature is bound to the client’s own SSL session rather than to a value that can be forwarded. This prevents Phishing 2.0 – no shared secret to intercept and no ability to read or change transactions. With TriCipher Armored Credentials, users are authenticated with proven digital signature techniques made easy by TriCipher’s patented technology.
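The contrast drawn above and in the Phishing 2.0 description earlier, as an added illustration that is not TriCipher’s or Citibank’s code: a relayed token code is accepted because the bank only compares values, while a client signature over the SSL handshake transcript fails when relayed, because the bank verifies it against its own session with the proxy. The transcript construction, the Ed25519 key, the nonces, the certificate names and the token code are all constructed stand-ins for the real TLS handshake.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// transcript stands in for the TLS handshake transcript hash (server cert seen by
// the client plus both nonces); two different TLS sessions never share one.
func transcript(serverCert, clientNonce, serverNonce string) []byte {
	h := sha256.Sum256([]byte(serverCert + "|" + clientNonce + "|" + serverNonce))
	return h[:]
}

// otpLoginAccepted: a shared-secret token code is accepted from whoever presents it.
func otpLoginAccepted(expectedCode, presentedCode string) bool {
	return expectedCode == presentedCode
}

// clientCertLoginAccepted models TLS CertificateVerify: the bank checks the client's
// signature against the transcript of ITS OWN session, not the one the client saw.
func clientCertLoginAccepted(pub ed25519.PublicKey, serverTranscript, sig []byte) bool {
	return ed25519.Verify(pub, serverTranscript, sig)
}

// Reproducible demo key pair from a constructed seed (not a real credential).
var demoSeed = sha256.Sum256([]byte("constructed demo seed"))
var demoPriv = ed25519.NewKeyFromSeed(demoSeed[:])
var demoPub = demoPriv.Public().(ed25519.PublicKey)

// relayOutcome plays both logins through a proxy that forwards what the victim sends.
func relayOutcome() (otpAccepted, clientCertAccepted bool) {
	code := "482913" // constructed sample token code; the proxy forwards it unchanged
	otpOK := otpLoginAccepted(code, code)
	// The victim signs its session with the proxy's cert; the bank verifies its own session.
	sig := ed25519.Sign(demoPriv, transcript("CN=proxy.example", "victim-nonce", "proxy-nonce"))
	bankView := transcript("CN=bank.example", "proxy-client-nonce", "bank-nonce")
	return otpOK, clientCertLoginAccepted(demoPub, bankView, sig)
}

// directOutcome is the honest case: both ends see the same transcript.
func directOutcome() bool {
	view := transcript("CN=bank.example", "victim-nonce", "bank-nonce")
	return clientCertLoginAccepted(demoPub, view, ed25519.Sign(demoPriv, view))
}

func main() {
	otp, cert := relayOutcome()
	fmt.Println("OTP relayed:", otp, "client cert relayed:", cert, "direct:", directOutcome())
}
```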

“When we deployed TriCipher’s solution over a year ago, it was clear to us that such Man-in-the-Middle attacks would start appearing,” said Paul Darnell, Chief Operations and IT Director, Advanced Payment Solutions, a pre-eminent leader in general purpose pre-paid cards and payment solutions. “Using a combination of both the more economical PC2 Factor authentication credential and TriCipher’s Armored Token technology, we have protected our business from such attacks whilst preserving our investment in tokens.”

The TriCipher Armored Credential System provides a variety of authentication types from a single system while also protecting security methods already deployed, including:

- Browser Cookie
- Unique Picture & Text
- Digital Certificates
- PC 2 Factor & Security Presence Check
- Hardware Device (USB Key, iPod)
- Hardware One-Time-Password Token (RSA Security, Verisign, Vasco)
- Smart Cards

To log in, the user simply enters their passcode into the bank’s website. The TriCipher system performs the steps needed to create a digital signature to log in the user without changing the user experience. As attacks evolve, banks can move the user to stronger security based on risk, ensuring protection against the next wave of attacks with a single authentication infrastructure.

Note: In March of 2005, TriCipher issued a press release announcing the TriCipher Armored Credential System (TACS) and its ability to prevent Man-in-the-Middle phishing attacks.

About TriCipher, Inc.

TriCipher, Inc. provides Future Proof Risk Based Authentication. The TriCipher Armored Credential System™ (TACS) is the first authentication system that enables companies to deploy and manage multiple types of credentials from a single infrastructure. Through this flexible "Authentication Ladder," TriCipher delivers future proof security – protecting your investment by enabling authentication strength to adjust in response to new threats and regulatory changes without the need to implement a new infrastructure. In addition, TriCipher delivers risk based authentication - preventing online fraud through seamless integration with fraud detection systems, secondary authentication systems and the ability to enforce security software presence checks for malware protection. Founded in 2000, TriCipher is headquartered in San Mateo, California. The company was incubated as NSD Security before launching as a separate entity in 2005 with backing from ArrowPath Venture Capital, Intel Capital, Trident Capital, and Wasatch Venture Partners.
