SmartData Collective
© 2008-23 SmartData Collective. All Rights Reserved.
Answer to OTP Bypass: Out-of-Band Two-Factor Authentication

thu@duosecurity.com
Last updated: 2014/07/30 at 8:00 AM

Contents
A History of OTP-Based Bypass Malware
Media Perspective: Overgeneralizing Two-Factor Authentication
A Better Alternative to OTP: Out-of-Band Authentication (OOB)

Trend Micro’s one-time password (OTP)-based two-factor authentication bypass report (PDF) is hardly news to those in the tech world, but it is well-packaged and even branded with a weird name – Operation Emmental (also known as Swiss cheese) – how media-ready!

The story is the same: Good ol’ phishing email pretending to be from a real bank contains malware in an embedded attachment. When clicked, the file downloads and executes another file pretending to be a Windows update – instead, it installs malware!

That malware does a few things: it changes the system's DNS settings so that lookups are redirected to the attacker's servers; installs a rogue SSL certificate on the user's system; and deletes itself without leaving a trace (so anti-malware software finds nothing after the fact).

[Image: Rogue SSL Cert]

When users attempt to visit their bank's landing page, they get redirected to a fake bank page that steals their username/password. Then they're asked to type in the one-time password (OTP) sent by their bank's mobile app, but the SMS never arrives, so the website prompts the user to install a malicious mobile app that's pretending to be an OTP generator. Whew.

This malicious Android app actually intercepts the real two-factor SMS tokens sent by the bank, thereby gaining access to the user’s account and stealing all their monies.

A History of OTP-Based Bypass Malware

Back in March, I wrote about Dell SecureWorks' research, Cryptocurrency-Stealing Malware Landscape, presented at this year's RSA Conference in San Francisco. While that work referred to online wallets for currencies like Bitcoin, it also holds true for traditional online banking. Their report reaches the same conclusion, that malware can bypass OTP-based two-factor, albeit with a slightly different approach:

Many exchanges have implemented two-factor authentication using one-time PINs to combat unauthorized logins. However, more advanced malware can easily bypass OTP-based 2FA, by intercepting the OTP as it is used and creating a second hidden browser window in order to log the thief into the account from the user’s own computer.

As Duo Security’s Senior Security Researcher Zach Lanier states:

This is precisely why we emphasize push over SMS. The latter is too fallible, and this particular malware / campaign is just another in a long line…Zitmo (“Zeus in the Mobile”) being one of the original malware families to intercept one-time passwords that are delivered via SMS (and targeting banks in Europe).

Yup, it’s true – back in 2010, Trend Micro wrote another blog reporting that certain Zeus variants could break into bank accounts despite being protected by OTP two-factor authentication.

Media Perspective: Overgeneralizing Two-Factor Authentication

Yet the media coverage doesn't go deep enough into the differences between two-factor solutions:

Most sites ask for a single password. But two-factor authentication systems require customers to enter a second, one-time password that has been emailed or texted to their phones. The hope is that a second identifying factor eliminates the risk that criminals can break into customers’ accounts simply by stealing an online password. – NYTimes.com, Hackers Find Way to Outwit Tough Security at Banking Sites

The problem is, many media articles resulting from the report are woefully simplistic, glossing over the fact that not all two-factor authentication solutions are created the same. Two-factor authentication does not translate to one-time passwords, exclusively.

All of this OTP-based 2FA bypass talk just makes more of a case for push notification-based two-factor authentication, the preferred and most secure method to protect against the most varied of attacks.

A Better Alternative to OTP: Out-of-Band Authentication (OOB)

[Image: Duo Push for Two-Factor Authentication]

An out-of-band authentication solution can protect against man-in-the-browser attacks and other attempts to steal a one-time password. Plus, it's already recommended by the FFIEC for online banking security guidelines to protect transactions. Their take on it is:

Out-of-band authentication means that a transaction that is initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., telephone) in order for the transaction to be completed. Out-of-band authentication is becoming more popular given that customer PCs are increasingly vulnerable to malware attacks.

Instead of using a one-time password or pin, some modern two-factor solutions allow you to authenticate via push notifications on your smartphone with the help of a secure mobile app. It’s important to check that your two-factor solution provides different methods to fit your organization’s needs, and isn’t limited to only SMS or token-based authentication.

Additionally, the design of the security solution matters: your users' phones and your two-factor provider's servers should be set up to mutually authenticate each other, to prevent network-level attacks against the authentication process.

A little more about Duo Security’s two-factor method using push notifications (Duo Push):

Duo Push leverages the capabilities of modern smartphones to create a more secure and user-friendly two-factor authentication experience. Specifically, Duo Push utilizes the native push notifications (APNS, C2DM, etc.) to provide real-time notification of transaction and login requests to a user's smartphone, a secure out-of-band (OOB) communications protocol to display the full verified details of the request to the user, and simple one-touch responses to allow the user to approve or deny the request on the smartphone itself.
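The push flow described above, as an added example in Python that is not code from the original post or from Duo Security. It puts an SMS-OTP check next to an out-of-band push approval in which the server signs the full request, the phone verifies that signature before showing the details, and the phone's signed decision is bound to exactly those details. Assumptions: one enrolled device with a per-device key, HMAC-SHA256 as a stand-in for the asymmetric signatures a real push scheme would use, and all messages kept in-process; the class names, sample account details and keys are constructed for the example.

```python
# Added example, not code from the original post or from Duo Security. It contrasts
# an SMS-OTP check with an out-of-band push approval bound to the full request.
# Assumptions: one enrolled device with a per-device key; HMAC-SHA256 stands in
# for the asymmetric signatures a real push scheme uses; no network, all in-process.
import copy
import hashlib
import hmac
import json
import secrets


# SMS-OTP style: the code is a bare secret, tied to nothing but the user name.
class OtpServer:
    def __init__(self):
        self.pending = {}  # user -> outstanding code

    def send_otp(self, user):
        self.pending[user] = f"{secrets.randbelow(10**6):06d}"  # goes out by SMS
        return self.pending[user]

    def verify_otp(self, user, code):
        ok = hmac.compare_digest(self.pending.get(user, ""), code)
        if ok:
            del self.pending[user]  # whoever submitted the code is now logged in
        return ok


def _sign(key, payload):
    """MAC over canonical JSON; stand-in for an asymmetric signature."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# Out-of-band push: the phone sees, and signs, the exact request the server stored.
class PushServer:
    def __init__(self, server_key, devices):
        self.server_key = server_key  # signs every request sent to a phone
        self.devices = devices        # device_id -> device key, fixed at enrolment
        self.pending = {}             # request_id -> request awaiting a decision

    def create_request(self, user, device_id, action, details):
        req = {"request_id": secrets.token_hex(8), "user": user, "device_id": device_id,
               "action": action, "details": details}
        self.pending[req["request_id"]] = req
        return {"request": req, "server_sig": _sign(self.server_key, req)}

    def verify_response(self, resp):
        """Accept only the enrolled device's decision on an unmodified pending request."""
        req = self.pending.get(resp.get("request_id"))
        key = self.devices.get(req["device_id"]) if req else None
        if key is None:
            return False
        expected = _sign(key, {"request": req, "decision": resp.get("decision")})
        if not hmac.compare_digest(expected, resp.get("device_sig", "")):
            return False  # forged, or signed over different details than stored
        del self.pending[req["request_id"]]
        return resp["decision"] == "approve"


class PhoneApp:
    def __init__(self, device_id, device_key, server_key):
        self.device_id, self.device_key = device_id, device_key
        self.server_key = server_key  # pinned at enrolment: phone validates server

    def handle(self, msg, user_approves):
        """Verify the server's signature, show the details, sign the user's decision."""
        req = msg["request"]
        if not hmac.compare_digest(_sign(self.server_key, req), msg["server_sig"]):
            raise ValueError("request not signed by the enrolled server")
        if req["device_id"] != self.device_id:
            raise ValueError("request addressed to another device")
        decision = "approve" if user_approves(req) else "deny"  # user sees full req
        return {"request_id": req["request_id"], "decision": decision,
                "device_sig": _sign(self.device_key, {"request": req, "decision": decision})}


def demo():
    # Outcomes of the scenarios discussed in the text, on constructed data.
    out, otp = {}, OtpServer()
    intercepted = otp.send_otp("alice")  # e.g. relayed by a rogue SMS-reading app
    out["otp_intercepted_accepted"] = otp.verify_otp("alice", intercepted)

    server_key, device_key = secrets.token_bytes(32), secrets.token_bytes(32)
    srv = PushServer(server_key, {"phone-1": device_key})
    app = PhoneApp("phone-1", device_key, server_key)
    details = {"to": "Alice's savings", "amount": "100.00 CHF"}
    msg = srv.create_request("alice", "phone-1", "wire transfer", details)
    out["push_legit_accepted"] = srv.verify_response(app.handle(msg, lambda r: True))

    msg2 = srv.create_request("alice", "phone-1", "wire transfer", details)
    tampered = copy.deepcopy(msg2)  # man-in-the-browser rewrites the payee in transit
    tampered["request"]["details"]["to"] = "mule account"
    try:
        app.handle(tampered, lambda r: True)
        out["push_tampered_accepted"] = True
    except ValueError:
        out["push_tampered_accepted"] = False
    forged = {"request_id": msg2["request"]["request_id"], "decision": "approve",
              "device_sig": "00" * 32}  # attacker holds no device key
    out["push_forged_accepted"] = srv.verify_response(forged)
    return out
```

Calling `demo()` gives the four outcomes: the intercepted OTP is accepted because the server has nothing to check except the digits; the legitimate push approval is accepted; a request whose details were rewritten in the browser fails the server-signature check on the phone before the user ever sees it; and an approval forged without the device key fails on the server. The two checks in opposite directions (phone validates the server's signature, server validates the device's) are the "validate each other" property the text asks for.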

While this blog relates more to protecting against RSA-style breaches by “ditching the traditional shared secret model of OTP-based two-factor,” it’s also a good explanation of Duo Security’s push cryptography: RSA-Proofing our Duo Push Two-Factor Authentication.

Ultimately, OTP-based two-factor authentication using SMS just isn’t the best solution, as shown in these bypass scenarios. And that’s exactly why Duo Security has designed a more secure out-of-band authentication solution to outpace remote attackers and protect against threats that many older, legacy two-factor authentication solutions cannot. Find out more about what your solution should include in our Two-Factor Authentication Evaluation Guide.

TAGGED: authenticity, security