Saul Hansell of the Washington Post has posted an article about real-time attacks on one-time password tokens like SecurID and SafeWord.
The strategy is to steal a user's one-time password after it is typed in and redirect it to a hacker to exploit immediately. The attack relies on Trojan software that has installed itself in the victim's computer.
One-time passwords were not designed to protect against this type of thing. Once you have that sort of Trojan, there's no way to use your computer reliably. Attackers can intercept what you're doing, change it to benefit them, and you won't know what happened until you look at your bank statement.
The only way to protect against such things is to ensure that your computer has not been hacked. This is hard, since there are lots of ways to attack a computer and not nearly as many ways to protect it.
A one-time password token generates a password - usually a 6-digit number - that only works once. If an attacker intercepts one, it shouldn't work if used later, since the legitimate user will have already used it to log in. If an old one isn't used, it 'expires.'
This protects against a broad range of attacks. If the attacker runs "sniffer software" that collects passwords on the Internet, the password will be useless by the time it gets reused. If the attacker runs such software on your own computer and collects the passwords at a later time, the password again is useless. If the attacker collects several passwords, there's no practical way to use them to predict subsequent passwords.
Unless the attacker uses the one-time password immediately, the password is useless. Given that constraint, modern attackers have found a way around it: they set up a mechanism to exploit such passwords the moment they are typed. People postulated about such things many years ago, but such attacks have surfaced for real only in the past year or so.
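To make the "works once, then expires" property concrete, here is a small server-side verifier I wrote for this post; it is not code from the article or from any token vendor. It generates codes the way RFC 4226 HOTP does (HMAC truncated to six digits), derives the counter from a 30-second clock as TOTP does, and remembers the highest counter each user has already consumed. The secret, user names, timestamps and the one-step clock-skew allowance are all constructed for the example. The two scenario functions show why a sniffed code used later is rejected, and why a code forwarded within seconds is accepted as an ordinary first use while the victim's own attempt is the one that fails.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (constructed parameter)
DIGITS = 6   # the usual 6-digit display
SKEW = 1     # accept one step of clock drift either way


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation: HMAC-SHA1 of the counter, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """What the token on the user's keyring would display at time `now`."""
    return hotp(secret, now // STEP)


class TokenVerifier:
    """Bank side: each user's shared secret plus the highest counter already used to log in."""

    def __init__(self, secrets: dict):
        self.secrets = dict(secrets)
        self.last_used = {}  # user -> highest counter accepted so far

    def verify(self, user: str, code: str, now: int) -> str:
        secret = self.secrets.get(user)
        if secret is None:
            return "unknown-user"
        current = now // STEP
        for counter in range(current - SKEW, current + SKEW + 1):
            if hmac.compare_digest(hotp(secret, counter), code):
                if counter <= self.last_used.get(user, -1):
                    return "replayed"  # this code (or a newer one) was already consumed
                self.last_used[user] = counter
                return "ok"
        return "expired-or-wrong"  # no code in the accepted window matches


SECRET = b"constructed-demo-secret"   # constructed, not a real token seed
T0 = 1_700_000_000                    # constructed timestamp, 20 s into a 30 s step


def replay_scenario() -> list:
    """A sniffed code: works for the legitimate login, then fails later."""
    server = TokenVerifier({"alice": SECRET})
    code = totp(SECRET, T0)
    return [
        server.verify("alice", code, T0 + 2),     # legitimate user logs in
        server.verify("alice", code, T0 + 5),     # captured copy presented seconds later
        server.verify("alice", code, T0 + 3600),  # captured copy presented an hour later
    ]


def relay_scenario() -> list:
    """A code forwarded immediately: the first presentation wins, whoever sends it."""
    server = TokenVerifier({"alice": SECRET})
    code = totp(SECRET, T0)
    return [
        server.verify("alice", code, T0 + 1),  # first use is accepted; the verifier cannot tell who sent it
        server.verify("alice", code, T0 + 4),  # the victim's own attempt is now the "replay"
    ]


if __name__ == "__main__":
    print("replay:", replay_scenario())
    print("relay: ", relay_scenario())
```

The verifier has no way to distinguish the two scenarios, which is the whole point of the post: the token did its job. One small thing a bank can get from this code is a signal, not a defence: a legitimate user whose first attempt comes back "replayed" is worth logging and investigating, because it means someone else consumed that code first.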
The problem for most users is to establish a trustworthy computing system to use for on-line banking. All modern commercial operating systems are vulnerable to attack. Even open source systems are vulnerable.
We try to create trustworthy computing today by applying well-known - if limited - techniques to reduce the risk of successful attacks:
- Keep the operating system properly patched.
- DO NOT use your administrative account for routine work! Recent systems from Microsoft and Apple make it more practical to do the rare administrative task when logged in as a regular user. It's called "User Account Control" on Vista. Yes, it's a pain, but it's worth the safety it provides.
- Run anti-virus software. These days, it really needs to be anti-malware software since it needs to look for trojans or other malicious software.
- Don't install software from the Internet unless it's from a well protected, reputable source. Operating system updates are usually well protected. Adobe updates, unfortunately, tend to be less trustworthy. I wish it were possible to run a computer without Acrobat Reader, since Adobe has done such a poor job of keeping it safe.
In the military and defense communities it's common for people to use two separate PCs: one for regular work and one for classified work. The classified machine is heavily restricted as to how it is used. Security officers keep a closer watch on those computers.
I think a similar strategy should apply to computers used for financial activities. For the cost of a separate "desktop" and a KVM switch, a company can isolate banking activities from more risky activities. The IT department can designate such machines as deserving extra attention, and actively monitor their antivirus and patch status. They can also monitor the machines' network traffic for unusual patterns.
It doesn't take very many $50,000 losses to justify such caution.
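The nice thing about a dedicated banking machine is that "unusual" is easy to define: it should talk to the bank, to the internal patch and antivirus servers, and to nothing else. The script below is an example I added to show what that monitoring can look like; it is not from the article and not a product. The flow records, the banking host's address, the bank's address range (taken from the 203.0.113.0/24 documentation block), the internal network and the upload threshold are all constructed for the example. Each flow from the banking PC is checked against the allowlist, and anything else produces an alert the IT department can chase.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    """One outbound connection summary, as a firewall or NetFlow collector would record it."""
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


# Policy for the dedicated banking PC. Every value here is constructed for this example.
BANKING_HOSTS = {"10.0.5.20"}
ALLOWED_NETS = [
    ip_network("203.0.113.0/24"),  # the bank's published address range
    ip_network("10.0.0.0/8"),      # internal patch and antivirus servers
]
ALLOWED_PORTS = {443}              # banking and updates are HTTPS only
MAX_BYTES_OUT = 5_000_000          # a banking session never uploads this much

# Constructed sample flows, one morning on the banking PC plus one from an ordinary desktop.
FLOWS = [
    Flow("2009-11-02T09:01:05", "10.0.5.20", "203.0.113.10", 443, 48_000),
    Flow("2009-11-02T09:02:11", "10.0.5.20", "10.0.1.5", 443, 2_000),
    Flow("2009-11-02T09:03:40", "10.0.5.20", "198.51.100.77", 443, 1_200),
    Flow("2009-11-02T09:04:02", "10.0.5.20", "203.0.113.10", 80, 900),
    Flow("2009-11-02T09:10:30", "10.0.5.20", "203.0.113.10", 443, 9_000_000),
    Flow("2009-11-02T09:11:00", "10.0.7.33", "198.51.100.77", 443, 1_200),
]


def check_flow(flow: Flow):
    """Return a reason string if this flow violates the banking-PC policy, else None."""
    if flow.src not in BANKING_HOSTS:
        return None  # other desktops are outside this policy's scope
    dst = ip_address(flow.dst)
    if not any(dst in net for net in ALLOWED_NETS):
        return "unexpected-destination"
    if flow.dport not in ALLOWED_PORTS:
        return "unexpected-port"
    if flow.bytes_out > MAX_BYTES_OUT:
        return "excessive-upload"
    return None


def audit(flows: list) -> list:
    """Run every flow through the policy and collect (time, destination, port, reason) alerts."""
    alerts = []
    for flow in flows:
        reason = check_flow(flow)
        if reason:
            alerts.append((flow.ts, flow.dst, flow.dport, reason))
    return alerts


if __name__ == "__main__":
    for alert in audit(FLOWS):
        print("ALERT", *alert)
```

Three of the six flows trip the policy: a connection to an address that is neither the bank nor internal, a plain-HTTP connection to the bank, and a nine-megabyte upload. None of these prove the machine is compromised, but on a PC whose only job is banking each one deserves a phone call before the next wire transfer goes out.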
Is this trustworthy enough?
Traditionally, trustworthy computing refers to a system for which we can prove its security properties, or at least argue them into the dust. Successful modern commercial systems are too complex to allow this sort of approach.
Even so, I think there's a benefit to building a fairly thorough "trust argument" regarding a computer that handles tens - or hundreds - of thousands of dollars, or more. I think attacks take most people by surprise because they don't have the time or expertise to figure out the risks.