RSA SecurID SID800 Token vulnerable by design

Lance James lancej at securescience.net
Fri Sep 8 14:31:28 EDT 2006


Hadmut Danisch wrote:
> Hi Lance,
> 
> On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote:
>> Another problem from what I see with Malware that steals data is the
>> formgrabbing and "on event" logging of data. Malware can detect if
>> SecurID is being used based on targeted events, example: Say HSBC
>> (Hypothetical example, not targeting HSBC) has two-factor logins in
>> place, the problem with this is that it is vulnerable to session riding
>> and trojan-in-the-middle attacks anyway, because the minute the user
>> logs in, the malware could launder money out (unless transaction auth is
>> in place, which in most cases it's not), or they could pharm the user
>> with a fake website that resolves as HSBC but they go in within the time
>> frame of that token being valid and have access. Either way, however you
>> cut it, SecurID/Two-Factor User auth is not protected against malware,
>> period.
> 
> 
> Partly agreed. These kinds of attacks I usually teach in my
> workshops. 
> 
> However, in all of these cases the attacker has to be online in the
> moment you are logging in and you experience any failure, e.g. can't
> login or something like that. 
> 
> But with the SID800 malware could silently sit in the background and
> pass token codes to the attacker even if you do not login at this
> moment. E.g. it could wait until you have logged in (or out) and grab
> the next token code.
> 
> Furthermore, the attack you described presumes that the attacker knows
> where you want to login. But when you could use the current token code
> as an indicator for searching login data in the input stream, then you
> can find new places to login, e.g. your company VPN access point.
> 
> While the attack you describe is more important for banking, the USB
> attack is more against company logins.
> 

Agreed, and since my research is focused on online banking I can see
yours and my point, either way, SecurID should not be the only concept
for dependence.
> regards
> Hadmut
> 
> 
> 


-- 
Best Regards,
Lance James
Secure Science Corp.
http://www.securescience.net

---------------------------------------------------------------------
The Cryptography Mailing List