BankThink

The Way to Beat "Two-Factor" Attacks

It’s unfortunate that some outlets lump all forms of two-factor authentication together as if every two-factor form factor were equal.

There are a number of two-factor authentication techniques that would have withstood the recently discovered Operation Emmental attack.

One must offer some level of grudging admiration for the hackers behind the exploit dubbed Operation Emmental. The exploit was specifically targeted at about 30 European institutions that use SMS one-time passwords (OTP) to complete a login, payment or other transaction. What is unique is the coordinated combination of attacks to create a man-in-the-middle on steroids.

The exploit, discovered by researchers at Trend Micro, first deploys malware after a user clicks on a malicious link in a phishing email. The malware then changes the computer's DNS settings to point to a server controlled by the hackers and installs a rogue SSL root certificate. The certificate installation ensures the hackers' HTTPS servers will be automatically trusted and will not trigger any warnings to the end user. Finally, the malware deletes itself.

When a user then attempts to log in to their account, the DNS redirection sends them to the hackers’ server, which hosts a replica of the bank’s Web site. On the fake Web site, the user is instructed to download an Android app that will supposedly generate one-time passwords. Instead, the app forwards the legitimate SMS messages received on the user’s phone to the hackers. All combined, the hackers can harvest the usernames, passwords and account numbers of the end users, as well as receive their OTPs. The end user keeps using the fake Web site and fake OTPs, and their “account” appears to behave normally. You have to admit – it’s clever, but not clever enough to beat more robust forms of two-factor authentication.

Consider using the same mobile device the end user already has, but instead of an upfront OTP for login purposes, use the voice channel after login. The voice channel is a completely different communication band from the SMS or data channel on a phone. It is a way to do out-of-band two-factor authentication.

For example, after the user logs in and sets up a transaction, a call is placed to the end user via the voice channel on their phone. During the call the transaction details are read back. The user can authorize or cancel the transaction by pressing #22 to authorize or *99 to cancel. It’s simple, potentially easier than an OTP, and does not require the entry of data into a potentially infected data channel. Transaction verification is a form of two-factor authentication: the two factors are knowledge of the correct details and control of the phone. The stronger element still is the out-of-band exchange.

Voice channel telephony is also not immune to attacks. Calls can be forwarded without an end user’s knowledge. If that is a risk to be mitigated, speaking an approval or denial phrase with voice biometrics applied to the voice would thwart call forwarding. 
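The transaction-verification flow described above, as an added model that is not part of the column or of any Authentify product: the bank reads back the transaction details it actually holds, and the customer authorizes only if those match what they intended, so a transaction altered in the data channel is heard and cancelled. The single-use call identifier and expiry are assumptions added here.

```python
"""Constructed model of out-of-band voice-channel transaction verification."""
from dataclasses import dataclass, field
import secrets
import time

AUTHORIZE, CANCEL = "#22", "*99"  # DTMF codes named in the column


@dataclass
class Transaction:
    tx_id: str
    payee: str
    amount: float


def spoken_details(tx: Transaction) -> str:
    return f"Pay {tx.amount:.2f} to {tx.payee}"


@dataclass
class VoiceVerifier:
    """Bank side: places the call and accepts one DTMF answer per call."""
    pending: dict = field(default_factory=dict)

    def place_call(self, tx: Transaction, ttl_s: int = 120) -> dict:
        # Prompt is built from the bank's own record, never from the
        # (possibly attacker-controlled) browser session.
        call_id = secrets.token_hex(8)            # assumed: single-use call id
        self.pending[call_id] = (tx.tx_id, time.time() + ttl_s)
        prompt = f"{spoken_details(tx)}. Press #22 to authorize or *99 to cancel."
        return {"call_id": call_id, "prompt": prompt}

    def dtmf_response(self, call_id: str, keys: str) -> str:
        entry = self.pending.pop(call_id, None)   # replayed call ids are rejected
        if entry is None:
            return "rejected"
        _tx_id, expires = entry
        if time.time() > expires:                 # assumed expiry window
            return "expired"
        return "authorized" if keys == AUTHORIZE else "cancelled"


def user_decides(prompt: str, intended: Transaction) -> str:
    """Customer side: authorize only if the spoken details match what was typed."""
    return AUTHORIZE if prompt.startswith(spoken_details(intended)) else CANCEL


def run_scenario(intended: Transaction, received: Transaction) -> str:
    """`received` is what the bank holds after any man-in-the-middle tampering."""
    bank = VoiceVerifier()
    call = bank.place_call(received)
    return bank.dtmf_response(call["call_id"], user_decides(call["prompt"], intended))
```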

Asymmetric cryptography/PKI, employing digital certificates as a second authentication factor and for encrypted communications, would have worked against Operation Emmental as well. The hackers' fake Web site could not have presented the appropriate certificate to authenticate itself to the end user’s computer or app.

John Zurawski is a vice president at Authentify, Inc.
