
Protection Against Man-in-the-Middle Attacks

Arcot Protection Against MITM Attacks TB2006_CS01 Page 1 of 3

The Arcot universal platform for strong authentication uniquely guards against Man-in-the-Middle attacks like the one experienced by Citibank customers

In early July 2006, the Washington Post reported a phishing attack where Russian scammers disguised themselves as CitiBank’s CitiBusiness service and were able to obtain legitimate credentials from valid CitiBank customers. This latest phish used an e-mail message that targeted users of Citibank's CitiBusiness service. Even though CitiBank had implemented a two-factor authentication solution requiring its customers to use a One Time Password (OTP) hardware token combined with their user name and password to log into their online accounts, they were still vulnerable to this type of attack. The OTP device generates an additional password that changes every minute. It was assumed that this uniquely generated password would protect customers from phishing attacks, but this is not the case. This attack was aimed at CitiBank, but could happen to any bank – even those that have deployed a solution that meets FFIEC guidelines.

The fraudulent e-mail said that someone had tried to log in to the customer’s account and that the customer needed to "confirm" the account information. When the customer clicked on the link, they were directed to a very convincing site that looked identical to the bank’s real login page.

The fraudulent site asked for the user name and password, as well as the token-generated OTP. In this case the fraudulent site acted as a "man-in-the-middle": it submitted the data provided by the user to the actual bank login site. When the customer entered authentic credentials, the phishing site passed those credentials along to the true site, completing the authentication of the user to the real bank site. In doing so, the phishers were able to piggyback on a legitimate banking session.

By intercepting the traffic between the client and the server, the attacker can either:

• Capture the user’s credentials and use them to repeatedly gain access to the server posing as the genuine user. This is the case when the credential is a fixed password.

• Log into the system once and stay logged on, presenting a “System temporarily down” type message to the user or waiting for the user to log off. In either case, the attacker can stay on indefinitely with full access to the user’s account and only log off the real site when he has finished his fraudulent transactions. This is the case when the real site uses a changing password system.


The root problem in an MIM attack is that a user has no way of verifying who is asking for his authentication information. Consequently, most two-factor credentials, including OTP tokens, risk analysis engines, personal assurance message or picture, virtual keyboard, out-of-band authentication, or knowledge-based Q & A are susceptible to this type of attack. (See Table 1)

The Arcot Solution Protects Against Man-in-the-Middle Attacks

Only Arcot can provide a solution that solves the root problem. The Arcot strong authentication solution, employing the ArcotID and the WebFort Authentication server, is able to programmatically verify that the site requesting the authentication credentials is in fact the site that issued them. The Arcot solution is not expecting the user to check the “lock” at the bottom of the browser, or verify a text or image that is displayed – all susceptible to errors.

Each ArcotID contains information on the web domain that issued that ArcotID. The ArcotID client checks the Arcot certificate to confirm that it is connected to the right web domain before signing the challenge string. Even if a phishing site relays the challenge from the genuine domain server, the ArcotID client will not sign the challenge because the fraudulent site does not have valid domain information. Therefore, the attacker is unable to complete the authentication. The Arcot solution is unique in its built-in ability to defeat these types of attacks through its use of PKI technology with a challenge/response protocol to ensure a mutually authenticated communication session between the client and the authentication server.
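As an added illustration (this is not Arcot's code), here is a Python model of the domain-bound challenge/response described above. It substitutes an HMAC over a per-credential secret for the ArcotID's private-key signature, an assumption made to keep the example dependency-free; the binding logic it shows is the same, and it goes one step further than the text by also having the server verify that the response was computed over its own domain name, so a relayed challenge signed at a look-alike domain fails on both sides. The user name and domain names are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class DomainBoundCredential:
    """Constructed stand-in for an ArcotID: a credential that carries
    the web domain that issued it, plus the key used to answer challenges."""
    user: str
    issuing_domain: str
    key: bytes  # stands in for the ArcotID's private signing key


def _response(key: bytes, domain: str, user: str, challenge: str) -> str:
    # The domain is part of the signed message, so a response is only
    # valid for the site it was produced for.
    msg = f"{domain.lower()}|{user}|{challenge}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def client_sign(cred, connected_domain, challenge, enforce_issuer=True):
    """Client side: sign the challenge only when connected to the issuer.
    enforce_issuer=False models a client without that check, to show that
    the server-side domain binding still rejects a relayed response."""
    if enforce_issuer and connected_domain.lower() != cred.issuing_domain.lower():
        return None  # refuse: this is not the site that issued the credential
    return _response(cred.key, connected_domain, cred.user, challenge)


def server_verify(server_domain, user, key, challenge, response):
    """Server side: recompute the expected response over its own domain name."""
    if response is None:
        return False
    expected = _response(key, server_domain, user, challenge)
    return hmac.compare_digest(expected, response)


def login_attempt(connected_domain, enforce_issuer=True):
    """Run one challenge/response round. connected_domain is the site the
    client actually talks to; a phishing proxy relays the real challenge
    from bank.example but is reached under its own name (constructed values)."""
    key = secrets.token_bytes(32)
    cred = DomainBoundCredential("alice", "bank.example", key)
    challenge = secrets.token_hex(16)  # issued by the genuine server
    resp = client_sign(cred, connected_domain, challenge, enforce_issuer)
    return server_verify("bank.example", "alice", key, challenge, resp)


if __name__ == "__main__":
    print(login_attempt("bank.example"))                               # True
    print(login_attempt("bank-secure.example"))                        # False
    print(login_attempt("bank-secure.example", enforce_issuer=False))  # False
```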


The following table describes how other authentication techniques fall short of protecting against the MIM attack.

TABLE 1

| Authentication Technique | Man-in-the-Middle Vulnerability |
|---|---|
| One Time Password Tokens | The one time password is passed through by the attacker and used to log in within milliseconds, defeating the password’s 30-60 second update interval. |
| IP Geo-location | The Man-in-the-Middle proxy server is routed through a computer located in the same geographic region or ISP as the user’s computer. |
| Device Identification | The browser information is passed through unchanged from the original user’s computer. The phisher can easily spoof the HTTP header information to mimic what is received from the user’s computer. |
| Browser Cookie | Due to frequent roaming and cookie deletion, users get accustomed to answering secret questions. The Man in the Middle can trick the user into answering the secret questions at the phisher site and then use those answers to log into the real bank. |
| Personal Assurance Message (Picture or Text on Website) | After stealing the secret questions and resetting the cookie as described above, the attacker now also has the picture and text that is unique to the user. |
| Virtual Keyboard | The password is stolen in transit after being entered on the virtual keyboard. |
| Out of Band (Phone or email) | Because the user is online performing transactions, when the phone rings with the passcode, the user answers and enters the code into the website. The attacker’s proxy site passes the code through, and a script changes the transaction that the code is verifying without the user knowing. |
| Identifying Questions | The attacker’s man-in-the-middle proxy automatically passes the questions to the user, intercepts and steals the user’s answers, then returns the user’s answers to the web site. |