Tom Olzak

One-Time Passwords are Not Foolproof

In Access Controls, Cybercrime, Hacking, malware, Password Management on September 18, 2009 at 09:47
Credit: Technology Review

Credit: Technology Review

Many of us started using one-time password devices some time ago.  They typically take the form of “footballs” or smartcards and generate a random—or pseudorandom—string used only as a password for one session login.  This was considered to be “safe enough.”  But now we might have to rethink our approach.

In a recent article by Robert Lemos, he describes an actual theft using a Trojan that rides one-time password sessions. 

The theft happened despite Ferma’s use of a one-time password, a six-digit code issued by a small electronic device every 30 or 60 seconds. Online thieves have adapted to this additional security by creating special programs–real-time Trojan horses–that can issue transactions to a bank while the account holder is online, turning the one-time password into a weak link in the financial security chain. “I think it’s a broken model,” Ferrari says.

Source: Real-Time Hackers Foil Two-Factor Security, Robert Lemos, Technology Review, 18 September 2009

The use of multiple factors of authentication is often viewed as a panacea for sensitive data access control challenges.  However, it was only a matter of time before attackers found a way to exploit these methods.  So what do we do?  How can we ensure our business and personal systems are protected when we perform online transactions, like banking or accessing strategic business data?  There are multiple answers to this question, which implemented together provide a layered approach.

  1. Continue to use multi-factor authentication.  This is still a good way to thwart the majority of attempts to get to your data, and it’s far better than using only a traditional password.
  2. Keep patching and updating your AV solutions.  Patching is still one of the best ways to keep bad stuff off your endpoint devices.  Combined with AV (anti-malware) software, patching can smack down bad stuff crawling over the wire.
  3. Remove local admin access—even for you.  No one should browse the Web while logged in with an account which allows installation of anything on the desktop.  This is much easier with Windows Vista and Windows 7, but the large number of Windows XP systems still running on systems at the office and at home still require some special effort to make this happen.
  4. Consider using a sandbox or virtual machine.  The best way to prevent unwanted software from making a home on your PC is to browse the Web with a browser running in a sandbox.  Products like Sandboxie provide a free solution for isolating any Internet activity to a work area with read only access to the hard drive, system files, etc.  When finished, kill the sandbox and everything picked up along the way simply goes away.  Another approach is using virtual machines.  For home or home office, Sun’s VirtualBox is an excellent choice.  For larger businesses, VMware is an option.  However, beware of using a sandbox or VM for casual browsing and for accessing your bank account.  Remember, anything installing itself in your VM or in your sandbox will function as it would on your actual desktop.
  1. I just found this post where you discuss using a sandbox and/or VM. I also read the associated articles you linked to. VERY interesting stuff! Since I own a copy of VMware Workstation, I’ve just finished installing a new Ubuntu 9.04 VM and am in the process of installing all the updates. Once everything is the way I like it, I’ll set the VM’s hard drive to non-persistent — and I have my sandbox. 🙂 Thanks for the info!

  2. Hey Tom, have you heard of Virtual Appliances (or vApps) from VMware? They are basically pre-built encapsulated VM’s you can download for free. I found a “Browser Appliance” at WIth the free VMware Player, something like this makes a great sandbox!

Comments are closed.

%d bloggers like this: