In a rather timely fashion, after yesterday's story on Barclays card readers for security, here are clearer details on the Citibank 'man in the middle' attack that defeated hardware tokens.
A long-predicted vulnerability of hardware-token based multi-factor authentication has now been successfully exploited against Citibank, marking the beginning of the end for the small security devices.
…..
In a textbook example of a “man-in-the-middle” attack, Citibank business customers were lured to dozens of counterfeit websites located in Russia where they were prompted to supply their token-generated passwords and other credentials. The counterfeit websites then swiftly sent the solicited credentials to the genuine Citibank website where they were used to access the accounts.
And the final sobering reality from the experts.
VULNERABILITY NO SURPRISE TO SECURITY EXPERTS
Security experts have long warned against relying on the small hardware devices, citing their vulnerability to man-in-the-middle attacks, their unpopularity with consumers, and their inability to perform website authentication as recommended by federal regulators.
“While this might sound shocking to the financial industry since we haven’t seen too many of these attacks, the theory of the attack and the risk have certainly been well understood within the security community,” wrote Internet Storm Watch analyst Jason Lam days following the attack.
“Hardware tokens are incapable of performing website authentication,” agrees Sestus Data Corporation CEO Taun Willis, “and website authentication is absolutely critical to preventing phishing attacks. Regulators have been saying this for years but the banking industry just hasn’t been listening.”
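The two points the story makes, that a counterfeit site can relay a token code to the genuine site while the code is still valid, and that a token has no way of telling the user which site they are typing it into, can be shown with a small simulation. This is an added example, not code from the original post or from Citibank or any token vendor. The HOTP/TOTP functions follow RFC 4226 and RFC 6238; the bank, the counterfeit site, the usernames, seeds and hostnames are all constructed for illustration. The second half goes a step beyond the page: it shows how a challenge-response authenticator that binds the response to the browser's origin defeats the same relay, which is what "website authentication" amounts to in practice.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class Bank:
    """Constructed stand-in for the genuine site. It verifies who the user is, but nothing
    in the submitted data tells it which site the user typed the code into."""

    def __init__(self, users: dict[str, tuple[str, bytes]]):
        self.users = users  # username -> (password, token seed)

    def login(self, username: str, password: str, otp: str, now: int) -> bool:
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return False
        seed = record[1]
        # Accept the current 30-second step and the previous one for clock drift;
        # that validity window is exactly what a real-time relay exploits.
        return any(hmac.compare_digest(totp(seed, now - 30 * k), otp) for k in (0, 1))


class CounterfeitSite:
    """Constructed phishing site: records the victim's input and replays it to the
    genuine site immediately, while the one-time code is still valid."""

    def __init__(self, target: Bank):
        self.target = target
        self.captured = []

    def submit(self, username: str, password: str, otp: str, now: int) -> bool:
        self.captured.append((username, password, otp))
        return self.target.login(username, password, otp, now)


def demo_otp_relay(now: int = 1_700_000_000) -> bool:
    """Victim types the code the token displays into the counterfeit site; the relay is accepted."""
    seed = b"constructed-token-seed"  # constructed for illustration, not a real seed
    bank = Bank({"acme-treasury": ("hunter2", seed)})
    phish = CounterfeitSite(bank)
    displayed = totp(seed, now)  # what the victim reads off the token
    return phish.submit("acme-treasury", "hunter2", displayed, now)


class OriginBoundAuthenticator:
    """Constructed authenticator that answers a challenge together with the origin the
    browser is actually on (HMAC stands in for a signature to keep the example short)."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes, origin: str) -> bytes:
        return hmac.new(self.key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class OriginBoundBank:
    """Constructed site whose login only accepts responses bound to its own origin."""

    ORIGIN = "https://bank.example"  # assumed hostname

    def __init__(self, users: dict[str, bytes]):
        self.users = users  # username -> device key
        self.pending: dict[str, bytes] = {}

    def challenge(self, username: str) -> bytes:
        self.pending[username] = secrets.token_bytes(16)
        return self.pending[username]

    def login(self, username: str, response: bytes) -> bool:
        key, challenge = self.users.get(username), self.pending.pop(username, None)
        if key is None or challenge is None:
            return False
        expected = OriginBoundAuthenticator(key).respond(challenge, self.ORIGIN)
        return hmac.compare_digest(expected, response)


def demo_origin_bound_relay() -> tuple[bool, bool]:
    """Returns (legitimate login result, relayed login result)."""
    key = b"constructed-device-key"  # constructed for illustration
    bank = OriginBoundBank({"acme-treasury": key})
    device = OriginBoundAuthenticator(key)
    legit = bank.login("acme-treasury", device.respond(bank.challenge("acme-treasury"), bank.ORIGIN))
    # The counterfeit site forwards the bank's challenge, but the victim's browser is at the
    # phishing origin, so the device binds the response to that origin and the bank rejects it.
    relayed = bank.login("acme-treasury",
                         device.respond(bank.challenge("acme-treasury"), "https://phish.example"))
    return legit, relayed


if __name__ == "__main__":
    print("OTP relayed by counterfeit site accepted:", demo_otp_relay())
    print("(legitimate, relayed) with origin binding:", demo_origin_bound_relay())
```

The relay succeeds because the only fact the one-time code carries is that it is fresh; the genuine site never learns where it was typed. Origin binding supplies that missing fact, but only if the authenticator takes the origin from the browser rather than from anything the user reads or types, which is why a display-only token cannot provide it.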
The hardware token vendors and schemes (e.g. MasterCard, Visa, RSA, Vasco) owe it to us all to come through with answers on this.
Relevance to Bankwatch:
Don't panic. There are solutions, but there are no silver bullets. My experience in watching this evolve, and the best advice I get from experts who know more than me, is that the best approach is a portfolio approach: multiple solutions that do not put all your eggs in one basket.