We ran into a friend a while back who was logging into her employer’s Virtual Private Network on the weekend. She caught our attention by pulling out her keys and typing in some information from a key fob. It turns out that her workplace uses an additional layer of protection for logging into the network: a username, a PIN, and a hardware token system called SecurID.
The hardware consists of a key fob with an LCD screen on it. A code is displayed on the screen and changes frequently, usually every 60 seconds. The device generates these codes from a 128-bit encryption seed. When the displayed code is entered at login, a server that holds a copy of the same seed computes the value it expects and uses the match as an additional check on top of the other login data.
This seems like a tech trickle-down of the code-generating device from GoldenEye. It does get us thinking: with the problems free email services have been having with account theft, why aren’t they offering a fee-based service that includes a security fob? With the right pricing structure this could be a nice stream of income for the provider. We’re also wondering whether this can be implemented with a microcontroller and used in our home network. As always, leave comments below and let us know if you’ve already built your own system using these principles.
Update: Thanks to Andre for his comment that tells us this type of security is available for Apache servers. The distribution includes a server-side authentication system and a Java-based token generator that can run on any handheld that supports Java.
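To make the seed-plus-clock idea concrete, here is an added example (not code from the post, and not RSA’s proprietary SecurID algorithm, which is undisclosed) using the open HMAC-based scheme from RFC 4226/6238 as a stand-in: the fob and the server share a seed, the fob shows HMAC(seed, current 60-second step) truncated to six digits, and the server recomputes the same value. The `TokenServer` class, the `alice` account, the drift window and the demo seed are all constructed for this example. Note what the scheme does and does not give you: the server also records the last step it accepted, so a code cannot be replayed, but a code that is relayed to the server within its window is still valid, because nothing in it says what transaction the user was authorizing.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the fob in the post rotates its code every 60 s
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def fob_code(seed: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """What the LCD shows: HOTP over the number of whole steps since the Unix epoch (RFC 6238)."""
    return hotp(seed, int(now // step))


class TokenServer:
    """Hypothetical server side: a copy of each user's seed plus the last counter accepted,
    so that every code is single-use even inside the drift window."""

    def __init__(self, seeds: dict, step: int = STEP_SECONDS, drift_steps: int = 1):
        self._seeds = seeds
        self._last_counter = {user: -1 for user in seeds}
        self._step = step
        self._drift = drift_steps

    def verify(self, user: str, pin_ok: bool, code: str, now: float) -> bool:
        seed = self._seeds.get(user)
        if seed is None or not pin_ok:
            return False                      # unknown user or wrong PIN: the token is never consulted
        current = int(now // self._step)
        # Tolerate one step of clock drift either way, but never a counter already used.
        for counter in range(current - self._drift, current + self._drift + 1):
            if counter <= self._last_counter[user]:
                continue
            if hmac.compare_digest(hotp(seed, counter), code):   # constant-time compare
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    DEMO_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed 128-bit seed
    server = TokenServer({"alice": DEMO_SEED})
    now = time.time()
    shown = fob_code(DEMO_SEED, now)
    print("fob shows     :", shown)
    print("first login   :", server.verify("alice", True, shown, now))      # expected True
    print("same code again:", server.verify("alice", True, shown, now + 5))  # expected False (replay)
```

The seed never travels at login time; only the six digits do. Clock drift is the usual operational headache with a standalone fob, which is why the server checks a small window of adjacent steps rather than a single one.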
Another company, Arcot Systems, has 2-factor with a software token – more convenient.
I can’t believe no one here mentioned that the new trojans are circumventing almost all brands of these types of tokens; hell, even the phishing scams are getting past them. The phishing scammers simply added an instant messenger to their fake pages and instant-msg the valid code off to the attacker, then, whoops, you get a “session timed out, please login again” to give the scammers in the background a second code to empty your account. As for the trojans, Zeus, URLzone, Silon etc. etc., they simply hijack your browser and do the same thing, even permanently saving your now-empty balance value so you don’t know you’ve been scammed. The user has no idea what he is authenticating with the generic numbers all these things spit out. PassWindow is immune, as the transaction values, i.e. destination account, value etc., can be included in the challenge itself, which even the trojans can’t touch, and the transparent key patterns cost nothing to implement.
Oh, just in case anyone above thinks mobile phone SMS authentication offers any better security than the broken tokens, here’s the first of many articles coming to you.
http://news.cnet.com/8301-13506_3-10403425-17.html?part=rss&subj=news&tag=2547-1_3-0-20
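The point raised above about putting the transaction values into the challenge is worth seeing in code. The following is an added example, not the commenter’s code and not PassWindow’s product: it binds a six-digit confirmation code to the destination account and amount with an HMAC over the shared seed, so a code the user computed for the payment shown on the device verifies only for that exact payment. The field layout, the counter used to prevent reuse, and the sample account numbers are all constructed for this illustration.

```python
import hashlib
import hmac


def transaction_code(seed: bytes, counter: int, dest_account: str, amount_cents: int,
                     digits: int = 6) -> str:
    """Code the token computes for one specific payment.
    Changing any field (counter, payee, amount) changes the code."""
    message = f"{counter}|{dest_account}|{amount_cents}".encode()
    mac = hmac.new(seed, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def server_accepts(seed: bytes, counter: int, dest_account: str, amount_cents: int,
                   submitted: str) -> bool:
    """Bank side: recompute the code from the payment it is actually about to execute."""
    expected = transaction_code(seed, counter, dest_account, amount_cents)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed shared seed
    # The device shows the user "pay account 123-456, $50.00, request #7" and a code for it.
    user_code = transaction_code(SEED, 7, "123-456", 5000)
    print("code for the shown payment :", user_code)
    # Honest submission: the fields the bank sees are the fields the user saw.
    print("bank executes as shown     :", server_accepts(SEED, 7, "123-456", 5000, user_code))
    # A browser hijacked in the middle swaps the payee; the relayed code no longer fits.
    print("payee silently changed     :", server_accepts(SEED, 7, "999-999", 5000, user_code))
```

The security rests on the user actually reading the payee and amount on a display the browser cannot alter; a code bound to fields the user never sees is no better than a plain time code.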
These systems are NOT totally secure; the 2FA system that you refer to (two-factor authentication) was breached by a very simple ‘man in the middle’ attack back in 2007.
see: http://www.out-law.com/page-7967
The technical staff of banks know this, and they also know that it will cost a bomb to totally implement, and not even work; don’t forget, the thieves are ALWAYS one step ahead.
The article might not have been new, but some of the comments have been interesting and enlightening.