LINUX.IE, website of the Irish Linux Users' Group
[ILUG] Net banks with linux support

Ole Tange ole at tange.dk
Sun Jul 17 13:42:22 IST 2005


On Sun, 17 Jul 2005, Colm MacCarthaigh wrote:

> On Sun, Jul 17, 2005 at 01:37:45PM +0200, Ole Tange wrote:
> > [One time passwords]
:
> > Using this setup it is much harder to do an attack on the client. You
> > could do a man-in-the-middle, and do another transaction than the user
> > asked for. But you would have to falsify the electronic account statements
> > as well.
> 
> Why? With a MITM you can just pass right back whatever information the
> real server is giving you.

That would require the user to not read what is on the screen.

Example:

Me -> MIM: I want to login
MIM -> Real: I want to login
Real -> MIM: If you want to login, please give me one time password 02.ru
MIM -> Me: If you want to login, please give me one time password 02.ru
Me -> MIM: 2384
MIM -> Real: 2384
Real -> MIM: OK, you are now logged in.
MIM -> Me: OK, you are now logged in.

So far everything goes well for the attacker.

Me -> MIM: I want to transfer EUR 100 to account 12345
MIM -> Real: I want to transfer EUR 10000 to account 18238 (attacker's account)
Real -> MIM: If you want to transfer EUR 10000 to account 18238, please
give me one time password 24.kr

Now, if this is passed to Me, then I will be suspicious.

MIM will have to change this (which makes the logic of MIM harder to do):

MIM -> Me: If you want to transfer EUR 100 to account 12345, please
give me one time password 24.kr
Me -> MIM: 8233
MIM -> Real: 8233
Real -> MIM: OK, you have now transferred EUR 10000 to account 18238

And again MIM will have to change the reply:

MIM -> Me: OK, you have now transferred EUR 100 to account 12345

If I request a list of transactions, more logic will have to be built into 
MIM:

Me -> MIM: Give me a list of transactions
MIM -> Real: Give me a list of transactions
Real -> MIM: List of transactions - including the EUR 10000 transaction 
and totals

MIM will now have to work a bit harder. Not only does he have to change 
the transaction in the list, he also has to change the totals.

MIM -> Me: List of transactions. The EUR 10000 transaction changed to the 
EUR 100 transaction. Totals readjusted accordingly.

It is not that it cannot be done, but it will be _much_ harder as the
attack will have to take place on-the-fly. 

If the attacker can empty 10000 accounts within 30 minutes of his choosing
then he will not have to care if he is exposed later. But if he can only
empty the accounts when users are logged in, then he will have to cover
his tracks.


/Ole
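The exchange above, written out as a small simulation. This is an added example, not code from the post or from any bank: the OTP card, the account numbers and the amounts are constructed sample values, the messages are Python dicts rather than the screen text in the post, and the login step is left out because the MIM only relays it. The MIM proxy substitutes the transfer and then has to keep state so that it can rewrite the challenge, the confirmation, the statement and the totals on the way back. The second scenario goes beyond the post: it assumes a card whose code also commits to the amount and account the user sees (a "bound" OTP, modelled here with an HMAC), and shows that the same MIM is then rejected by the bank because the user signs EUR 100 to 12345 while the bank is checking EUR 10000 to 18238.

```python
"""Toy model of the OTP banking session and the stateful man-in-the-middle
(MIM) from the post. Everything here is constructed for illustration: the OTP
card, the account numbers and the amounts are sample values, not a real scheme."""

import hashlib
import hmac

# Constructed sample OTP card (index -> code); the first two pairs are the post's.
OTP_CARD = {"02.ru": "2384", "24.kr": "8233", "31.ab": "1190"}


def card_code(index, amount=None, account=None):
    """Code the user produces for a card index. Without amount/account this is
    the post's scheme (the index alone picks the code). With them it is the
    'bound OTP' assumption: the code also commits to what the user sees."""
    if amount is None:
        return OTP_CARD[index]
    msg = f"{index}|{amount}|{account}".encode()
    return hmac.new(OTP_CARD[index].encode(), msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Real server. It picks the OTP index; in the post's scheme that index
    says nothing about the transaction being confirmed."""

    def __init__(self, balance=20000, bound=False):
        self.balance = balance
        self.ledger = []            # confirmed (amount, account) pairs
        self.pending = None
        self.bound = bound
        self._indices = iter(OTP_CARD)

    def challenge(self, amount, account):
        """Start a transfer; reply with the index of the OTP needed to confirm it."""
        self.pending = (amount, account, next(self._indices))
        return {"amount": amount, "account": account, "otp_index": self.pending[2]}

    def confirm(self, code):
        amount, account, index = self.pending
        expected = card_code(index, amount, account) if self.bound else card_code(index)
        if not hmac.compare_digest(expected, code):
            return {"ok": False}
        self.ledger.append((amount, account))
        self.balance -= amount
        return {"ok": True, "amount": amount, "account": account}

    def statement(self):
        return {"transactions": list(self.ledger), "balance": self.balance}


class MIM:
    """Proxy sitting between user and bank. It swaps the transfer, then must
    rewrite every later reply so the user's screen stays consistent."""

    ATTACKER_ACCOUNT = "18238"      # constructed value from the post

    def __init__(self, bank, steal=10000):
        self.bank = bank
        self.steal = steal
        self.swapped = []           # (what the user asked, what the bank got)

    def challenge(self, amount, account):
        real = self.bank.challenge(self.steal, self.ATTACKER_ACCOUNT)
        self.swapped.append(((amount, account), (self.steal, self.ATTACKER_ACCOUNT)))
        # The index is forwarded untouched; the amount/account shown is rewritten.
        return {"amount": amount, "account": account, "otp_index": real["otp_index"]}

    def confirm(self, code):
        resp = self.bank.confirm(code)
        if resp["ok"]:
            user_amount, user_account = self.swapped[-1][0]
            resp = {"ok": True, "amount": user_amount, "account": user_account}
        return resp

    def statement(self):
        real = self.bank.statement()
        remaining, txs, balance = list(self.swapped), [], real["balance"]
        for entry in real["transactions"]:
            for asked, got in remaining:
                if entry == got:        # hide the real transfer...
                    entry = asked
                    balance += got[0] - asked[0]   # ...and readjust the totals
                    remaining.remove((asked, got))
                    break
            txs.append(entry)
        return {"transactions": txs, "balance": balance}


def user_session(server, amount=100, account="12345", bound=False):
    """The user reads the screen and types the code for the index shown.
    Returns (confirmation seen, statement seen)."""
    ch = server.challenge(amount, account)
    code = card_code(ch["otp_index"], ch["amount"], ch["account"]) if bound \
        else card_code(ch["otp_index"])
    return server.confirm(code), server.statement()


def run_post_scenario():
    """The post's scheme: returns what the user sees and what the bank recorded."""
    bank = Bank()
    seen, stmt = user_session(MIM(bank))
    return seen, stmt, bank.statement()


def run_bound_scenario():
    """Bound OTP (assumption beyond the post): the swapped transfer is rejected."""
    bank = Bank(bound=True)
    seen, _ = user_session(MIM(bank), bound=True)
    return seen, bank.statement()


if __name__ == "__main__":
    print(run_post_scenario())
    print(run_bound_scenario())
```

In the first scenario the user sees a EUR 100 transfer to 12345 and a statement whose balance has been adjusted to match, while the bank's ledger holds EUR 10000 to 18238: the MIM has done all the on-the-fly rewriting the post describes. In the second the MIM forwards the index exactly as before, but the code the user typed was computed over the EUR 100 transfer on the screen, so the bank's check over the EUR 10000 transfer fails and nothing is debited.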


