One-time password tokens and FFIEC compliance

No authentication mechanism is foolproof -- including one-time password tokens. However, if you take some precautionary measures when implementing OTP tokens, you can ensure your customer a reasonable level of security and compliance with the FFIEC's two-factor authentication mandate. This tip, reposted courtesy of SearchSecurity.com, provides OTP token best practices.

The recent phishing attack on Citibank's one-time password (OTP) authentication has questioned the viability of OTP tokens as a secure method for two-factor authentication. That concern is even greater among banks who had pinned their hopes on using tokens to meet the Federal Financial Institutions Examination Council (FFIEC)'s recommendation that they implement two-factor authentication to protect their Internet banking Web sites from malicious access. Does that mean the end for OTP tokens as a way to comply with the FFIEC? Not exactly. One-time password tokens can still be effective for two-factor authentication depending on how and where they're implemented.

OTP tokens generate new PIN numbers every 30 to 60 seconds and can be used in addition to static user IDs and passwords to log on to a Web site. The idea is that if the static credentials are stolen, say, in a phishing attack, the malicious user would still have to guess the PIN to gain access. But since the time window is short to guess the PIN, it would be nearly impossible to break in.

MITM attacks and one-time passwords

Information security professionals have known for a while that OTP tokens are susceptible to man-in-the-middle (MITM) attacks. So the Citibank attack was no surprise. It was a real-time phishing attack, which is exactly what was expected. However, as scary as a real-time phishing attack may be, it requires that the hacker be at their keyboard at the right moment and act very quickly (like in 30 seconds) to gain access to the victim's online bank account. So unless it can be automa

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Identity management technologies and products to offer customers Access control compliance and corporate governance considerations Partner Program Directory: Authentication vendors The importance of PCI compliance Tech Watch: Biometric devices What current authentication methods are in use on the network? How many users utilize the network resources currently? Do off-site workers require remote access? How large is the customer's employee pool? Have you considered multiple levels of authentication? Regulatory Compliance Services PCI compliance guide: A resource for solution providers PCI DSS pre-assessment services: Prelude to a QSA The impact of PCI compliance on the channel Compliance drives opportunities for security integrators How to turn the HIPAA compliance changes into opportunities Data protection services offer revenue for security solution providers Agiliance and McAfee partner for better governance, risk and compliance services SonicWall announces partnership with Western NRG Building a framework-based compliance program HIPAA privacy regulations get some teeth: Be prepared Identity Management and Access Control Identity management technologies and products to offer customers Despite downturn, channel committed to identity and access management Access control compliance and corporate governance considerations Access control management The importance of access control Partner Program Directory: Authentication vendors Identity management: Compliance and trends Tech Watch: Biometric devices Identity management best practices and precautions Introduction to identity management solutions

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ted, it doesn't make a lot of sense for the serious criminal. Remember, phishing attacks are committed by organized criminal gangs interested in making a fast buck. This means constant monitoring of the victim online. Traditional phishing sites can harvest more prey, more efficiently, and make more money through passively harvesting credentials than the occasional one-off real-time attack, which depends mostly on luck. Of course, with the right combination of automated scripts and botnets, this could all change.

One-time password token best practices

There are two strategies for successfully and securely implementing OTP tokens: architecture of the token implementation and physical security of the tokens themselves.

In terms of architecture, the first consideration is placement of the token in your system. The most secure use of OTP tokens is for logging in to workstations locally or for accessing an internal network behind a firewall. In an internal network, where all servers are monitored (unlike the open Internet) an MITM attack isn't as likely. But that isn't much help for putting an OTP on a customer-facing Web site, which is the point of the FFIEC guidance. Therefore, a good approach for Web sites is to use Secure Sockets Layer (SSL) for the login page where the OTP value is entered instead of only for the following transaction pages. This encrypts all credentials – both the user ID and password, and the OTP's PIN – from the beginning. Login pages of some Web sites that use plain HTTP may pass credentials openly unencrypted over the Internet, where they can be sniffed.

But SSL itself can't stop a man-in-the-middle attack. SSL with mutual authentication enabled can provide some protection since both the server and client exchange certificates, preventing the type of server spoofing needed for MITM attacks. Design your site with the latest version of SSL that has mutual authentication.

Tokens are also vulnerable to theft, which is why their physical security is equally important for secure implementation. If tokens are stolen en route to customers along with the user's other login credentials, they're as good as compromised. The following are some tips for physically securing one-time password tokens:

Man-in-the-middle attacks will continue to plague one-time password tokens, but these suggestions should help mitigate the risk and allow for successful FFIEC compliance.

About the Author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in security, specializing in web and application security, and the author of The Little Black Book of Computer Security available from Amazon.

This tip originally appeared on SearchSecurity.com.