Another week brings us news of yet another breach of online systems supposedly protected by one-time passwords, this time at 34 banks in Switzerland, Sweden, Austria, and Japan. At this point, I’m strongly tempted to edit one-time passwords out of the Wikipedia article on multi-factor authentication. They’re so hopeless that they threaten to give our whole industry a bad name.

Not that this is the first time an online security technique has failed miserably. Remember out-of-wallet questions? Facebook caught on and suddenly your mother’s maiden name was there for every fraudster from Tampa to Tajikistan to see.

Then came SiteKey, from Passmark Security, a technology intended to prove a user is on a legitimate, non-phishing bank web site by displaying a previously configured phrase and/or JPEG of your uncle smoking a pineapple. A Harvard study found that the technology was 97% ineffective. “The obvious flaw in the design is that a phishing site can get the correct SiteKey info from the genuine site, then serve it to the user, ‘proving’ its legitimacy,” said its authors.

(This flawed approach obviously positioned Passmark well enough to be acquired for $44.7 million by another company claiming to know a lot about security, but which hasn’t really come up with a new product in a decade.)

Next, it was the era of the one-time password (OTP). The United States was slow to accept this particular silver bullet; banks everywhere else, not so much. They jumped at the chance to have their long-suffering customers enter alphanumeric codes into their banking portals. OTPs, whether delivered by email or text message, became a frustrating fact of life for tens of millions of people in Germany, the Netherlands, Australia and South Africa.

Ironically enough, it was only after distinguished Gartner analyst Avivah Litan started warning banks against using browser-based technologies like OTP that OTP caught on in the US. From consumer-focused companies like Google, Facebook and Apple to multinational banks, OTP is the new SiteKey!

Avivah’s concerns are not just theoretical. Multi-factor authentication systems using OTPs are defeated by fraudsters daily and have been for years now. If your bank account is protected using this approach, your money really is safer under your pillow. 

This week brought us another great example of why that’s the case.

Operation Emmental

Enter the exploit with the cheesy name. Some have said it invalidates multi-factor authentication as a means of securing online banking accounts. We at Entersekt disagree, but before we get to that, how does Emmental actually work? 

Like most exploits, it begins with fraudsters sending you a phishing email with a link, which you, like many recipients, will unthinkingly open. The malware that is downloaded as a result of this rash action then runs a script that doesn’t infect your machine in any way anti-virus programs understand: before deleting itself, the malware installs an additional root SSL certificate on your machine and changes your DNS settings.

Doesn’t sound so bad? There are, after all, no “YOUR PC HAS BEEN STONED” messages during POST; no emails from a seductive Melissa sent to your 50 closest friends. 

Unfortunately, what’s happening is a lot worse. From this point onwards, every browser request initiated from your machine will be carefully scrutinized. If it’s for something interesting, like your email or online banking portal, it will be man-in-the-middled and your passwords extracted from the communications in clear text. Because the requests are actually originating from your machine, most browser fingerprinting solutions are completely unaware that an attack is occurring.

At this point, if you’re using an out-of-band authentication system relying on emailed OTPs, it is likely game over. The attackers have probably accessed your email account using the technique I described above. Your OTPs are theirs now.

If your bank sends you OTPs via SMS, you’re no safer. The bad guys have a strategy for that too. Apart from changing your computer’s DNS settings, the phishing email opens a Web page with information on mobile security. It lures you into downloading a mobile application that promises to protect you from online banking fraud. Once it’s installed on your phone, the app intercepts all text messages containing OTPs, and forwards them in real-time to the attackers, who then use them to authenticate their fraudulent transactions on your accounts. 
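The two changes the malware leaves behind on the PC (an extra root certificate in the trust store and a rewritten DNS resolver) are exactly what an endpoint check can look for. The script below is an added example, not part of the original post and not Entersekt code: it compares a constructed trust-store inventory against a baseline of expected root fingerprints and parses a constructed resolv.conf-style resolver configuration against an approved resolver list. All fingerprints, subject names and addresses are placeholders.

```python
"""Host-side checks for the two Emmental-style artefacts described above:
an unexpected root certificate and an unapproved DNS resolver.
Every input here is constructed; fingerprints and addresses are placeholders."""
import ipaddress
import re

# Baseline of root certificates expected on a managed workstation
# (constructed: subjects and SHA-256 values are placeholders, not real CAs).
BASELINE_ROOTS = {
    "a1" * 32: "Example Vendor Root CA",
    "b2" * 32: "Example Corporate Root CA",
}

# Resolvers the endpoint is allowed to use (constructed internal addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed trust-store dump, shaped like the output of a host inventory agent.
TRUST_STORE = [
    {"subject": "Example Vendor Root CA", "sha256": "a1" * 32},
    {"subject": "Example Corporate Root CA", "sha256": "b2" * 32},
    {"subject": "Secure Banking Root", "sha256": "c3" * 32},  # not in baseline
]

# Constructed resolver configuration after the malware's DNS change.
# 203.0.113.0/24 is a documentation range, used here as the rogue resolver.
RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.7
"""


def unexpected_roots(store, baseline):
    """Return trust-store entries whose fingerprint is not in the baseline.
    Matching is done on the fingerprint, not the subject, so a lookalike
    name such as 'Secure Banking Root' cannot pass by itself."""
    return [c for c in store if c["sha256"].lower() not in baseline]


def unapproved_resolvers(resolv_conf, approved):
    """Return nameserver addresses that are not on the approved list.
    Malformed entries are reported too, since they are suspicious on their own."""
    found = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"nameserver\s+(\S+)$", line)
        if not m:
            continue
        addr = m.group(1)
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            found.append(addr)
            continue
        if addr not in approved:
            found.append(addr)
    return found


def assess(store, resolv_conf):
    """Combine both checks. A foreign root plus a foreign resolver is the
    pairing that enables transparent interception, so it rates highest."""
    roots = unexpected_roots(store, BASELINE_ROOTS)
    dns = unapproved_resolvers(resolv_conf, APPROVED_RESOLVERS)
    if roots and dns:
        severity = "high"
    elif roots or dns:
        severity = "medium"
    else:
        severity = "none"
    return {"unexpected_roots": roots, "unapproved_resolvers": dns,
            "severity": severity}


if __name__ == "__main__":
    print(assess(TRUST_STORE, RESOLV_CONF))
```

In practice the trust-store dump would come from the platform's certificate tooling and the baseline from the endpoint image, so the check runs as a periodic inventory comparison rather than a one-off script.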

Multi-factor authentication is still the solution

Conceptually, multi-factor authentication still affords users and service providers the best chances of surviving an attack by a sophisticated cyber-adversary. It’s just that most organizations use antiquated implementations of the approach. To safeguard their customers’ online accounts, they must migrate to new technology that is secure, easy to use, completely out of band, and does not rely on vulnerable browser and SMS channels.

Out-of-band authentication, along with transaction signing, can be accomplished using Entersekt’s mobile-based Transakt product and requires no retyping of codes into compromised browsers by users. Communications are encrypted and secured using industry-standard cryptography completely separated from the mobile device’s operating system, and cannot be intercepted by any third party, guaranteeing end-to-end integrity of all authentication payloads. 
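The difference between a retyped OTP and out-of-band transaction signing comes down to what the user's approval is bound to. The following is an added illustration and not Transakt's protocol or any Entersekt code: it contrasts an OTP check, which compares a bare code and knows nothing about the transaction, with an approval computed over the payee, amount and a single-use nonce on the registered device. The shared HMAC key is an assumption made to keep the example dependency-free; a real deployment would use a per-device key pair. All transaction values are constructed.

```python
import hashlib
import hmac
import json

# Constructed enrollment secret shared between the bank and the user's
# registered phone. Placeholder only; a real system would use an
# asymmetric per-device key rather than a symmetric one.
DEVICE_KEY = b"constructed-example-device-key-not-a-real-secret"


def verify_otp(submitted: str, issued: str, tx: dict = None) -> bool:
    """OTP check as used on the portals discussed above. The transaction
    argument is deliberately unused: the code is compared to the one issued
    and nothing else, so whoever holds it can spend it on any transaction."""
    return hmac.compare_digest(submitted, issued)


def canonical(tx: dict) -> bytes:
    """Deterministic encoding of the transaction details shown to the user."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(device_key: bytes, tx: dict) -> str:
    """Runs on the phone, out of band: the user sees payee and amount and
    approves, and the approval is a MAC over exactly those details."""
    return hmac.new(device_key, canonical(tx), hashlib.sha256).hexdigest()


class Bank:
    """Bank side: recomputes the approval over the transaction it is about
    to execute, and refuses to honour the same nonce twice."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.used_nonces = set()

    def verify_transaction(self, tx: dict, approval: str) -> bool:
        if tx["nonce"] in self.used_nonces:
            return False  # replay of an already-executed approval
        expected = hmac.new(self.device_key, canonical(tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, approval):
            return False  # approval was given for different details
        self.used_nonces.add(tx["nonce"])
        return True


def demo() -> dict:
    """Walk through the relay scenario from the post with constructed values."""
    victim_tx = {"payee": "ACME Utilities", "amount": "120.00",
                 "currency": "EUR", "nonce": "n-0001"}
    # The attacker keeps the victim's approval but swaps in their own payee.
    attacker_tx = dict(victim_tx, payee="MULE-ACCOUNT-4711")
    otp = "482913"  # constructed code, as forwarded by the SMS-stealing app
    bank = Bank(DEVICE_KEY)
    approval = sign_transaction(DEVICE_KEY, victim_tx)
    return {
        # OTP: the intercepted code is accepted no matter which transaction it
        # accompanies, because the check never looks at the transaction.
        "otp_accepted_for_attacker_tx": verify_otp(otp, otp, attacker_tx),
        # Signed approval: the same capture fails on the altered transaction...
        "approval_on_attacker_tx": bank.verify_transaction(attacker_tx, approval),
        # ...succeeds on the transaction the user actually saw...
        "approval_on_victim_tx": bank.verify_transaction(victim_tx, approval),
        # ...and cannot be replayed.
        "approval_replayed": bank.verify_transaction(victim_tx, approval),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the example makes is that an attacker sitting between the browser and the bank gains nothing from capturing an approval that already names the payee and amount the user agreed to; changing either detail invalidates it, and the nonce stops it being reused.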

Banks around the world have successfully stopped account takeover attacks like Emmental by migrating to Entersekt’s state-of-the-art authentication solutions. One such institution is Nedbank. Here’s what John Bestbier, strategy group executive at Nedbank, recently had to say about the Entersekt alternative to OTPs:

Despite the clear vulnerabilities one-time passwords present, many financial institutions continue to rely on this method of customer authentication before a transaction can be completed. 

Rather than requiring our customers to enter static passwords or one-time passwords that can easily be stolen or intercepted by online fraudsters, partnering with Entersekt enables us to leverage advanced authentication capabilities to streamline the approval process by utilizing the customer’s mobile phone to complete the purchase with a simple touch of a button. With no password to retype anymore, there is no password left for an online fraudster to steal. 

OTP-based multi-factor authentication will leave your consumers vulnerable to fraud. Why not join the world’s most innovative banks and become part of the solution? 



Christiaan Brand

FORMER CTO


Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.