On 5/18/07, aditya kuppa <aditya1010@xxxxxxxxx> wrote:

> How about this Trojan ;) http://www.hispasec.com/laboratorio/troyano_video_en.htm
> Looks like a great method to get the password if the inputs are scrambled, rotated randomly after each entry, etc. A combination of a trojan like this + a simple keylogger + a MITM can defeat all possible authentication mechanisms: multi-factor, channel authentications like OTP, SMS-based logging, etc.

Aditya,

Cute trojan; however, it cannot defeat an out-of-band challenge such as SMS, unless it's not properly implemented or the attacker has much more under control (in which case he doesn't really need to defeat this at all).

The idea of the out-of-band challenge is that the user (the victim) will receive an SMS message which states exactly what's happening, together with the authorization code. The code has to be unique, and the bank has to calculate the code depending on the transaction and some secret (an MD5 hash would be enough). An example of such an SMS message would be: "You are about to transfer $100 to account number 12345678. Your authorization code is: 9876543".

Now, the user has to enter this on the bank web site to complete the transaction. If he doesn't do it within a certain time interval, the transaction is denied. If the authorization code is not correct, the transaction is denied. If the attacker changes anything through the MiTM, the user will see it in the SMS message. If the attacker captures the user's login credentials and tries to do this later (when the user is offline), the user would receive the SMS message (which would hopefully alert him) and the attacker would have to guess the authorization code to complete the transaction (the bank can implement a lockout, for example, if 3 incorrect authorization codes have been entered).

As you can see, this defeats all attacks. The attacker would have to hack the SMS gateway/Telco in order to modify the SMS messages sent, which is almost impossible or impractical.

Cheers,
Bojan
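The scheme Bojan describes, worked through as an added example (this is not code from the thread or from any bank; it is a toy model written for this page). It assumes a server secret, a constructed seven-digit code format, a hypothetical 300-second window (the thread names no interval), and uses HMAC-SHA256 in place of the MD5 hash the thread mentions. It shows the three properties the reply relies on: the code is bound to exactly one pending transaction, the SMS text lets the user detect a tampered transfer, and a wrong or stale code is denied with lockout after three failures.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    user: str
    to_account: str
    amount_cents: int


class OutOfBandAuthorizer:
    """Bank-side model of the SMS challenge (example code, not a real bank's).

    The code is derived from the transaction details, a per-request nonce and a
    server secret. HMAC-SHA256 is this example's choice (the thread says an MD5
    hash would do). A code is valid for one pending transaction only.
    """

    CODE_DIGITS = 7           # constructed format, matches the thread's sample code
    TTL_SECONDS = 300         # hypothetical window; the thread names no interval
    MAX_ATTEMPTS = 3          # lockout threshold given in the thread

    def __init__(self, server_secret: bytes, clock=time.time,
                 token_source=lambda: secrets.token_hex(8)):
        self._secret = server_secret
        self._clock = clock                # injectable so tests are deterministic
        self._token = token_source         # txn ids and nonces
        self._pending = {}                 # txn_id -> {txn, nonce, issued, attempts}
        self._locked_users = set()

    def _code_for(self, txn: Transaction, nonce: str) -> str:
        msg = f"{txn.user}|{txn.to_account}|{txn.amount_cents}|{nonce}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        n = int.from_bytes(digest[:8], "big") % 10 ** self.CODE_DIGITS
        return f"{n:0{self.CODE_DIGITS}d}"

    def start(self, txn: Transaction):
        """Register a pending transfer and return (txn_id, sms_text).

        The SMS spells out the exact transfer the code authorizes, so a user
        whose request was altered in transit sees the wrong account or amount.
        """
        if txn.user in self._locked_users:
            raise PermissionError(f"{txn.user} is locked out")
        txn_id, nonce = self._token(), self._token()
        self._pending[txn_id] = {"txn": txn, "nonce": nonce,
                                 "issued": self._clock(), "attempts": 0}
        sms = (f"You are about to transfer ${txn.amount_cents / 100:.2f} to account "
               f"number {txn.to_account}. Your authorization code is: "
               f"{self._code_for(txn, nonce)}")
        return txn_id, sms

    def confirm(self, txn_id: str, code: str) -> str:
        """Return "approved", "denied", "expired" or "locked" for a submitted code."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return "denied"                      # unknown or already-used transaction
        txn = entry["txn"]
        if txn.user in self._locked_users:
            return "locked"
        if self._clock() - entry["issued"] > self.TTL_SECONDS:
            del self._pending[txn_id]
            return "expired"                     # time window from the thread
        expected = self._code_for(txn, entry["nonce"])
        if hmac.compare_digest(expected.encode(), code.encode()):
            del self._pending[txn_id]            # one-shot: a code never works twice
            return "approved"
        entry["attempts"] += 1
        if entry["attempts"] >= self.MAX_ATTEMPTS:
            self._locked_users.add(txn.user)     # lockout after 3 bad codes
            del self._pending[txn_id]
            return "locked"
        return "denied"


def code_from_sms(sms: str) -> str:
    """What the legitimate user reads off the message: the trailing code."""
    return sms.rsplit(": ", 1)[1].strip()


def user_accepts_sms(sms: str, intended: Transaction) -> bool:
    """User-side check from the thread: only type the code in if the SMS
    describes the transfer the user actually meant to make."""
    expected_prefix = (f"You are about to transfer ${intended.amount_cents / 100:.2f} "
                       f"to account number {intended.to_account}.")
    return sms.startswith(expected_prefix)
```

Two design points matter. The code is computed over the transaction as the bank received it, so if a MiTM rewrites the destination account the SMS describes that rewritten transfer and the user-side check fails before any code is entered; and because each pending transfer gets its own nonce, a code captured by a keylogger for one transaction is useless for any other, which is why the attacker in Bojan's replay scenario is left guessing against a three-attempt lockout.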