Two-Factor Tokens
June 4th, 2008 Posted in Vendors
I finished a great training session today. Everyone in the class really enjoyed the entertainment and several people described me as “animated” and “high energy”. I hope that’s a good thing and I didn’t overdo it on the coffee. One of the participants offered me a complimentary PayPal Security Key. These are basically Verisign key fobs used for two-factor authentication. These retail for about $15-20 but PayPal sells them at cost for about $5.
Being the security geek I am, I immediately enrolled it with my PayPal account. I know nothing changed really, but I somehow felt more secure about my account (which I never use.) I told Chipmonkey who immediately asked, “What if you lose the token?” “Uhm… then I can’t log in… or have to jump through several hoops to log in w/o it.”
I think the mass market adoption of any two-factor technology will ultimately be in the form of cell phone payments. Either your phone can be loaded with a “soft” token, or you simply get an SMS message with an authorization code you can enter into a POS. Whatever the future holds, it’s nice to feel a little more secure in the present.
7 Responses to “Two-Factor Tokens”
By Stefan Javor on Jun 9, 2008
Hi,
I think today there is a better solution: EMV on cell phones with OTP and C/R, MAC and MDS.
It is cheaper, under $3, and you don’t need additional devices, e.g. one for banking, one for PayPal, one for the company and one for my …..! It’s mobile with no SMS cost. YES, you are right, cell phones!! I have it
and it works!
Bye
Stefan
By Andrew on Jun 9, 2008
The problem with tokens is that they just don’t solve the problem. They don’t prevent MITM attacks, and there have been a couple of high-profile, successful attacks on European banks that use these types of OTP systems.
Out of band communications, such as SMS on a cell phone, that can provide transaction details for verification, along with an OTP that is cryptographically linked with the purchase/transfer/payment are much more secure.
By Stefan Javor on Jun 9, 2008
Hello Andrew,
It is not really SMS; that is too expensive for the bank and the customer. You get an SMS with a link, e.g. your individual link. And you get a mail from your bank with your first initial PIN, and you must change your first PIN. This application runs on all Java cell phones. You generate all PINs, TAN, signature, MAC, MDS with no SMS cost! It works for B-to-B or B-to-C etc. Look at
http://www.logos.hr/?q=en/node/174
In the US a very big finance customer has the CAP solution from this company. MITM can only read the data if they break the encryption (TLS etc.). If they change any data the hash changes and the C/R changes.
Bye
By Michael Dahn on Jun 10, 2008
I agree and would certainly sign up for SMS OTP 2-factor authentication if anyone offered it. I don’t want to handle a token and would rather consolidate everything into my phone.
By Andrew on Jun 10, 2008
Code based two-factor systems on a phone are no better than a token - sure, you are probably less likely to lose it, or to not have it on you when you need it, but it does not prevent MITM attacks.
Hmmm. I’m actually going to disagree with myself here - if you had a code based system on your phone that you had to enter transaction details into (amount, payee account number would be the minimum), then this could be quite secure. Phone based malware would remain a problem, but it would cryptographically link the transaction details with the data sent to the merchant/bank.
I like it!
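An added example (not from the post or any commenter) of the transaction-bound code Andrew describes: the phone app computes an HMAC over the amount, payee and a counter, so a code issued for one payment does not verify for a payment an MITM has rewritten in transit. The shared key and account numbers are constructed placeholders, and truncation follows the HOTP (RFC 4226) dynamic-truncation scheme.

```python
import hmac
import hashlib
import struct

# Constructed placeholder for the secret the phone app and the bank share
# after enrollment; a real deployment provisions a random per-customer key.
SHARED_KEY = b"demo-key-shared-at-enrollment"


def transaction_code(key: bytes, amount_cents: int, payee: str,
                     counter: int, digits: int = 8) -> str:
    """Transaction-bound OTP: HMAC-SHA256 over amount, payee and a counter,
    reduced to `digits` decimal digits with HOTP-style dynamic truncation."""
    msg = (struct.pack(">Q", amount_cents)
           + payee.encode("utf-8")
           + struct.pack(">Q", counter))
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def bank_verify(key: bytes, amount_cents: int, payee: str,
                counter: int, presented_code: str) -> bool:
    """Bank recomputes the code over the details it actually received."""
    expected = transaction_code(key, amount_cents, payee, counter)
    return hmac.compare_digest(expected, presented_code)


def demo() -> tuple:
    # Customer types the intended amount and payee into the phone app.
    code = transaction_code(SHARED_KEY, 12_500, "DE00-1234", 41)
    # Honest transaction: details reach the bank unchanged.
    honest = bank_verify(SHARED_KEY, 12_500, "DE00-1234", 41, code)
    # MITM rewrites the payee in transit but forwards the same code.
    tampered = bank_verify(SHARED_KEY, 12_500, "XX99-6666", 41, code)
    # Replay of the old code once the counter has moved on.
    replay = bank_verify(SHARED_KEY, 12_500, "DE00-1234", 42, code)
    return honest, tampered, replay


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The bank must also track the last accepted counter per customer so a captured code cannot be reused; as Andrew notes, malware on the phone itself remains outside this design's protection.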
By Michael Dahn on Jun 11, 2008
Andrew it sounds like you just drafted out the business plan for your next startup!
Yes, simple phone-based token systems are susceptible to the same MITM attacks, but what you described is pretty good. I believe it’s currently being implemented in some countries (e.g. Japan).
By Stefan Javor on Jun 11, 2008
Dear Guys,
OTP on phone or token or etc. is all the same. But if you have more information to make your hash, then you can be secure against MITM attack. Yes, they can read, OK, CIA, it is not confidential, but I think, for me as a user, it’s easy to use; for business, cost, cost. Guys, you know there is no 100% security, or yes, switch off ;-))