
Dear People, Enough With the One-Time Code Tokens

Dave Navetta of InfoLaw Group posted a review of the "EMI v. Comerica: Comerica's Motion for Summary Judgment" a few weeks ago. Part of the case revolved around the use of one-time code tokens for providing a second authentication factor. The argument, which seems to have succeeded, was that these tokens do not provide a reasonable level of protection for accounts. I couldn't agree more!

Folks, as much as one-time code tokens seem like a good idea, and can have a useful place in authentication schemes, they are also not foolproof. In fact, worse than that, organizations that have deployed these tokens in the foolish belief that they will magically halt all phishing and account hacking attempts are laboring under a delusion.

From the article:

The following summarizes the main arguments put forth by Comerica in its motion for summary judgment ("MSJ").
* Comerica’s security procedure was commercially reasonable as a matter of law. (...)

EMI counters this statement by calling on an expert witness:

"EMI then takes on the substance of "commercially reasonable security" using expert witness testimony. EMI’s expert contends that secure token technology was known to be lacking in any reasonable defense to a “man-in-the-middle” phishing attack. EMI’s expert opines that secure token technology has been unacceptable for banking logins since 2003."

In my capacity as an incident responder, I personally saw cases of tokens being successfully phished more than 5 years ago. In fact, the perps got so good at doing it that they were able to almost fully automate the phish and subsequent account compromise. Now consider a motivated, organized, well-funded criminal enterprise targeting commercial bank accounts.

It's time that we put aside one-time code tokens as a good idea whose time has come and gone.
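To make the expert's point concrete, here is a small added model (example code written for this post, not part of the original article or the court filings) of what the bank's verifier can and cannot see. A standard RFC 4226/6238 code is checked purely against the shared seed and the clock, so the verifier has no way to tell a code typed into the genuine site from one entered elsewhere and forwarded within the validity window; an origin-bound challenge-response, where the client mixes in the site it is actually talking to, fails that same check. Seeds, origins and the nonce are constructed placeholders.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (what the token displays)."""
    return hotp(secret, now // step)

def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Bank-side check with +/-1 step of clock tolerance.
    Nothing in its inputs says where the user typed the code, so a code
    forwarded from any page within the window is indistinguishable from a
    genuine login. This is the gap the post is about."""
    steps = range(now // step - skew, now // step + skew + 1)
    return any(hmac.compare_digest(hotp(secret, c), submitted) for c in steps)

def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Client-side answer that mixes in the origin the client is actually talking to
    (the mitigation: the secret never yields a bare, forwardable code)."""
    return hmac.new(secret, challenge + origin.encode(), hashlib.sha256).digest()

def verify_origin_bound(secret: bytes, challenge: bytes, own_origin: str, response: bytes) -> bool:
    """Bank-side check: recompute over the bank's own origin, not whatever the user saw."""
    expected = origin_bound_response(secret, challenge, own_origin)
    return hmac.compare_digest(expected, response)

def demo(now: int = 1_280_600_000) -> dict:
    """Constructed scenario: the user enters the code on a look-alike page,
    which forwards it to the real site a few seconds later."""
    secret = b"constructed-demo-seed-not-a-real-key"     # constructed placeholder seed
    bank, lookalike = "https://bank.example", "https://bank-login.example"  # placeholders
    code = totp(secret, now)                                # shown on the user's token
    relayed_code_ok = verify_totp(secret, code, now + 5)    # bank sees a valid code
    challenge = b"constructed-nonce"                        # constructed placeholder
    resp = origin_bound_response(secret, challenge, lookalike)  # client binds to what it sees
    relayed_resp_ok = verify_origin_bound(secret, challenge, bank, resp)  # mismatch, rejected
    return {"totp_relay_accepted": relayed_code_ok, "origin_bound_relay_accepted": relayed_resp_ok}
```

The `hotp` function reproduces the RFC 4226 test vectors, so the model's verifier behaves as a real deployment would; the `demo` result is the whole argument in two booleans.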



Comments (2)

I can't wait to see how this plays out. I'm still rooting for limited customer liability to spark innovation and action across service providers.
Cost, ease, security - pick two :)

ps. thanks for the infolaw link.

Dan Houser:

Amen. It's been broken for years, yet still touted as "best practice". So easy to MITM.




This page contains a single entry from the blog posted on July 31, 2010 12:40 PM.


This weblog is licensed under a Creative Commons License.