Dave Navetta of InfoLaw Group posted a review of the "EMI v. Comerica: Comerica's Motion for Summary Judgment" a few weeks ago. Part of the case revolved around the use of one-time code tokens for providing a second authentication factor. The argument, which seems to have succeeded, was that these tokens do not provide a reasonable level of protection for accounts. I couldn't agree more!
Folks, as much as one-time code tokens seem like a good idea, and can have a useful place in authentication schemes, they are also not foolproof. In fact, worse than that, organizations that have deployed these tokens in the foolish belief that they will magically halt all phishing and account hacking attempts are laboring under a delusion.
From the article:
The following summarizes the main arguments put forth by Comerica in its motion for summary judgment ("MSJ").
* Comerica’s security procedure was commercially reasonable as a matter of law. (...)
EMI counters this statement by calling on an expert witness:
"EMI then takes on the substance of 'commercially reasonable security' using expert witness testimony. EMI’s expert contends that secure token technology was known to be lacking in any reasonable defense to a 'man-in-the-middle' phishing attack. EMI’s expert opines that secure token technology has been unacceptable for banking logins since 2003."
In my capacity as an incident responder, I personally saw cases of tokens being successfully phished more than 5 years ago. In fact, the perps got so good at doing it that they were able to almost fully automate the phish and subsequent account compromise. Now consider a motivated, organized, well-funded criminal enterprise targeting commercial bank accounts.
It's time that we put aside one-time code tokens as a good idea whose time has come and gone.
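To make the expert's point concrete, here is an added example (not code from the post, the case filings, or any bank): a minimal RFC 6238 TOTP generator and the usual server-side check. The server's verify step takes only the shared secret, the submitted code and the clock; nothing about which page the user typed the code into or which session delivered it enters the check, so a code captured on a look-alike page and forwarded within the validity window is indistinguishable from the genuine login. `relay_window_seconds` is a constructed helper that measures how long a single code stays acceptable; the secret is the RFC 4226/6238 test-vector secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step, in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step (what the token displays)."""
    return hotp(secret, at // step)


def server_verify(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Typical server check: accept the code for the current step plus
    `skew` steps either side to tolerate clock drift.
    Note what is NOT an input: the origin the code was typed into, or the
    session that carried it. Any party holding a fresh code passes."""
    cur = now // STEP
    return any(hmac.compare_digest(hotp(secret, cur + d), code)
               for d in range(-skew, skew + 1))


def relay_window_seconds(secret: bytes, issued_at: int, skew: int = 1) -> int:
    """Constructed helper: seconds after a code is generated during which a
    server with the given skew still accepts it, whoever presents it."""
    code = totp(secret, issued_at)
    t = issued_at
    while server_verify(secret, code, t, skew):
        t += 1
    return t - issued_at


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print("code at t=59:", totp(secret, 59))                      # 287082
    print("accepted 21s later:", server_verify(secret, "287082", 80))
    print("acceptance window (s):", relay_window_seconds(secret, 30))
```

A defender reading the window value sees the real budget an automated relay has: with the common one-step skew, a six-digit code generated at the start of a step stays valid for a full minute.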
I can't wait to see how this plays out. I'm still rooting for limited customer liability to spark innovation and action across service providers.
Cost, ease, security - pick two :)
PS: thanks for the InfoLaw link.
Amen. It's been broken for years, yet still touted as "best practice". So easy to MITM.
-ddh