I invite you to read it here - http://lists.openwall.net/bugtraq/2006/11/24/14
The conclusion I came to after having read and compared a host of
other solutions that exist (Safeword/Vasco/RSA) is that Vasco indeed
do provide reliable two factor authentication.
What are your general experiences and view about this?
References:
http://seclists.org/bugtraq/2006/Nov/0189.html
http://www.securityfocus.com/bid/21040
http://www.brianmadden.com/forum/tm.aspx?m=262&mpage=1&key=ᴗ
The post you mention is about reverse engineering of Vasco's algo and
that basically they don't rely on secrecy of the algorithm but rather
on secrecy of a key(s). That's of course a good thing.
FYI RSA's SecurID tokens can be emulated by making use of Cain and
Abel - quoting http://www.oxid.it :
RSA SecurID Tokens Calculator
The calculator produces valid tokens given the serial number and the
activation key of an RSA SecurID device. These parameters are found in
Token's activation files typically named "something.ASC".
On Apr 7, 10:02 am, "Donald Tabone" <dtab...@gmail.com> wrote:
> These past few days I have indulged in doing some research into the
> topic of dual factor authentication tokens that are currently in use
> by our local banks. What I fell upon is Vasco's Digipass 250 which one
> of our main local banks uses. How easy/difficult would this type of
> security system be to circumvent? Well, this is a statement I found by
> Vasco in reply to an email they received claiming to have 'discovered'
> their algorithm techniques used in their security tokens.
>
> I invite you to read it here - http://lists.openwall.net/bugtraq/2006/11/24/14
>
> The conclusion I came to after having read and compared a host of
> other solutions that exist (Safeword/Vasco/RSA) is that Vasco indeed
> do provide reliable two factor authentication.
>
> What are your general experiences and view about this?
>
> References:
> http://seclists.org/bugtraq/2006/Nov/0189.html
> http://www.securityfocus.com/bid/21040
> http://www.brianmadden.com/forum/tm.aspx?m=262&mpage=1&key=ᴗ
From my recent research experiences with security tokens and their
practical use, the use of two-factor authentication has had a positive
impact on fraud (in the short-term) and users are getting used to
them. Having said that, I don't think that it will have a long-lasting
effect. The reason is not due to token reverse-engineering
efforts, but rather because attackers change tactics.
A couple of weeks ago, ABN AMRO's Internet Banking Service (which
makes use of tokens) was hit by a "simple" Man-In-The-Middle phishing
attack and the media made a big deal out of it by saying that
two-factor authentication has been "cracked". As usual, it was simply a
case of attackers changing their attack vectors.
See the article on The Reg: http://www.theregister.co.uk/2007/04/19/phishing_evades_two-factor_authentication/
As all of you know, the biggest problem in Information Security is the
human element - and it will ALWAYS be so!
n8in
On Apr 7, 8:10 pm, "Sandro Gauci" <sandrog...@gmail.com> wrote:
> I'm not particularly knowledgeable about the subject (not yet :D) -
> though I do find it very interesting.
>
> The post you mention is about reverse engineering of Vasco's algo and
> that basically they don't rely on secrecy of the algorithm but rather
> on secrecy of a key(s). That's of course a good thing.
>
> FYI RSA's SecurID tokens can be emulated by making use of Cain and
> Abel - quoting http://www.oxid.it :
>
> RSA SecurID Tokens Calculator
> The calculator produces valid tokens given the serial number and the
> activation key of an RSA SecurID device. These parameters are found in
> Token's activation files typically named "something.ASC".
>