What’s the use of One Time Passwords?!?

Hi again. So we’ve all been reading things about One Time Passwords and how there is a real attack that makes One Time Passwords useless. Well, “useless” might be a bit of a strong word, but I’m sure that’s what our players are thinking. I know I’m a little late to the game here, and a bunch of my colleagues have done posts and have even given some talks on the issue. I’m going to try to gather this all up and add my own observations, so... let’s take a second to discuss what’s going on and what we should be doing about all of this.

First let’s look at a One Time Password…what is it? Why do we even use them? Are they secure? What can I do to break them?

One Time Passwords (OTP)... this is a technology that makes a password that can only be used once and changes between uses. Most of the time people see this technology on hardware devices like the Digipass tokens, but this isn’t the only way an OTP can be delivered. Some of the other ways are via SMS, or as an application on a PC, a mobile phone, or pretty much anything. The main reason to use the hardware devices rather than other platforms is simply that the hardware device is a secure platform that is generally tamper-proof or at least tamper-evident. This makes it hard for hackers to get at the only thing on the device that actually matters: the seed.

So I wasn’t going to get all the way down into how the technology works, but as I’m writing this I’m thinking that I might as well since I’m here; then it will be here for everyone to see and refer to.

So basically the technology is a random number generator. It uses a few items to create the display that you see. There are a few ways to generate that random number, but most of them work along the lines of combining some type of counter (incremented every time the button is pressed, or every X amount of time) with some secret random number (we call this the seed) in some algorithm (I like the open standard ones like 3DES or AES so that you don’t have to worry about the security of the algorithm). So in order to generate the same OTP, you need all 3 of these components FOR EVERY DEVICE (this is an important point; people forget that even if you get all the components for one device, the seed and probably the counter are different for the very next device).

With that out of the way, now let’s look at why I’d use an OTP. Mainly I use an OTP because I hate changing my password. Most sites now make users change their passwords every X days, but I know I haven’t changed my Station account password in like 11 years. And when my bank finally made me change my online banking account password, I ended up getting myself locked out because I couldn’t remember what I changed it to.

So am I suggesting that you get rid of your static password? No. In fact static passwords have their place in the security world and probably will for a long time to come. Why? Well, it’s all about the factors of authentication. Let’s think about it this way: if I leave my token on my desk and there is a piece of mail on my table that says Will LaSala, I think most people would be able to figure out my user name, and if they have stolen my token they can log in as me pretty quickly. If I combine this with a static password, then they would also need to have that to log in as me, and if I use a fingerprint to get in, now they need that too. The more factors we add the more secure we are, but the less convenient it will be for me to play, which means the less likely I will play, which means I won’t be paying for that subscription for much longer. Oh, and the more factors we add, the more we have to pay as a company to get the product in, and if someone manages to cut my finger off and guess my password and steal my token, the higher the cost for me to fix the problem. So security is always this balance of Ease of Use, Cost and Security. OK, enough preaching...

So what do we use OTP to fight against? Well, this is pretty easy when you think about it. The main problem before OTP was that people would use the same static password for everything. So when I signed up for my Battle.net account and then went and signed up for my mmorpg.com account, typically users would use the same username and password. Well, if that web site was some bad site, they could steal my password and then just log in and steal my account. By requiring the OTP we can be sure that even if I use the same username and password at these sites, the token will only work on my Battle.net account, so I’m pretty secure against those attacks.

The statement I get when I use this story is, “well what if I want to use the same token for another site, it would make my life so much easier”. You’re right, but then we run into the problem that basically your secret seed value can be shared among different services and potentially hacked. Some day OTP devices will be shared across providers and we will trust the providers that are doing the sharing and that these providers will protect those credentials from the bad guys attempting to steal them. But today there’s just too much risk for my liking. 

Now we also use OTPs to fight against social engineering attacks, attacks where people call up and ask you for your username, password and the OTP over the phone (yeah, why would anyone do this? I don’t know, but it happens every day). We can train people not to read the OTP over the phone; remember the disclaimers that everyone uses, “We will never ask you for your password”. The training is the same for static passwords and OTPs.

Great, a silver bullet, right?... OK, so we all know this isn’t it. It helps restrict the attacks and helps push our attackers on to the next “lowest hanging fruit”; it buys us time to figure out what to do next. How much time you get really depends on who you are and how tasty your fruit is.

So let’s discuss the latest public attack against OTP which happened to one of the big publishers over the last couple weeks. 

OK, so I’m not going to make any ground-breaking announcements, I don’t think, but let’s review.

What happened? Well, most people say it’s a Man-in-the-middle attack. This is untrue. A Man-in-the-middle attack is when someone hijacks a session and changes information in real time for their own benefit. The reports on what this attack actually was are a little less scary. Basically it was a Trojan that installs a key logger that waited for the game client to launch and then started recording key strokes and sending them to the attacker. As long as the attacker turned around and used the credentials immediately, then the attacker could get in. I can already hear the responses, “That’s a Man-in-the-middle attack”... no, it’s actually closer to a shoulder surfing attack (basically where the attacker walks up behind you and reads the static password you’re typing in and the OTP that was generated, then shuts your computer off and runs over to his and logs in as you).

So why didn’t OTP fix this problem? Well, as I mentioned, it’s basically like they were looking over your shoulder and shutting off your PC before you were ever able to log in with that OTP. If you had managed to get in with that OTP, or the next OTP, before the attacker could log in, then the attack wouldn’t work. OTPs are great when the attacker can’t do things very quickly or can’t gain direct access to the end user in some way. They were perfect against the original problem of passwords that could be stolen and saved for later use. OTPs have a shelf life that is relatively short. If you don’t use the OTP before the next counter value, then you won’t be able to use that OTP at all (you’ll have to generate a new one).
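To make the seed/counter/algorithm description and the “short shelf life” point concrete, here is an added example (mine, not code from the post and not how any Digipass product works). It assumes the HMAC-SHA1 construction from RFC 4226 (HOTP) in place of the 3DES/AES algorithms mentioned above, an event-based token whose counter advances on every button press, and a server that keeps one seed and one “last accepted counter” per user with a small look-ahead window for presses that never reached it. The `Token`, `Server` and `demo` names are mine.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    # standard "dynamic truncation" down to a short decimal code.
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16)
              | (mac[offset + 2] << 8) | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class Token:
    """Event-based hardware token (assumed model): each button press shows the
    code for the current counter and then moves the counter on."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class Server:
    """Per-user seed plus the last counter value accepted for that user.
    A look-ahead window tolerates a few presses that were never submitted;
    anything at or below the last accepted counter is dead for good."""

    def __init__(self, seeds: dict, window: int = 5):
        self.seeds = seeds
        self.last = {user: -1 for user in seeds}
        self.window = window

    def verify(self, user: str, code: str) -> bool:
        seed = self.seeds[user]
        start = self.last[user] + 1
        for candidate in range(start, start + self.window):
            if hmac.compare_digest(hotp(seed, candidate), code):
                self.last[user] = candidate  # burn this and every earlier counter
                return True
        return False


def demo() -> dict:
    seed_a = b"12345678901234567890"  # constructed: the RFC 4226 test-vector seed
    seed_b = b"09876543210987654321"  # constructed: a second device's seed
    server = Server({"alice": seed_a, "bob": seed_b})
    token_a, token_b = Token(seed_a), Token(seed_b)

    first = token_a.press()  # counter 0
    results = {
        # same counter on a different device: different seed, different code
        "same_counter_differs": first != token_b.press(),
        "first_use_accepted": server.verify("alice", first),
        # the code that was just accepted cannot be presented a second time
        "replay_rejected": not server.verify("alice", first),
    }
    skipped = token_a.press()  # counter 1, never sent to the server
    token_a.press()            # counter 2, also never sent
    later = token_a.press()    # counter 3
    results["within_window_accepted"] = server.verify("alice", later)
    # once counter 3 is accepted, the older unused code is no longer valid
    results["stale_code_rejected"] = not server.verify("alice", skipped)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it shows both halves of the argument above: without the per-device seed you cannot produce the code, and a code is only good until it, or any later one, has been accepted. The window is where the defender trades convenience for exposure; a larger window means more codes are live at any moment.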

So what do we do now? First, remember that attackers go after the lowest fruit or the tastiest fruit first. So if your application is still only using static passwords, fix this first. This is easy, and OTPs are relatively inexpensive, accepted by users, and solve this problem. Second, if you have an app where people will stop at nothing to get access to it, start planning for your next 3 steps in security. Realize that each hurdle you put in place will buy you time until the attackers adapt.

As I mentioned, I’m still a fan of OTP. OTP is good when it’s combined with other security-related technology. So proper antivirus software, malware detection software, even software on the server that checks which IP you are logging in from would have helped to prevent these attacks. If we educate our users and implement secure practices, OTP is still a very good option for security.

If we assume that we can’t stop these attacks with other technology, what can we do? Well, there are still a few OTP options available, and I’m sure we will see some of these soon. Here are some of my thoughts:

  1. How about if we ask for 2 one time passwords. Maybe one when we launch the client that gets validated locally, and then a second one when the network connection is up. Using the same device, this means that the attacker would need to steal some local information from the client so that it can validate the OTP locally, and then of course it would need a key logger to get the network one too.
  2. What about using 2 OTPs at different points. How about we use an OTP to log in to our account, and then whenever we notice the user is doing something potentially dangerous, we ask them for a second OTP. So if the user is deleting or selling their gear, or simply transferring large amounts of currency, or if they are trying to change important end-user data, like an email address.
  3. Session Based (or mutual) OTP: generate an OTP on the server and send it to the client to type into the device, which will unlock the device and then generate an OTP that can be typed back into the client and sent to the server for verification.
  4. Sign details the user would know. This is an old trick called transaction data signing; basically we take a few pieces of data and create a unique signature for them. The signature can be validated on the server, and we can ensure that none of the data has changed from the client to the server. I’m not really sure what to suggest to sign here, but some of my thoughts are:
    1. Serial Numbers
    2. Account Numbers
    3. Item IDs, or other in-game numbers that users would know and understand

    The main thing here is to make sure the user understands what they are doing and why they are signing the data. So if we use random data it is no different from option number 3 above.
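The session-based (mutual) OTP and transaction data signing ideas above share one mechanism: the server hands the user something to key into the device, the device answers with a short code, and the server checks the answer against what it expects. Here is an added example of that exchange, written by me for this page rather than taken from the post or from any vendor’s product. It assumes an HMAC-SHA256 keyed by the device seed over the server challenge plus the transaction fields, an 8-digit decimal signature, and the hypothetical names `sign_transaction`, `SigningServer` and `demo`. The account and item numbers are constructed sample values.

```python
import hashlib
import hmac
import secrets


def sign_transaction(seed: bytes, challenge: str, fields: dict, digits: int = 8) -> str:
    # Device side (assumed construction): the user keys in the server's
    # challenge and the transaction details shown on screen; the token
    # returns a short code bound to exactly those values and this seed.
    canonical = "|".join([challenge] + [f"{k}={fields[k]}" for k in sorted(fields)])
    mac = hmac.new(seed, canonical.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % (10 ** digits)).zfill(digits)


class SigningServer:
    """Server side: one outstanding challenge per user, consumed on first use."""

    def __init__(self, seeds: dict):
        self.seeds = seeds
        self.pending = {}

    def challenge(self, user: str) -> str:
        # Eight random decimal digits the user can read and type into the token.
        # This is the "random data" of the mutual OTP; the transaction fields are
        # what make the user understand what they are signing.
        c = str(secrets.randbelow(10 ** 8)).zfill(8)
        self.pending[user] = c
        return c

    def verify(self, user: str, fields: dict, signature: str) -> bool:
        # Consume the challenge whether or not the check passes: a code captured
        # by a key logger is only good for this one challenge and this one set of
        # fields, and a wrong guess costs a fresh round trip.
        c = self.pending.pop(user, None)
        if c is None:
            return False
        expected = sign_transaction(self.seeds[user], c, fields)
        return hmac.compare_digest(expected, signature)


def demo() -> dict:
    seed = b"constructed-seed-for-alice-device"  # constructed sample seed
    server = SigningServer({"alice": seed})
    # constructed sample transaction: the numbers the user would recognise
    tx = {"account": "10023", "item_id": "4471", "amount": "5000"}
    results = {}

    c = server.challenge("alice")
    sig = sign_transaction(seed, c, tx)
    results["honest_transfer_accepted"] = server.verify("alice", tx, sig)
    # presenting the same code again finds no outstanding challenge
    results["replayed_signature_rejected"] = not server.verify("alice", tx, sig)

    c = server.challenge("alice")
    sig = sign_transaction(seed, c, tx)
    # the same code does not cover a transaction whose amount was changed in transit
    altered = dict(tx, amount="50000")
    results["altered_amount_rejected"] = not server.verify("alice", altered, sig)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that the fields are part of the signed message in a fixed order, so the server recomputes the signature from what it is about to execute, not from what the client claims was signed. That is the property that makes a logged keystroke sequence worthless for any transaction other than the one the user saw.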

Those are just a few of my thoughts on what we should be looking at to add security to games that already have OTP’s in place. I’m sure there are other ones that we can come up with, and I would love to hear them so leave me a comment below. 

As a first post, this one is extremely long…sorry about that, I’ll try to keep them shorter next week.

Thanks for reading this far 🙂

