Showing posts from October, 2010

Mobile Viruses in Man-in-the-Mobile Vs Multi-Factor authentications

Smartphones are drawing attackers' attention, especially for monetary gain. Viruses are targeting mobile platforms to compromise multi-factor authentication; Zeus is one of them. Based on http://www.darkreading.com/authentication/security/client/showArticle.jhtml?articleID=227700141&cid=RSSfeed we imagine a rough scenario of how a mobile virus can compromise the multi-factor authentication that the banking industry currently uses and assumes to be foolproof.

USER logs in to FAKE BANKING SITE, led there by a PHISHING attack

FAKE BANKING SITE asks USER to enter ONE-TIME Device Token to log in to ACTUAL Banking Site

LOGIN SUCCESSFUL

FAKE BANKING SITE adds new Payee

ACTUAL Banking Site asks for ONE-TIME Device Token

FAKE BANKING SITE asks USER to enter ONE-TIME token to log in to ACTUAL Banking Site, showing UNSUCCESSFUL login

FAKE BANKING SITE submits ONE-TIME Device Token to ACTUAL Banking Site

ACTUAL Banking Site sends ONE-TIME Authentication Token to USER's Mobile

FAKE BANKING SITE