notices that all of Mallory's customers seem to have problems authenticating
themselves all the time.
This type of attack is also a denial-of-service attack (we encountered it in connection with the wide-mouth frog protocol). It does not steal or forge information; it disturbs or frustrates an activity. Good cryptographic protocols should prevent such attacks, or at least make it possible to identify the initiator.
6.5.2 Attacks Against Your Bank Account
In this short section, we will make a trip into harsh reality and study an attack against Internet home banking that has become publicly known. The result came to me as a surprise, and I hope it will give many readers cause for thought.
Nice Theory ...
In general, one-time passwords do not prevent man-in-the-middle attacks. On January 28, 1997, the German TV channel ARD demonstrated in its popular Plusminus program how easily hackers can get into people's online bank accounts. Like so many other reports in that program, it was presented spectacularly, but without exact technical details. I initially had the following thoughts (don't believe what you are about to read).
Certainly no hacker ever cracked one-time passwords, because hackers are not cryptanalysts in the narrower sense (i.e., they do not break complicated encryption algorithms). The freaks 2 in that TV program might instead have exploited security flaws in the application program and in the operating system and made the customer believe that their own computer was the bank's. What would something like this look like? Normally, communication between the bank and its customers proceeds as follows.
1. The customer fills in an electronic transfer slip and sends it to the bank, together with a valid one-time password (in the banking trade more elegantly called a transaction number (TAN)).
2. The bank checks the password. If it is valid, the bank accepts the transfer and stores the customer password (Step 5 of the protocol for one-time

2 I call them 'freaks' rather than using the infamous term 'hacker', because they made the public aware of potential threats and wanted to prevent damage rather than cause it.
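The two protocol steps above leave the TAN unbound to the contents of the transfer slip, which is exactly what a man-in-the-middle exploits: whoever sits between customer and bank can rewrite the beneficiary and forward the customer's still-valid TAN. The following Python simulation is an added example, not code from the book or from any bank. The customer, the bank and an interposed Mallory are toy classes; the TAN list, account numbers and slips are constructed sample data. The hardened variant at the end is my own illustration, not something the text describes: the TAN is an HMAC over the slip fields plus a sequence number, so a rewritten slip no longer verifies and a reused TAN is rejected.

```python
"""TAN-based transfers with and without binding the TAN to the slip.

Added example (not from the original page). All names, accounts and
TANs below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Slip:
    """An electronic transfer slip; seq is a per-customer counter."""
    account_from: str
    account_to: str
    amount_cents: int
    seq: int


class Bank:
    """Step 1-2 of the protocol: accept the transfer if the TAN is on the
    customer's list and has not been used. Nothing ties the TAN to the slip."""

    def __init__(self, tan_lists):
        self.unused = {cust: set(tans) for cust, tans in tan_lists.items()}
        self.ledger = []

    def submit(self, customer, slip, tan):
        if tan not in self.unused.get(customer, ()):
            return False
        self.unused[customer].discard(tan)   # one-time: burn it
        self.ledger.append(slip)
        return True


class Mallory:
    """Man in the middle: rewrites the beneficiary on the slip and forwards
    the customer's TAN unchanged. Works against any bank with submit()."""

    def __init__(self, bank, own_account):
        self.bank, self.own_account = bank, own_account

    def submit(self, customer, slip, tan):
        forged = replace(slip, account_to=self.own_account)
        return self.bank.submit(customer, forged, tan)


def bound_tan(secret: bytes, slip: Slip) -> str:
    """Hypothetical hardening: TAN = HMAC(secret, canonical slip fields).
    Truncated to 8 hex digits only to look TAN-like; a real deployment
    would weigh the truncation against online guessing."""
    msg = f"{slip.account_from}|{slip.account_to}|{slip.amount_cents}|{slip.seq}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class BoundTanBank:
    """Recomputes the expected TAN from the slip it actually received, so a
    modified slip fails; remembers used TANs so a replay fails too."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.used = set()
        self.ledger = []

    def submit(self, customer, slip, tan):
        expected = bound_tan(self.secrets[customer], slip)
        if tan in self.used or not hmac.compare_digest(tan, expected):
            return False
        self.used.add(tan)
        self.ledger.append(slip)
        return True


def demo_plain_tan():
    """Unbound TAN: Mallory's forged slip is accepted. Returns
    (accepted?, beneficiary credited, replay accepted?)."""
    bank = Bank({"alice": {"123456", "654321"}})   # constructed TAN list
    mallory = Mallory(bank, "DE-MALLORY")
    slip = Slip("DE-ALICE", "DE-BOB", 5000, seq=1)
    accepted = mallory.submit("alice", slip, "123456")
    replayed = bank.submit("alice", slip, "123456")  # TAN already burnt
    return accepted, bank.ledger[-1].account_to, replayed


def demo_bound_tan():
    """Bound TAN: forged slip rejected, honest slip accepted, replay rejected."""
    secrets = {"alice": b"alice-shared-secret"}   # constructed per-customer key
    bank = BoundTanBank(secrets)
    mallory = Mallory(bank, "DE-MALLORY")
    slip = Slip("DE-ALICE", "DE-BOB", 5000, seq=1)
    tan = bound_tan(secrets["alice"], slip)
    forged_ok = mallory.submit("alice", slip, tan)
    honest_ok = bank.submit("alice", slip, tan)
    replay_ok = bank.submit("alice", slip, tan)
    return forged_ok, honest_ok, replay_ok


if __name__ == "__main__":
    print("plain TAN :", demo_plain_tan())
    print("bound TAN :", demo_bound_tan())
```

The point of the contrast is that "one-time" only stops replay; it says nothing about which transaction the password authorises. Binding the TAN to the slip (and a sequence number, so two identical transfers still get different TANs) turns it into a message authentication code, which is what defeats the substitution. Mallory's class is untouched between the two runs: the defence lives entirely in what the bank verifies.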