Assurance

["Cantor, Scott" <>]

On 7/24/14, 9:57 AM, "Farmer, Jacob" 
<>
 wrote:

>Tom,
>
>This is certainly in interesting attack and I agree with the premise that
>SMS-based MFA is less secure than other forms of tokens.
>
>However, this attack still requires that the endpoint be compromised, and
>as long as that happens, I don't think that all the MFA in the world will
>help.

Yep. This attack will break anything you throw at it short of end to end
crypto. Once you're in the middle, and if your goal is to specifically
hijack individual transactions and not long term credentials, you're
golden.

The end to end crypto could be on the client itself or on a second factor
device, but anything that's just a OTP or even a message based scheme that
includes crypto but doesn't involve channel binding is going to be
vulnerable. A lot of FUD out there about TLS from a certain vendor I can
think of is horrendously misguided. You need a secure transport, or you
need some very fancy tap dancing, to mitigate this kind of attack.

-- Scott