
The main aim of SafeTok is to make users' accounts secure. In this section we explain in simple terms what SafeTok security is all about. First, we will briefly describe the history of online security, discussing the first solutions for the early attacks. Afterwards, we will take a more detailed look at modern attacks, including Man-In-The-Middle - what it is, why it is so dangerous and finally see how SafeTok prevents it.
In the beginning, all websites were protected with nothing more than a username and password. In fact, to this day passwords are the most popular way of controlling access to an account, because they are so easy to set up and convenient to use. Unfortunately, very effective ways to steal passwords soon appeared: key-loggers, phishing and Man-In-The-Middle. Let's take a look at the attempts to fight them.
Key-loggers are very simple spyware programs, which record everything that a user types on the keyboard, including account passwords. Today, key-loggers have fallen out of favour, because they can be spotted by antivirus software, which makes them less effective than before.
Phishing, on the other hand, is extremely dangerous to this day, because of the nature of the attack. Phishing is a modern term used to describe a social engineering attack aimed at websites. In simple terms, the attacker understands all the details of how the system works, and uses this knowledge to fool unsuspecting users by pretending to be a part of the system. A simple example of a phishing attack is an e-mail sent to the user, in which, for some reason (for example, a security upgrade), the user is asked to go to a certain page and change his password. The user clicks on the link, goes to the attacker's page and gives away his password, not even realizing what he did. Most users have probably heard that they should not click on links, and about the other precautions one should take. Unfortunately, there is always a way to trick even a careful and knowledgeable user.
Multi-factor authentication is rather more effective against phishing than attempts to educate users to be careful. Multi-factor authentication uses additional information to verify the user. In most systems, it is some sort of item or device which acts as the second factor. Only a person who possesses this device should be able to pass authentication. Theoretically, this should have prevented phishing altogether. Unfortunately, a more advanced variant of phishing appeared soon after, which is usually referred to as Man-In-The-Middle. Actually, the choice of the term Man-In-The-Middle is rather unfortunate, since it really refers to any attack where the attacker sits between the user and the server, but for the sake of simplicity we will stick to the convention.
Let's start by summarizing how the most popular early multi-factor systems work. First came OTP tokens: press a button and you get a code to log in, valid for, say, 30 seconds. Then phone and SMS authentication appeared, through which users receive a one-time code to type in. Finally, card reader devices appeared, where the user inserts the card into the device, enters his PIN, and a one-time code is displayed.
The unifying idea behind all of these solutions is that there is a one-time password, which changes the next time you want to do something, and you cannot obtain this one-time password unless you have the second factor: your unique device, whether an OTP token, a bank card or a phone. Since traditional phishing aimed only at collecting the username and password, a one-time password does indeed prevent it: by the time the one-time password is collected, it is useless, either because it has timed out or because it was valid for only one transaction.
In response to these protection methods, the Man-In-The-Middle attack appeared. Although it sounds quite different, in reality it is just a simple improvement on the basic phishing attack: if you cannot get a one-time password and use it later, use it immediately. You don't even need a person working 24 hours a day (although that is also a viable option), because automated websites can be easily created. To make this easier to understand, we will show a concrete example of how OTP token protection fails.
Let's go back to classical phishing: the user is lured to the attacker's website, which the user believes to be authentic. The user authenticates as usual and, when asked, provides his username, password and the one-time password obtained from the OTP token. All this information arrives at the attacker's website. The attacker goes to the true website, provides this information and gets complete access, after which any malicious operation can be performed. If several one-time passwords are required, no problem: just ask the user for several.
As you can see, it is phishing all over again, just under a different name. The key problem is that the user needs to check to whom the information is sent. Naturally, attempts have been made to educate users and to make this process easier.
The issuance of SSL certificates for websites is reasonably well regulated, making them hard to obtain for anyone but the true organization. Unfortunately, most users do not know what a certificate is or how to verify one, so in most cases the attacker can get away with presenting any fake SSL certificate, or even none at all. Extended Validation (EV) SSL certificates in new browsers display the organization name and a green address bar, to make it easier for users to identify fake sites. Does it help? A bit. Does it solve the issue? Not at all. Regardless of how much you try to educate all the users, until each and every one of them becomes a security expert, there will always be a way to trick most of them.
Replacing one-time passwords with personal biometrics actually makes matters worse, not better. Suppose fingerprints are used as your biometric. After your fingerprint has been scanned it is sent, just like a password, to the authentication server, which means it is vulnerable to the same kind of phishing as an ordinary password. To make matters worse, you have at most 10 different fingerprints, and most users prefer to use just one particular finger. This means that once an attacker has obtained your fingerprint, he can access your accounts at any time of the day. For this reason, a lot of people considered multi-factor authentication a dead-end approach ... until SafeTok.
SafeTok is quite different in design from the predecessor technologies described above. SafeTok does not require the user to type in any one-time passwords: all authentication is performed automatically. Not only is this faster and more convenient for the user, it also opens the possibility of reliably checking, using cryptographic methods, where the information will be sent, and of encrypting the authentication information, so that even if it is intercepted, no one apart from the SafeTok authentication server can decrypt it or use it. Unlike a person, the cryptographic methods used to verify the authenticity of the website cannot be fooled and are mathematically proven. They rely on modern open standards, which have been used successfully by millions of users over the past decade.
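The following is an added illustration, not SafeTok's own code or protocol, of the difference between the OTP relay described in the earlier example and a destination-bound check of the kind this paragraph refers to. It assumes a constructed shared device key, a constructed genuine origin and a constructed look-alike origin; the binding is done with an HMAC over a fresh server challenge plus the origin the client is actually talking to, so a response produced on a look-alike site does not verify on the true server.

```python
import hmac
import hashlib
import secrets

# Constructed per-device key shared between the token and the authentication
# server (illustrative only; provisioning is out of scope here).
DEVICE_KEY = b"constructed-device-key-for-demo"


def issue_challenge() -> bytes:
    """Server side: a fresh random challenge for one authentication attempt.
    A fresh challenge means a captured response cannot be replayed later."""
    return secrets.token_bytes(16)


def device_response(key: bytes, challenge: bytes, observed_origin: str) -> bytes:
    """Token side: authenticate the challenge together with the origin the
    browser is actually connected to. Nothing is typed by the user, so there
    is no code that could be copied across to another site."""
    msg = challenge + b"|" + observed_origin.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def server_verify(key: bytes, challenge: bytes, expected_origin: str,
                  response: bytes) -> bool:
    """Server side: recompute for the genuine origin and compare in constant
    time. A response bound to any other origin fails here."""
    expected = device_response(key, challenge, expected_origin)
    return hmac.compare_digest(expected, response)


def otp_verify(expected_code: str, submitted_code: str) -> bool:
    """Plain OTP check: whoever holds the code within its lifetime passes,
    regardless of which site the user typed it into."""
    return hmac.compare_digest(expected_code.encode(), submitted_code.encode())


def demo() -> tuple:
    """Returns (genuine_ok, relayed_ok, otp_relayed_ok)."""
    genuine = "https://bank.example"            # constructed true origin
    lookalike = "https://bank-login.example"    # constructed look-alike origin
    challenge = issue_challenge()
    # User talks to the genuine site: the response verifies.
    genuine_ok = server_verify(DEVICE_KEY, challenge, genuine,
                               device_response(DEVICE_KEY, challenge, genuine))
    # User lured to the look-alike site; the response is forwarded unchanged
    # to the genuine server, where it fails because the origin differs.
    relayed_ok = server_verify(DEVICE_KEY, challenge, genuine,
                               device_response(DEVICE_KEY, challenge, lookalike))
    # A plain OTP forwarded the same way is accepted: nothing ties it to a site.
    otp_relayed_ok = otp_verify("492817", "492817")
    return genuine_ok, relayed_ok, otp_relayed_ok
```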
If someone does try a Man-In-The-Middle attack on SafeTok, it will not work no matter what, since the software will bluntly refuse to provide any authentication data; moreover, the user will be immediately notified about it, and so will the administrators of the true page.