== Vulnerabilities ==

=== Loss and theft ===
The simplest vulnerability with any password container is theft or loss of the device. The chances of this happening, or of it going unnoticed, can be reduced with physical security measures such as locks, an electronic leash, or a body sensor and alarm. Stolen tokens can be made useless by using [[two factor authentication]]. Commonly, in order to authenticate, a [[personal identification number]] (PIN) must be entered together with the output of the token.

=== Attacking ===
Any system which allows users to authenticate via an untrusted network (such as [[Internet|the Internet]]) is vulnerable to [[man-in-the-middle attack]]s. In this type of attack, an attacker acts as the "go-between" of the user and the legitimate system, soliciting the token output from the legitimate user and then supplying it to the authentication system themselves. Since the token value is mathematically correct, the authentication succeeds and the fraudster is granted access.

In 2006, [[Citibank]] was the victim of an attack when its hardware-token-equipped business users became the victims of a large Ukrainian-based man-in-the-middle [[phishing]] operation.<ref>{{Cite news|url=https://www.theregister.co.uk/2006/07/13/2-factor_phishing_attack/|title=Phishers rip into two-factor authentication |work=The Register |date=2006-07-13 |first=John |last=Leyden |access-date=2018-09-25|language=en}}</ref><ref>{{Cite news |url=http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html|archive-url=https://web.archive.org/web/20110703141728/http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html|url-status=dead|archive-date=July 3, 2011|title=Citibank Phish Spoofs 2-Factor Authentication|first=Brian |last=Krebs |author-link=Brian Krebs|date=July 10, 2006|newspaper=The Washington Post|access-date=2018-09-25}}</ref>

=== Breach of codes ===
In 2012, the Prosecco research team at INRIA Paris-Rocquencourt developed an efficient method of extracting the secret key from several [[PKCS 11|PKCS #11]] cryptographic devices.<ref>{{cite news | first = Somini | last = Sengupta | title = Computer Scientists Break Security Token Key in Record Time | url = http://bits.blogs.nytimes.com/2012/06/25/computer-scientists-break-security-token-key-in-record-time/ | work = [[New York Times]] | date = 2012-06-25 | access-date = 2012-06-25 }}</ref><ref>{{cite news | first = Nancy | last = Owano | title = Team Prosecco dismantles security tokens | url = http://phys.org/news/2012-06-team-prosecco-dismantles-tokens.html | work = [[Phys.org]] | date = 2012-06-27 | access-date = 2014-03-29 }}</ref> These findings were documented in INRIA Technical Report RR-7944, ID hal-00691958,<ref>{{cite web | url = http://prosecco.gforge.inria.fr/publications.php | title = Prosecco :: Publications | access-date = 2014-03-29 }}</ref> and published at CRYPTO 2012.<ref>{{cite web | title = Accepted Papers CRYPTO 2012 | url = https://www.iacr.org/conferences/crypto2012/acceptedpapers-2012.html | access-date = 2014-03-29 }}</ref>
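The "go-between" relay described under ''Attacking'' can be modelled with a standard one-time-password verifier. The following Python is an added illustration, not code from the article or from any token vendor: it implements RFC 4226 HOTP and RFC 6238 TOTP, a relying party that checks only a PIN plus the token output, and shows that a relayed code verifies as long as it is forwarded within the current time step. The `bound_response` / `verify_bound` functions, the `RelyingParty` class, the origin name `bank.example` and the demo seed are all assumptions; the origin-bound variant goes beyond the article and sketches why binding the response to the origin the client actually contacted defeats the relay.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (only the current step is accepted)."""
    return hotp(secret, now // step)


def bound_response(secret: bytes, origin_seen: str, nonce: bytes) -> bytes:
    """Hypothetical challenge-response variant: the client signs the server's nonce together
    with the origin it actually connected to, so a response collected by a look-alike site
    does not verify for the genuine origin (the idea behind origin-bound authenticators)."""
    return hmac.new(secret, origin_seen.encode() + nonce, hashlib.sha256).digest()


class RelyingParty:
    """Verifier that checks a static PIN plus the token output and nothing else."""

    def __init__(self, secret: bytes, pin: str, origin: str = "bank.example"):
        self.secret, self.pin, self.origin = secret, pin, origin

    def authenticate(self, pin: str, code: str, now: int) -> bool:
        return hmac.compare_digest(pin, self.pin) and \
            hmac.compare_digest(code, totp(self.secret, now))

    def verify_bound(self, nonce: bytes, response: bytes) -> bool:
        return hmac.compare_digest(response, bound_response(self.secret, self.origin, nonce))


def relayed_login(rp: RelyingParty, secret: bytes, pin: str, user_time: int, delay: int) -> bool:
    """Go-between model: the user enters PIN and code on the fake site at user_time and the
    attacker forwards both unchanged `delay` seconds later. Nothing in the submission lets the
    genuine server tell that it did not come from the user directly."""
    return rp.authenticate(pin, totp(secret, user_time), user_time + delay)


# Constructed demo seed (the RFC 4226 sample key), not a real token secret.
SECRET = b"12345678901234567890"
```

The verifier above accepts only the current 30-second step; the relayed submission succeeds when forwarded inside that step and fails once the step has rolled over, while the origin-bound response fails whenever the client signed for a different origin than the genuine one.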