Am - Mass Lockouts

Mass lockouts of user accounts through failed login attempts are an effective denial-of-service attack if usernames can be easily guessed and accounts lock after a number of failed attempts. For example, eBay displayed highest bidders, allowing attackers to lock them out. Ownership authentication mechanisms include smart cards, dynamic passwords from tokens that provide one-time codes, and RFID tags, which can be read without line of sight but raise privacy concerns if read at a distance.

Uploaded by crimwis

Authentication Mechanisms: Mass Lockouts

Mass Lockouts
Mass lockouts of user accounts are an effective denial-of-service attack. If a malicious hacker
learns that you are using a standard, non-unique user name format, making the user names
for authentication easy to guess, and that your access control system will lock out a user
account after a given number of failed login attempts, it is a simple matter to quickly script an
attack that walks through that many failed login attempts for every user name, leaving each and
every user with a locked-out account.

An example of this behavior can be found in the eBay Account Lockout Attack. At one time,
eBay displayed the user-id of the highest bidder for a given auction. In the final minutes of the
auction, an attacker who wanted to outbid the current highest bidder could attempt to
authenticate three times using the targeted account. After three deliberately incorrect
authentication attempts, eBay password throttling would lock out the highest bidder’s
account for a certain amount of time. An attacker could then make their own bid and the
legitimate user would not have a chance to place a counter-bid because the user would be
locked out of his/her account.
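
As an added example (not code from the original document), the following Python contrasts a per-account hard lockout, the policy behind the scenario above, with a common mitigation: counting failures per (account, source) and applying an exponential delay to that pair only, so the attacker's deliberate failures slow down the attacker rather than locking out the account holder. The thresholds, account name and addresses are assumed for illustration.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3      # failures tolerated before throttling starts (assumed policy)
BASE_DELAY = 2.0      # seconds of delay at the threshold; doubles with each further failure
MAX_DELAY = 300.0     # cap so that even a persistent attacker cannot lock a pair out for long

class HardLockout:
    """Per-account lockout of the kind described for eBay: N failures lock the account for everyone."""
    def __init__(self, clock=time.monotonic, lockout=600.0):
        self.clock, self.lockout = clock, lockout
        self.failures = defaultdict(int)        # user -> failed attempts
        self.blocked_until = defaultdict(float) # user -> time the lock expires

    def check(self, user, source):
        return self.clock() >= self.blocked_until[user]

    def record_failure(self, user, source):
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.blocked_until[user] = self.clock() + self.lockout

class PerSourceThrottle:
    """Count failures per (account, source) and delay only that pair, with exponential backoff."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)        # (user, source) -> consecutive failures
        self.blocked_until = defaultdict(float) # (user, source) -> time the delay expires

    def check(self, user, source):
        return self.clock() >= self.blocked_until[(user, source)]

    def record_failure(self, user, source):
        key = (user, source)
        self.failures[key] += 1
        excess = self.failures[key] - MAX_FAILURES
        if excess >= 0:
            self.blocked_until[key] = self.clock() + min(BASE_DELAY * 2 ** excess, MAX_DELAY)

    def record_success(self, user, source):
        self.failures.pop((user, source), None)
        self.blocked_until.pop((user, source), None)

def lockout_scenario(policy, victim="highbidder", attacker="198.51.100.7", user_ip="203.0.113.5"):
    """Attacker fails MAX_FAILURES times; can the real user, at another address, still try to log in?"""
    for _ in range(MAX_FAILURES):
        if policy.check(victim, attacker):
            policy.record_failure(victim, attacker)
    return policy.check(victim, user_ip)
```

Per-source counting is normally combined with CAPTCHAs or risk-based checks, since on its own it only protects against failures that all arrive from one address.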

Ownership
Ownership is something the user has in his/her possession, such as a smart card or a token.

• Smart cards: Typically, smart cards are credit-card sized, contain a tamper-resistant
security system, are managed by a central administration system, and require a card
reader device, such as the typical card reader on an ATM or a fuel pump at a gasoline
station. There are contact and contactless smart cards and readers.
■ A contact card reader requires physical contact between the card and the reader. There are
two primary methodologies for contact card readers. A landing contact reader requires physical
contact with the contacts (landing zone) on the card when it is placed within the reader. Typical
standards for landing contact readers include ISO 7816. Landing contact readers are popular
in physical access applications. A friction contact reader requires that the card's landing
contacts are wiped against the reader's contacts. Typical friction card readers are those used in
credit card transactions at merchants.

■ Contactless card readers are quickly gaining in popularity and typically rely on
radiofrequency identification (RFID) technology to facilitate reading. The additional security
mechanisms found in contactless card applications can include challenge/response-based
encryption safeguards to reduce the risk of “card skimming” whereby the account
information is stolen in an otherwise legitimate transaction.
• Dynamic passwords: A dynamic password methodology, also known as a “one-time
password,” is typically implemented by utilizing hardware or software token
technology. The password is changed after each authentication session. This
effectively mitigates the risk of shoulder surfing or password sniffing as the password
is only valid for the one session and cannot be reused.
• Tokens: While tokens are available in many different form factors, there are two basic
types of tokens in use today: synchronous and asynchronous.
■ With a synchronous token, time is synchronized between the token device and the
authentication server. The current time value is enciphered along with a secret key on the
token device and is presented to the access control subject for authentication. A popular
synchronous token from RSA called SecurID provides a new six- to eight-digit code
every 60 seconds; it can operate for up to four years and can be programmed to cease
operation on a predetermined date. The synchronous token requires fewer steps by the
access control subject to successfully authenticate:

■ The access control subject reads the value from his or her token device.

■ The value from the token device is entered into the login window along with the access
control subject’s PIN.

■ The authentication server calculates its own comparative value based on the synchronized
time value and the respective access control subject’s PIN. If the compared values match,
access is granted.

■ An asynchronous token, such as the event-driven, asynchronous token from Secure
Computing called the SafeWord eToken PASS, provides a new one-time password with each
use of the token. While it can be configured to expire on a specific date, its lifetime depends
on its frequency of use. The token can last between five and 10 years and effectively extend the
time period typically used in calculating the total cost of ownership in a multifactor
authentication deployment. In the use of an asynchronous one-time password token, the
access control subject typically executes a five-step process to authenticate identity and have
access granted:

1. The authentication server presents a challenge request to the access control subject.

2. The access control subject enters the challenge into his/her token device.

3. The token device mathematically calculates a correct response to the authentication server
challenge.

4. The access control subject enters the response to the challenge along with a password or
PIN.

5. The response and password or PIN are verified by the authentication server and, if
correct, access is granted. The use of a PIN together with the value provided from the token
helps to mitigate the risk of a stolen or lost token being used by an unauthorized person to
gain access through the access control system.
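
The following Python is an added example, not the document's or any vendor's code, covering both token types described above: a synchronous code derived from a shared secret and the current 60-second time step (with a small window for clock drift), and an asynchronous challenge/response code derived from the same secret and a single-use server challenge, each checked together with the subject's PIN. The HMAC-based code construction, the PIN storage scheme and the challenge format are assumptions chosen to illustrate the flow, not the internals of SecurID or SafeWord.

```python
import hashlib, hmac, os, secrets, struct
DIGITS = 6
STEP = 60  # seconds per synchronous code, matching the 60-second token described above

def truncate(mac: bytes) -> str:
    """Dynamic truncation of an HMAC digest to a DIGITS-digit code (RFC 4226 style)."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def sync_code(secret: bytes, now: int) -> str:
    """Synchronous token: the shared secret is keyed over the current time step."""
    return truncate(hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest())

def response_code(secret: bytes, challenge: str) -> str:
    """Asynchronous token: the shared secret is keyed over the server's challenge."""
    return truncate(hmac.new(secret, challenge.encode(), hashlib.sha1).digest())

class TokenServer:
    def __init__(self):
        self.users = {}    # user -> (token secret, PIN salt, PIN hash)
        self.pending = {}  # user -> outstanding challenge, single use

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (secret, salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))

    def _pin_ok(self, user: str, pin: str) -> bool:
        _, salt, digest = self.users[user]
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))

    def verify_sync(self, user: str, pin: str, code: str, now: int, window: int = 1) -> bool:
        """Accept the code for the current time step or +/- `window` steps to absorb clock drift."""
        if user not in self.users or not self._pin_ok(user, pin):
            return False
        secret = self.users[user][0]
        return any(hmac.compare_digest(code, sync_code(secret, now + k * STEP))
                   for k in range(-window, window + 1))

    def issue_challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_hex(4)  # 8 hex digits the subject types into the token
        return self.pending[user]

    def verify_response(self, user: str, pin: str, response: str) -> bool:
        """The challenge is consumed on first use, so a captured response cannot be replayed."""
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.users or not self._pin_ok(user, pin):
            return False
        return hmac.compare_digest(response, response_code(self.users[user][0], challenge))
```

A production verifier for the synchronous case also records the last accepted time step per user, so that a code observed over the shoulder cannot be reused within the drift window.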

• Radio Frequency Identification (RFID): RFID is the wireless, noncontact use of radio-
frequency electromagnetic fields to transfer data for the purposes of automatically
identifying and tracking tags attached to objects. The tags contain electronically
stored information. Some tags are powered by and read at short ranges, typically a few
meters, via magnetic fields. Others use a local power source such as a battery, or else
have no battery but collect energy from the interrogating EM field and then act as a
passive transponder to emit microwaves or UHF radio waves. Battery-powered tags
may operate at hundreds of meters. Unlike a bar code, the tag does not necessarily
need to be within line of sight of the reader and may be embedded in the tracked
object.

Some common problems with RFID are reader collision and tag collision.

■ Reader collision occurs when the signals from two or more readers overlap. The tag is
unable to respond to simultaneous queries. Systems must be carefully set up to avoid this
problem; many systems use an anti-collision protocol (also called a singulation protocol).
Anti-collision protocols enable the tags to take turns in transmitting to a reader.

■ Tag collision occurs when many tags are present in a small area, but since the read time is
very fast, it is easier for vendors to develop systems that ensure that tags respond one at a
time.
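
To show how tags are made to "take turns", the following Python is an added example (not from the original document) that simulates framed slotted ALOHA, one common singulation scheme: each unread tag answers in a randomly chosen slot of the reader's frame, a slot with exactly one answer yields a read, and slots where several tags collide are retried in the next frame. The frame-size adaptation rule and the constructed tag identifiers are assumptions for illustration.

```python
import random

def singulate(tag_ids, frame_size=4, seed=0, max_rounds=1000):
    """Framed slotted ALOHA singulation.
    Returns (tags in the order they were read, number of frames used)."""
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    unread = set(tag_ids)
    read_order, rounds = [], 0
    while unread and rounds < max_rounds:
        rounds += 1
        slots = {}
        for tag in sorted(unread):     # sorted so the random draws are deterministic
            slots.setdefault(rng.randrange(frame_size), []).append(tag)
        for slot in sorted(slots):
            replies = slots[slot]
            if len(replies) == 1:      # clean reply: reader acks the tag and it stays quiet
                read_order.append(replies[0])
                unread.discard(replies[0])
            # len(replies) > 1 is a tag collision: the reader cannot decode any reply
        # Adapt the frame (assumed rule, in the spirit of the EPC Gen2 Q algorithm):
        # widen it when collisions dominate, narrow it when most slots were empty
        collided = sum(1 for r in slots.values() if len(r) > 1)
        empty = frame_size - len(slots)
        if collided > empty:
            frame_size *= 2
        elif empty > collided and frame_size > 1:
            frame_size //= 2
    return read_order, rounds

def collision_free(tag_ids, **kw):
    """True when every tag was read exactly once, i.e. singulation completed."""
    order, _ = singulate(tag_ids, **kw)
    return len(order) == len(set(tag_ids)) and set(order) == set(tag_ids)
```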

Since the tags can be read without being swiped or obviously scanned (as is the case with
magnetic strips or barcodes), anyone with an RFID tag reader can read the tags embedded in
clothes and other consumer products without the owner's knowledge.

For example, a customer could be scanned before entering the store to see what he/she is
carrying. The customer might then be approached by a clerk who knows what is in the
customer’s backpack or purse, and the clerk can suggest accessories or other items. For
various reasons, RFID reader/tag systems are designed so that distance between the tag and
the reader is kept to a minimum. However, a high-gain antenna can be used to read the tags
from much further away, leading to privacy problems.

One of the main concerns with RFID tags is that their contents can be read by anyone with an
appropriately equipped scanner — even after the item has been taken out of the store. One
technology that has been suggested is a zombie RFID tag, a tag that can be temporarily
deactivated when it leaves the store. The process would work like this: a customer brings a
purchase up to the register, the RFID scanner reads the item, the customer pays for it, and as
the customer leaves the store, he/she passes a special device that sends a signal to the RFID
tag to “die.” That is, it is no longer readable. The “zombie” element comes in when you bring
an item back to the store. A special device especially made for that kind of tag “re-animates”
the RFID tag, allowing the item to re-enter the supply chain.
