← Back to context

Comment by charcircuit

25 days ago

How does it solve MITM? You type your hardware token in and then an attacker uses it to send money out of your account.

>What exactly is the concern here?

Stealer malware. Or even RATs where attackers get notified when you open a sensitive app and they can take over after you have authenticated.

4 comments

charcircuit

Reply
fc417fc802  25 days ago

Could you please spell out the specifics of this scenario?

MitM via an evil (ie incorrect) domain name is prevented because U2F (and now webauthn or CTAP2) are origin bound.

RATs? On stock android? How does that work? And how are the things you describe not also threats for online banking via a browser? It's certainly not how the vast majority of attacks take place in the wild. Can you provide any examples of such an attack (ie malware as opposed to phishing) that was widespread? Otherwise I assume we're writing a script for Hollywood here.

Even then, a RAT could be trivially defeated by requiring a second one-off token authentication for any transaction that would move money around. I doubt there'd be much objection to such a policy. If people really hate it let them opt out below an amount of their choosing by signing a liability waiver.

  • charcircuit  25 days ago

    >are origin bound.

    This is assuming the user's device is not compromised.

    >How does that work?

    Priviledge escalation on an old OS version allows an attacker to get root access. Then with that they can bypass any sandboxing. Or they could get access to some android permission intended for system apps that they should not have access to and use that to do malicous things.

    I don't closely follow malware outbreaks for android so I can't point to specific examples, but malware does exist.

    • fc417fc802  25 days ago

      So the attacker compromises the user's device ... and then sets up a MitM? This is making about as much sense as the typical Hollywood plot that involves computers so I guess that means we're on track.

      > Priviledge escalation on an old OS version allows an attacker to get root access.

      At which point hardware attestation accomplishes nothing. Running in an enclave might but attesting the OS image that was used to boot most certainly won't.

      Many consumers use older devices. Any banking app is forced to support them or they will lose customers. There's no way around that. (It doesn't matter anyway because these sorts of attacks simply aren't commonplace.)

      > but malware does exist.

      I didn't ask for an example of malware. I asked you to point to an example of a widespread attack against secured accounts using malware as a vector. You have invented some utterly unrealistic scenario that simply isn't a concern in the real world for a consumer banking interaction.

      You're describing the sort of high effort targeted attack utilizing one or more zero days that a high level government official might be subject to.

      1 reply →