Greater than 1: Defeating "strong" Authentication in Web Applications

Presented at DEF CON 15 (2007), Aug. 5, 2007, 1 p.m. (50 minutes).

With Phishing, Fraud, and Identity Theft at peak levels, banks, credit unions, credit card companies, and other financial institutions are enhancing the security of their website authentication. This talk will cover the new methods of authentication, such as mutual authentication, device fingerprinting, out of band authentication, one time passwords, and knowledge base archives. We will analyze how these controls are intended to function, what they're really doing, and how we can defeat them. We will also evaluate the effectiveness of specific technologies based on their stated purpose: stopping phishing, fraud, and identity theft.

Presenters:

• Brendan O'Connor
  Brendan O'Connor is a security engineer from the Midwest. He worked in security for a communications company for four years before switching to the financial sector in 2004. Brendan currently works as a Security Engineer for a financial services company, where his duties include vulnerability research, security architecture, and application security. He has several multi-letter acronyms after his name, drinks too much coffee, and plays an unhealthy amount of Warcraft.

Links:

• https://defcon.org/html/defcon-15/dc-15-speakers.html#OConnor
• https://infocon.org/cons/DEF CON/DEF CON 15/DEF CON 15 video/DEF CON 15 - Brendan OConnor - Greater than 1 - Video.mp4
• https://www.youtube.com/watch?v=gMhfXNWbKkI

Similar Presentations:

• BSidesLV 2015 / No More Graphical Passwords
• DEF CON 19 (2011) / My password is: #FullOfFail! - The Core Problem with Authentication and How We Can Overcome It
• GrrCON 2018 / Over the Phone Authentication