funsec mailing list archives
RE: The end of Phishing in sight?
From: "Henderson, Dennis K." <Dennis.Henderson () umb com>
Date: Tue, 18 Oct 2005 09:20:45 -0500
When you use a securid token, the number displayed is only good for a short period of time, like 2-3 minutes. After that it is not valid. Once you use it, its not valid ever again. So if the number was entered at a phishing site, the fraudster would have to use it within 1-2 minutes tops. I guess a site could be set up to automatically attempt login on a real site upon harvest of the credential. The fraudster would have to be notified in real time and be able to take advantage of the event right as it occurred. I think this reduces, but does not eliminate the odds. Most modern online banking pages will have a timeout, so the perp needs to be on the ball to take advantage. No setting up the site, partying the night away, waking up and looking at the list of passwords. This attack would require eyeballs on the screen. All these things increase the cost to the perp of doing business, thus reducing the likelihood that this type of attack vector would happen successfully. My opinion, of course...
-----Original Message----- From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith Sent: Monday, October 17, 2005 5:32 PM To: funsec () linuxbox org Subject: RE: [funsec] The end of Phishing in sight? So this will guard against a Securid stolen by spyware, but not by phishing, right? Richard ________________________________ From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Henderson, Dennis K. Sent: Monday, October 17, 2005 6:26 PM To: Security Lists; funsec () linuxbox org Subject: RE: [funsec] The end of Phishing in sight? Securid's pins are consumed as they are used, pin sync or login. Log it all you want.... no dice. ________________________________ From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Security Lists Sent: Monday, October 17, 2005 3:39 PM To: funsec () linuxbox org Subject: Re: [funsec] The end of Phishing in sight? I believe a SecurID token has a full 3-minute window of opportunity (more if you can get the user to enter two subsequent token #'s I believe, that's what's needed for token resync sequence), Phisher could simply script an instant automated MITM that would log them in on-the-fly, PIN and all. -Mark C Dave Killion wrote: On 10/17/05, Paul Schmehl <pauls () utdallas edu> wrote: OK, I'll bite. Are the banks going to be forced to provide the readers? Or is online banking going to become a thing of the past? ETrade is already providing certain select customers with SecurID tokens. -- Dave Killion, CISSP Contributing Author, Configuring NetScreen Firewalls PGP Key Fingerprint: E477 488D 4340 D04F DD94 2A65 048C B376 D50B 45C8 ________________________________ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- RE: Re[2]: The end of Phishing in sight?, (continued)
- RE: Re[2]: The end of Phishing in sight? Blanchard_Michael (Oct 17)
- Re[4]: The end of Phishing in sight? Pierre Vandevenne (Oct 17)
- RE: Re[2]: The end of Phishing in sight? Henderson, Dennis K. (Oct 17)
- RE: The end of Phishing in sight? Henderson, Dennis K. (Oct 17)
- RE: The end of Phishing in sight? Richard M. Smith (Oct 17)
- Re: The end of Phishing in sight? Mark C (Oct 17)
- Re: The end of Phishing in sight? Douglas F. Calvert (Oct 17)
- RE: Re[4]: The end of Phishing in sight? Marius Gheorghescu (Oct 17)
- Re: Re[4]: The end of Phishing in sight? Douglas F. Calvert (Oct 17)
- RE: The end of Phishing in sight? Blanchard_Michael (Oct 18)
- RE: The end of Phishing in sight? Henderson, Dennis K. (Oct 18)
- Re: The end of Phishing in sight? Security Lists (Oct 18)
- RE: The end of Phishing in sight? Henderson, Dennis K. (Oct 18)
- RE: The end of Phishing in sight? Richard M. Smith (Oct 18)
- RE: The end of Phishing in sight? Henderson, Dennis K. (Oct 18)
- The end of Phishing in sight? Gary Warner (Oct 18)
- Re: The end of Phishing in sight? Valdis . Kletnieks (Oct 18)
- RE: The end of Phishing in sight? Richard M. Smith (Oct 18)
- Re: The end of Phishing in sight? Blue Boar (Oct 18)
- RE: The end of Phishing in sight? Blanchard_Michael (Oct 18)
- RE: The end of Phishing in sight? Richard M. Smith (Oct 18)
(Thread continues...)
- RE: Re[2]: The end of Phishing in sight? Blanchard_Michael (Oct 17)