RE: The end of Phishing in sight?

["Henderson, Dennis K." <Dennis.Henderson () umb com>]

When you use a securid token, the number displayed is only good for a
short period of time, like 2-3 minutes. After that it is not valid.

Once you use it, its not valid ever again. So if the number was entered
at a phishing site, the fraudster would have to use it within 1-2
minutes tops. 

I guess a site could be set up to automatically attempt login on a real
site upon harvest of the credential. The fraudster would have to be
notified in real time and be able to take advantage of the event right
as it occurred. 

I think this reduces, but does not eliminate the odds. Most modern
online banking pages will have a timeout, so the perp needs to be on the
ball to take advantage. No setting up the site, partying the night away,
waking up and looking at the list of passwords. This attack would
require eyeballs on the screen.

All these things increase the cost to the perp of doing business, thus
reducing the likelihood that this type of attack vector would happen
successfully.

My opinion, of course...

 

> -----Original Message-----
> From: funsec-bounces () linuxbox org 
> [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
> Sent: Monday, October 17, 2005 5:32 PM
> To: funsec () linuxbox org
> Subject: RE: [funsec] The end of Phishing in sight?
>
> So this will guard against a Securid stolen by spyware, but 
> not by phishing, right?
>  
> Richard
>
> ________________________________
>
> From: funsec-bounces () linuxbox org 
> [mailto:funsec-bounces () linuxbox org] On Behalf Of Henderson, Dennis K.
> Sent: Monday, October 17, 2005 6:26 PM
> To: Security Lists; funsec () linuxbox org
> Subject: RE: [funsec] The end of Phishing in sight?
>
>
> Securid's pins are consumed as they are used, pin sync or 
> login. Log it all you want.... no dice.
>  
>  
>
>
> ________________________________
>
>       From: funsec-bounces () linuxbox org 
> [mailto:funsec-bounces () linuxbox org] On Behalf Of Security Lists
>       Sent: Monday, October 17, 2005 3:39 PM
>       To: funsec () linuxbox org
>       Subject: Re: [funsec] The end of Phishing in sight?
>       
>       
>       I believe a SecurID token has a full 3-minute window of 
> opportunity (more if you can get the user to enter two 
> subsequent token #'s I believe, that's what's needed for 
> token resync sequence), Phisher could simply script an 
> instant automated MITM that would log them in on-the-fly, PIN and all.
>       
>       -Mark C
>       
>       
>       Dave Killion wrote: 
>
>
>
>               On 10/17/05, Paul Schmehl <pauls () utdallas edu> wrote: 
>
>
>                       OK, I'll bite.  Are the banks going to 
> be forced to provide the readers?
>                       Or is online banking going to become a 
> thing of the past?
>                       
>
>
>               ETrade is already providing certain select 
> customers with SecurID tokens.
>               
>               -- 
>               Dave Killion, CISSP
>               Contributing Author, Configuring NetScreen Firewalls
>               PGP Key Fingerprint: 
>               E477 488D 4340 D04F DD94 2A65 048C B376 D50B 45C8 
>               
> ________________________________
>
>
>               _______________________________________________
>               Fun and Misc security discussion for OT posts.
>               https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>               Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.