funsec mailing list archives
RE: The end of Phishing in sight?
From: "Henderson, Dennis K." <Dennis.Henderson () umb com>
Date: Tue, 18 Oct 2005 09:29:29 -0500
-----Original Message-----
From: Mark C [mailto:securitylists () uniontown com]
Sent: Monday, October 17, 2005 9:54 PM
To: Henderson, Dennis K.
Cc: funsec () linuxbox org
Subject: Re: [funsec] The end of Phishing in sight?

Not sure I follow you... I phish someone to my site and I convince them to enter their SecurID PIN/Token on my fake page, where my script promptly and almost instantly uses their credentials to log into victim's bank on the fly. Bank sees one entry-- the Phisher's. SecurID makes it a little tougher, but certainly nowhere near the point of being "Secure" IMO, especially since I have a full 3 minutes to complete this sequence. I might even be able to make my script forward a second token verification request to the victim as I am logging into their bank, and have them enter the second sequential token, which I think then buys me a much larger window of opportunity (if I correctly understand how these tokens resync themselves to the central ACE server.)
Doesn't work this way. You have to wait for the token to roll to the next pin. It has the same "window of opportunity" as any other pin. You really don't have a full 3 minutes, since you don't know how much time has elapsed when the pin was entered; you know it's somewhere statistically around the 30 second mark of the displayed number. But 3 minutes is probably a fair number for discussion. So yes, you could theoretically instantly log in. The economics of this approach are very costly to the fraudster.

I've responded just a little earlier with the same info.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.