funsec mailing list archives

RE: The end of Phishing in sight?


From: "Henderson, Dennis K." <Dennis.Henderson () umb com>
Date: Tue, 18 Oct 2005 09:29:29 -0500



-----Original Message-----
From: Mark C [mailto:securitylists () uniontown com] 
Sent: Monday, October 17, 2005 9:54 PM
To: Henderson, Dennis K.
Cc: funsec () linuxbox org
Subject: Re: [funsec] The end of Phishing in sight?

Not sure I follow you... I phish someone to my site and I 
convince them to enter their SecurID PIN/Token on my fake 
page, where my script promptly and almost instantly uses 
their credentials to log into victim's bank on the fly.  Bank 
sees one entry-- the Phisher's.  

SecurID makes it a little tougher, but certainly nowhere near 
the point of being "Secure" IMO, especially since I have a 
full 3 minutes to complete this sequence.  

I might even be able to make my script forward a second token 
verification request to the victim as I am logging into their 
bank, and have them enter the second sequential token, which 
I think then buys me a much larger window of opportunity (if 
I correctly understand how these tokens resync themselves to 
the central ACE server.)

Doesn't work this way. You have to wait for the token to roll to the
next pin. It has the same "window of opportunity" as any other pin. You
really don't have a full 3 minutes, since you don't know how much time
has elapsed when the pin was entered, you know it's somewhere
statistically around the 30 second mark of the displayed number. But 3
minutes is probably a fair number for discussion.

So yes you could theoretically instantly log in. The economics of this
approach are very costly to the fraudster. I've responded just a little
earlier with the same info.
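To make the window arithmetic in this exchange concrete, here is an added example that is not from the thread and not RSA's code: a generic time-based token validator (HMAC-based, RFC 4226/6238 style) with a 60-second period, a one-step skew allowance and a constructed secret, all assumptions standing in for SecurID internals the thread does not describe. It shows why a relayed code is accepted once, why presenting the same code again is rejected (the fraudster must wait for the token to roll), and how period times accepted steps gives the "3 minutes" figure.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumed token period (constructed, not a SecurID fact)
SKEW_STEPS = 1      # validator tolerates clock drift of one step either way


def token_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a time-step counter (HOTP-style dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def effective_window_seconds(step: int = STEP_SECONDS, skew: int = SKEW_STEPS) -> int:
    """Seconds during which a given code can still be accepted: period x accepted steps."""
    return step * (2 * skew + 1)   # 60 s x 3 steps = 180 s, the thread's "3 minutes"


class TokenValidator:
    """Server-side check that accepts each time step at most once."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = SKEW_STEPS):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_accepted = -1   # highest step counter already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.skew, current + self.skew + 1):
            if hmac.compare_digest(token_code(self.secret, counter), code):
                if counter <= self.last_accepted:
                    return False   # replay: this step was already used (by anyone)
                self.last_accepted = counter
                return True        # first use: the bank "sees one entry"
        return False               # code belongs to no step inside the window


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    v = TokenValidator(secret)
    t0 = 1_700_000_000.0
    code = token_code(secret, int(t0 // STEP_SECONDS))
    print(v.verify(code, t0 + 5), v.verify(code, t0 + 20), effective_window_seconds())
```

The first call models a code relayed within seconds of being entered on a fake page; the second models the same code presented again, which the validator refuses.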

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
