Security Incidents mailing list archives

RE: Discovering and Stopping Phishing/Scam Attacks


From: "Michael J. Pomraning" <mjp-incidents-ml () securepipe com>
Date: Thu, 28 Apr 2005 11:37:13 -0500 (CDT)

On Thu, 28 Apr 2005, Alex wrote:

> Under your scheme, Phishers would only need to spoof an "unblock" email to
> the user.
>
> How many users are actually going to invent a NEW password and a NEW 3rd
> item? They are just going to re-enter their current ones and give these to
> the Phisher.
>
> Most people don't even bother making unique passwords for each service.
>
> It's still not clear what the utility of the 3rd field is -- seems
> equivalent to a longer password.

Nuno is proposing that the 3rd item authenticate the website to the
end-user, not the other way around.  As you and Randy point out, however,
other parts of the system could be attacked.  The spoofed login page could
simply claim that the login site had undergone dramatic overhaul --
never mind, please log in anyway!

Moreover, in the original proposal, IIUC, the phishing site could simply use
the inputted username to itself proxy the user-defined token back to the
phished victim, simulating a real login.  (Additionally, an attacker could
enumerate end-users' "secret questions to themselves" simply by knowing or
guessing their usernames.)

> I think a better way to stop phishing is simple education. People are used
> to verifying physical ID (i.e. Driver's license) for many types of
> transactions (bank, apartment lease, etc).  They need to get used to
> verifying SSL certificates for login webpages.

Between browser bugs (like visual spoofing), CA fallibility, and the
unsettling practices of many online institutions ("You'll momentarily be
directed to ssl-blah.your-institution.3rdparty.com for secure login!"), I
personally have little hope for this as a solution.  Site-to-user
authentication is still an intriguing area, however.

-Mike
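The proxying problem Mike raises above, as an added toy model that is not part of the thread: the genuine site looks up the user-chosen recognition token by username alone, so a look-alike page can relay the typed username and echo the real token back. The hardened variant (an assumption, not something the thread proposes) only reveals the token to a browser presenting a secret the site set earlier; all names and sample data are constructed.

```python
# Added example (not from the mailing-list thread): a model of the
# username-keyed site-to-user token scheme and of the proxy problem.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LoginSite:
    """The genuine site: stores each user's self-chosen recognition token."""
    tokens: Dict[str, str] = field(default_factory=dict)          # username -> token
    device_secrets: Dict[str, str] = field(default_factory=dict)  # username -> cookie

    def token_for_username(self, username: str) -> Optional[str]:
        """Original proposal: anyone who knows the username gets the token."""
        return self.tokens.get(username)

    def token_for_device(self, username: str, cookie: Optional[str]) -> Optional[str]:
        """Hardened variant (assumption): the token is shown only to a browser
        that presents the per-device secret the site set on an earlier visit."""
        if cookie is not None and self.device_secrets.get(username) == cookie:
            return self.tokens[username]
        return None


class ProxyingPhisher:
    """A look-alike page that forwards the typed username to the real site and
    echoes back whatever token it receives. It never holds the victim's cookie,
    since the browser scopes that cookie to the genuine site's origin."""

    def __init__(self, real: LoginSite) -> None:
        self.real = real

    def fake_page_token(self, username: str, hardened: bool) -> Optional[str]:
        if hardened:
            return self.real.token_for_device(username, cookie=None)
        return self.real.token_for_username(username)


def simulate(hardened: bool) -> bool:
    """Return True if the look-alike page can show the victim the right token."""
    real = LoginSite()
    real.tokens["alice"] = "blue teapot"      # constructed sample user
    real.device_secrets["alice"] = "c0ff33"   # constructed cookie on alice's browser
    shown = ProxyingPhisher(real).fake_page_token("alice", hardened=hardened)
    return shown == real.tokens["alice"]


if __name__ == "__main__":
    print("victim sees correct token (original):", simulate(hardened=False))  # True
    print("victim sees correct token (hardened):", simulate(hardened=True))   # False
```

The second secret is what breaks the relay: the token must depend on something the look-alike page cannot obtain from the username alone.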
