Security Incidents mailing list archives
RE: Discovering and Stopping Phishing/Scam Attacks
From: "Michael J. Pomraning" <mjp-incidents-ml () securepipe com>
Date: Thu, 28 Apr 2005 11:37:13 -0500 (CDT)
On Thu, 28 Apr 2005, Alex wrote:
> Under your scheme, Phishers would only need to spoof an "unblock" email to the user. How many users are actually going to invent a NEW password and a NEW 3rd item? They are just going to re-enter their current ones and give these to the Phisher. Most people don't even bother making unique passwords for each service. It's still not clear what the utility of the 3rd field is -- seems equivalent to a longer password.
Nuno is proposing that the 3rd item authenticate the website to the end-user, not the other way around. As you and Randy point out, however, other parts of the system could be attacked. The spoofed login page could simply claim that the login site had undergone dramatic overhaul -- never mind, please log in anyway! Moreover, in the original proposal, IIUC, the phishing site could simply use the inputted username to itself proxy the user-defined token back to the phished victim, simulating a real login. (Additionally, an attacker could enumerate end-users' "secret questions to themselves" simply by knowing or guessing their usernames.)
> I think a better way to stop phishing is simple education. People are used to verifying physical ID (i.e. Driver's license) for many types of transactions (bank, apartment lease, etc.). They need to get used to verifying SSL certificates for login webpages.
Between browser bugs (like visual spoofing), CA fallibility, and the unsettling practices of many online institutions ("You'll momentarily be directed to ssl-blah.your-institution.3rdparty.com for secure login!"), I personally have little hope for this as a solution. Site-to-user authentication is still an intriguing area, however.

-Mike