Penetration Testing mailing list archives
Re: Multifactor Authentication Account Harvesting
From: Vishal Garg <vishal () firstbase co uk>
Date: Thu, 05 Jul 2007 09:38:58 +0100
Hi,I have come across some web sites that take all the information from the users first and then return an error message if any one part of the information is not correct. So if the web site asks the user to supply a user name on the first screen and without comparing it with the valid user names in the database, goes on to the second screen where a user is asked to supply further information such as a passphrase or challenge-response questions or both. Once all this information is supplied by the user, web application compares the responses to see if this is a valid user or not. This way web site does not leak any information about valid user names and thus prevents harvesting of accounts.
Regards Vishal At 19:35 7/3/2007, Jeffory Atkinson wrote:
Good day all, I was wondering if anyone has come up for a solution for mitigating = account harvesting via multifactor authentication. It seems to combat phishing, = more and more sites are moving to multifactor authentication but, there is an inherent security flaw in the logic that in my mind out weighs potential phishing risk. In most instances that I have seen, multifactor authentication requires a user to supply their user ID on one page and = if the user is valid it will return a password page with an image = accompanied with a user set phrase or request additional security questions. This = logic allows anyone to attempt to harvest valid accounts. Due to the fact if = it is not a valid account the application will not return an image with a = phrase or the additional security questions. Any thoughts or possible solutions welcomed. Thanks for your time. JA ------------------------------------------------------------------------ This List Sponsored by: Cenzic Swap Out your SPI or Watchfire app sec solution for Cenzic's robust, accurate risk assessment and management solution FREE - limited Time Offer http://www.cenzic.com/wf-spi ------------------------------------------------------------------------
*************************************************************** Vishal Garg MSc CISSP Penetration Tester First Base Technologies Tel: +44 (0)1273 454525 www.fbtechies.co.uk www.white-hats.co.uk **************************************************************** ------------------------------------------------------------------------ This List Sponsored by: Cenzic Swap Out your SPI or Watchfire app sec solution for Cenzic's robust, accurate risk assessment and management solution FREE - limited Time Offer http://www.cenzic.com/wf-spi ------------------------------------------------------------------------
Current thread:
- Multifactor Authentication Account Harvesting Jeffory Atkinson (Jul 03)
- RE: Multifactor Authentication Account Harvesting Henderson, Dennis K. (Jul 05)
- RE: Multifactor Authentication Account Harvesting Cory . Bys (Jul 09)
- Re: Multifactor Authentication Account Harvesting Vishal Garg (Jul 05)
- RE: Multifactor Authentication Account Harvesting Henderson, Dennis K. (Jul 05)