WebApp Sec mailing list archives

RE: Article - A solution to phishing


From: "Christopher Canova" <canovac () earthlink net>
Date: Fri, 26 Nov 2004 00:35:53 -0800

This is an interesting read, but, yes, it has already been thought about. A
few problems with your method: 

* The password timeout is too short. Consider that the default check
frequency for most mail programs is 30 minutes. Of course, this could be
fixed by making a longer timeout. 

* "A little bit of education" is exactly what we need. If we had a "little
bit of education" to go around, then we would all be savvy users. You're
assuming that a normal user would be interested in learning this method... 

* Consider that the average time for a user to become disinterested in the
website they are visiting is measured in seconds or minutes. If this system
was implemented in a site that provided online merchandise, this lag would
be unacceptable for most, if not all, merchandisers. If the users are
waiting around for an email, the chances are dramatically increased that
they will move to a different site that doesn't have this method
implemented. 

* It is not secure. The email would need to be encrypted. The encryption
requires another password. All the phisher would have to do is pose as
someone requiring the password for the encrypted email as opposed to the
password for the website. Of course, this could cause the user to become
more suspicious.

* Easier methods for one-time passwords are already being used, and have
been for some time. For example, I remember at my work that we had this
program which would generate 5 random words for every login we attempted. The
program would accept a secret passphrase that only the user knew and would
only be installed on the local system of the user. It would generate the
five words and the server would accept that passphrase only once. Once the
session is ended, that passphrase is no longer available. This effectively
eliminates the requirement for waiting for an email. 

* However, even if you did implement a one-time password policy, so what?
Phishing is a social attack. It's not a passphrase attack. Phishing doesn't
only gather passphrases, it can gather social security numbers, credit card
information, birth dates, etc. You're not fixing anything by implementing a
new, less effective method for password generation. 

So you are assuming LOTS of things in your blog, and the worst assumption
you make is that your system will work. It's got lots of holes and doesn't
focus on the fact that HUMANS are susceptible to phishing, not password
systems. I don't mean to sound rude or upfront. I'm just trying to warn
anyone who may attempt your system that it may fail, easily. 

Phishing cannot be solved. It is an ancient art of exploiting social order.
One method for minimizing the effects of phishing is education. Another
would be enforceable punishment for attackers who use this for committing a
crime. Another way is to develop applications which take secure transactions
into consideration. 

Actually, the fact that you are proposing a "solution" to this phenomenon
with the implementation of your system is scary to me. It is a very
narrowly-focused view of security. You need to refocus on the basics of
information security; I've outlined some of that above. But the lesson you
should take from this is: social engineering attacks cannot be solved by a
magic bullet. All a phisher would need to do is find the weakest link: an
uninformed user (or administrator). 

Again, my apologies for sounding upfront. I just want to show you the
seriousness of making these assumptions. Please feel free to contact me
directly. 

--
Christopher Canova, Student
canovac () earthlink net
http://home.earthlink.net/~canovac 
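The one-time-password program described in the reply above (a local program that turns a secret passphrase into five words per login, with the server accepting each value only once) is the kind of hash-chain scheme that S/KEY popularized. The following is an added example for readers of this thread; it is not the program the poster remembers nor any real product. The secret, the seed, the chain length and the toy 256-word syllable dictionary are all constructed for the demo, and the chain is truncated to 40 bits only so that five words can carry it.

```python
"""S/KEY-style one-time passwords: the client hashes a locally held secret
repeatedly, presents one link of the hash chain as words, and the server
accepts each link exactly once. Added example; values below are constructed."""
import hashlib
import hmac
from typing import Optional

# Words per OTP, mirroring the post. Five bytes is 40 bits, enough to show the
# mechanism; a real deployment carries 64 bits or more (S/KEY uses 6 words).
WORD_COUNT = 5

# Toy dictionary: 8 x 4 x 8 = 256 pronounceable syllables, one per byte value.
# (Real S/KEY uses a 2048-word list at 11 bits per word.)
_C1, _V, _C2 = "bdfgklmn", "aeio", "prstvzxw"
WORDS = [a + b + c for a in _C1 for b in _V for c in _C2]
_INDEX = {w: i for i, w in enumerate(WORDS)}


def _step(x: bytes) -> bytes:
    """One link of the chain: hash, then truncate to WORD_COUNT bytes."""
    return hashlib.sha256(x).digest()[:WORD_COUNT]


def chain(secret: str, seed: str, n: int) -> bytes:
    """The n-th one-time value: H applied n+1 times to secret || seed.
    The client computes this locally; the secret never leaves the client."""
    x = _step((secret + seed).encode())
    for _ in range(n):
        x = _step(x)
    return x


def to_words(value: bytes) -> str:
    return " ".join(WORDS[b] for b in value)


def from_words(text: str) -> Optional[bytes]:
    """Decode what the user typed; None if any word is not in the dictionary."""
    try:
        return bytes(_INDEX[w] for w in text.lower().split())
    except KeyError:
        return None


class OtpServer:
    """Stores only the newest accepted link and its index, never the secret."""

    def __init__(self, seed: str, counter: int, last_value: bytes) -> None:
        self.seed, self.counter, self.last_value = seed, counter, last_value

    @classmethod
    def enroll(cls, secret: str, seed: str, n: int) -> "OtpServer":
        # Enrollment is the one time the secret is used on the server side.
        return cls(seed, n, chain(secret, seed, n))

    def challenge(self) -> tuple:
        """Tell the client which link to present next (seed, index)."""
        return self.seed, self.counter - 1

    def verify(self, words: str) -> bool:
        """Accept iff H(presented) equals the last accepted link, then advance.
        A replayed value fails because the stored link has moved past it."""
        v = from_words(words)
        if v is None or len(v) != WORD_COUNT or self.counter <= 1:
            return False
        if not hmac.compare_digest(_step(v), self.last_value):
            return False
        self.last_value, self.counter = v, self.counter - 1
        return True


def client_response(secret: str, seed: str, n: int) -> str:
    """What the user's local program prints for login n."""
    return to_words(chain(secret, seed, n))


def demo() -> list:
    """Two logins with a replay in between: returns [True, False, True]."""
    secret, seed = "correct horse battery", "demo-seed-01"  # constructed
    server = OtpServer.enroll(secret, seed, 100)
    seed, n = server.challenge()
    first = client_response(secret, seed, n)
    results = [server.verify(first), server.verify(first)]  # second is a replay
    seed, n = server.challenge()
    results.append(server.verify(client_response(secret, seed, n)))
    return results


if __name__ == "__main__":
    print(demo())
```

The point the reply makes still stands for this design: a phishing page that relays the five words to the real site within the same login is not stopped by the chain, because each link is valid until it is used. What the scheme does remove is the value of a captured password to a later attacker, and the need to wait for an email.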

-----Original Message-----
From: Michael Silk [mailto:michaels () phg com au] 
Sent: Monday, November 22, 2004 7:41 PM
To: webappsec () securityfocus com
Subject: Article - A solution to phishing

Hi,
 
    Just a quick little article about a login system that, should (I think
:)), prevent phishing attempts on your site.
 
 
http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html
 
    Have a look at it and let me know what you think ... and apologies to
anyone if an idea like this is already out there :)
 
-- Michael


**********************************************************************
This email message and accompanying data may contain information that is
confidential and/or subject to legal privilege. If you are not the intended
recipient, you are notified that any use, dissemination, distribution or
copying of this message or data is prohibited. If you have received this
email message in error, please notify us immediately and erase all copies of
this message and attachments.

This email is for your convenience only, you should not rely on any
information contained herein for contractual or legal purposes. You should
only rely on information and/or instructions in writing and on company
letterhead signed by authorised persons.
**********************************************************************
