WebApp Sec mailing list archives
RE: Article - A solution to phishing
From: "Robin Balean" <Robin.Balean () cybertrust com>
Date: Fri, 26 Nov 2004 10:34:55 +1100
Michael, I think this attack might even make life easier for phishers. By now, most people have learned to distrust emails claiming to be from their bank and containing a link to what is supposedly the bank's web site. Your method is resistant against phishing, but it could have the side-effect that people will begin trusting links in emails. It is very easy to forge the "from" address in an email and put in a dodgy link. It would still be possible for phishers to simulate the entire login process, including sending you an email (since they will typically have this information), allowing them to steal identity information after you follow their login link.

Also, you may have closed one door, but you have opened another - and it's a big one. Email is a very insecure delivery method. There are many points on the way where mails can be intercepted. All I need is one of these mails sending a password to someone and I'm in. To make this secure you would need to encrypt the emails. But if you have the capability to send encrypted emails then you may as well use a less convoluted method such as client authenticated SSL.

The concept of sending an OTP over a second channel is a good one though. One scheme that has been used is to send an SMS to a nominated telephone. This provided very good security but was unworkable due to SMS delivery sometimes being slow or unreliable. A scheme that is becoming popular now is the use of tokens such as RSA SecurID tokens, which provide a pseudo-random number which changes every 30 seconds or so and is synchronised with a server which knows how to generate the same number given the time of day and token id.

One thing I have not seen much of in discussions of phishing is the man-in-the-middle attack. I believe that these will become more common and they are still relatively easy to execute. All I need to do is relay messages between the client and server until sufficient authorisation has been established and then take over. Even OTP methods such as RSA SecurID tokens provide no protection against this type of attack.

Robin

-----Original Message-----
From: Michael Silk [mailto:michaels () phg com au]
Sent: Tuesday, 23 November 2004 2:41 PM
To: webappsec () securityfocus com
Subject: Article - A solution to phishing

Hi,

Just a quick little article about a login system that, should (i think :)), prevent phishing attempts on your site.

http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html

Have a look at it and let me know what you think ... and apologies to anyone if an idea like this is already out there :)

--
Michael

**********************************************************************
This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments. This email is for your convenience only, you should not rely on any information contained herein for contractual or legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by authorised persons.
**********************************************************************