RE: Article - A solution to phishing

["Christopher Canova" <canovac () earthlink net>]

http://www.snpx.com/cgi-bin/news5.cgi?target=www.newsnow.co.uk/cgi/NGoto/786
26317?-2622

Like I said... Tough legislation and pro-active prosecution will end
phishing scams, not simply using a new anti-phishing scheme.  

-----Original Message-----
From: Michael Silk [mailto:michaelsilk () gmail com] 
Sent: Friday, November 26, 2004 3:23 AM
To: canovac () earthlink net; webappsec () securityfocus com
Subject: RE: Article - A solution to phishing

Hi Christopher,

        Thanks for your feedback, let me address it.

        First let me say that many people have raised
        the issue (privately) of unecrypted emails not
        being good enough - and they have a point. So
        from now onwards let us assume that public
        key/private key exchange system is used to
        communicate the emails such that:

        The user either provides their own public key
        to the site ("Test-Bank") or is given one upon
        registration.

        Hence, emails between Test-Bank and Jones are
        encrypted and cannot be decrypted until Jones
        either:
                a) Types in pass-phrase _TO THE EMAIL CLIENT_.
                b) Connects USB device holding private key
                        to computer.
                c) Something else you can dream up involving
                        smart-cards.

        The point is that the email is encrypted and can
        only be decrypted until such time as Jones and
        his password holding device (possibly his head)
        are at the computer.


        Let's now address your points.


        > * The password timeout is too short. Consider
        > that the default check frequency for most mail
        > programs is 30 minutes. Of course, this could be
        > fixed by making a longer timeout.

        Timeout isn't required anymore (or at least isn't
        required to be short - can be 1 day or more) because
        email interception has become useless.


        > * "A little bit of education" is exactly what
        > we need. If we had a "little bit of education" 
        > to go around, then we would all be savvy users.
        > You're assuming that a normal user would be
        > interested in learning this method...

        It is a simple method for them to adopt as opposed
        to reading warnings from Internet Explorer and being
        allowed to continue anyway ... or looking for a padlock,
        or looking at the address bar. In this case they have
        no choice but to accept the system, they cannot - 
        without great and thought-out effort - pass the password
        to someone else before they use it.


        > * Consider that the average time for a user to
        > become disinterested in the website they are 
        > visiting is measured in seconds or minutes. If
        > this system was implemented in a site that provided
        > online merchandise, this lag would be unacceptable
        > for most, if not all, merchandisers. If the users
        > are waiting around for an email, the chances are
        > dramatically increased that they will move to a
        > different site that doesn't have this method
        > implemented.

        The solution isn't appropriate for every site out there.
        A merchandiser wasn't my target. But you are correct,
        it is more bulky then a common login screen.


        > * It is not secure. The email would need to be
        > encrypted. The encryption requires another password.
        > All the phisher would have to do is pose as someone
        > requiring the password for the encrypted email as
        > opposed to the password for the website. Of course,
        > this could cause the user to become
        > more suspicious.

        The email is encrypted now. The phisher would not
        have the possibility to ask for the password as the
        user does not enter the password onto any website
        when they use it. It is used fully within their email
        client, or, ideally - it is used without them even
        being really aware, via usb or palm pilot or, as 
        Pete Simpson mention [1] mobile phone.


        > * Easier methods for one-time passwords are already
        > being used, and have been for some time. For example,
        > I remember at my work that we had this program which
        > would generate 5 random words for every login we attempt.
        > The program would accept a secret passphrase that only
        > the user knew and would only be installed on the
        > local system of the user. It would generate the five
        > words and the server would accept that passphrase only
        > once. Once the session is ended, that passphrase is no
        > longer available. This effectively eliminates the
        > requirement for waiting for an email.

        I don't quite understand this description.

        Are you saying the user has a passphrase which they enter
        into a program installed on their local system which would
        then generate 5 "random" words ?

        It sounds a little different to the common web login
        scenario. Can you explain more ?

        Could the user be tricked into typing his/her password
        somewhere other then the secure site ? It sounds like it
        - unless the program installed on the client computer
        performs the login function.

        If it does, then it sounds almost identical to my system
        except that instead of requiring a tool installed on the 
        clients computer we make use of their email system.

        How does your communicate to the server to get the 5 random
        words ? Or are the words generated on the basis of some
        algorithm which the server decodes to realise that it is a
        certain user ?


        > * However, even if you did implement a one time
        > password policy, so what? Phishing is a social attack.
        > It's not a passphrase attack.

        Well actually it is. All phishing attemts I've seen, lately,
        try and grab your password. Perhaps there are others that
        try and grab other information but that is not to say that
        password-gathering "fake" websites don't exist - they do, and
        they are an issue. This system attempts to address that.


        > Phishing doesn't
        > only gather passphrases, it can gather social security
        > numbers, credit card information, birth dates, etc. You're
        > not fixing anything by implementing a new, less effective
        > method for password generation.

        We're fixing the fact that the user now has no, greatly
        useful, information to give away to the phisher - hence the
        phisher has nothing to phish for. No phish.


        > So you are assuming LOTS of things in your blog, and the
        > worst assumption you make is that your system will work.
        > It's got lots of holes and doesn't focus on the fact that
        > HUMANS are susceptible to phishing, 
        
        Actually it does. Like I mentioned ahove the goal of the
        article was to take away from the user any information
        they could provide to the phisher (accidently). And we have
        done that.


        > Actually, the fact that you are proposing a "solution"
        > to this phenomenon with the implementation of your system
        > is scary to me. It is a very narrowly-focused view of security.

        I don't see how I am being narrowly focused.


        > You need to refocus on the basics of
        > information security, I've outlined some of that above.
        > But the lesson you should take from this is: social
        > engineering attacks cannot be solved by a magic bullet.

        Quite frankly I think if we can take away the sensitive
        information that a user can give to a phisher phishing has
        been solved. Of course, in practical terms the user is going
        to need to know something the phisher doesn't and hence has
        the ability to give this information away. But if we
        reduce/remove the information _inside the phishers domain
        (i.e: the web)_ then they can't get at it.

        For example: It is far less likely for me to type my NT
        password into a website then it is for me to type my Hotmail 
        password into one.


        > All a phisher would need to do is find the weakest link: an
        > uninformed user (or administrator).

        Well sure, but why not remove as many weak links as we
        can ? It can only help.


        > Again, my apologies for sounding upfront. 

        No need to apologise, just don't be upset if you get the same back
:)

-- Michael

PS: I realised maybe the title is suggesting something along the lines of:
"You will be 100% secure if you use this!!!". I, of course, don't mean to
imply this - sorry if it came across that way.


[1] http://www.clearswift.com/library/blogs/entry.aspx?ID=39

-----Original Message-----
From: Christopher Canova [mailto:canovac () earthlink net]
Sent: Fri 26/11/2004 7:35 PM
To: Michael Silk; webappsec () securityfocus com
Cc: 
Subject: RE: Article - A solution to phishing

This is an interesting read, but, yes, it has already been thought about. A
few problems with your method:

* The password timeout is too short. Consider that the default check
frequency for most mail programs is 30 minutes. Of course, this could be
fixed by making a longer timeout.

* "A little bit of education" is exactly what we need. If we had a "little
bit of education" to go around, then we would all be savvy users. You're
assuming that a normal user would be interested in learning this method...

* Consider that the average time for a user to become disinterested in the
website they are visiting is measured in seconds or minutes. If this system
was implemented in a site that provided online merchandise, this lag would
be unacceptable for most, if not all, merchandisers. If the users are
waiting around for an email, the chances are dramatically increased that
they will move to a different site that doesn't have this method
implemented.

* It is not secure. The email would need to be encrypted. The encryption
requires another password. All the phisher would have to do is pose as
someone requiring the password for the encrypted email as opposed to the
password for the website. Of course, this could cause the user to become
more suspicious.

* Easier methods for one-time passwords are already being used, and have
been for some time. For example, I remember at my work that we had this
program which would generate 5 random words for every login we attempt. The
program would accept a secret passphrase that only the user knew and would
only be installed on the local system of the user. It would generate the
five words and the server would accept that passphrase only once. Once the
session is ended, that passphrase is no longer available. This effectively
eliminates the requirement for waiting for an email.

* However, even if you did implement a one time password policy, so what?
Phishing is a social attack. It's not a passphrase attack. Phishing doesn't
only gather passphrases, it can gather social security numbers, credit card
information, birth dates, etc. You're not fixing anything by implementing a
new, less effective method for password generation.

So you are assuming LOTS of things in your blog, and the worst assumption
you make is that your system will work. It's got lots of holes and doesn't
focus on the fact that HUMANS are susceptible to phishing, not password
systems. I don't mean to sound rude or upfront. I'm just trying to warn
anyone who may attempt your system that it may fail, easily.

Phishing cannot be solved. It is an ancient art of exploiting social order.
One method for minimizing the effects of phishing is education. Another
would be enforceable punishment for attackers who use this for committing a
crime. Another way is to develop applications which take secure transaction
into consideration.

Actually, the fact that you are proposing a "solution" to this phenomenon
with the implementation of your system is scary to me. It is a very
narrowly-focused view of security. You need to refocus on the basics of
information security, I've outlined some of that above. But the lesson you
should take from this is: social engineering attacks cannot be solved by a
magic bullet. All a phisher would need to do is find the weakest link: an
uninformed user (or administrator).

Again, my apologies for sounding upfront. I just want to show you the
seriousness of making these assumptions. Please feel free to contact me
directly.


--
Christopher Canova, Student
canovac () earthlink net
http://home.earthlink.net/~canovac

-----Original Message-----
From: Michael Silk [mailto:michaels () phg com au]
Sent: Monday, November 22, 2004 7:41 PM
To: webappsec () securityfocus com
Subject: Article - A solution to phishing

Hi,

    Just a quick little article about a login system that, should (i think
:)), prevent phishing attempts on your site.


http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm
l

    Have a look at it and let me know what you think ... and apologies to
anyone if an idea like this is already out there :)

-- Michael