WebApp Sec mailing list archives
RE: Proposal to anti-phishing
From: Sam Koh <kohgimleng () yahoo com>
Date: Sat, 22 Jan 2005 00:41:11 -0800 (PST)
The scheme described by Frank is more of MACing instead of OTP, meaning its uses the unique secret key to perform the MAC (message authentication code) against the field entered by the token holder. Not all tokens is able to do this....at least I know RSA SecureID is not able to do this. So the problem describe by Lyal is still applicable if OTP token (other than those from Vasco) is only use for user authentication. Regards Sam --- Frank Knobbe <frank () knobbe us> wrote:
On Sun, 2005-01-16 at 17:38 +1100, Lyal Collins wrote:To eapnd on this, there is nothing the stop thephisher capturing the entiresession (i.e MITM tunneling), even using a validOTP token to logon, andeven a second OTP token to 'authenticate' atransaciton.With tunneling the entire session, the attackercan easily present the userwith screens saying "transfer $200 to mum" whiletelling the banking site to'transfer $1000 to joe () hacking site.somewhere"Not quite correct. Obviously you haven't used these token schemes. Most transactions that are authenticated/confirmed by tokens do include the values themselves. For example: Src Acct: 123-456 Dst Acct: 333-222 Amount: $1,000,000 AuthCode: (to be entered by user from token) The user receives/enters the values above, enters these into his token which will present a unique value (auth code) tied to his token, but also to the values. That means if a MITM hacker changes an account number or other value, the authentication code would different. Since the attacker does not have access to the users token, he can not generate a correct authentication code, and thus the transaction is invalid. Vasco's tokens are widely used amongst the financial industry (perhaps more so in Europe then the US). Back in the mid-late nineties when I worked with these tokens, they had a nice demo on their website that would explain/test the process. It could be used with their physical demo tokens, or the virtual token online. If you like further info on this process and a demo, see their web page. Maybe the demo is still online. In summary: Tokens don't just authenticate the user or the session, they are also used to authenticate *transactions*, which is exactly how MITM attacks are defeated. An attacker intercepting the transaction can not change values without invalidating the authentication code. Regards, Frank
ATTACHMENT part 2 application/pgp-signature
name=signature.asc __________________________________ Do you Yahoo!? Read only the mail you want - Yahoo! Mail SpamGuard. http://promotions.yahoo.com/new_mail
Current thread:
- Proposal to anti-phishing Rafael San Miguel (Jan 14)
- RE: Proposal to anti-phishing Don Tuer (Jan 14)
- Re: Proposal to anti-phishing Rishi Pande (Jan 15)
- RE: Proposal to anti-phishing RSnake (Jan 15)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- RE: Proposal to anti-phishing Frank Knobbe (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- RE: Proposal to anti-phishing Sam Koh (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Don Tuer (Jan 14)
- RE: Proposal to anti-phishing WebAppSecurity [Technicalinfo.net] (Jan 15)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 15)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- Re: Proposal to anti-phishing Moksha Faced (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)