WebApp Sec mailing list archives
RE: Proposal to anti-phishing
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Sun, 16 Jan 2005 17:38:54 +1100
To eapnd on this, there is nothing the stop the phisher capturing the entire session (i.e MITM tunneling), even using a valid OTP token to logon, and even a second OTP token to 'authenticate' a transaciton. With tunneling the entire session, the attacker can easily present the user with screens saying "transfer $200 to mum" while telling the banking site to 'transfer $1000 to joe () hacking site.somewhere" Lyal -----Original Message----- From: RSnake [mailto:rsnake () shocking com] Sent: Saturday, 15 January 2005 3:59 AM To: Don Tuer Cc: 'Rafael San Miguel'; webappsec () securityfocus com; Enrique.Diez () dvc es Subject: RE: Proposal to anti-phishing To expand on this, there is nothing to stop the phisher from saying "Our hardware token system is down, for the time being you need to enter your name, your social security number, bank account number, pin... for your security." This doesn't add much value when you're up against people who are gullible. Also, the obvious technical problem with the solution you proposed is that it requires software. Software can be broken into, and it's also highly unportable. I can't go to my friend's house and log in without installing something, nor can I use it at an airport kiosk or internet cafe, without installing something, opening yourself up to MITM attacks, if you are even allowed to do it, etc... You're on the right track, but we've researched these solutions extensively. For the most part it just isn't worth it, and the consumers aren't in love with it. AOL is in the midst of a token trial, and Credit Suisse has issued tokens for years. They are your basic RSA keyfobs, which don't require software integration. They seem to have some traction there. From a financial standpoint "giving" tokens away isn't fiscally responsible. An account takeover for AOL has got to cost them barely anything, so the capital outlay involved would be ridiculous to send tokens all over the world. That's why they charge. Therefor it's opt-in. This again, breaks your security model. For this to work it would require global federation from a large consortium of banks, hardware vendors, and e-commerce groups. Everyone would have to agree to allow one second factor authentication token to work on multiple sites. Otherwise we'll all end up with 50 tokens in our pockets as more and more things go online. One token works on multiple sites, and is 100% portable. That's the only way this idea will work for a large scale. Visa is doing something interesting with forcing banks in Europe to take on liability if they don't accept smart cards. Smart cards are an alright solution because of their ubiquity. The problem is that readers are sparse, and even the smallest reader I've seen is still about the size of an RSA token, and requires USB or some physical connection to a device, which won't work at airport kiosks, again. Anyway, keep thinking. If you solve the question, I'd be the first in line to order it. :) On Fri, 14 Jan 2005, Don Tuer wrote:
Two phased authentication is good for security but some obvious disadvantages include: - Cost of hardware tokens - Cost of distribution - Cost of managing hardware - Complexity and user training Also will the user need to return their token for replacement if they forget the PIN? Thanks Don -----Original Message----- From: Rafael San Miguel [mailto:smcsoc () yahoo es] Sent: Wednesday, January 12, 2005 4:37 AM To: webappsec () securityfocus com Cc: Enrique.Diez () dvc es Subject: Proposal to anti-phishing Hi all, I am currently working on a security design that involves an innovative strategy to combat phishing. I have something in mind that seems to work allright. The solution is based in a hardware token that is delivered to every customer. This token includes the true certificate that should be presented by the bank when a customer access his/her account, and a program that checks if the certificate presented by the webpage is consistent with the first one. The program is in read-only memory so that it can't be modified by anything external to it. The customer will not be able to access his/her account if the token is not plugged in, or if the check fails. Note that it is the token who sends credentials, not the client. Also, the token is PIN-protected to prevent unauthorized use. I don't see any obvious disadvantages to this solution. Hope this helps other people researching for anti-phishing techniques. Greetings, Rafael San Miguel Carrasco ------------------------------- Rafael San Miguel Carrasco Consultor Técnico rafael.sanmiguel () dvc es + 34 660 856 647 + 34 902 464 546 Davinci Consulting - www.dvc.es Oficina Madrid - Parque empresarial Alvento Via de los Poblados 1 Edificio A 6ª planta 28033 Madrid -------------------------------
-R The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is expressly prohibited and may be unlawful.
Current thread:
- Proposal to anti-phishing Rafael San Miguel (Jan 14)
- RE: Proposal to anti-phishing Don Tuer (Jan 14)
- Re: Proposal to anti-phishing Rishi Pande (Jan 15)
- RE: Proposal to anti-phishing RSnake (Jan 15)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- RE: Proposal to anti-phishing Frank Knobbe (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- RE: Proposal to anti-phishing Sam Koh (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Don Tuer (Jan 14)
- RE: Proposal to anti-phishing WebAppSecurity [Technicalinfo.net] (Jan 15)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 15)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- Re: Proposal to anti-phishing Moksha Faced (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)