WebApp Sec mailing list archives
Re: Proposal to anti-phishing
From: Rob Skedgell <rob () nephelococcygia demon co uk>
Date: Sun, 16 Jan 2005 19:33:43 +0000
On Friday 14 Jan 2005 16:05 pm, Rogan Dawes wrote:
Rafael San Miguel wrote:Hi all, I am currently working on a security design that involves an innovative strategy to combat phishing. I have something in mind that seems to work allright. The solution is based in a hardware token that is delivered to every customer. This token includes the true certificate that should be presented by the bank when a customer access his/her account, and a program that checks if the certificate presented by the webpage is consistent with the first one. The program is in read-only memory so that it can't be modified by anything external to it. The customer will not be able to access his/her account if the token is not plugged in, or if the check fails. Note that it is the token who sends credentials, not the client. Also, the token is PIN-protected to prevent unauthorized use. I don't see any obvious disadvantages to this solution. Hope this helps other people researching for anti-phishing techniques. Greetings, Rafael San Miguel CarrascoHow is this any better than using a SSL client certificate? Please take a look at the thread that starts http://seclists.org/lists/webappsec/2004/Oct-Dec/0291.html and especially <http://seclists.org/lists/webappsec/2004/Oct-Dec/0347.html> where I explain why I believe SSL client certificates are really the only practical solution to preventing phishing. In particular, with a client certificate, the user's credentials never leave the computer. There is nothing to type in, so there is nothing to phish. If you are concerned about your users uploading a certificate file to some phisher ("please go to Explorer, Tool/Internet Options/Content/Certificates/ . . . export your SSL cert into a PKCS#12 file, with no passphrase, then paste the location of that file into the following File Upload form" ;-) ), then use a hardware token that does the crypto operations in hardware. I don't see that your solution has ANY benefits over what SSL client certs offer. It sounds like it would be a) non-standard b) platform-specific c) browser-specific d) in need of replacement every year when the site's SSL certificate changes, because it is "read-only" memory. e) not peer-reviewed/scrutinised f) expensive (but perhaps not QUITE as expensive as a crypto token) g) user-unfriendly h) non-intuitive In addition, I'm not sure how you plan to have it run every time the site is visited. Have I missed anything? Regards, Rogan
One thing that occurred to me while discussing phishing and other risks of online banking with friends recently was that perhaps online banking services could use 2 levels of access: - a lower level, with userid and password authentication over SSL (as currently used by the UK banks whose services I have used), allowing enquiries (balance, history), transfers of funds / bill payments only where the authority has been set up previously, and 'harmless' requests like having a statement mailed to the customer's address. No access - not even read-only would be provided for the customer's address etc, nor any more than the names of payment instructions (so you might have 'My VISA a/c', but not be able to see the details like destination account number and reference). This would hopefully let people use internet cafes etc to pay their bills and check balances without their balance ending up in Lagos. - a higher level, additionally requiring both a client-side certificate *and* a valid IP address range from the customer's nominated ISP which would allow new payment instructions to be created and other details viewed/amended. These would of course only raise the bar, and UK banks appear to favour increasing *their* security, not the customer's. The current debate on chip-and-PIN in the UK and the handling of phantom ATM transactions (see http://www.cl.cam.ac.uk/~mkb23/phantom/ ) should give a flavour. Of course, if banks digitally signed their legitimate emails and had done so from the start... -- Rob Skedgell <rob () nephelococcygia demon co uk>
Attachment:
_bin
Description:
Current thread:
- RE: Proposal to anti-phishing, (continued)
- RE: Proposal to anti-phishing Sam Koh (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing WebAppSecurity [Technicalinfo.net] (Jan 15)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 15)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 15)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- Re: Proposal to anti-phishing Moksha Faced (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- Re: Proposal to anti-phishing Rob Skedgell (Jan 19)
- Re: Proposal to anti-phishing Cory Foy (Jan 23)
- Re: Data sanitization approaches in Java Jeff Williams (Jan 16)
- Re: Data sanitization approaches in Java Stephen de Vries (Jan 19)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 24)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 24)