WebApp Sec mailing list archives

RE: Re: Article - A solution to phishing


From: Simon Zuckerbraun <szucker () sst-pr-1 com>
Date: Thu, 14 Jul 2005 11:12:39 -0500

I'd be really cautious about this one (ACUTrust). Two devastating attacks occur to me right off the top of my head, and that's not a good sign.

DISCLAIMER: Do not take this email as a statement of fact!! I have NOT experimented with ACUTrust and I have NO evidence to back up any claims that I make here. All I'm doing in this email is raising some concerns that occur to me after reading the content on the ACUTrust website.

First, refer to their whitepaper for details of what ACUTrust does: http://www.isblanket.com/cinfo/handouts/acutrust-whitepaper.pdf

Attacks as follows:

1. After the encrypted token is downloaded to the client's machine, it can be subjected to an offline dictionary attack against the user's passphrase. Only the correct passphrase will decrypt the token into a recognizable (low-entropy) image, so it is thereby possible for the cleartext to be recognized by automated process. (Granted, automatic recognition of the characters within the image may be harder, but it's not at all necessary for the attack.) An attacker would be able to determine a large percentage of users' passphrases in this way, starting with only knowledge of the usernames, and there does not seem to be any way for the server to defend itself or detect that an attack is underway.

2. The product doesn't seem that it can deliver the benefit it promises. The benefit of ACUTrust that the whitepaper cites is that it gives the end user a way to authenticate the website before he divulges his password. However, in practice, the user does not receive any indication of the website's authenticity until the user has already finished typing his password! A fraudulent website could simply be programmed to capture the characters that the user types in the password box. By the time the user realizes that the website is fraudulent (because he doesn't see the proper decrypted image), all the damage has already been done.

Plus, I wonder how they plan to guard against MITM (i.e., the fraudulent website, wishing to convince the user that it is genuine, could obtain a proper encrypted token by submitting the user's username to the genuine site. The fraudulent site could then serve up the token itself.) Any warning to the user that the token is not coming from the proper site would have to be delivered by client-side script/applet, and a fraudulent site would just have its own script/applet that bypassed the check.

Conclusions:
1. I doubt that ACUTrust can deliver what it promises.
2. Read my disclaimer above.

Simon


I have found a product that looks better than passmark.

It is called ACUTrust (www.acutrust.com) and it uses a visualized
token to authenticate the website.  It does not use cookies and does
not require any client based software.  I also think that this would
help a non technical person identify the site.
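The following is an added illustration of the first attack Simon raises (offline dictionary guessing against a passphrase-encrypted token whose plaintext is a recognizable, low-entropy image). It is not ACUTrust's code or format, and the whitepaper's actual construction is not reproduced here: the cipher (a SHA-256 counter-mode keystream under a PBKDF2-derived key), the 16x16 monochrome bitmap, the salt and the word list are all assumptions made so the example runs offline. The point it demonstrates is general: once the ciphertext is in the attacker's hands, any scheme in which the correct passphrase alone turns the token into structured data can be brute-forced with no further contact with the server.

```python
"""
Model of an offline dictionary attack on a passphrase-encrypted "visual
token".  Added example; the cipher, KDF, image format and word list are
all constructed assumptions, not the product's real design.
"""
import hashlib
import math
import random
from collections import Counter
from typing import Iterable, Optional

TOKEN_LEN = 256  # assumed: 16x16 bitmap, one byte per pixel (0x00 or 0xFF)


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Assumed KDF.  Any passphrase-only key derivation is exposed to the
    # same offline guessing; a slower KDF only raises the cost per guess.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 1000)


def keystream(key: bytes, n: int) -> bytes:
    # Toy counter-mode keystream: SHA-256(key || counter), concatenated.
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt_token(image: bytes, passphrase: str, salt: bytes) -> bytes:
    ks = keystream(derive_key(passphrase, salt), len(image))
    return bytes(a ^ b for a, b in zip(image, ks))


decrypt_token = encrypt_token  # XOR stream cipher: same operation both ways


def make_image(seed: int) -> bytes:
    """Constructed stand-in for the user's secret picture: a black
    background with a few solid white 4x4 blocks, i.e. only two byte
    values ever occur, so the plaintext has very low entropy."""
    rnd = random.Random(seed)
    img = bytearray(TOKEN_LEN)
    for _ in range(6):
        x, y = rnd.randrange(12), rnd.randrange(12)
        for dy in range(4):
            for dx in range(4):
                img[(y + dy) * 16 + x + dx] = 0xFF
    return bytes(img)


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the byte-value histogram."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_image(plaintext: bytes) -> bool:
    # Correct passphrase: plaintext is the two-valued bitmap (entropy <= 1).
    # Wrong passphrase: plaintext is the bitmap XORed with the difference of
    # two pseudorandom keystreams, which looks like ~8 bits/byte noise.
    # The 2.0 threshold is an assumption for this toy format; no OCR or
    # human inspection is needed to tell the two cases apart.
    return byte_entropy(plaintext) < 2.0


def dictionary_attack(token: bytes, salt: bytes,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Try every candidate passphrase offline against one downloaded token.
    The server sees only the single legitimate-looking token download that
    happened beforehand, so it has nothing to rate-limit or alert on."""
    for guess in wordlist:
        if looks_like_image(decrypt_token(token, guess, salt)):
            return guess
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"          # assumed public, per-user value
    token = encrypt_token(make_image(7), "correct horse", salt)
    # Constructed word list standing in for a real password dictionary.
    candidates = ["password", "letmein", "qwerty", "correct horse", "dragon"]
    print("recovered passphrase:", dictionary_attack(token, salt, candidates))
```

The recognizer only needs the decrypted bytes to be distinguishable from noise, which is why the attack works without character recognition: a bitmap, a small palette or a compressed-image header all give a cheap, automatable oracle for "this guess was right".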

