RE: Discovering and Stopping Phishing/Scam Attacks

From: Michael J. Pomraning (mjp-incidents-mlsecurepipe.com)
Date: Thu Apr 28 2005 - 11:37:13 CDT


On Thu, 28 Apr 2005, Alex wrote:

> Under your scheme, Phishers would only need to spoof an "unblock" email to
> the user.
>
> How many users are actually going to invent a NEW password and a NEW 3rd
> item? They are just going to re-enter their current ones and give these to
> the Phisher.
>
> Most people don't even bother making unique passwords for each service.
>
> It's still not clear what the utility of the 3rd field is -- seems
> equivalent to a longer password.

Nuno is proposing that the 3rd item authenticate the website to the
end-user, not the other way around. As you and Randy point out, however,
other parts of the system could be attacked. The spoofed login page could
simply claim that the login site had undergone a dramatic overhaul --
never mind, please log in anyway!

Moreover, in the original proposal, IIUC, the phishing site could simply use
the inputted username to itself proxy the user-defined token back to the
phished victim, simulating a real login. (Additionally, an attacker could
enumerate end-users' "secret questions to themselves" simply by knowing or
guessing their usernames.)

> I think a better way to stop phishing is simple education. People are used
> to verifying physical ID (i.e. Driver's license) for many types of
> transactions (bank, apartment lease, etc). They need to get used to
> verifying SSL certificates for login webpages.

Between browser bugs (like visual spoofing), CA fallibility, and the
unsettling practices of many online institutions ("You'll momentarily be
directed to ssl-blah.your-institution.3rdparty.com for secure login!"), I
personally have little hope for this as a solution. Site-to-user
authentication is still an intriguing area, however.

-Mike
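The two attacks Mike describes against a user-chosen site-to-user token (relaying the username to the real site to fetch the victim's phrase, and using the same endpoint to enumerate usernames) are modelled below as an added example. This is not code from the thread or from Nuno's proposal; the bank, the users, the phrase and the device-cookie variant are all constructed for illustration.

```python
"""Toy model of a user-chosen site-to-user token and the username-relay attack.

Constructed example. `Bank`, `Phisher`, the account "alice" and the phrase
"purple giraffe" are hypothetical; nothing here talks to a real site.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Bank:
    # username -> (password, phrase the site shows the user BEFORE asking for
    # the password, so the user can recognise the genuine site)
    accounts: dict = field(default_factory=dict)
    # device cookie -> username, used only by the hardened variant
    devices: dict = field(default_factory=dict)

    def enroll(self, user, password, phrase):
        self.accounts[user] = (password, phrase)

    def site_token_v1(self, user):
        """Scheme as Mike reads it: whoever supplies a username gets the phrase.
        The None/phrase distinction also tells a caller whether the user exists."""
        if user not in self.accounts:
            return None
        return self.accounts[user][1]

    def register_device(self, user):
        """Hardened variant: issue a cookie to the user's browser once."""
        cookie = secrets.token_hex(16)
        self.devices[cookie] = user
        return cookie

    def site_token_v2(self, user, cookie):
        """Release the phrase only to a browser that presents a device cookie
        previously issued for that username."""
        if self.devices.get(cookie) != user:
            return None
        return self.accounts[user][1]


class Phisher:
    def __init__(self, real_bank):
        self.real = real_bank
        self.harvested = []

    def fake_login_v1(self, victim_user):
        # Relay the username the victim typed to the genuine site and echo the
        # phrase back, so the spoofed page looks authentic.
        return self.real.site_token_v1(victim_user)

    def fake_login_v2(self, victim_user):
        # The phisher's server never received the victim's device cookie, so
        # the genuine site refuses to hand over the phrase.
        return self.real.site_token_v2(victim_user, cookie="")

    def capture(self, user, password):
        self.harvested.append((user, password))


def victim_logs_in(phisher, page, user, password, expected_phrase):
    """A diligent victim: continue only if the displayed phrase is the one
    they chose. Returns True if credentials were handed to the phisher."""
    if page(user) != expected_phrase:
        return False
    phisher.capture(user, password)
    return True


def enumerate_users(bank, candidates):
    """Side effect of the v1 endpoint: real usernames answer with a phrase."""
    return [u for u in candidates if bank.site_token_v1(u) is not None]


def demo():
    bank = Bank()
    bank.enroll("alice", "hunter2", "purple giraffe")
    bank.register_device("alice")  # alice's own browser holds the cookie
    phisher = Phisher(bank)
    relay_works = victim_logs_in(
        phisher, phisher.fake_login_v1, "alice", "hunter2", "purple giraffe")
    relay_blocked = victim_logs_in(
        phisher, phisher.fake_login_v2, "alice", "hunter2", "purple giraffe")
    found = enumerate_users(bank, ["alice", "bob", "carol"])
    return relay_works, relay_blocked, found, phisher.harvested


if __name__ == "__main__":
    print(demo())
```

Binding the phrase to a registered device closes only the username-only relay modelled here; it does nothing against the "site redesigned, please log in anyway" page Mike mentions, and a careless user who does not check the phrase defeats both variants.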
