[WEB SECURITY] Phishing attacks circumventing two-factor auth

dpw dainw at fsr.com
Mon Jul 10 17:49:57 EDT 2006


For any mission critical applications, lately I have been using a
server-side generated "magic hash" key that I generate when the form is
loaded, and which gets posted along with my forms. 

When the application requests posted information from the form I compare the
key I get with another generated key and authenticate that the form that
posted back to the application is part of the application, and approved to
post. For real sensitive apps, I introduce a time-specific factor into the
form's key, so that it must be posted within 5 minutes of loading or the key
is no longer valid. 

This is just stupid simple to do, and I can't imagine these folks not having
something way more advanced in place for their application...

Dain White
 
Senior Developer / Webmaster
First Step Internet - www.fsr.com
208-882-8869 ext. 440
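The scheme described in the message above, written out as an added example (this is not Dain White's code and not First Step Internet's implementation; the function names, the `session_id|form_id|issued|nonce` layout, the module-level secret and the 300-second window are assumptions chosen here). A server-side secret keys an HMAC over the session, the form name, the issue time and a nonce; the token travels in a hidden field and is recomputed and compared in constant time when the form posts back. A token forged without the secret, moved to another session or form, or older than five minutes is rejected. Note what this does and does not cover: it stops a form that did not originate from the application from posting, but a proxying phishing site that fetches the real form and relays it to the victim obtains a valid token along with everything else.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment secret that never leaves the server.
# A real app would load this from a key store, not generate it at import.
SERVER_SECRET = secrets.token_bytes(32)

# Five-minute validity window, as in the post.
TOKEN_TTL_SECONDS = 300


def _mac(secret, session_id, form_id, issued, nonce):
    """HMAC-SHA256 over every field the token is bound to."""
    msg = f"{session_id}|{form_id}|{issued}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id, form_id, now=None,
                     secret=SERVER_SECRET):
    """Generate the hidden-field value when the form is rendered.

    `now` is injectable so the time check can be exercised offline;
    production callers leave it at None.
    """
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)          # keeps two tokens for the same
                                          # second distinguishable
    mac = _mac(secret, session_id, form_id, issued, nonce)
    return f"{issued}.{nonce}.{mac}"


def verify_form_token(token, session_id, form_id, now=None,
                      secret=SERVER_SECRET, ttl=TOKEN_TTL_SECONDS):
    """Return True only if the posted token was issued by this server,
    for this session and form, and is still inside the time window."""
    try:
        issued_str, nonce, mac = token.split(".")
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False                      # malformed or missing token

    current = int(time.time() if now is None else now)
    # Reject tokens from the future (clock games) and stale ones.
    if current < issued or current - issued > ttl:
        return False

    expected = _mac(secret, session_id, form_id, issued, nonce)
    # Constant-time comparison: a plain == would leak how many leading
    # bytes of the MAC an attacker has guessed correctly.
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    # Constructed walk-through: render at t=1000, post back at t=1200.
    tok = issue_form_token("sess-A", "transfer", now=1000)
    print("hidden field value:", tok)
    print("valid at +200s    :", verify_form_token(tok, "sess-A", "transfer", now=1200))
    print("valid at +301s    :", verify_form_token(tok, "sess-A", "transfer", now=1301))
    print("other session     :", verify_form_token(tok, "sess-B", "transfer", now=1200))
```

The token carries its own issue time in the clear; that is fine because the HMAC covers it, so an attacker cannot push the timestamp forward to extend the window without invalidating the MAC. The scheme as described in the post is time-bound only; if a single-use guarantee is wanted within the window, the server would additionally record consumed nonces per session, which is an extension not taken here.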
 


-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
Sent: Monday, July 10, 2006 2:13 PM
To: Web Security
Subject: [WEB SECURITY] Phishing attacks circumventing two-factor auth


Brian Krebs (washingtonpost.com) has a good write up about a recent
phishing attack specifically designed to circumvent two-factor
authentication. The technique used a fake web page acting as a
man-in-the-middle between the user and the real website. A simple hack
proving a good point. How can a user defend themselves with any kind
of solution if they can't tell whether or not a website is real?

Citibank Phish Spoofs 2-Factor Authentication
http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html

"Security experts have long touted the need for financial Web sites  
to move beyond mere passwords and implement so-called "two-factor  
authentication" -- the second factor being something the user has in  
their physical possession like an access card -- as the answer to  
protecting customers from phishing attacks that use phony e-mails and  
bogus Web sites to trick users into forking over their personal and  
financial data."



----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

