[WEB SECURITY] Phishing attacks circumventing two-factor auth

Nick Owen nowen at wikidsystems.com
Tue Jul 11 11:39:42 EDT 2006


sarah mann wrote:
> Two factor authentication is about improving consumer trust of the web
> so that projected economic growth of the medium can get back on track.
> If this is the objective that it sets out to achieve then it looks like
> it will be successful. It will be the next 'SSL' - the thing that makes
> the web secure!
> 
> If that is where the buy-in comes from - so be it. Our job is to make
> the most of the opportunity and try to protect the end user from being
> sucked in by the 'silver bullet' hype.
> 
> This incident is a timely reminder that you can't throw tech at every
> problem. In many ways it is the tech that helped this scam to succeed -
> If they had followed all the rules and adopted a security approach that
> was clear, consistent and easy to understand, many people probably
> wouldn't have fallen victim to this scam.
> 
> Consumers are starting to understand through our efforts in raising
> awareness that they need to look at the domain name. This attack - with
> its Russian domain address - was no different except that the users
> were under a false sense of security from their high tech two factor
> authentication solution!

Of course, looking at the domain name isn't always enough.
> 
> Point of distribution for tokens is an ideal opportunity to deliver
> honest, straight security advice to end users. I hope that it doesn't
> get wasted.

Agreed. Perhaps an approach like 'help us keep our costs down by
following our security recommendations' would be better than 'look for
the little lock and you're secured'.


> 
> 
> --------------------------------------------------------------------------------
> 
> From: Nick Owen [mailto:nowen at wikidsystems.com]
> Sent: Tue 11/07/2006 00:43
> To: 'Jeremiah Grossman'; 'Web Security'
> Subject: RE: [WEB SECURITY] Phishing attacks circumventing two-factor auth
> 
> 
>> -----Original Message-----
>> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
>> Sent: Monday, July 10, 2006 5:13 PM
>> To: Web Security
>> Subject: [WEB SECURITY] Phishing attacks circumventing two-factor auth
>>
>> Brian Krebs (washingtonpost.com) has a good write up about a
>> recent phishing attack specifically designed to circumvent
>> two-factor authentication. The technique used a fake web page
>> acting as a man-in-the-middle between the user and the real
>> website. A simple hack proving a good point. How can a user
>> defend themselves with any kind of solution if they can't
>> tell whether or not a website is real?
>>
>> Citibank Phish Spoofs 2-Factor Authentication
>> http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
>>
>> "Security experts have long touted the need for financial Web
>> sites to move beyond mere passwords and implement so-called
>> "two-factor authentication" -- the second factor being
>> something the user has in their physical possession like an
>> access card -- as the answer to protecting customers from
>> phishing attacks that use phony e-mails and bogus Web sites
>> to trick users into forking over their personal and financial data."
> 
> I think the 2FA for financial sites "debate" has suffered from a lack of
> definition of the tasks at hand and that thinking in terms of session,
> host/mutual and transaction authentication can provide a more useful
> framework for solving problems such as MITM, session hijackers, etc.
> Unfortunately, there is no easy answer or magic bullet (as usual), but
> clearly there are ways to reduce fraud to acceptable/insurable levels.
> 
> My .02,
> 
> nick
> 
> -- 
> Nick Owen
> WiKID Systems, Inc.
> 404.962.8983 (desk)
> 404.542.9453 (cell)
> http://www.wikidsystems.com
> Open source: http://sourceforge.net/projects/wikid-twofactor/
> 
> 
> ----------------------------------------------------------------------------
> 
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
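The distinction Nick draws above between session authentication and transaction authentication is the crux of why a relaying proxy defeats a login-time OTP. The following is an added example, not code from the thread or from WiKID Systems: a bank-side verifier that accepts a plain HOTP-style code, beside one that accepts a code computed over the payee and amount the user confirms on the token itself. The shared secret, the `Bank` class, the payee names and the amounts are all constructed for the illustration.

```python
"""Session OTP vs. transaction-bound code (added example, constructed data).

A plain one-time password proves only that the user was present when the
code was generated; a proxy sitting between user and bank can forward it
unchanged while altering the request it accompanies. A code computed over
the transaction details is valid only for those exact details, so an
altered request fails verification at the bank.
"""
import hashlib
import hmac
import struct

# Constructed shared secret provisioned to the user's token and the bank.
TOKEN_SECRET = b"constructed-demo-secret-not-real"


def _truncate(digest: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes at an offset taken from the last nibble."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (HOTP, RFC 4226). Bound to a counter and nothing else."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int, digits: int = 6) -> str:
    """Transaction-bound code: payee and amount are mixed into the MAC input.

    The user keys payee and amount into the token, so the details are taken
    from what the user actually sees, not from what the browser submitted.
    """
    msg = struct.pack(">Q", counter) + payee.encode("utf-8") + b"|" + struct.pack(">Q", amount_cents)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


class Bank:
    """Hypothetical bank-side verifier holding the token secret and last accepted counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0  # last counter value accepted

    def authorize_with_session_otp(self, code: str, payee: str, amount_cents: int) -> bool:
        # Only the OTP is checked; payee and amount are taken on trust from the request.
        expected = hotp(self.secret, self.counter + 1)
        if hmac.compare_digest(code, expected):
            self.counter += 1
            return True
        return False

    def authorize_with_transaction_code(self, code: str, payee: str, amount_cents: int) -> bool:
        # The code is recomputed over the transaction as the bank received it.
        expected = transaction_code(self.secret, self.counter + 1, payee, amount_cents)
        if hmac.compare_digest(code, expected):
            self.counter += 1
            return True
        return False


def demo() -> dict:
    """Run both schemes against a request whose details were altered in flight."""
    intended = ("Alice", 5_000)      # what the user sees and approves: 50.00 to Alice
    tampered = ("Mallory", 500_000)  # what the bank actually receives after relaying
    results = {}

    # 1) Session OTP: the relayed code is valid for whatever transaction arrives with it.
    bank = Bank(TOKEN_SECRET)
    code = hotp(TOKEN_SECRET, 1)
    results["session_otp_relay_accepted"] = bank.authorize_with_session_otp(code, *tampered)

    # 2) Transaction-bound code: computed over the details the user confirmed on the token.
    bank = Bank(TOKEN_SECRET)
    code = transaction_code(TOKEN_SECRET, 1, *intended)
    results["transaction_code_relay_accepted"] = bank.authorize_with_transaction_code(code, *tampered)
    # The same code does authorize the transaction the user actually approved.
    results["transaction_code_honest_accepted"] = bank.authorize_with_transaction_code(code, *intended)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The relay succeeds against the first verifier and fails against the second, which is the point of the session/transaction split: the second scheme only helps if the payee and amount fed to the token come from a display the proxy cannot alter (the token's own keypad, a separate channel), since a code computed over attacker-supplied details would simply authorize the attacker's transaction.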
