Post by Doug RossGiven the recent PR regarding Bank of America's SiteKey (which seems
to me to be susceptible to MIM attacks), I'd appreciate any feedback
http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html
Your example includes the notion of a CAPTCHA-style warning image that
says "...If any of the three items aren't true or don't look right,
DON'T SIGN IN." Couldn't one just as easily--and just as
falsely--expect customers to obey a warning that says "If you don't see
a valid SSL 'lock' icon in your browser window, DON'T SIGN IN?" Both
cases are essentially identical, only the former requires more work by
me to verify--I have no idea what the last check number I wrote was,
and depending on my ISP, it's likely that I'll appear to be connecting
from some place 300 miles from my current location, yet with verifying
SSL, all I have to do is check to see if a little icon is up in the
window.
As you say Bank of America needs to use SSL on their login page. But if
you're talking about training users--and that's necessary, because
otherwise, phishers can just remove the warning reminder bit from their
fake login pages--you may as well just train them to look for valid SSL
certs.
On a side note, I have to wonder how much of this appears to be magic
to the ordinary user, to the extent that you could make all sorts of
statements in the name of security and the user would buy it. For
instance, a phisher could put a fake Verisign button on his site that,
when clicked, does something different than the real Verisign ones do.
Or, better yet, a box that says "If the above image does not read
'AUTHENTIC,' do not sign in." Users would assume that some sort of
verification were going on. Never mind the mechanism.
--
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/