Request for comments: anti-phishing storefront approach
Doug Ross
2005-06-03 23:37:28 UTC
Given the recent PR regarding Bank of America's SiteKey (which seems
to me to be susceptible to MIM attacks), I'd appreciate any feedback
on this anti-phishing approach:

http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html

--doug
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Dan Margolis
2005-06-04 06:33:30 UTC
Post by Doug Ross
Given the recent PR regarding Bank of America's SiteKey (which seems
to me to be susceptible to MIM attacks), I'd appreciate any feedback
http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html
Your example includes the notion of a CAPTCHA-style warning image that
says "...If any of the three items aren't true or don't look right,
DON'T SIGN IN." Couldn't one just as easily--and just as
falsely--expect customers to obey a warning that says "If you don't see
a valid SSL 'lock' icon in your browser window, DON'T SIGN IN?" Both
cases are essentially identical, only the former requires more work by
me to verify--I have no idea what the last check number I wrote was,
and depending on my ISP, it's likely that I'll appear to be connecting
from some place 300 miles from my current location, yet with verifying
SSL, all I have to do is check to see if a little icon is up in the
window.

As you say Bank of America needs to use SSL on their login page. But if
you're talking about training users--and that's necessary, because
otherwise, phishers can just remove the warning reminder bit from their
fake login pages--you may as well just train them to look for valid SSL
certs.

On a side note, I have to wonder how much of this appears to be magic
to the ordinary user, to the extent that you could make all sorts of
statements in the name of security and the user would buy it. For
instance, a phisher could put a fake Verisign button on his site that,
when clicked, does something different than the real Verisign ones do.
Or, better yet, a box that says "If the above image does not read
'AUTHENTIC,' do not sign in." Users would assume that some sort of
verification were going on. Never mind the mechanism.
--
Dan
Mike N
2005-06-04 20:32:30 UTC
Post by Doug Ross
Given the recent PR regarding Bank of America's SiteKey (which seems
to me to be susceptible to MIM attacks), I'd appreciate any feedback
http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html
Checklist item 2 is susceptible to a wireless Evil Twin attack, since the MIM
is in the same geographic location:
http://www.cnn.com/2005/TECH/internet/01/20/evil.twins/
Depending on the ISP, a particular IP address within a class C netblock
can be assigned anywhere in a 10-city area - possibly leading to false
customer suspicions.

Checklist item 1 is susceptible to type-alikes and font-alike attacks.
It's easy to construct a scenario where a victim of the Evil Twin attack
above types 'www.bankofamerica.com' into their browser and ends up at
https://www.banckofamerica.com . The victim is not likely to notice the
extra 'c'.

Expanding on the previous scenario, the Evil Twin will not be able to get
the secure cookie and display the check number. However, the habitual
'cookie dumper' is used to signing in from an unrecognized PC and would
probably proceed with a challenge-response. All the MIM would need to do
is echo the BofA screens directly and lift the login information.

So we're pretty much back to
1.) Use SSL throughout the site as you suggest.
2.) Train users to recognize the proper site - how to look for and
interpret the padlock information to validate that they're really talking to
their bank.
3.) Bookmark the SSL site to prevent typos from taking them to a secure but
type-alike phisher site.
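The type-alike problem in the post above (a victim typing 'www.bankofamerica.com' and landing on 'www.banckofamerica.com' without noticing the extra 'c') is the kind of thing a browser extension or a proxy can catch mechanically, which is what a bookmark does for the user by hand. The following is an added example, not code from the thread or from Bank of America: it compares the host of a URL the user is about to submit credentials to against a trusted host (assumed to be the bookmarked one) and flags near misses. The confusable table is a constructed subset, and "registrable domain" is simplified to the last two labels; a real deployment would use the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Illustrative subset of glyph/font-alike substitutions used in type-alike
# domains. Constructed for this example; a real list would be much longer.
CONFUSABLES = {
    "rn": "m",   # 'rn' renders like 'm' in many sans-serif fonts
    "vv": "w",
    "0": "o",
    "1": "l",
}


def normalize_host(host: str) -> str:
    """Lowercase, strip trailing dot and port, decode IDNA (xn--) labels
    so punycode lookalikes are compared on their Unicode form, then NFKC."""
    host = host.strip().lower().rstrip(".").split(":", 1)[0]
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or malformed punycode; compare as-is
    return unicodedata.normalize("NFKC", host)


def registrable(host: str) -> str:
    """Simplification (assumption): registrable domain = last two labels."""
    return ".".join(normalize_host(host).split(".")[-2:])


def fold_confusables(s: str) -> str:
    """Map known confusable sequences onto the character they imitate."""
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    one insertion, deletion, substitution or adjacent transposition = 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(url_host: str, trusted_host: str, max_distance: int = 2) -> str:
    """Return 'match', 'lookalike' or 'unrelated' for url_host vs trusted_host."""
    full = normalize_host(url_host)
    actual = registrable(full)
    expected = registrable(trusted_host)
    if actual == expected:
        return "match"
    # Trusted name buried in a subdomain: bankofamerica.com.evil.example
    if expected in full:
        return "lookalike"
    # Font-alike substitutions: bankofarnerica.com, bank0famerica.com
    if fold_confusables(actual) == fold_confusables(expected):
        return "lookalike"
    # Typo-distance: banckofamerica.com is one insertion away
    if osa_distance(actual, expected) <= max_distance:
        return "lookalike"
    return "unrelated"


def check_url(url: str, trusted_host: str) -> str:
    """Classify the host component of a full URL against the trusted host."""
    host = urlsplit(url).hostname
    if host is None:
        return "unrelated"
    return classify(host, trusted_host)


if __name__ == "__main__":
    TRUSTED = "www.bankofamerica.com"  # assumed to be the user's bookmark
    for u in ("https://www.bankofamerica.com/login",
              "https://www.banckofamerica.com/login",
              "https://bankofarnerica.com/",
              "https://bankofamerica.com.evil.example/",
              "https://example.org/"):
        print(f"{check_url(u, TRUSTED):10s} {u}")
```

Note that "lookalike" is the interesting verdict: "unrelated" is just another site, and "match" is the bookmark. A verdict of "lookalike" on a host that also presents a valid certificate is exactly the "secure but type-alike" case the post warns about, since a CA will happily issue for banckofamerica.com to whoever controls it.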
Mike N
2005-06-04 20:34:54 UTC
I can see many users falling for the scenario below - it *sounds* realistic
since they don't understand the underlying mechanism.

Post by Dan Margolis
Or, better yet, a box that says "If the above image does not read
'AUTHENTIC,' do not sign in." Users would assume that some sort of
verification were going on. Never mind the mechanism.