Educause Security Discussion mailing list archives
Re: Implementing a Public Key Infrastructure
From: Eric Brewer <ebrewer () EMAIL SMITH EDU>
Date: Mon, 20 Feb 2006 14:11:38 -0500
Unfortunately, the way they request you to create your phrase doesn't give you any idea in advance WHY they are asking. Otherwise users *might* actually choose a non-obvious phrase. (Personal experience here - I thought they were asking for something unique that I'd have to remember well enough to type in myself each time.) -- Eric
>>> Valdis.Kletnieks () VT EDU 2/20/2006 1:43:27 PM >>>
> On Mon, 20 Feb 2006 10:01:12 PST, "Cary, Kim" said:
> > In response to submitting your userid you are shown two tokens on the resulting password input page: 1) A picture you chose from their set of pictures. 2) A phrase you previously input describing the picture. They tell you not to put in your password unless you see the picture and phrase you were expecting. So, if someone is phishing, they have to guess my ID, snarf & load my tokens into the phishing site in order to properly impersonate the site.
> The first part is easily enumerable - all they have to do is set up a throw-away account once. It's probably pretty easy to guess likely phrases - if the picture consists of 2 donkeys and a giraffe, likely guesses are "giraffe and donkeys", "donkeys and giraffe", "horses and giraffe", and "giraffe and zebras" (some users are dense and/or weird.. ;) Then spamming out several *million* copies with different pictures and phrases, they're likely to get at least *a few* right.. The only way this actually *protects* against phishing (rather than just making it a bit harder) is if there is a clear way for customers to report a suspected phish, and action is taken fast enough to get it closed down before a correct random combo of picture and phrase lands with a user that falls for it. Of course, the *next* tactic will be including a "report a phish" link in the e-mail, which goes to a page that purportedly reports a phish, but in fact is a phish itself... ;)