Educause Security Discussion mailing list archives

Re: Implementing a Public Key Infrastructure


From: Eric Brewer <ebrewer () EMAIL SMITH EDU>
Date: Mon, 20 Feb 2006 14:11:38 -0500

Unfortunately, the way they request you to create your phrase doesn't give 
you any idea in advance WHY they are asking.  Otherwise users *might* 
actually choose a non-obvious phrase.  
(Personal experience here -  I thought they were asking for something 
unique that I'd have to remember well enough to type in myself each time.)

-- Eric


Valdis.Kletnieks () VT EDU 2/20/2006 1:43:27 PM >>>
On Mon, 20 Feb 2006 10:01:12 PST, "Cary, Kim" said:

In response to submitting your userid you are shown two tokens on the
resulting password input page:
1) A picture you chose from their set of pictures.
2) A phrase you previously input describing the picture.
They tell you not to put in your password unless you see the picture and
phrase you were expecting.

So, if someone is phish-ing, they have to guess my ID, snarf & load my
tokens into the phishing site in order to properly impersonate the site.

The first part is easily enumerable - all they have to do is set up a
throw-away account once.  It's probably pretty easy to guess likely
phrases - if the picture consists of 2 donkeys and a giraffe, likely guesses
are "giraffe and donkeys", "donkeys and giraffe", "horses and giraffe", and
"giraffe and zebras" (some users are dense and/or weird.. ;)

Then spamming out several *million* copies with different pictures and
phrases, they're likely to get at least *a few* right..  

The only way this actually *protects* against phishing (rather than just making
it a bit harder) is if there is a clear way for customers to report a suspected
phish, and action is taken fast enough to get it closed down before a correct
random combo of picture and phrase lands with a user that falls for it.

Of course, the *next* tactic will be including a "report a phish" link in
the e-mail, which goes to a page that purportedly reports a phish, but in
fact is a phish itself... ;)
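As an added risk model, not code from the thread, the following puts Valdis's enumeration argument and Eric's point about phrase choice into one calculation. Every number in it (picture set size, phrase guess rate, how many users proceed on a mismatch) is a constructed assumption, not a figure from the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    emails_sent: int          # copies of the phishing mail sent out
    picture_set_size: int     # pictures the site offers (the set is visible to any account)
    phrase_guess_rate: float  # fraction of users whose phrase is among the attacker's guesses
    fall_rate_correct: float  # fraction who type a password when picture AND phrase match
    fall_rate_wrong: float    # fraction who type a password although the tokens do not match


def expected_victims(s: Scenario) -> dict:
    """Expected number of compromised users, split by how the forged page looked.

    Each mail carries one picture from the set and one guessed phrase, so a recipient
    sees their own combination with probability phrase_guess_rate / picture_set_size
    (assumption: the attacker holds no per-user data, only the user id).
    """
    p_match = s.phrase_guess_rate / s.picture_set_size
    shown_correct = s.emails_sent * p_match
    shown_wrong = s.emails_sent - shown_correct
    via_correct = shown_correct * s.fall_rate_correct
    via_mismatch = shown_wrong * s.fall_rate_wrong
    return {
        "shown_correct_combo": shown_correct,
        "victims_via_correct_combo": via_correct,
        "victims_ignoring_mismatch": via_mismatch,
        "total": via_correct + via_mismatch,
    }


def protection_factor(base: Scenario, hardened: Scenario) -> float:
    """How many times fewer victims `hardened` yields than `base` (inf if none)."""
    h = expected_victims(hardened)["total"]
    b = expected_victims(base)["total"]
    return float("inf") if h == 0 else b / h


# Constructed numbers: a million mails, 100 pictures, obvious phrases guessed for
# 1 user in 5, 1 in 10 shown the right tokens falls for it, 1 in 100 proceeds anyway.
OBVIOUS = Scenario(1_000_000, 100, 0.20, 0.10, 0.01)
# Eric's point: non-obvious phrases, so guesses hit only 1 user in 100.
NON_OBVIOUS = Scenario(1_000_000, 100, 0.01, 0.10, 0.01)
# Same pairs, but users who never type a password when the tokens do not match.
OBVIOUS_STRICT = Scenario(1_000_000, 100, 0.20, 0.10, 0.00)
NON_OBVIOUS_STRICT = Scenario(1_000_000, 100, 0.01, 0.10, 0.00)

if __name__ == "__main__":
    for name, s in [("obvious", OBVIOUS), ("non-obvious", NON_OBVIOUS)]:
        print(f"{name:12s} expected victims per mailing: {expected_victims(s)['total']:.0f}")
    print(f"gain from non-obvious phrases, lax users:    {protection_factor(OBVIOUS, NON_OBVIOUS):.2f}x")
    print(f"gain from non-obvious phrases, strict users: {protection_factor(OBVIOUS_STRICT, NON_OBVIOUS_STRICT):.2f}x")
```

With these assumptions the mismatch term dominates: better phrases change little unless users actually refuse to log in when the tokens are wrong, which is why the thread's report-and-takedown point carries the real weight.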
