funsec mailing list archives
RE: Re[2]: The end of Phishing in sight?
From: Blanchard_Michael () emc com
Date: Mon, 17 Oct 2005 17:17:27 -0400
Someone please correct me if I'm wrong, but knowing the algorithm won't help much, unless you can synch up your phoney fob to be identical to what the bank thinks the victim's is. You'll also need the PIN, UN and PW... Which I suppose are the easiest items to get with a keylogger.

Mike B

Michael P. Blanchard
Antivirus / Security Engineer, CISSP, GCIH, MCSE, MCP+I
Office of Information Security & Risk Management
EMC ² Corporation
4400 Computer Dr.
Westboro, MA 01580
email: Blanchard_Michael () EMC COM

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Monday, October 17, 2005 5:05 PM
To: funsec () linuxbox org
Subject: RE: Re[2]: [funsec] The end of Phishing in sight?

It would also be bad if someone knew the algorithm for generating random numbers from a device, right?

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Pierre Vandevenne
Sent: Monday, October 17, 2005 4:57 PM
To: Security Lists
Cc: funsec () linuxbox org
Subject: Re[2]: [funsec] The end of Phishing in sight?

Good Day,

Monday, October 17, 2005, 10:38:49 PM, you wrote:

SL> I believe a SecurID token has a full 3-minute window of opportunity
SL> (more if you can get the user to enter two subsequent

Correct, there is a window of opportunity - it leads to valid logins sometimes being rejected btw.

But, in the implementation I am using, signing an operation (such as a payment to the outside world) leads you to yet another challenge-response, dependent on the bank account one enters, the amount paid and the device ID one uses. It is probably not totally impossible to do a new MITM attack against it, but it raises the barrier a bit more.

And then, the pattern of possibly simultaneous hijacks an automated system generates should be easier to spot for a bank once it knows or suspects a phishing operation is occurring.
If a phisher gets a non-token-protected ID, he can use it whenever he pleases, possibly months after the hack, in a very subtle way. He'll also have more time to empty the bank account he transferred the money into.

More barriers, probably not perfect ones, but still - it does help.

--
Best regards,
Pierre
mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
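As an added worked example (my own code, not from this thread, from RSA SecurID or from any bank's system; the seed, device ID, account numbers and timestamps are constructed, and the HMAC-based scheme is a simplification rather than any real token's algorithm), this shows both points made above: a login code depends only on the shared seed and the time step, so the algorithm alone is worthless without a seed synchronised to the bank's copy, and a transaction signature bound to device ID, destination account and amount stops verifying as soon as a relay changes any of those fields or replays it outside the acceptance window.

```python
# Added example, not from the thread. Constructed seed and a simplified
# HMAC-based scheme (assumption: real tokens use their own algorithms).
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-seed-for-demo"  # constructed; known only to bank and token
STEP = 60      # seconds per time step
WINDOW = 1     # accept +/-1 step, i.e. roughly the 3-minute window discussed above


def _truncate(mac: bytes, digits: int) -> str:
    """Reduce a MAC to a short decimal code a user can type."""
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


def login_code(secret: bytes, t_step: int) -> str:
    """Time-based login code: depends only on the seed and the time step."""
    return _truncate(hmac.new(secret, struct.pack(">Q", t_step), hashlib.sha256).digest(), 6)


def verify_login(secret: bytes, code: str, now: int) -> bool:
    """Bank side: accept the code for the current step or one step either side."""
    t = now // STEP
    return any(hmac.compare_digest(login_code(secret, t + d), code)
               for d in range(-WINDOW, WINDOW + 1))


def sign_transaction(secret: bytes, device_id: str, account: str, amount_cents: int, t_step: int) -> str:
    """Transaction signature bound to device ID, destination account, amount and time."""
    msg = f"{device_id}|{account}|{amount_cents}|{t_step}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), 8)


def verify_transaction(secret: bytes, device_id: str, account: str, amount_cents: int,
                       code: str, now: int) -> bool:
    """Bank side: recompute the signature over the fields it actually received."""
    t = now // STEP
    return any(hmac.compare_digest(sign_transaction(secret, device_id, account, amount_cents, t + d), code)
               for d in range(-WINDOW, WINDOW + 1))


def relay_scenario(now: int = 1_129_583_100) -> dict:
    """Victim signs a payment; a relay forwards it with fields altered or much later."""
    code = sign_transaction(SECRET, "dev-42", "BE00 1234 5678", 10_000, now // STEP)
    return {
        "genuine": verify_transaction(SECRET, "dev-42", "BE00 1234 5678", 10_000, code, now),
        "account_swapped": verify_transaction(SECRET, "dev-42", "XX99 0000 0001", 10_000, code, now),
        "amount_changed": verify_transaction(SECRET, "dev-42", "BE00 1234 5678", 99_999, code, now),
        "replayed_later": verify_transaction(SECRET, "dev-42", "BE00 1234 5678", 10_000, code, now + 10 * STEP),
    }
```

Only the genuine submission verifies; the bank's own recomputation over the received fields is what makes a swapped account or amount fail, which is also why a valid login code from one step too early is still accepted while one three steps old is not.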