RE: Re[2]: The end of Phishing in sight?

[Blanchard_Michael () emc com]

 Someone please correct me if I'm wrong, but knowing the algorithm won't
help much, unless you can synch up your phoney fob to be identical to what
the bank think's the victim's is.
  You'll also need the PIN, UN and PW... Which I suppose are the easiest
items to get with a keylogger.

  Mike B


Michael P. Blanchard 
Antivirus / Security Engineer, CISSP, GCIH, MCSE, MCP+I 
Office of Information Security & Risk Management 
EMC ² Corporation 
4400 Computer Dr. 
Westboro, MA 01580 
email:  Blanchard_Michael () EMC COM 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Richard M. Smith
Sent: Monday, October 17, 2005 5:05 PM
To: funsec () linuxbox org
Subject: RE: Re[2]: [funsec] The end of Phishing in sight?

It would also be bad if someone knew the algorithm for generating random
numbers from a device, right?

Richard 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Pierre Vandevenne
Sent: Monday, October 17, 2005 4:57 PM
To: Security Lists
Cc: funsec () linuxbox org
Subject: Re[2]: [funsec] The end of Phishing in sight?

Good Day,

Monday, October 17, 2005, 10:38:49 PM, you wrote:

SL>  I believe a SecurID token has a full 3-minute window of opportunity 
SL> (more if you can get the user to enter two subsequent

Correct, there is a window of opportunity - it leads to valid logins some
times being rejected btw. But, in the implementation I am using, signing an
operation (such as a payment to the outside world) leads you to yet another
challenge-response, dependent on the bank account one enters, the amount
paid and the device ID one uses. It is probably not totally impossible to do
a new MITM attack against it, but it raises the barrier a bit more. And
then, the pattern of possibly simultaneous hijacks an automated system
generates should be easier to spot for a bank once it knows or suspects a
phishing operation is occurring. If a phisher gets a non token protected ID,
he can use it whenever he pleases, possibly months after the hack, in a very
subtle way. He'll also have more time to empty the bank account he
transferred the money into.

More barriers, probably not perfect ones, but still - it does help.




--
Best regards,
 Pierre                            mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.