WebApp Sec mailing list archives
RE: Article - A solution to phishing
From: "Christopher Canova" <canovac () earthlink net>
Date: Thu, 9 Dec 2004 20:13:00 -0800
http://www.snpx.com/cgi-bin/news5.cgi?target=www.newsnow.co.uk/cgi/NGoto/786 26317?-2622 Like I said... Tough legislation and pro-active prosecution will end phishing scams, not simply using a new anti-phishing scheme. -----Original Message----- From: Michael Silk [mailto:michaelsilk () gmail com] Sent: Friday, November 26, 2004 3:23 AM To: canovac () earthlink net; webappsec () securityfocus com Subject: RE: Article - A solution to phishing Hi Christopher, Thanks for your feedback, let me address it. First let me say that many people have raised the issue (privately) of unecrypted emails not being good enough - and they have a point. So from now onwards let us assume that public key/private key exchange system is used to communicate the emails such that: The user either provides their own public key to the site ("Test-Bank") or is given one upon registration. Hence, emails between Test-Bank and Jones are encrypted and cannot be decrypted until Jones either: a) Types in pass-phrase _TO THE EMAIL CLIENT_. b) Connects USB device holding private key to computer. c) Something else you can dream up involving smart-cards. The point is that the email is encrypted and can only be decrypted until such time as Jones and his password holding device (possibly his head) are at the computer. Let's now address your points. > * The password timeout is too short. Consider > that the default check frequency for most mail > programs is 30 minutes. Of course, this could be > fixed by making a longer timeout. Timeout isn't required anymore (or at least isn't required to be short - can be 1 day or more) because email interception has become useless. > * "A little bit of education" is exactly what > we need. If we had a "little bit of education" > to go around, then we would all be savvy users. > You're assuming that a normal user would be > interested in learning this method... It is a simple method for them to adopt as opposed to reading warnings from Internet Explorer and being allowed to continue anyway ... or looking for a padlock, or looking at the address bar. In this case they have no choice but to accept the system, they cannot - without great and thought-out effort - pass the password to someone else before they use it. > * Consider that the average time for a user to > become disinterested in the website they are > visiting is measured in seconds or minutes. If > this system was implemented in a site that provided > online merchandise, this lag would be unacceptable > for most, if not all, merchandisers. If the users > are waiting around for an email, the chances are > dramatically increased that they will move to a > different site that doesn't have this method > implemented. The solution isn't appropriate for every site out there. A merchandiser wasn't my target. But you are correct, it is more bulky then a common login screen. > * It is not secure. The email would need to be > encrypted. The encryption requires another password. > All the phisher would have to do is pose as someone > requiring the password for the encrypted email as > opposed to the password for the website. Of course, > this could cause the user to become > more suspicious. The email is encrypted now. The phisher would not have the possibility to ask for the password as the user does not enter the password onto any website when they use it. It is used fully within their email client, or, ideally - it is used without them even being really aware, via usb or palm pilot or, as Pete Simpson mention [1] mobile phone. > * Easier methods for one-time passwords are already > being used, and have been for some time. For example, > I remember at my work that we had this program which > would generate 5 random words for every login we attempt. > The program would accept a secret passphrase that only > the user knew and would only be installed on the > local system of the user. It would generate the five > words and the server would accept that passphrase only > once. Once the session is ended, that passphrase is no > longer available. This effectively eliminates the > requirement for waiting for an email. I don't quite understand this description. Are you saying the user has a passphrase which they enter into a program installed on their local system which would then generate 5 "random" words ? It sounds a little different to the common web login scenario. Can you explain more ? Could the user be tricked into typing his/her password somewhere other then the secure site ? It sounds like it - unless the program installed on the client computer performs the login function. If it does, then it sounds almost identical to my system except that instead of requiring a tool installed on the clients computer we make use of their email system. How does your communicate to the server to get the 5 random words ? Or are the words generated on the basis of some algorithm which the server decodes to realise that it is a certain user ? > * However, even if you did implement a one time > password policy, so what? Phishing is a social attack. > It's not a passphrase attack. Well actually it is. All phishing attemts I've seen, lately, try and grab your password. Perhaps there are others that try and grab other information but that is not to say that password-gathering "fake" websites don't exist - they do, and they are an issue. This system attempts to address that. > Phishing doesn't > only gather passphrases, it can gather social security > numbers, credit card information, birth dates, etc. You're > not fixing anything by implementing a new, less effective > method for password generation. We're fixing the fact that the user now has no, greatly useful, information to give away to the phisher - hence the phisher has nothing to phish for. No phish. > So you are assuming LOTS of things in your blog, and the > worst assumption you make is that your system will work. > It's got lots of holes and doesn't focus on the fact that > HUMANS are susceptible to phishing, Actually it does. Like I mentioned ahove the goal of the article was to take away from the user any information they could provide to the phisher (accidently). And we have done that. > Actually, the fact that you are proposing a "solution" > to this phenomenon with the implementation of your system > is scary to me. It is a very narrowly-focused view of security. I don't see how I am being narrowly focused. > You need to refocus on the basics of > information security, I've outlined some of that above. > But the lesson you should take from this is: social > engineering attacks cannot be solved by a magic bullet. Quite frankly I think if we can take away the sensitive information that a user can give to a phisher phishing has been solved. Of course, in practical terms the user is going to need to know something the phisher doesn't and hence has the ability to give this information away. But if we reduce/remove the information _inside the phishers domain (i.e: the web)_ then they can't get at it. For example: It is far less likely for me to type my NT password into a website then it is for me to type my Hotmail password into one. > All a phisher would need to do is find the weakest link: an > uninformed user (or administrator). Well sure, but why not remove as many weak links as we can ? It can only help. > Again, my apologies for sounding upfront. No need to apologise, just don't be upset if you get the same back :) -- Michael PS: I realised maybe the title is suggesting something along the lines of: "You will be 100% secure if you use this!!!". I, of course, don't mean to imply this - sorry if it came across that way. [1] http://www.clearswift.com/library/blogs/entry.aspx?ID=39 -----Original Message----- From: Christopher Canova [mailto:canovac () earthlink net] Sent: Fri 26/11/2004 7:35 PM To: Michael Silk; webappsec () securityfocus com Cc: Subject: RE: Article - A solution to phishing This is an interesting read, but, yes, it has already been thought about. A few problems with your method: * The password timeout is too short. Consider that the default check frequency for most mail programs is 30 minutes. Of course, this could be fixed by making a longer timeout. * "A little bit of education" is exactly what we need. If we had a "little bit of education" to go around, then we would all be savvy users. You're assuming that a normal user would be interested in learning this method... * Consider that the average time for a user to become disinterested in the website they are visiting is measured in seconds or minutes. If this system was implemented in a site that provided online merchandise, this lag would be unacceptable for most, if not all, merchandisers. If the users are waiting around for an email, the chances are dramatically increased that they will move to a different site that doesn't have this method implemented. * It is not secure. The email would need to be encrypted. The encryption requires another password. All the phisher would have to do is pose as someone requiring the password for the encrypted email as opposed to the password for the website. Of course, this could cause the user to become more suspicious. * Easier methods for one-time passwords are already being used, and have been for some time. For example, I remember at my work that we had this program which would generate 5 random words for every login we attempt. The program would accept a secret passphrase that only the user knew and would only be installed on the local system of the user. It would generate the five words and the server would accept that passphrase only once. Once the session is ended, that passphrase is no longer available. This effectively eliminates the requirement for waiting for an email. * However, even if you did implement a one time password policy, so what? Phishing is a social attack. It's not a passphrase attack. Phishing doesn't only gather passphrases, it can gather social security numbers, credit card information, birth dates, etc. You're not fixing anything by implementing a new, less effective method for password generation. So you are assuming LOTS of things in your blog, and the worst assumption you make is that your system will work. It's got lots of holes and doesn't focus on the fact that HUMANS are susceptible to phishing, not password systems. I don't mean to sound rude or upfront. I'm just trying to warn anyone who may attempt your system that it may fail, easily. Phishing cannot be solved. It is an ancient art of exploiting social order. One method for minimizing the effects of phishing is education. Another would be enforceable punishment for attackers who use this for committing a crime. Another way is to develop applications which take secure transaction into consideration. Actually, the fact that you are proposing a "solution" to this phenomenon with the implementation of your system is scary to me. It is a very narrowly-focused view of security. You need to refocus on the basics of information security, I've outlined some of that above. But the lesson you should take from this is: social engineering attacks cannot be solved by a magic bullet. All a phisher would need to do is find the weakest link: an uninformed user (or administrator). Again, my apologies for sounding upfront. I just want to show you the seriousness of making these assumptions. Please feel free to contact me directly. -- Christopher Canova, Student canovac () earthlink net http://home.earthlink.net/~canovac -----Original Message----- From: Michael Silk [mailto:michaels () phg com au] Sent: Monday, November 22, 2004 7:41 PM To: webappsec () securityfocus com Subject: Article - A solution to phishing Hi, Just a quick little article about a login system that, should (i think :)), prevent phishing attempts on your site. http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm l Have a look at it and let me know what you think ... and apologies to anyone if an idea like this is already out there :) -- Michael
Current thread:
- Re: Article - A solution to phishing, (continued)
- Re: Article - A solution to phishing Rogan Dawes (Nov 30)
- Re: Article - A solution to phishing Adam Shostack (Dec 01)
- Re: Article - A solution to phishing Rogan Dawes (Dec 03)
- Message not available
- Re: Article - A solution to phishing Michael Silk (Dec 14)
- Re: Article - A solution to phishing Adam Tuliper (Dec 15)
- Re: Article - A solution to phishing Ian (Dec 16)
- Re: Article - A solution to phishing exon (Dec 20)
- Re: Article - A solution to phishing Joseph Miller (Dec 20)
- Re: Article - A solution to phishing exon (Dec 22)
- Re: Article - A solution to phishing Rogan Dawes (Dec 22)
- RE: Article - A solution to phishing Mark Curphey (Nov 29)
- RE: Article - A solution to phishing focus (Nov 29)
- Re: Article - A solution to phishing Tran Viet Phuong (Nov 29)
- Re: Article - A solution to phishing Saqib . N . Ali (Nov 29)
- Re: Article - A solution to phishing Mark Burnett (Nov 29)
- RE: Article - A solution to phishing WebAppSecurity [Technicalinfo.net] (Nov 29)
- RE: Article - A solution to phishing WebAppSecurity [Technicalinfo.net] (Nov 29)