funsec mailing list archives

RE: Re[2]: The end of Phishing in sight?


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 17 Oct 2005 17:04:49 -0400

It would also be bad if someone knew the algorithm for generating random
numbers from a device, right?

Richard 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Pierre Vandevenne
Sent: Monday, October 17, 2005 4:57 PM
To: Security Lists
Cc: funsec () linuxbox org
Subject: Re[2]: [funsec] The end of Phishing in sight?

Good Day,

Monday, October 17, 2005, 10:38:49 PM, you wrote:

SL>  I believe a SecurID token has a full 3-minute window of opportunity 
SL> (more if you can get the user to enter two subsequent

Correct, there is a window of opportunity - it leads to valid logins sometimes
being rejected btw. But, in the implementation I am using, signing an
operation (such as a payment to the outside world) leads you to yet another
challenge-response, dependent on the bank account one enters, the amount
paid and the device ID one uses. It is probably not totally impossible to do
a new MITM attack against it, but it raises the barrier a bit more. And
then, the pattern of possibly simultaneous hijacks an automated system
generates should be easier to spot for a bank once it knows or suspects a
phishing operation is occurring. If a phisher gets a non-token-protected ID,
he can use it whenever he pleases, possibly months after the hack, in a very
subtle way. He'll also have more time to empty the bank account he
transferred the money into.

More barriers, probably not perfect ones, but still - it does help.
--
Best regards,
 Pierre                            mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
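The transaction-bound challenge-response Pierre describes above (a signature that depends on the destination account, the amount and the device ID, accepted within a time window) can be sketched on the verifying side. The following is an added illustration written for this archive page, not code from either poster or from any bank's product; the HMAC construction, the 60-second step, the one-step acceptance window, the device secret and the sample events are all assumptions chosen for the example. It also shows the "window of opportunity" the thread discusses and, as a defender-side complement, a minimal check for the burst of failed signatures that an automated relay attack would tend to produce.

```python
import hashlib
import hmac
import struct

TIME_STEP_SECONDS = 60     # assumed token time step for this example
ACCEPT_WINDOW_STEPS = 1    # accept one step either side: this is the "window of opportunity",
                           # and also why a slow-to-type but valid code can still be rejected

# Constructed device secret for the example; a real token keeps it in tamper-resistant hardware.
DEVICE_SECRET = bytes.fromhex("7f1c3a5e9b2d4c6e8f0a1b2c3d4e5f60")


def transaction_challenge(dest_account: str, amount_cents: int, device_id: str) -> bytes:
    """Canonical challenge bound to the transaction details and the signing device.

    Every field is length-prefixed so the encoding is unambiguous: changing the
    account, the amount or the device yields a different challenge, and two
    field splits such as ("12", 345) and ("123", 45) cannot collide.
    """
    fields = [dest_account.encode(), str(amount_cents).encode(), device_id.encode()]
    out = b""
    for field in fields:
        out += struct.pack(">H", len(field)) + field
    return out


def token_response(secret: bytes, challenge: bytes, step: int, digits: int = 8) -> str:
    """What the token computes: HMAC over challenge and time step, truncated HOTP-style."""
    mac = hmac.new(secret, challenge + struct.pack(">Q", step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def bank_verify(secret: bytes, dest_account: str, amount_cents: int, device_id: str,
                response: str, now_seconds: int) -> bool:
    """Bank side: rebuild the challenge from the *submitted* transaction and recompute
    the code over the accepted window. A relayed code signed for a different
    account or amount fails because the challenge no longer matches."""
    challenge = transaction_challenge(dest_account, amount_cents, device_id)
    step = now_seconds // TIME_STEP_SECONDS
    for s in range(step - ACCEPT_WINDOW_STEPS, step + ACCEPT_WINDOW_STEPS + 1):
        if hmac.compare_digest(token_response(secret, challenge, s), response):
            return True
    return False


def rejection_burst(events, window_seconds: int, threshold: int) -> bool:
    """Detection aid: True if at least `threshold` failed signatures fall inside any
    `window_seconds` span. `events` is a list of (timestamp, verified_ok) pairs."""
    failures = sorted(t for t, ok in events if not ok)
    for i in range(len(failures)):
        j = i
        while j < len(failures) and failures[j] - failures[i] <= window_seconds:
            j += 1
        if j - i >= threshold:
            return True
    return False


if __name__ == "__main__":
    # Constructed walk-through: the customer signs a payment, then the same code is
    # replayed against an altered destination account.
    now = 1_000_000
    challenge = transaction_challenge("BE12 3456 7890", 25000, "TOKEN-001")
    code = token_response(DEVICE_SECRET, challenge, now // TIME_STEP_SECONDS)
    print("genuine payment accepted:",
          bank_verify(DEVICE_SECRET, "BE12 3456 7890", 25000, "TOKEN-001", code, now))
    print("same code, altered account:",
          bank_verify(DEVICE_SECRET, "BE99 0000 0000", 25000, "TOKEN-001", code, now))
    print("same code, three steps later:",
          bank_verify(DEVICE_SECRET, "BE12 3456 7890", 25000, "TOKEN-001", code,
                      now + 3 * TIME_STEP_SECONDS))
```

The binding is only as good as what the user actually sees and enters on the token: if the destination account is typed into the device from the web page rather than read from a trusted source, a deceived user can still sign the attacker's transaction, which is why the thread calls this a higher barrier rather than a complete fix.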