funsec mailing list archives

Re: The end of Phishing in sight?


From: Blue Boar <BlueBoar () thievco com>
Date: Mon, 17 Oct 2005 14:39:27 -0700

Blanchard_Michael () emc com wrote:
  If we, the security community, could design and build the securest online
bank, what would we use?

If I have to work within the limitation that end-users are pretty gullible, and will fall for things like phishing emails and bad or missing SSL, then I'm pretty screwed.

However, even with that, here's my best attempt given 60 seconds, off the top of my head:

Give the user a USB device that can do challenge-response, has the bank's cert built into it, and checks the signed challenge from the bank. User has to hit a button or maybe provide a fingerprint to activate it. Token has its own private key. Maybe give it some extra brains, and have it be able to keep a counter as well, to preclude rollback attacks. Maybe give it lots of brains, and have it do the processing in the token.

In other words, a cut-down in-token version of Palladium. The key points are:

-Challenge-response (helps with some limited flavors of MITM)
-Checks SSL cert on its own (can't skip, or fake a different cert)
-Doesn't give the user a chance to click "yes, ignore the warning, let me see the dancing pigs"
-Requires physical user presence to activate (to guard against remote attacker-driven activation)
-Important calculations are done in a (hopefully) secure piece of hardware.

At this point, I *think* you have to compromise the user's box for a technical attack. Of course, with a good local rootkit, the user is still vulnerable to attack.

                                        Ryan
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
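The token design sketched in the post above (bank key built into the device, signed challenge checked by the token, monotonic counter against rollback, physical presence required, token signs with its own key) is concrete enough to model end to end. The following is an added example and not code from the post's author or any real product: it uses Ed25519 from Go's standard library in place of the bank's X.509 certificate, and the names (Bank, Token, Challenge, the "token-0001" identifier, the buttonPressed flag) are assumptions made for illustration. The bank also keeps one outstanding challenge per token and retires it on use, so a captured response cannot be replayed, which the post does not spell out but which the design needs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Challenge is what the bank sends the token: a per-token counter, a random
// nonce, and the bank's signature over both. The counter is what lets the
// token refuse a rolled-back or replayed challenge.
type Challenge struct {
	Counter uint64
	Nonce   [32]byte
	BankSig []byte
}

// tbs is the to-be-signed encoding: big-endian counter || nonce.
func (c Challenge) tbs() []byte {
	buf := make([]byte, 8+len(c.Nonce))
	binary.BigEndian.PutUint64(buf[:8], c.Counter)
	copy(buf[8:], c.Nonce[:])
	return buf
}

// Bank holds its signing key and, per enrolled token, that token's public key,
// the last counter issued to it, and the single challenge still outstanding.
type Bank struct {
	priv        ed25519.PrivateKey
	Pub         ed25519.PublicKey
	tokens      map[string]ed25519.PublicKey
	counters    map[string]uint64
	outstanding map[string]Challenge
}

func NewBank() (*Bank, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Bank{priv: priv, Pub: pub, tokens: map[string]ed25519.PublicKey{},
		counters: map[string]uint64{}, outstanding: map[string]Challenge{}}, nil
}

// Enroll records a token's public key (assumed to happen at issuance).
func (b *Bank) Enroll(id string, pub ed25519.PublicKey) { b.tokens[id] = pub }

// IssueChallenge advances the token's counter, signs counter||nonce, and
// remembers the challenge so exactly one response can be accepted for it.
func (b *Bank) IssueChallenge(id string) (Challenge, error) {
	if _, ok := b.tokens[id]; !ok {
		return Challenge{}, errors.New("bank: unknown token")
	}
	b.counters[id]++
	c := Challenge{Counter: b.counters[id]}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	c.BankSig = ed25519.Sign(b.priv, c.tbs())
	b.outstanding[id] = c
	return c, nil
}

// VerifyResponse checks the token's signature over the challenge the bank has
// outstanding for it, then retires that challenge (no response replay).
func (b *Bank) VerifyResponse(id string, resp []byte) bool {
	c, ok := b.outstanding[id]
	if !ok {
		return false
	}
	delete(b.outstanding, id)
	return ed25519.Verify(b.tokens[id], c.tbs(), resp)
}

// Token models the USB device: the bank's public key is baked in, the token's
// own private key never leaves it, and it remembers the highest counter seen.
type Token struct {
	bankPub     ed25519.PublicKey
	priv        ed25519.PrivateKey
	Pub         ed25519.PublicKey
	lastCounter uint64
}

func NewToken(bankPub ed25519.PublicKey) (*Token, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{bankPub: bankPub, priv: priv, Pub: pub}, nil
}

var (
	ErrNoPresence = errors.New("token: button not pressed")
	ErrBadBankSig = errors.New("token: challenge not signed by the bank")
	ErrRollback   = errors.New("token: counter did not advance")
)

// Respond is the token's only operation. buttonPressed stands in for the
// physical-presence check; in hardware the host PC cannot set it.
func (t *Token) Respond(c Challenge, buttonPressed bool) ([]byte, error) {
	if !buttonPressed {
		return nil, ErrNoPresence
	}
	if !ed25519.Verify(t.bankPub, c.tbs(), c.BankSig) {
		return nil, ErrBadBankSig // phishing site, or a different bank
	}
	if c.Counter <= t.lastCounter {
		return nil, ErrRollback // replayed or rolled-back challenge
	}
	t.lastCounter = c.Counter
	return ed25519.Sign(t.priv, c.tbs()), nil
}

func main() {
	bank, _ := NewBank()
	tok, _ := NewToken(bank.Pub)
	bank.Enroll("token-0001", tok.Pub)
	c, _ := bank.IssueChallenge("token-0001")
	resp, err := tok.Respond(c, true)
	fmt.Println("genuine bank:", err == nil && bank.VerifyResponse("token-0001", resp))
	_, err = tok.Respond(c, true)
	fmt.Println("replayed challenge:", err)
}
```

What the model does not do is bind the response to the transaction being authorised; a live proxy that relays the bank's genuine challenge to the token and the token's response back to the bank still gets a valid login, which is the "limited flavors of MITM" caveat in the post. Closing that gap means putting the transaction details into the signed challenge and showing them on the token, which is the "lots of brains" variant.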

