Re: The end of Phishing in sight?

[Security Lists <securitylists () uniontown com>]

Please correct me if I'm wrong, but I think the Phisher has more time 
than that (if I am understanding the SecurID resync process correctly).

I think normally a user can enter a token code that can be 1 token too 
old, or 1 token too new, and the ACE server just takes it and 
transparently resyncs up/down 1 minute accordingly (I think).  This is 
the normal day-to-day resyncing, and this is why heavy users usually 
don't fade out of sync and never see resync prompts.

But, when a token that's entered outside a much larger timeframe (+/- 10 
minutes comes to mind for some reason), that user gets placed in "next 
token mode" where they need to enter a second subsequent token.  These 
users are familiar with SecurID are also probably familiar with this 
procedure.  This lets the SecurID server resync with a bigger jump than 
the +/- 1 minute default (the 3 minute window) for the user who only 
uses the token twice a year ( I THINK).

So, a Phisher simulates the "next token mode" for EVERY victim they hit 
on their spoofed page, this effectively gives them a 20 minute window of 
opportunity(?) of +/- 10 minutes for each victim...?

I did a quick google and couldn't find the actual numbers or to confirm 
that this is how they work, that 10 minute thing just rings a bell to me 
from troubleshooting way back a few years ago, I might be WAY off on 
that number.  If someone has some real numbers I'd really like to know 
what they really are.  +/- even 5 minutes would certainly be an eternity 
to a Phisher.

-Mark Coleman



Henderson, Dennis K. wrote:

> When you use a securid token, the number displayed is only good for a
> short period of time, like 2-3 minutes. After that it is not valid.
>
> Once you use it, its not valid ever again. So if the number was entered
> at a phishing site, the fraudster would have to use it within 1-2
> minutes tops. 
>
> I guess a site could be set up to automatically attempt login on a real
> site upon harvest of the credential. The fraudster would have to be
> notified in real time and be able to take advantage of the event right
> as it occurred. 
>
> I think this reduces, but does not eliminate the odds. Most modern
> online banking pages will have a timeout, so the perp needs to be on the
> ball to take advantage. No setting up the site, partying the night away,
> waking up and looking at the list of passwords. This attack would
> require eyeballs on the screen.
>
> All these things increase the cost to the perp of doing business, thus
> reducing the likelihood that this type of attack vector would happen
> successfully.
>
> My opinion, of course...
>
>
>
>  
>
> > -----Original Message-----
> > From: funsec-bounces () linuxbox org 
> > [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
> > Sent: Monday, October 17, 2005 5:32 PM
> > To: funsec () linuxbox org
> > Subject: RE: [funsec] The end of Phishing in sight?
> >
> > So this will guard against a Securid stolen by spyware, but 
> > not by phishing, right?
> >
> > Richard
> >
> > ________________________________
> >
> > From: funsec-bounces () linuxbox org 
> > [mailto:funsec-bounces () linuxbox org] On Behalf Of Henderson, Dennis K.
> > Sent: Monday, October 17, 2005 6:26 PM
> > To: Security Lists; funsec () linuxbox org
> > Subject: RE: [funsec] The end of Phishing in sight?
> >
> >
> > Securid's pins are consumed as they are used, pin sync or 
> > login. Log it all you want.... no dice.
> >
> >
> >
> >
> > ________________________________
> >
> > 	From: funsec-bounces () linuxbox org 
> > [mailto:funsec-bounces () linuxbox org] On Behalf Of Security Lists
> >         Sent: Monday, October 17, 2005 3:39 PM
> >         To: funsec () linuxbox org
> >         Subject: Re: [funsec] The end of Phishing in sight?
> >         
> >         
> > 	I believe a SecurID token has a full 3-minute window of 
> > opportunity (more if you can get the user to enter two 
> > subsequent token #'s I believe, that's what's needed for 
> > token resync sequence), Phisher could simply script an 
> > instant automated MITM that would log them in on-the-fly, PIN and all.
> >         
> >         -Mark C
> >         
> >         
> > 	Dave Killion wrote: 
> >
> >
> >
> > 		On 10/17/05, Paul Schmehl <pauls () utdallas edu> wrote: 
> >
> >
> > 			OK, I'll bite.  Are the banks going to 
> > be forced to provide the readers?
> > 			Or is online banking going to become a 
> > thing of the past?
> >                         
> >
> >
> > 		ETrade is already providing certain select 
> > customers with SecurID tokens.
> >                 
> > 		-- 
> > 		Dave Killion, CISSP
> >                 Contributing Author, Configuring NetScreen Firewalls
> > 		PGP Key Fingerprint: 
> > 		E477 488D 4340 D04F DD94 2A65 048C B376 D50B 45C8 
> > 		
> > ________________________________
> >
> >
> >                 _______________________________________________
> >                 Fun and Misc security discussion for OT posts.
> >                 https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> >                 Note: funsec is a public and open mailing list.
> >
> >
> >
> >    
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
>  

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.