funsec mailing list archives
Re: The end of Phishing in sight?
From: Security Lists <securitylists () uniontown com>
Date: Tue, 18 Oct 2005 12:56:52 -0400
Please correct me if I'm wrong, but I think the Phisher has more time than that (if I am understanding the SecurID resync process correctly).
I think normally a user can enter a token code that can be 1 token too old, or 1 token too new, and the ACE server just takes it and transparently resyncs up/down 1 minute accordingly (I think). This is the normal day-to-day resyncing, and this is why heavy users usually don't fade out of sync and never see resync prompts.
But when a token is entered outside a much larger timeframe (+/- 10 minutes comes to mind for some reason), that user gets placed in "next token mode" where they need to enter a second, subsequent token. Those who are familiar with SecurID are also probably familiar with this procedure. This lets the SecurID server resync with a bigger jump than the +/- 1 minute default (the 3-minute window) for the user who only uses the token twice a year (I THINK).
So, if a Phisher simulates the "next token mode" for EVERY victim they hit on their spoofed page, this effectively gives them a 20-minute window of opportunity (?) of +/- 10 minutes for each victim...?
I did a quick Google search and couldn't find the actual numbers or confirm that this is how they work; that 10-minute thing just rings a bell to me from troubleshooting way back a few years ago, and I might be WAY off on that number. If someone has some real numbers I'd really like to know what they really are. +/- even 5 minutes would certainly be an eternity to a Phisher.
-Mark Coleman

Henderson, Dennis K. wrote:
When you use a SecurID token, the number displayed is only good for a short period of time, like 2-3 minutes. After that it is not valid. Once you use it, it's not valid ever again. So if the number was entered at a phishing site, the fraudster would have to use it within 1-2 minutes tops. I guess a site could be set up to automatically attempt login on a real site upon harvest of the credential. The fraudster would have to be notified in real time and be able to take advantage of the event right as it occurred. I think this reduces, but does not eliminate, the odds. Most modern online banking pages will have a timeout, so the perp needs to be on the ball to take advantage. No setting up the site, partying the night away, waking up and looking at the list of passwords. This attack would require eyeballs on the screen. All these things increase the cost to the perp of doing business, thus reducing the likelihood that this type of attack vector would happen successfully. My opinion, of course...

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Monday, October 17, 2005 5:32 PM
To: funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

So this will guard against a SecurID stolen by spyware, but not by phishing, right?

Richard

________________________________
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Henderson, Dennis K.
Sent: Monday, October 17, 2005 6:26 PM
To: Security Lists; funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

SecurID's PINs are consumed as they are used, PIN sync or login. Log it all you want.... no dice.

________________________________
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Security Lists
Sent: Monday, October 17, 2005 3:39 PM
To: funsec () linuxbox org
Subject: Re: [funsec] The end of Phishing in sight?

I believe a SecurID token has a full 3-minute window of opportunity (more if you can get the user to enter two subsequent token #'s, I believe; that's what's needed for the token resync sequence). A Phisher could simply script an instant automated MITM that would log them in on the fly, PIN and all.

-Mark C

Dave Killion wrote:
On 10/17/05, Paul Schmehl <pauls () utdallas edu> wrote:
OK, I'll bite. Are the banks going to be forced to provide the readers? Or is online banking going to become a thing of the past?

ETrade is already providing certain select customers with SecurID tokens.

--
Dave Killion, CISSP
Contributing Author, Configuring NetScreen Firewalls
PGP Key Fingerprint: E477 488D 4340 D04F DD94 2A65 048C B376 D50B 45C8

________________________________
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
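The thread is arguing from memory about three server-side behaviours: a small drift window that is resynced silently, a wider window that drops the user into "next token mode", and the rule that a code is dead once it has been used. The model below is an added example, not part of the original thread and not RSA's algorithm (SecurID's code generation is proprietary; an HMAC-SHA1 truncation in the style of RFC 4226 stands in for it). The 60-second step, the +/-1 and +/-10 step windows and the seed are constructed assumptions taken from the numbers the posters throw around, not documented ACE server settings.

```python
import hashlib
import hmac
import struct

# Constructed parameters mirroring the thread's guesses: one code per minute,
# +/-1 step tolerated silently, +/-10 steps accepted only via next-token mode.
STEP_SECONDS = 60
NORMAL_WINDOW = 1
RESYNC_WINDOW = 10


def token_code(secret: bytes, step: int) -> str:
    """6-digit code for a time step (HMAC-SHA1 dynamic truncation as in RFC 4226;
    a stand-in for SecurID's proprietary generator, not a reimplementation of it)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class TokenValidator:
    """Server-side acceptance with drift tracking, next-token mode and
    single-use enforcement: a consumed step can never be accepted again."""

    def __init__(self, secret: bytes, normal_window: int = NORMAL_WINDOW,
                 resync_window: int = RESYNC_WINDOW):
        self.secret = secret
        self.normal_window = normal_window
        self.resync_window = resync_window
        self.drift = 0        # believed offset of the token clock from the server clock, in steps
        self.last_step = -1   # highest step already consumed; this and anything older is dead
        self.pending = None   # step matched in the wide window, awaiting its successor

    def _find_step(self, code: str, center: int, window: int):
        """Return the unconsumed step within +/-window of center whose code matches, else None."""
        for delta in range(-window, window + 1):
            step = center + delta
            if step > self.last_step and hmac.compare_digest(token_code(self.secret, step), code):
                return step
        return None

    def verify(self, code: str, server_step: int) -> str:
        """Returns 'ok', 'next-token' (enter the following code) or 'denied'."""
        if self.pending is not None:
            expected = self.pending + 1      # second code must be the immediate successor
            self.pending = None
            if hmac.compare_digest(token_code(self.secret, expected), code):
                self.drift = expected - server_step
                self.last_step = expected
                return "ok"
            return "denied"
        center = server_step + self.drift
        step = self._find_step(code, center, self.normal_window)
        if step is not None:
            self.drift = step - server_step  # transparent small resync
            self.last_step = step
            return "ok"
        step = self._find_step(code, center, self.resync_window)
        if step is not None:
            self.pending = step              # consumed immediately, even though login is not granted yet
            self.last_step = step
            return "next-token"
        return "denied"


def demo():
    """Walk one account through normal use, a replay, silent resync, next-token mode
    and a wrong second code; returns the list of outcomes."""
    secret = b"constructed-seed"             # constructed token seed
    v = TokenValidator(secret)
    c1000 = token_code(secret, 1000)
    return [
        v.verify(c1000, 1000),                     # ok: on time
        v.verify(c1000, 1000),                     # denied: already consumed
        v.verify(c1000, 1001),                     # denied: still consumed a minute later
        v.verify(token_code(secret, 1002), 1001),  # ok: one step fast, drift now +1
        v.verify(token_code(secret, 1010), 1003),  # next-token: 6 steps beyond belief
        v.verify(token_code(secret, 1011), 1004),  # ok: successor supplied, drift now +7
        v.verify(token_code(secret, 1011), 1005),  # denied: replay of the successor
        v.verify(token_code(secret, 1020), 1005),  # next-token again
        v.verify(token_code(secret, 1019), 1006),  # denied: not the successor, mode cleared
    ]


def acceptance_profile(code_step: int):
    """For a single code, count the server-clock positions at which a fresh validator
    accepts it outright versus only opening next-token mode (a second code needed)."""
    secret = b"constructed-seed"
    code = token_code(secret, code_step)
    outright = needs_second = 0
    for server_step in range(code_step - RESYNC_WINDOW - 2, code_step + RESYNC_WINDOW + 3):
        outcome = TokenValidator(secret).verify(code, server_step)
        if outcome == "ok":
            outright += 1
        elif outcome == "next-token":
            needs_second += 1
    return outright, needs_second
```

acceptance_profile returns (3, 18) with these windows: a lone code is accepted outright only in the three minutes around its own step, and across the rest of the +/-10 window it merely opens next-token mode, so a relayed login there would also need the user's following code, which is the distinction Mark is reaching for. The consumed-step rule means that whichever side uses a code first kills it for the other, which is the property Dennis relies on. Real window sizes belong to the product documentation, not to this model.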