funsec mailing list archives

RE: The end of Phishing in sight?


From: "Henderson, Dennis K." <Dennis.Henderson () umb com>
Date: Tue, 18 Oct 2005 12:36:02 -0500

I have a call into RSA. I'll try to get a clueful person that can answer
our questions precisely.
 
Good discussion


  _____  

    From: Security Lists [mailto:securitylists () uniontown com]
    Sent: Tuesday, October 18, 2005 11:57 AM
    To: Henderson, Dennis K.
    Cc: funsec () linuxbox org
    Subject: Re: [funsec] The end of Phishing in sight?

    Please correct me if I'm wrong, but I think the Phisher has more time
    than that (if I am understanding the SecurID resync process correctly).

    I think normally a user can enter a token code that can be 1 token too
    old, or 1 token too new, and the ACE server just takes it and
    transparently resyncs up/down 1 minute accordingly (I think). This is
    the normal day-to-day resyncing, and this is why heavy users usually
    don't fade out of sync and never see resync prompts.

    But when a token is entered outside a much larger timeframe (+/- 10
    minutes comes to mind for some reason), that user gets placed in
    "next token mode" where they need to enter a second subsequent token.
    Users who are familiar with SecurID are also probably familiar with
    this procedure. This lets the SecurID server resync with a bigger jump
    than the +/- 1 minute default (the 3 minute window) for the user who
    only uses the token twice a year (I THINK).

    So, a Phisher simulates the "next token mode" for EVERY victim they
    hit on their spoofed page; this effectively gives them a 20 minute
    window of opportunity(?) of +/- 10 minutes for each victim...?

    I did a quick google and couldn't find the actual numbers or confirm
    that this is how they work; that 10 minute thing just rings a bell to
    me from troubleshooting way back a few years ago, I might be WAY off
    on that number. If someone has some real numbers I'd really like to
    know what they really are. +/- even 5 minutes would certainly be an
    eternity to a Phisher.

    -Mark Coleman

    Henderson, Dennis K. wrote:

        When you use a securid token, the number displayed is only good for
        a short period of time, like 2-3 minutes. After that it is not valid.

        Once you use it, it's not valid ever again. So if the number was
        entered at a phishing site, the fraudster would have to use it
        within 1-2 minutes tops.

        I guess a site could be set up to automatically attempt login on a
        real site upon harvest of the credential. The fraudster would have
        to be notified in real time and be able to take advantage of the
        event right as it occurred.

        I think this reduces, but does not eliminate, the odds. Most modern
        online banking pages will have a timeout, so the perp needs to be
        on the ball to take advantage. No setting up the site, partying the
        night away, waking up and looking at the list of passwords. This
        attack would require eyeballs on the screen.

        All these things increase the cost to the perp of doing business,
        thus reducing the likelihood that this type of attack vector would
        happen successfully.

        My opinion, of course...

            -----Original Message-----
            From: funsec-bounces () linuxbox org
            [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
            Sent: Monday, October 17, 2005 5:32 PM
            To: funsec () linuxbox org
            Subject: RE: [funsec] The end of Phishing in sight?

            So this will guard against a Securid stolen by spyware, but not
            by phishing, right?

            Richard

            ________________________________

            From: funsec-bounces () linuxbox org
            [mailto:funsec-bounces () linuxbox org] On Behalf Of Henderson, Dennis K.
            Sent: Monday, October 17, 2005 6:26 PM
            To: Security Lists; funsec () linuxbox org
            Subject: RE: [funsec] The end of Phishing in sight?

            Securid's pins are consumed as they are used, pin sync or login.
            Log it all you want.... no dice.
                        
                ________________________________

                From: funsec-bounces () linuxbox org
                [mailto:funsec-bounces () linuxbox org] On Behalf Of Security Lists
                Sent: Monday, October 17, 2005 3:39 PM
                To: funsec () linuxbox org
                Subject: Re: [funsec] The end of Phishing in sight?

                I believe a SecurID token has a full 3-minute window of
                opportunity (more if you can get the user to enter two
                subsequent token #'s I believe, that's what's needed for
                the token resync sequence); a Phisher could simply script
                an instant automated MITM that would log them in
                on-the-fly, PIN and all.

                -Mark C
                Dave Killion wrote:

                    On 10/17/05, Paul Schmehl <pauls () utdallas edu> wrote:

                        OK, I'll bite. Are the banks going to be forced to
                        provide the readers? Or is online banking going to
                        become a thing of the past?

                    ETrade is already providing certain select customers
                    with SecurID tokens.

                    --
                    Dave Killion, CISSP
                    Contributing Author, Configuring NetScreen Firewalls
                    PGP Key Fingerprint:
                    E477 488D 4340 D04F DD94 2A65 048C B376 D50B 45C8
                ________________________________

                _______________________________________________
                Fun and Misc security discussion for OT posts.
                https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
                Note: funsec is a public and open mailing list.

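The thread argues about three server-side properties of a time-based token: how long a displayed code stays valid, whether a used code can ever be accepted again, and how far the server will let the token's clock drift before it demands a second consecutive code ("next token mode"). The following is an added illustration written for this archive page, not code from the list, from RSA, or from any participant. It models those properties with a generic HMAC-based code derivation in place of SecurID's proprietary algorithm, and the window sizes (one-minute steps, +/-1 step accepted silently, +/-10 steps only with a follow-up code) are assumptions standing in for the numbers the posters could not confirm. The walkthrough in `demo()` shows why a code captured by a phishing page is only useful inside a bounded window, and how tracking the last consumed step rejects a replayed or stale code even when it still falls inside the drift window.

```python
import hashlib
import hmac
import struct

# Constructed parameters for the model. The real SecurID values are not
# confirmed anywhere in the thread, so these are assumptions.
STEP_SECONDS = 60            # one code per minute
NORMAL_DRIFT_STEPS = 1       # +/-1 step accepted and silently resynced
NEXT_TOKEN_DRIFT_STEPS = 10  # up to +/-10 steps, but only with a second consecutive code


def code_at(secret: bytes, step: int) -> str:
    """Six-digit code for one time step. Generic HMAC-SHA1 truncation
    (HOTP-style) is used here for illustration; this is not RSA's algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class TokenRecord:
    """Server-side state kept for one token."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0              # learned clock offset, in steps
        self.last_used_step = None  # highest step whose code has been consumed
        self.pending_next = None    # step expected while in next-token mode


def verify(rec: TokenRecord, code: str, now: int) -> str:
    """Validate one submitted code at wall-clock time `now` (epoch seconds)."""
    client_step = now // STEP_SECONDS
    # Next-token mode: only the code for the agreed following step is accepted.
    if rec.pending_next is not None:
        expected, rec.pending_next = rec.pending_next, None
        if hmac.compare_digest(code, code_at(rec.secret, expected)):
            rec.drift = expected - client_step
            rec.last_used_step = expected
            return "ok-resynced"
        return "rejected"
    server_step = client_step + rec.drift
    # Try the nearest steps first so the smallest drift explanation wins.
    for d in sorted(range(-NEXT_TOKEN_DRIFT_STEPS, NEXT_TOKEN_DRIFT_STEPS + 1), key=abs):
        step = server_step + d
        if not hmac.compare_digest(code, code_at(rec.secret, step)):
            continue
        # Single use: anything at or before the last consumed step is a replay.
        if rec.last_used_step is not None and step <= rec.last_used_step:
            return "rejected-replay"
        if abs(d) <= NORMAL_DRIFT_STEPS:
            rec.drift += d
            rec.last_used_step = step
            return "ok"
        rec.pending_next = step + 1
        return "next-token-required"
    return "rejected"


def demo() -> list:
    """Walk through the behaviours discussed in the thread with a constructed seed."""
    secret = b"constructed-demo-seed-not-a-real-token"
    rec = TokenRecord(secret)
    t0 = 1_000_020                 # constructed epoch time, on a step boundary
    base = t0 // STEP_SECONDS
    results = []
    results.append(verify(rec, code_at(secret, base), t0))            # fresh code
    results.append(verify(rec, code_at(secret, base), t0 + 30))       # same code again
    results.append(verify(rec, code_at(secret, base + 1), t0 + 120))  # token 1 step slow
    results.append(verify(rec, code_at(secret, base + 8), t0 + 120))  # token far ahead
    results.append(verify(rec, code_at(secret, base + 9), t0 + 130))  # the following code
    results.append(verify(rec, code_at(secret, base + 3), t0 + 200))  # stale earlier code
    results.append(verify(rec, code_at(secret, base), t0 + 1800))     # long expired
    return results


if __name__ == "__main__":
    for label, outcome in zip(
        ["fresh", "replay", "slow-by-1", "far-ahead", "next-token", "stale", "expired"],
        demo(),
    ):
        print(f"{label:>11}: {outcome}")
```

The two rejections worth noting from a defender's side are the "replay" and "stale" cases: both codes are inside the drift window the server would otherwise tolerate, and both are refused only because the server remembers the highest step it has already consumed. Without that bookkeeping the single-use guarantee Dennis relies on does not hold, and the window Mark is asking about becomes the whole story.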