funsec mailing list archives

RE: The end of Phishing in sight?


From: "Henderson, Dennis K." <Dennis.Henderson () umb com>
Date: Tue, 18 Oct 2005 17:23:35 -0500

What Mark says is technically true.

Statistically, though, the risk is much lower, as the user who enters PINs will not be at the +10 mark of the opportunity, but right in the middle.

The phisher can simply keep telling the user to enter next token codes. With 3 sequential codes entered, the phisher will have about 7 minutes to attempt to use all three PINs to get past 2 next token code requests from the legitimate server.

With a 30 second token, this window would be reduced by 1/2.

All in all, this represents a huge reduction in the risk compared to a static weak password. Plus the additional support and complexity required on the phisher's part will reduce the population of those who are willing to attempt this.

E-trade, on the other hand, is not helping by screaming at the top of its lungs that it will provide 2 factor auth for customers with > 50K of funds....

Once again, just my opinion based on my experience with a user base of 55K, not BOA, but not that small either.



From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Henderson, Dennis K.
Sent: Tuesday, October 18, 2005 12:36 PM
To: Security Lists
Cc: funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

I have a call into RSA. I'll try to get a clueful person that can answer our questions precisely.

Good discussion


From: Security Lists [mailto:securitylists () uniontown com]
Sent: Tuesday, October 18, 2005 11:57 AM
To: Henderson, Dennis K.
Cc: funsec () linuxbox org
Subject: Re: [funsec] The end of Phishing in sight?

Please correct me if I'm wrong, but I think the Phisher has more time than that (if I am understanding the SecurID resync process correctly).

I think normally a user can enter a token code that can be 1 token too old, or 1 token too new, and the ACE server just takes it and transparently resyncs up/down 1 minute accordingly (I think). This is the normal day-to-day resyncing, and this is why heavy users usually don't fade out of sync and never see resync prompts.

But, when a token is entered outside a much larger timeframe (+/- 10 minutes comes to mind for some reason), that user gets placed in "next token mode" where they need to enter a second subsequent token. These users who are familiar with SecurID are also probably familiar with this procedure. This lets the SecurID server resync with a bigger jump than the +/- 1 minute default (the 3 minute window) for the user who only uses the token twice a year (I THINK).

So, a Phisher simulates the "next token mode" for EVERY victim they hit on their spoofed page; this effectively gives them a 20 minute window of opportunity(?) of +/- 10 minutes for each victim...?

I did a quick Google and couldn't find the actual numbers or to confirm that this is how they work; that 10 minute thing just rings a bell to me from troubleshooting way back a few years ago, I might be WAY off on that number. If someone has some real numbers I'd really like to know what they really are. +/- even 5 minutes would certainly be an eternity to a Phisher.

-Mark Coleman

Henderson, Dennis K. wrote:

When you use a SecurID token, the number displayed is only good for a short period of time, like 2-3 minutes. After that it is not valid.

Once you use it, it's not valid ever again. So if the number was entered at a phishing site, the fraudster would have to use it within 1-2 minutes tops.

I guess a site could be set up to automatically attempt login on a real site upon harvest of the credential. The fraudster would have to be notified in real time and be able to take advantage of the event right as it occurred.

I think this reduces, but does not eliminate, the odds. Most modern online banking pages will have a timeout, so the perp needs to be on the ball to take advantage. No setting up the site, partying the night away, waking up and looking at the list of passwords. This attack would require eyeballs on the screen.

All these things increase the cost to the perp of doing business, thus reducing the likelihood that this type of attack vector would happen successfully.

My opinion, of course...


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Monday, October 17, 2005 5:32 PM
To: funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

So this will guard against a SecurID stolen by spyware, but not by phishing, right?

Richard

                                
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Henderson, Dennis K.
Sent: Monday, October 17, 2005 6:26 PM
To: Security Lists; funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

SecurID's PINs are consumed as they are used, PIN sync or login. Log it all you want.... no dice.

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Security Lists
Sent: Monday, October 17, 2005 3:39 PM
To: funsec () linuxbox org
Subject: Re: [funsec] The end of Phishing in sight?

I believe a SecurID token has a full 3-minute window of opportunity (more if you can get the user to enter two subsequent token #'s I believe, that's what's needed for the token resync sequence); a Phisher could simply script an instant automated MITM that would log them in on-the-fly, PIN and all.

-Mark C

Dave Killion wrote:

On 10/17/05, Paul Schmehl <pauls () utdallas edu> wrote:

OK, I'll bite. Are the banks going to be forced to provide the readers? Or is online banking going to become a thing of the past?

ETrade is already providing certain select customers with SecurID tokens.

--
Dave Killion, CISSP
Contributing Author, Configuring NetScreen Firewalls
PGP Key Fingerprint: E477 488D 4340 D04F DD94 2A65 048C B376 D50B 45C8

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



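The verifier-side behaviour the thread argues about (a small drift window, "next token mode" for larger drift, and a code being dead once consumed), as an added model that is not code from anyone in this thread or from RSA. It assumes a TOTP-style HMAC code as a stand-in for RSA's undocumented algorithm, a 60-second step, a +/- 1-step silent tolerance, and a +/- 10-step next-token window (Mark's guess, labelled as such).

```python
import hashlib
import hmac
import struct

STEP = 60     # seconds per code; assumed, the thread mentions both 60s and 30s tokens
DRIFT = 1     # +/- steps accepted silently: the everyday "transparent resync"
WIDE = 10     # +/- steps that trigger "next token mode"; the +/- 10 minutes is Mark's guess
DIGITS = 6

def code_at(secret: bytes, counter: int) -> str:
    """Stand-in time code: HMAC-SHA1 over the step counter, truncated (TOTP-style,
    not RSA's proprietary algorithm, which this thread does not describe)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class TokenServer:
    """Verifier side: drift tolerance, next-token resync, and one-time consumption."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.consumed = set()   # counters already used: "once you use it, it's not valid ever again"
        self.pending = None     # counter awaiting its successor while in next-token mode

    def verify(self, code: str, now: float) -> str:
        base = int(now // STEP)
        # Search nearest counters first so a code is matched to its own time step.
        candidates = sorted(range(base - WIDE, base + WIDE + 1), key=lambda c: abs(c - base))
        match = next((c for c in candidates
                      if hmac.compare_digest(code_at(self.secret, c), code)), None)
        if match is None:
            self.pending = None
            return "bad"
        if match in self.consumed:
            return "replay"          # a harvested code presented a second time is dead on arrival
        self.consumed.add(match)
        if self.pending is not None:
            expected, self.pending = self.pending + 1, None
            return "ok" if match == expected else "bad"
        if abs(match - base) <= DRIFT:
            return "ok"              # inside the 3-step window: accepted and consumed
        self.pending = match         # too far out: demand the next consecutive code
        return "next_token"

def relay_lifetime(issued: float) -> int:
    """Seconds a code issued at `issued` stays inside the DRIFT window: the whole
    exposure is this real-time interval, since a later replay is rejected."""
    counter = int(issued // STEP)
    return int((counter + DRIFT + 1) * STEP - issued)
```

A code minted at the start of a step survives 120 s and one minted at its end only 61 s, which is where the thread's "1-2 minutes tops" comes from under these assumptions.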
