WebApp Sec mailing list archives

Re: Article - A solution to phishing [Passmark]


From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Mon, 1 Dec 2003 13:07:22 -0800

Before I get into more nitty-gritty technical details, let me be clear on a couple of things for the readers. I'm not affiliated with Passmark in any way. Also, I can only comment on my observations as best I can recall from when I looked at it. Some of my details may be off.

Let us begin...


On Wednesday, December 1, 2004, at 12:05 PM, Adam Shostack wrote:

> Huh?  If "This cookie is acquired by the user early in the process by
> password verification,"  then how does passmark prevent me from
> phishing?  Does the user need two passwords to get in?

That's a very good question, and I had the very same one. The first time a user authenticates (username/password), they must do so without any "image" validation. After which they get their persistent session cookie. I assume the first time you authenticate is a matter of trust. The same username and password is used on all future authentication attempts in combination with the session cookie. So, you could phish the user on the first attempt.

If the user's IP changes at some point in the future, they change comps, or blitz their cookies... then the process starts over. One weakness might be informing the user why they must authenticate again without an image. But this is the way things work, best I can tell.

They have a demo you can check out:
https://www.largebank.com/large_bank/reg_demo_1.do


> Also, what does it matter if the URLs are unguessable?  I need to show
> up at my bank and login.  At which point, the bank needs to show me
> some authentication.  If the bank has to show me an authenticator,
> then a phisher can steal that image.

The validation image URL needs to be unguessable because the phisher's page could include an image tag whose src points to the remote URL. When the validation image is requested, passively through the phisher's page, the user's session cookie is sent along and then the image is properly displayed. I think this requirement basically tries to ensure the validation image only shows up on the proper pages and not off-domain.

> I'm perfectly willing to accept that there are clever ways to do this, could you explain what they are?

You and me both. The Passmark system is clever, but does appear to have its inherent technical and social limitations. Trying to get all the details laid out and digestible for why these types of solutions work or don't is difficult.


Regards,

Jeremiah-
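
The flow Jeremiah describes (first login without an image, a persistent cookie issued afterwards, and a validation-image URL that must be unguessable because a phisher's page can make the victim's browser fetch it with the cookie attached) can be modelled in a few dozen lines. The following Python is an added toy model written for this archive page; it is not Passmark's code and nothing in the thread describes their implementation. The class and function names, the token length, the sample user "alice" with password "correct horse" and image "sailboat.png", and the HTTP-like status codes are all constructed assumptions.

```python
"""
Toy model of the image-validation flow discussed in the thread.
Added illustration, not Passmark's code. Names, token length, sample
credentials and the HTTP-like return values are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class BankServer:
    # username -> password (constructed sample data, not real credentials)
    users: dict = field(default_factory=lambda: {"alice": "correct horse"})
    # username -> the image the user chose at enrollment (constructed)
    images: dict = field(default_factory=lambda: {"alice": "sailboat.png"})
    # persistent cookie value -> (username, image_token)
    cookies: dict = field(default_factory=dict)

    def first_login(self, username, password):
        """First authentication: no image can be shown yet (matter of trust).
        On success the server issues the persistent cookie and, bound to it,
        a fresh random token that becomes the unguessable image URL path."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        cookie = secrets.token_urlsafe(32)
        image_token = secrets.token_urlsafe(32)
        self.cookies[cookie] = (username, image_token)
        return cookie, f"/img/{image_token}"

    def image_url_for_login_page(self, cookie):
        """Later visits: the bank's login page embeds the image URL only when
        the browser presents a cookie the server knows. No cookie (new machine,
        cleared cookies) means no image, and the process starts over."""
        entry = self.cookies.get(cookie)
        if entry is None:
            return None
        return f"/img/{entry[1]}"

    def serve_image(self, path, cookie):
        """Image endpoint. Any page, including a phisher's, can make the
        browser request this URL with the bank cookie attached, so the cookie
        alone must not be enough: the path token bound to that cookie must
        also match."""
        entry = self.cookies.get(cookie)
        if entry is None:
            return 403, None
        username, image_token = entry
        if not path.startswith("/img/"):
            return 404, None
        if not hmac.compare_digest(path[len("/img/"):], image_token):
            return 404, None
        return 200, self.images[username]


def phisher_embed(server, victim_cookie, guessed_path):
    """Models a phishing page containing <img src="https://bank/img/...">.
    The victim's browser attaches the bank cookie automatically; what the
    phisher controls is only the path, so a guessed path yields nothing."""
    status, body = server.serve_image(guessed_path, victim_cookie)
    return body  # None unless the guessed path is the real token


if __name__ == "__main__":
    bank = BankServer()
    cookie, url = bank.first_login("alice", "correct horse")
    print("login page embeds:", bank.image_url_for_login_page(cookie))
    print("legit fetch:", bank.serve_image(url, cookie))
    print("phisher guessing /img/alice:", phisher_embed(bank, cookie, "/img/alice"))
    print("phisher who learned the real URL:", phisher_embed(bank, cookie, url))
```

The last line of the demo shows the limit Adam points at: if the phisher ever learns the per-user URL (for example by having already seen the bank's page source for that victim), the cookie-bearing browser will happily load the image off-domain. The unguessable path only stops a phisher who has to guess it.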
