WebApp Sec mailing list archives
Re: Article - A solution to phishing
From: "Adam Tuliper" <adam () secure-coding com>
Date: Tue, 14 Dec 2004 13:43:13 -0500
I couldn't agree with Michael more. I look up the address of most scams that are sent to me and not one to date has been based in a country that does anything about it. Even if it happens here in the USA it's tough to get action. I had a case involving the IFCC (Internet Fraud Complaint Center) here and I had all the information on the suspect and it was difficult to get a good resolution to that case. There is so much other crime in some of these other countries they literally don't care. I had a client in Latvia purchase some software and my processing company wouldn't let it go through at first because they didn't trust any transaction that came from there until it was thoroughly verified. It's a long, long way until other nations care. I'll go out on a limb and say... not in my lifetime. If most nations do obey these laws, what's to stop someone from using an email address based in some other troubled region (about 20 come to mind instantly)? Personally, I like stringing them on and giving them false information and wasting their time. It's fun, I recommend all of you try it : )

On Fri, 10 Dec 2004 17:22:32 +1100 Michael Silk <michaelsilk () gmail com> wrote:
Just like it's worked to stop crime. ... Don't kid yourself - for offenders to be prosecuted their relative countries would need to respect and implement the appropriate laws. I can't see this happening very soon. Not to mention that possible punishment isn't a very effective method to stop people performing this action ... people will continue to do it, no matter what the punishment, if the reward is great.

Technological solutions should be considered and, as discussed in this thread, a few nice solutions exist ... client authenticated SSL, etc.

-- Michael

On Thu, 9 Dec 2004 20:13:00 -0800, Christopher Canova <canovac () earthlink net> wrote:
http://www.snpx.com/cgi-bin/news5.cgi?target=www.newsnow.co.uk/cgi/NGoto/78626317?-2622

Like I said... Tough legislation and pro-active prosecution will end phishing scams, not simply using a new anti-phishing scheme.

-----Original Message-----
From: Michael Silk [mailto:michaelsilk () gmail com]
Sent: Friday, November 26, 2004 3:23 AM
To: canovac () earthlink net; webappsec () securityfocus com
Subject: RE: Article - A solution to phishing

Hi Christopher,

Thanks for your feedback, let me address it.

First let me say that many people have raised the issue (privately) of unencrypted emails not being good enough - and they have a point. So from now onwards let us assume that a public key/private key exchange system is used to communicate the emails such that:

The user either provides their own public key to the site ("Test-Bank") or is given one upon registration. Hence, emails between Test-Bank and Jones are encrypted and cannot be decrypted until Jones either:

a) Types in pass-phrase _TO THE EMAIL CLIENT_.
b) Connects USB device holding private key to computer.
c) Something else you can dream up involving smart-cards.

The point is that the email is encrypted and can only be decrypted until such time as Jones and his password holding device (possibly his head) are at the computer.

Let's now address your points.

> * The password timeout is too short. Consider that the default check frequency for most mail programs is 30 minutes. Of course, this could be fixed by making a longer timeout.

Timeout isn't required anymore (or at least isn't required to be short - can be 1 day or more) because email interception has become useless.

> * "A little bit of education" is exactly what we need. If we had a "little bit of education" to go around, then we would all be savvy users. You're assuming that a normal user would be interested in learning this method...

It is a simple method for them to adopt as opposed to reading warnings from Internet Explorer and being allowed to continue anyway ... or looking for a padlock, or looking at the address bar.
In this case they have no choice but to accept the system, they cannot - without great and thought-out effort - pass the password to someone else before they use it.

> * Consider that the average time for a user to become disinterested in the website they are visiting is measured in seconds or minutes. If this system was implemented in a site that provided online merchandise, this lag would be unacceptable for most, if not all, merchandisers. If the users are waiting around for an email, the chances are dramatically increased that they will move to a different site that doesn't have this method implemented.

The solution isn't appropriate for every site out there. A merchandiser wasn't my target. But you are correct, it is more bulky than a common login screen.

> * It is not secure. The email would need to be encrypted. The encryption requires another password. All the phisher would have to do is pose as someone requiring the password for the encrypted email as opposed to the password for the website. Of course, this could cause the user to become more suspicious.

The email is encrypted now. The phisher would not have the possibility to ask for the password as the user does not enter the password onto any website when they use it. It is used fully within their client, or, ideally - it is used without them even being really aware, via USB or Palm Pilot or, as Pete Simpson mentioned [1], mobile phone.

> * Easier methods for one-time passwords are already being used, and have been for some time. For example, I remember at my work that we had this program which would generate 5 random words for every login we attempt. The program would accept a secret passphrase that only the user knew and would only be installed on the local system of the user. It would generate the five words and the server would accept that passphrase only once. Once the session is ended, that passphrase is no longer available. This effectively eliminates the requirement for waiting for an email.
I don't quite understand this description. Are you saying the user has a passphrase which they enter into a program installed on their local system which would then generate 5 "random" words? It sounds a little different to the common web login scenario. Can you explain more? Could the user be tricked into typing his/her password somewhere other than the secure site? It sounds like it - unless the program installed on the client computer performs the login function. If it does, then it sounds almost identical to my system except that instead of requiring a tool installed on the client's computer we make use of their email system. How does your communicate to the server to get the 5 random words? Or are the words generated on the basis of some algorithm which the server decodes to realise that it is a certain user?

> * However, even if you did implement a one time password policy, so what? Phishing is a social attack. It's not a passphrase attack.

Well actually it is. All phishing attempts I've seen, lately, try and grab your password. Perhaps there are others that try and grab other information but that is not to say that password-gathering "fake" websites don't exist - they do, and they are an issue. This system attempts to address that.

> Phishing doesn't only gather passphrases, it can gather social security numbers, credit card information, birth dates, etc. You're not fixing anything by implementing a new, less effective method for password generation.

We're fixing the fact that the user now has no, greatly useful, information to give away to the phisher - hence the phisher has nothing to phish for. No phish.

> So you are assuming LOTS of things in your blog, and the worst assumption you make is that your system will work. It's got lots of holes and doesn't focus on the fact that HUMANS are susceptible to phishing,

Actually it does. Like I mentioned above the goal of the article was to take away from the user any information they could provide to the phisher (accidentally). And we have done that.
> Actually, the fact that you are proposing a "solution" to this phenomenon with the implementation of your system is scary to me. It is a very narrowly-focused view of security.

I don't see how I am being narrowly focused.

> You need to refocus on the basics of information security, I've outlined some of that above. But the lesson you should take from this is: social engineering attacks cannot be solved by a magic bullet.

Quite frankly I think if we can take away the sensitive information that a user can give to a phisher, phishing has been solved. Of course, in practical terms the user is going to need to know something the phisher doesn't and hence has the ability to give this information away. But if we reduce/remove the information _inside the phisher's domain (i.e: the web)_ then they can't get at it. For example: It is far less likely for me to type my NT password into a website than it is for me to type my Hotmail password into one.

> All a phisher would need to do is find the weakest link: an uninformed user (or administrator).

Well sure, but why not remove as many weak links as we can? It can only help.

> Again, my apologies for sounding upfront.

No need to apologise, just don't be upset if you get the same back :)

-- Michael

PS: I realised maybe the title is suggesting something along the lines of: "You will be 100% secure if you use this!!!". I, of course, don't mean to imply this - sorry if it came across that way.

[1] http://www.clearswift.com/library/blogs/entry.aspx?ID=39

-----Original Message-----
From: Christopher Canova [mailto:canovac () earthlink net]
Sent: Fri 26/11/2004 7:35 PM
To: Michael Silk; webappsec () securityfocus com
Cc:
Subject: RE: Article - A solution to phishing

This is an interesting read, but, yes, it has already been thought about. A few problems with your method:

* The password timeout is too short. Consider that the default check frequency for most mail programs is 30 minutes. Of course, this could be fixed by making a longer timeout.
* "A little bit of education" is exactly what we need. If we had a "little bit of education" to go around, then we would all be savvy users. You're assuming that a normal user would be interested in learning this method...

* Consider that the average time for a user to become disinterested in the website they are visiting is measured in seconds or minutes. If this system was implemented in a site that provided online merchandise, this lag would be unacceptable for most, if not all, merchandisers. If the users are waiting around for an email, the chances are dramatically increased that they will move to a different site that doesn't have this method implemented.

* It is not secure. The email would need to be encrypted. The encryption requires another password. All the phisher would have to do is pose as someone requiring the password for the encrypted email as opposed to the password for the website. Of course, this could cause the user to become more suspicious.

* Easier methods for one-time passwords are already being used, and have been for some time. For example, I remember at my work that we had this program which would generate 5 random words for every login we attempt. The program would accept a secret passphrase that only the user knew and would only be installed on the local system of the user. It would generate the five words and the server would accept that passphrase only once. Once the session is ended, that passphrase is no longer available. This effectively eliminates the requirement for waiting for an email.

* However, even if you did implement a one time password policy, so what? Phishing is a social attack. It's not a passphrase attack. Phishing doesn't only gather passphrases, it can gather social security numbers, credit card information, birth dates, etc. You're not fixing anything by implementing a new, less effective method for password generation.

So you are assuming LOTS of things in your blog, and the worst assumption you make is that your system will work.
It's got lots of holes and doesn't focus on the fact that HUMANS are susceptible to phishing, not password systems. I don't mean to sound rude or upfront. I'm just trying to warn anyone who may attempt your system that it may fail, easily.

Phishing cannot be solved. It is an ancient art of exploiting social order. One method for minimizing the effects of phishing is education. Another would be enforceable punishment for attackers who use this for committing a crime. Another way is to develop applications which take secure transaction into consideration.

Actually, the fact that you are proposing a "solution" to this phenomenon with the implementation of your system is scary to me. It is a very narrowly-focused view of security. You need to refocus on the basics of information security, I've outlined some of that above. But the lesson you should take from this is: social engineering attacks cannot be solved by a magic bullet. All a phisher would need to do is find the weakest link: an uninformed user (or administrator).

Again, my apologies for sounding upfront. I just want to show you the seriousness of making these assumptions. Please feel free to contact me directly.

--
Christopher Canova, Student
canovac () earthlink net
http://home.earthlink.net/~canovac

-----Original Message-----
From: Michael Silk [mailto:michaels () phg com au]
Sent: Monday, November 22, 2004 7:41 PM
To: webappsec () securityfocus com
Subject: Article - A solution to phishing

Hi,

Just a quick little article about a login system that, should (i think:)), prevent phishing attempts on your site.
http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html

Have a look at it and let me know what you think ... and apologies to anyone if an idea like this is already out there :)

-- Michael
--------------------------------------------------------------------- Web mail provided by NuNet, Inc. The Premier National provider. http://www.nni.com/
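The email-based one-time login that Michael defends in this thread (the server mails a fresh token, the token is accepted exactly once, and the timeout can be as long as a day once the email itself is encrypted), modelled as an added example that is not part of the thread or of Michael's article. The `TestBank` class, the user `jones`, the 24-hour lifetime and the in-memory outbox standing in for the encrypted email channel are all assumptions; the example shows why a token captured after Jones has used it, or after it has expired, is of no value.

```python
import hashlib
import hmac
import secrets

# Assumed lifetime: the thread argues the timeout can be 1 day once the email is encrypted.
TOKEN_TTL = 24 * 3600


class TestBank:
    """Constructed model of the server side of an email one-time login.

    The server mails a fresh token; the token is accepted exactly once and
    only before it expires, so a token obtained after use is worthless.
    """

    def __init__(self):
        self.pending = {}  # user -> (sha256 of token, expiry time)
        self.outbox = []   # stand-in for the (encrypted) email channel

    def request_login(self, user, now):
        token = secrets.token_urlsafe(24)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user] = (digest, now + TOKEN_TTL)  # newer request supersedes older token
        self.outbox.append((user, token))               # server keeps only the hash
        return token

    def redeem(self, user, token, now):
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self.pending[user]  # expired tokens are discarded, not retried
            return False
        offered = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(offered, digest):
            return False
        del self.pending[user]  # single use: any later presentation is rejected
        return True


def demo():
    """Walk through the properties the thread argues about; returns three booleans."""
    bank = TestBank()
    t0 = 1_000_000
    token = bank.request_login("jones", t0)
    first = bank.redeem("jones", token, t0 + 60)              # Jones logs in
    replay = bank.redeem("jones", token, t0 + 120)            # same token again
    stale = bank.request_login("jones", t0)
    expired = bank.redeem("jones", stale, t0 + TOKEN_TTL + 1)  # past the lifetime
    return first, replay, expired
```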