WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Article - A solution to phishing

From: "Adam Tuliper" <adam () secure-coding com>
Date: Tue, 14 Dec 2004 13:43:13 -0500
I couldn't agree with Michael more. 
I look up the address of most scams that are sent to me and
not one to date has been based a country that does anything
about it. Even if it happens here in the USA its tough to
get action. I had a case involving the IFCC (Internet Fraud
Complaint Center) here and I had all the information on the
suspect and it was difficult to get a good resolution to
that case. There is so much other crime in some of these
other countries they literally don't care. I had a client
in Latvia purchase some software and my processing company
wouldn't let it go through at first because they didnt
trust any transaction that came from there until it was
thoroughly verified. Its a long long way until other
nations care. I'll go out on a limb and say.. not in my
lifetime. If most nations do obey these laws, whats to stop
someone from using an email address based in some other
troubled region (about 20 come to mind instantly). 

Personally, I like stringing them on and giving them false
information and wasting their time. Its fun, I recommend
all of you try it : )


On Fri, 10 Dec 2004 17:22:32 +1100
 Michael Silk <michaelsilk () gmail com> wrote:

Just like it's worked to stop crime.

...

Don't kid yourself - for offenders to be prosecuted their
relative
countries would need to respect and implement the
appropriate laws. I
can't see this happening very soon.

Not to mention that possible punishment isn't a very
effective method
to stop people perform this action ... people will
continue to do it,
no matter what the punishment, if the reward is great.

Technological solutions should be considered and, as
discussed in this
thread, a few nice solutions exist ... client
authenticated SSL, etc.

-- Michael




On Thu, 9 Dec 2004 20:13:00 -0800, Christopher Canova
<canovac () earthlink net> wrote:





http://www.snpx.com/cgi-bin/news5.cgi?target=www.newsnow.co.uk/cgi/NGoto/786

26317?-2622

Like I said... Tough legislation and pro-active

prosecution will end

phishing scams, not simply using a new anti-phishing

scheme.




-----Original Message-----
From: Michael Silk [mailto:michaelsilk () gmail com]
Sent: Friday, November 26, 2004 3:23 AM
To: canovac () earthlink net; webappsec () securityfocus com
Subject: RE: Article - A solution to phishing

Hi Christopher,

       Thanks for your feedback, let me address it.

       First let me say that many people have raised
       the issue (privately) of unecrypted emails not
       being good enough - and they have a point. So
       from now onwards let us assume that public
       key/private key exchange system is used to
       communicate the emails such that:

       The user either provides their own public key
       to the site ("Test-Bank") or is given one upon
       registration.

       Hence, emails between Test-Bank and Jones are
       encrypted and cannot be decrypted until Jones
       either:
               a) Types in pass-phrase _TO THE EMAIL

CLIENT_.

               b) Connects USB device holding private

key

                       to computer.
               c) Something else you can dream up

involving

                       smart-cards.

       The point is that the email is encrypted and can
       only be decrypted until such time as Jones and
       his password holding device (possibly his head)
       are at the computer.

       Let's now address your points.

       > * The password timeout is too short. Consider
       > that the default check frequency for most mail
       > programs is 30 minutes. Of course, this could

be

       > fixed by making a longer timeout.

       Timeout isn't required anymore (or at least

isn't

       required to be short - can be 1 day or more)

because

       email interception has become useless.

       > * "A little bit of education" is exactly what
       > we need. If we had a "little bit of education"
       > to go around, then we would all be savvy

users.

       > You're assuming that a normal user would be
       > interested in learning this method...

       It is a simple method for them to adopt as

opposed

       to reading warnings from Internet Explorer and

being

       allowed to continue anyway ... or looking for a

padlock,

       or looking at the address bar. In this case they

have

       no choice but to accept the system, they cannot

-

       without great and thought-out effort - pass the

password

       to someone else before they use it.

       > * Consider that the average time for a user to
       > become disinterested in the website they are
       > visiting is measured in seconds or minutes. If
       > this system was implemented in a site that

provided

       > online merchandise, this lag would be

unacceptable

       > for most, if not all, merchandisers. If the

users

       > are waiting around for an email, the chances

are

       > dramatically increased that they will move to

a

       > different site that doesn't have this method
       > implemented.

       The solution isn't appropriate for every site

out there.

       A merchandiser wasn't my target. But you are

correct,

       it is more bulky then a common login screen.

       > * It is not secure. The email would need to be
       > encrypted. The encryption requires another

password.

       > All the phisher would have to do is pose as

someone

       > requiring the password for the encrypted email

as

       > opposed to the password for the website. Of

course,

       > this could cause the user to become
       > more suspicious.

       The email is encrypted now. The phisher would

not

       have the possibility to ask for the password as

the

       user does not enter the password onto any

website

       when they use it. It is used fully within their

email

       client, or, ideally - it is used without them

even

       being really aware, via usb or palm pilot or, as
       Pete Simpson mention [1] mobile phone.

       > * Easier methods for one-time passwords are

already

       > being used, and have been for some time. For

example,

       > I remember at my work that we had this program

which

       > would generate 5 random words for every login

we attempt.

       > The program would accept a secret passphrase

that only

       > the user knew and would only be installed on

the

       > local system of the user. It would generate

the five

       > words and the server would accept that

passphrase only

       > once. Once the session is ended, that

passphrase is no

       > longer available. This effectively eliminates

the

       > requirement for waiting for an email.

       I don't quite understand this description.

       Are you saying the user has a passphrase which

they enter

       into a program installed on their local system

which would

       then generate 5 "random" words ?

       It sounds a little different to the common web

login

       scenario. Can you explain more ?

       Could the user be tricked into typing his/her

password

       somewhere other then the secure site ? It sounds

like it

       - unless the program installed on the client

computer

       performs the login function.

       If it does, then it sounds almost identical to

my system

       except that instead of requiring a tool

installed on the

       clients computer we make use of their email

system.


       How does your communicate to the server to get

the 5 random

       words ? Or are the words generated on the basis

of some

       algorithm which the server decodes to realise

that it is a

       certain user ?

       > * However, even if you did implement a one

time

       > password policy, so what? Phishing is a social

attack.

       > It's not a passphrase attack.

       Well actually it is. All phishing attemts I've

seen, lately,

       try and grab your password. Perhaps there are

others that

       try and grab other information but that is not

to say that

       password-gathering "fake" websites don't exist -

they do, and

       they are an issue. This system attempts to

address that.


       > Phishing doesn't
       > only gather passphrases, it can gather social

security

       > numbers, credit card information, birth dates,

etc. You're

       > not fixing anything by implementing a new,

less effective

       > method for password generation.

       We're fixing the fact that the user now has no,

greatly

       useful, information to give away to the phisher

- hence the

       phisher has nothing to phish for. No phish.

       > So you are assuming LOTS of things in your

blog, and the

       > worst assumption you make is that your system

will work.

       > It's got lots of holes and doesn't focus on

the fact that

       > HUMANS are susceptible to phishing,

       Actually it does. Like I mentioned ahove the

goal of the

       article was to take away from the user any

information

       they could provide to the phisher (accidently).

And we have

       done that.

       > Actually, the fact that you are proposing a

"solution"

       > to this phenomenon with the implementation of

your system

       > is scary to me. It is a very narrowly-focused

view of security.


       I don't see how I am being narrowly focused.

       > You need to refocus on the basics of
       > information security, I've outlined some of

that above.

       > But the lesson you should take from this is:

social

       > engineering attacks cannot be solved by a

magic bullet.


       Quite frankly I think if we can take away the

sensitive

       information that a user can give to a phisher

phishing has

       been solved. Of course, in practical terms the

user is going

       to need to know something the phisher doesn't

and hence has

       the ability to give this information away. But

if we

       reduce/remove the information _inside the

phishers domain

       (i.e: the web)_ then they can't get at it.

       For example: It is far less likely for me to

type my NT

       password into a website then it is for me to

type my Hotmail

       password into one.

       > All a phisher would need to do is find the

weakest link: an

       > uninformed user (or administrator).

       Well sure, but why not remove as many weak links

as we

       can ? It can only help.

       > Again, my apologies for sounding upfront.

       No need to apologise, just don't be upset if you

get the same back

:)

-- Michael

PS: I realised maybe the title is suggesting something

along the lines of:

"You will be 100% secure if you use this!!!". I, of

course, don't mean to

imply this - sorry if it came across that way.

[1]

http://www.clearswift.com/library/blogs/entry.aspx?ID=39


-----Original Message-----
From: Christopher Canova [mailto:canovac () earthlink net]
Sent: Fri 26/11/2004 7:35 PM
To: Michael Silk; webappsec () securityfocus com
Cc:
Subject: RE: Article - A solution to phishing

This is an interesting read, but, yes, it has already

been thought about. A

few problems with your method:

* The password timeout is too short. Consider that the

default check

frequency for most mail programs is 30 minutes. Of

course, this could be

fixed by making a longer timeout.

* "A little bit of education" is exactly what we need.

If we had a "little

bit of education" to go around, then we would all be

savvy users. You're

assuming that a normal user would be interested in

learning this method...


* Consider that the average time for a user to become

disinterested in the

website they are visiting is measured in seconds or

minutes. If this system

was implemented in a site that provided online

merchandise, this lag would

be unacceptable for most, if not all, merchandisers. If

the users are

waiting around for an email, the chances are

dramatically increased that

they will move to a different site that doesn't have

this method

implemented.

* It is not secure. The email would need to be

encrypted. The encryption

requires another password. All the phisher would have

to do is pose as

someone requiring the password for the encrypted email

as opposed to the

password for the website. Of course, this could cause

the user to become

more suspicious.

* Easier methods for one-time passwords are already

being used, and have

been for some time. For example, I remember at my work

that we had this

program which would generate 5 random words for every

login we attempt. The

program would accept a secret passphrase that only the

user knew and would

only be installed on the local system of the user. It

would generate the

five words and the server would accept that passphrase

only once. Once the

session is ended, that passphrase is no longer

available. This effectively

eliminates the requirement for waiting for an email.

* However, even if you did implement a one time

password policy, so what?

Phishing is a social attack. It's not a passphrase

attack. Phishing doesn't

only gather passphrases, it can gather social security

numbers, credit card

information, birth dates, etc. You're not fixing

anything by implementing a

new, less effective method for password generation.

So you are assuming LOTS of things in your blog, and

the worst assumption

you make is that your system will work. It's got lots

of holes and doesn't

focus on the fact that HUMANS are susceptible to

phishing, not password

systems. I don't mean to sound rude or upfront. I'm

just trying to warn

anyone who may attempt your system that it may fail,

easily.


Phishing cannot be solved. It is an ancient art of

exploiting social order.

One method for minimizing the effects of phishing is

education. Another

would be enforceable punishment for attackers who use

this for committing a

crime. Another way is to develop applications which

take secure transaction

into consideration.

Actually, the fact that you are proposing a "solution"

to this phenomenon

with the implementation of your system is scary to me.

It is a very

narrowly-focused view of security. You need to refocus

on the basics of

information security, I've outlined some of that above.

But the lesson you

should take from this is: social engineering attacks

cannot be solved by a

magic bullet. All a phisher would need to do is find

the weakest link: an

uninformed user (or administrator).

Again, my apologies for sounding upfront. I just want

to show you the

seriousness of making these assumptions. Please feel

free to contact me

directly.

--
Christopher Canova, Student
canovac () earthlink net
http://home.earthlink.net/~canovac

-----Original Message-----
From: Michael Silk [mailto:michaels () phg com au]
Sent: Monday, November 22, 2004 7:41 PM
To: webappsec () securityfocus com
Subject: Article - A solution to phishing

Hi,

   Just a quick little article about a login system

that, should (i think

:)), prevent phishing attempts on your site.





http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm

l

   Have a look at it and let me know what you think ...

and apologies to

anyone if an idea like this is already out there :)

-- Michael




---------------------------------------------------------------------
Web mail provided by NuNet, Inc. The Premier National provider.
http://www.nni.com/
Previous By Date Next
Previous By Thread Next

Current thread: