RE: Proposal to anti-phishing

[Sam Koh <kohgimleng () yahoo com>]

The scheme described by Frank is more of MACing
instead of OTP, meaning its uses the unique secret key
to perform the MAC (message authentication code)
against the field entered by the token holder. Not all
tokens is able to do this....at least I know RSA
SecureID is not able to do this. So the problem
describe by Lyal is still applicable if OTP token
(other than those from Vasco) is only use for user
authentication.


Regards
Sam


--- Frank Knobbe <frank () knobbe us> wrote:

> On Sun, 2005-01-16 at 17:38 +1100, Lyal Collins
> wrote:
> > To eapnd on this, there is nothing the stop the
> phisher capturing the entire
> > session (i.e MITM tunneling), even using a valid
> OTP token to logon, and
> > even a second OTP token to 'authenticate' a
> transaciton.
> > With tunneling the entire session, the attacker
> can easily present the user
> > with screens saying "transfer $200 to mum" while
> telling the banking site to
> > 'transfer $1000 to joe () hacking site.somewhere"
>
> Not quite correct. Obviously you haven't used these
> token schemes.
>
> Most transactions that are authenticated/confirmed
> by tokens do include
> the values themselves. For example:
> Src Acct: 123-456
> Dst Acct: 333-222
> Amount: $1,000,000
> AuthCode: (to be entered by user from token)
>
> The user receives/enters the values above, enters
> these into his token
> which will present a unique value (auth code) tied
> to his token, but
> also to the values. That means if a MITM hacker
> changes an account
> number or other value, the authentication code would
> different. Since
> the attacker does not have access to the users
> token, he can not
> generate a correct authentication code, and thus the
> transaction is
> invalid.
>
> Vasco's tokens are widely used amongst the financial
> industry (perhaps
> more so in Europe then the US). Back in the mid-late
> nineties when I
> worked with these tokens, they had a nice demo on
> their website that
> would explain/test the process. It could be used
> with their physical
> demo tokens, or the virtual token online. If you
> like further info on
> this process and a demo, see their web page. Maybe
> the demo is still
> online.
>
>
> In summary: Tokens don't just authenticate the user
> or the session, they
> are also used to authenticate *transactions*, which
> is exactly how MITM
> attacks are defeated. An attacker intercepting the
> transaction can not
> change values without invalidating the
> authentication code.
>
> Regards,
> Frank

> ATTACHMENT part 2 application/pgp-signature
name=signature.asc




                
__________________________________ 
Do you Yahoo!? 
Read only the mail you want - Yahoo! Mail SpamGuard. 
http://promotions.yahoo.com/new_mail