WebApp Sec mailing list archives

Re: Article - A solution to phishing


From: Saqib Ali <docbook.xml () gmail com>
Date: Thu, 14 Jul 2005 11:38:27 -0700

> How is this better than a graphic of a piece of distorted text?

How can a piece of distorted text authenticate a website???

> A non-technical user won't know this ACuTrust thing from an animated GIF.

Actually, an animated GIF will be timing based, and not controlled by
what is entered in the password field, i.e. with an animated GIF the token will
seem to decrypt even if the user types in the wrong passphrase. Which
should make the user a little bit suspicious :)

Acutrust is a great technology for tackling the phishing problem. But
it has the problem of the MIM attack. An attacker can create a webpage
that acts as a proxy between the acutrust-protected site and the user's
desktop. This way the attacker can capture the user's password
without the user knowing. The user will still see the decrypted token
as he/she enters the password. For example, see below:

http://www.xml-dev.com/xml/phishing/acutrust.html 
passphrase: password

Try 'password' as the passphrase, and the token will still decrypt,
and the user cannot tell that they are at a phishing site.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/

