WebApp Sec mailing list archives

RE: Re: Article - A solution to phishing


From: Leandro Meiners <lmeiners () cybsec com>
Date: Fri, 15 Jul 2005 14:11:20 -0300

simpler yet... send a phishing mail saying that you are updating (due to
security measures) the image presented to the user, and that he should
enter his old username + password to see the new image assigned to him so
he can remember it for his next logon...."to authenticate the site"

think the user won't fall prey? I think it just opens another excuse to
trick the user (aside from the other security problems due to design:
MITM, brute force, etc).

regards,

leandro


On Thu, 2005-07-14 at 11:12 -0500, Simon Zuckerbraun wrote: 
I'd be really cautious about this one (ACUTrust). Two devastating 
attacks occur to me right off the top of my head, and that's not a good 
sign.

DISCLAIMER: Do not take this email as a statement of fact!! I have NOT 
experimented with ACUTrust and I have NO evidence to back up any claims 
that I make here. All I'm doing in this email is raising some concerns 
that occur to me after reading the content on the ACUTrust website.

First, refer to their whitepaper for details of what ACUTrust does: 
http://www.isblanket.com/cinfo/handouts/acutrust-whitepaper.pdf

Attacks as follows:

1. After the encrypted token is downloaded to the client's machine, it 
can be subjected to an offline dictionary attack against the user's 
passphrase. Only the correct passphrase will decrypt the token into a 
recognizable (low-entropy) image, so it is thereby possible for the 
cleartext to be recognized by automated process. (Granted, automatic 
recognition of the characters within the image may be harder, but it's 
not at all necessary for the attack.) An attacker would be able to 
determine a large percentage of users' passphrases in this way, starting 
with only knowledge of the usernames, and there does not seem to be any 
way for the server to defend itself or detect that an attack is underway.

2. The product doesn't seem that it can deliver the benefit it promises. 
The benefit of ACUTrust that the whitepaper cites is that it gives the 
end user a way to authenticate the website before he divulges his 
password. However, in practice, the user does not receive any indication 
of the website's authenticity until the user has already finished typing 
his password! A fraudulent website could simply be programmed to capture 
the characters that the user types in the password box. By the time the 
user realizes that the website is fraudulent (because he doesn't see the 
proper decrypted image), all the damage has already been done.

Plus, I wonder how they plan to guard against MITM (i.e., the fraudulent 
website, wishing to convince the user that it is genuine, could obtain a 
proper encrypted token by submitting the user's username to the genuine 
site. The fraudulent site could then serve up the token itself.) Any 
warning to the user that the token is not coming from the proper site 
would have to be delivered by client-side script/applet, and a 
fraudulent site would just have its own script/applet that bypassed the 
check.

Conclusions:
1. I doubt that ACUTrust can deliver what it promises.
2. Read my disclaimer above.

Simon


I have found a product that looks better than passmark.

It is called ACUTrust (www.acutrust.com) and it uses a visualized
token to authenticate the website.  It does not use cookies and does
not require any client based software.  I also think that this would
help a non-technical person identify the site.
----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners () cybsec com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
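An added illustration of the first concern Simon raises (the token decrypts offline to a recognizable image, so a passphrase guess can be checked without the server ever seeing it). This is example code written for this archive page, not code from the thread or from the ACUTrust product; the cipher is a constructed hash-keystream stand-in for the product's undisclosed one, the PNG header is used as the "recognizability" check, and the word list and image bytes are constructed samples.

```python
import hashlib

# Constructed stand-in for the product's undisclosed cipher: XOR with a
# keystream derived from a plain hash of the passphrase. The weakness shown
# does not depend on the cipher; it depends on the plaintext being
# recognizable, which gives an offline test for each guess.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def keystream(passphrase: str, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = passphrase.encode() + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def encrypt_token(passphrase: str, image: bytes) -> bytes:
    ks = keystream(passphrase, len(image))
    return bytes(a ^ b for a, b in zip(image, ks))


decrypt_token = encrypt_token  # XOR with the same keystream is symmetric


def looks_like_image(data: bytes) -> bool:
    """The recognizability oracle: a real image carries a fixed header, so a
    decryption attempt can be judged by a program rather than by a person."""
    return data.startswith(PNG_MAGIC)


def offline_guess_count(token: bytes, candidates) -> int:
    """Number of candidates tried before one decrypts to image-like data,
    or -1 if none does. Every check is local to whoever holds the token:
    no request reaches the server, so it has nothing to count, throttle
    or log, which is the design problem being discussed."""
    for n, guess in enumerate(candidates, start=1):
        if looks_like_image(decrypt_token(guess, token)):
            return n
    return -1


# Constructed sample data: a fake PNG body and a tiny word list.
SAMPLE_IMAGE = PNG_MAGIC + bytes(range(64))
WORDLIST = ["letmein", "password", "summer2005", "correct horse"]
TOKEN = encrypt_token("summer2005", SAMPLE_IMAGE)
```

Contrast this with a server-side check of the passphrase, where each attempt is a request the site can rate-limit and alert on.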

