35 Comments
- inactive, on 10/12/2007, -1/+9
Clearly, it's time for the online security experts to have the "Revelation" that we need to move to THREE-factor authentication: a code from the keyfob, a user's password, and a universal mark on the forehead and/or hand, without which one may not buy or sell.
- flaws, on 10/12/2007, -0/+7
You obviously don't get many phishing emails. The typos are the early days; they have evolved and are extremely successful.
- saqib, on 10/12/2007, -0/+6
TPM is the missing piece.
I know I will get flamed by privacy advocates for this, but it is the truth.
The reason that this attack was possible is that user authentication is in place, but no machine authentication.
BofA uses Passmark (see http://www.bankofamerica.com/privacy/passmark/). The security concerns of Passmark were discussed on Full Disclosure, see:
http://seclists.org/lists/fulldisclosure/2005/May/0629.html
Passmark technology tries to solve the machine authentication problem using encrypted cookies. The idea looks good, but I don't know how safe it is.
I would personally wait till Passmark and similar technologies utilize TPM (Trusted Platform Module) to perform a mutual authentication before I can consider replacing physical hardware tokens with Passmark.
A TPM does NOT replace a USB cryptographic key device / token. They complement each other.
"A USB token/smart card authenticates the user whereas a TPM authenticates a machine".
I guess use of "passmark 2FactorAuth" versus "TPM 2FactorAuth" will depend on the security needs of the system...
- jmichaelg, on 10/12/2007, -0/+4
This attack doesn't need TPM to be defeated.
The attack can be defeated by people paying attention. The phishing attacks I've seen have had at least three warning flags attached:
1) I didn't expect the bank to contact me by email about a security breach. The bank would have phoned.
2) My email client (Eudora) raises a warning saying the URL is suspicious. Usually the message is something like "This URL appears to be from Citibank but actually goes to another site."
3) The front part of the URL is always wrong.
Teach folks what to watch for and to think - just a little bit, we're not talking relativity here - and they'll be fine. Better we use education than TPM, if for no other reason than that there will be times that you need the liberty to speak anonymously, and TPM will defeat that possibility.
- diggingaway, on 10/12/2007, -0/+3
If you're stupid enough to fall victim to these things then you didn't deserve your money in the first place. Hell, if you weren't phished you'd probably manage to lose it some other way. So how about the banks stop pampering these people, and next time a customer gives up his login info it's on the customer - haven't the banks been educating people about phishing long enough for them to get it?
I'm personally sick of people going on about this, not to even mention implementing technology like TPM just because some people didn't heed the warnings or were just plain stupid.
Plain and simple: if you're dumb enough to get phished then you had it coming.
Now, let's have them thumbs down...
- flaws, on 10/12/2007, -0/+3
The issue today with Passmark and secure tokens is botnets. They can session-ride this activity trivially and distribute mass IPs against the system.
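The warning jmichaelg describes his mail client raising ("this URL appears to be from X but actually goes to another site") is a mechanical check that can be written down. The following is an added example, not code from the thread, from Eudora or from any bank: it parses the links in an e-mail body and reports the ones whose real destination host is not the bank's. The sample e-mail and the `bank.example` domain are constructed placeholders; the three trick patterns it catches (anchor text showing a trusted URL over an untrusted link, a `user@host` prefix that makes the real host look like the bank, and a raw IP address) are the ones commonly seen in such mails, not specific to any case on this page.

```python
"""Flag e-mail links whose real destination does not match what they claim.

Added example (not from the Digg thread or any product mentioned in it).
It does what jmichaelg describes Eudora doing: compare the host a link
appears to go to with the host it actually goes to. The e-mail below is
constructed; 'bank.example' stands in for the institution's real domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed sample message with one genuine link and two phishing-style links.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please <a href="https://online.bank.example/login">log in</a>
to review your statement.</p>
<p>Security alert: verify your account at
<a href="http://bank.example.verify-login.example/acct">https://www.bank.example/secure</a></p>
<p>Or use <a href="https://www.bank.example@203.0.113.7/">this link</a>.</p>
</body></html>"""

TRUSTED = ("bank.example",)  # placeholder for the bank's real domain(s)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def real_host(url):
    """Host the URL actually connects to, lowercased ('' if none).

    urlsplit().hostname drops any 'user@' prefix, which is why
    'https://www.bank.example@203.0.113.7/' really goes to 203.0.113.7.
    """
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def host_is_trusted(host, trusted_domains):
    """True if host equals a trusted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def suspicious_links(html, trusted_domains):
    """Return (href, reason) for every link that should not be followed."""
    findings = []
    for href, text in extract_links(html):
        host = real_host(href)
        if not host:
            continue  # relative or mailto: links are not what we are checking
        reason = None
        try:
            ipaddress.ip_address(host)
            reason = "link goes to a raw IP address"
        except ValueError:
            pass
        if reason is None and "@" in urlsplit(href).netloc:
            reason = "credentials-in-URL trick: real host is %s" % host
        if reason is None and not host_is_trusted(host, trusted_domains):
            # Visible text that looks like a trusted URL is the classic
            # "appears to be from X but actually goes to Y" case.
            shown = real_host(text) if "://" in text else ""
            if shown and host_is_trusted(shown, trusted_domains):
                reason = "text shows %s but link goes to %s" % (shown, host)
            else:
                reason = "link host %s is not a trusted domain" % host
        if reason:
            findings.append((href, reason))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(reason, "->", href)
```

Run on the sample, it passes the genuine `online.bank.example` link and reports the other two. The subdomain test deliberately requires a leading dot, so `bank.example.verify-login.example` is not mistaken for a subdomain of `bank.example`; that is the "front part of the URL" jmichaelg's third flag refers to.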
- inactive, on 10/12/2007, -2/+4
2-factor does nothing if people are stupid enough to put in their two passwords... ffs, if you give them the passwords of course they will take your money.
These emails will stop when people stop being stupid enough to think banks will email you asking you to log in.
We could probably DoS these websites easily, just auto submit/fill their forms with random junk so the phishers have 100000000 fake accounts to try. It'll most likely prevent them ever getting a real one. The irony of fighting spam with spam.
- rkuchiki, on 10/12/2007, -0/+2
The problem with the 'man-in-the-middle' proxy is that it would be pretty hard to defeat it. For all the banking machine knows, you are just at a terminal in Russia logging in. The only thing I can think of off the top of my head to prevent this kind of crap, aside from *proper education of users*, would be an IP white list configurable from your account.
Thus if you accidentally hit a phishing site, the proxy would not be in the white list. Then again, anyone smart enough to set up a white list would also be smart enough to not fall for a phishing site.
- bsoric, on 10/12/2007, -2/+4
Phishers, from what I can tell, are idiots. The only phishing email I have received had typos and an obviously fake URL.
- pkkid, on 10/12/2007, -0/+2
Easiest solution when logging into your bank:
NEVER click on links to your bank or any online store.
ALWAYS type in the URL yourself.
- sh0gun, on 10/12/2007, -0/+2
Yes, people are dumb, but it's also the responsibility of sites like Citibank to ensure their pages (especially their token-ID entry pages) aren't susceptible to cross-site scripting flaws, which make it trivial for phishers to set up legitimate-looking sites, like this one.
- stesun, on 10/12/2007, -0/+2
How hard is it to also add challenge-response authentication when the user makes a transfer, rendering all these attacks useless?
- br0ck, on 10/12/2007, -0/+2
I don't see how the picture adds any protection against this attack. The attacking site asks for your name and password, which they submit to the bank. The bank sends them the picture and the attacker simply displays to you the picture that the bank sent them. You then enter the keyfob code and now the attacker can use that to access the account.
- itanshi, on 10/12/2007, -0/+2
I think I read a post like yours a few times. Yes, people are stupid, but some of the phishing is quality work. It's illegal and should be attacked.
I'm more worried about data leaks and companies selling my identification than phishing, but action needs to be done on all 3 regardless of how much you feel it's only the stupidity that matters.
- Bradl3y, on 10/12/2007, -0/+2
Most phishing emails I have received here at our eBay-based company our spam filter picks up. They look and appear to be from PayPal, but the headers usually tell a different story and are easily detected by our blockers.
- PrplHaze, on 10/12/2007, -0/+1
I agree, it all comes down to the primary login rule number 1 - don't log in upon request. And if you do, make sure you go type in the freakin' URL or use your own bookmark, not any link in an e-mail. If people only remembered that, one password would work.
I've noticed that PayPal no longer even puts a hyperlink in their legitimate e-mails. They just tell you to go log in if you want to see your statement etc... I think that is smart. Then the e-mails with links will start to look out of place, because they are.
- doublebackslash, on 10/12/2007, -0/+1
Three factor might not be as far fetched as the original poster thinks.
The third factor is a server confirmation.
You put in the user name/password and then the server displays a picture, one that you uploaded when you created your online account. If the picture matches the one you sent THEN it is safe to put in the code from the key fob. ING Direct (apparently) has this in the works right now.
- stupidStan, on 10/12/2007, -1/+2
I disagree, flaws, simply do not follow links out of your email... problem solved.
- natas06, on 10/12/2007, -2/+3
Phishers' attack sophistication is about to go through the roof...
- siobudcire, on 10/12/2007, -0/+1
Although I do most of my banking online, my bank doesn't have my email address. Any email received claiming to be from my bank is therefore a phishing email.
- djsnipa1, on 10/12/2007, -0/+1
I get a lot of them and I live in front of a computer. A few years ago they even almost fooled me. I can see how people who don't spend a lot of time "online" could easily get confused.
- DigitAl56K, on 10/12/2007, -0/+1
How does TPM buy you anything that a USB crypto key doesn't? They are both cryptographic hardware sitting wherever the user is sitting, and the attack is still on the network between the user's computer and the bank, so although you've added another security factor by adding TPM you haven't actually brought anything new to the table with it.
Sure, now the computer the user logged in with can be identified, but even beforehand that was not the point. The point is that after authentication is complete the session is hijacked.
- TrinitronX, on 01/21/2008, -0/+1
Quite true. Too bad there's no patch for a PEBKAC.
- gorkish, on 10/12/2007, -0/+1
The real missing piece of the puzzle is that the end users do not have their own public keys. This is one-ended authentication. You have to authenticate to the bank but the bank does not have to authenticate to you. Web browsers support browser certificates, but who uses them? Obviously not banks.
What's worse is that they come up with all these ridiculous methods like "We will show you a picture that only YOU have provided!" or some other ***** that will cave in under a MiM attack. Too much focus is being put on making sure the customer is talking to the bank when all that you have to do is put some responsibility on the bank to make sure they are talking to the customer...
- edwardfrench, on 10/12/2007, -0/+1
I don't get too many attacks where they ask me to "log in to my bank" now; it's usually much more circumspect. The recent one I received purported to be a mail message through the eBay system complaining about my behaviour on eBay. I was indignant and very nearly clicked the link to email back that there was a mix-up and it wasn't my eBay ID that was causing the problems, when I checked the underlying URL and realised it was a phishing attempt.
This kind of creativity by the newer generation of phishing attacks goes directly for the weakest (human) link, and often seems to get through spam filters.
- AZNL473ncy, on 10/12/2007, -0/+0
There is no patch for human stupidity...
What we need to do is educate people; then phishers and pharmers can't steal money. They have to get more sophisticated.
The bank is the one that needs to make sure it's talking to the customer; anyone can say that they're the customer.
Some of the best can get tricked into getting phished, but it's much the same as viruses: you have to be wary of anything.
- chetanw, on 10/12/2007, -1/+1
So much for security...
- CardCracker, on 06/29/2008, -0/+0
The solution to the greatest problem may be very simple, perhaps if we focus on the origin of the entire financial system that is too dependent on numbers, i.e. credit/debit card numbers. Instead of focusing on the numbers we are focusing on the means of securing the commuting and storing processes of these numbers. I guess it is time to play with numbers :)
- again, on 10/12/2007, -0/+0
There are three parts to the solution to this problem. The first is the existence of the SSL protocol, which allows the authentication of remote hosts. This is the part of the solution that we already have. The second part is that we have to get the implementation of SSL correct, both in terms of the browser interface (to make it as absolutely easy as possible for people to follow very simple and clear rules to work out whether or not they are dealing with a site they can trust) and in terms of the PKI infrastructure (to reduce as much as possible the opportunity for failure in this area). I think a lot of the elements of this part of the solution are already in place and there is work progressing on the others -- ultimately perhaps the thing which will slow this down the most is the deployment of browsers which implement these sorts of things and getting these out to enough people to actually make a difference. The third part of the solution is user education, specifically getting them to know how to interact with the browser in a reliable way and also to be able to verify the identity of the site they're dealing with by doing things such as checking the name of the site on the certificate. Of course, this third part of the solution has proven to be the most difficult, but ultimately if people continue to lose money then perhaps they will eventually have enough incentive to take sufficient care!
- nowen, on 10/12/2007, -0/+0
Phishing attacks can be broken down for analysis: stolen credentials, MITM & session hijackers. To thwart these categories you need strong session authentication, host/mutual authentication and transaction authentication. You may not need all three, but you can start to analyze the attacks likely against your app and deploy accordingly. Host/mutual authentication, properly done, will prevent MITM attacks, which are 99% of phishing attacks today.
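stesun asks why the bank does not add a challenge-response step on the transfer itself, br0ck explains why a relayed keyfob code (picture or no picture) lets the relaying site act on the account, and nowen separates "session authentication" from "transaction authentication". The model below is an added example, not code from the thread or from any bank or token vendor, that shows the difference from the bank's side: a keyfob code computed over a counter is accepted for whatever transfer arrives with it, whereas a code the token computes over the destination and amount the user keyed in verifies only for that transfer. The token is modelled as HMAC-SHA256 over a constructed seed (real tokens use other algorithms, but the binding argument is identical); the seed, account names and amounts are all constructed values.

```python
"""Why a relayed keyfob code authorises anything, and how binding the code
to the transaction stops that.

Added example, not code from the Digg thread, any bank, or any token
vendor. A keyfob is modelled as HMAC-SHA256 over a per-device seed
(constructed value below); real tokens use other algorithms, but the
binding argument is the same. Amounts are in cents.
"""
import hashlib
import hmac
import secrets

# Constructed per-customer seed; a real one is provisioned inside the token.
TOKEN_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
OTP_DIGITS = 6

# Constructed transfers: what the user meant, and what something sitting
# between the user and the bank might submit in its place.
USER_TRANSFER = {"dest": "user-savings", "amount": 5000}
MULE_TRANSFER = {"dest": "mule-account", "amount": 950000}


def _truncate(mac):
    """Turn a MAC into the short decimal code a token would display."""
    return "%0*d" % (OTP_DIGITS, int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS)


def session_otp(seed, counter):
    """Classic keyfob code: depends only on the seed and an event counter,
    so it says nothing about what the holder intends to do with it."""
    return _truncate(hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(seed, challenge, dest_account, amount_cents):
    """Transaction-bound code (what you see is what you sign).

    The user keys destination and amount into the token itself, independent
    of the browser, so the code is valid for that exact transfer only."""
    msg = b"|".join([challenge, dest_account.encode(), str(amount_cents).encode()])
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


class Bank:
    """Minimal server-side verifier for both schemes."""

    def __init__(self, seed):
        self.seed = seed
        self.counter = 0
        self.challenge = None

    def verify_session_otp(self, otp, transfer):
        # The bank only learns that someone holding a fresh code asked for
        # 'transfer'; it cannot tell whether the customer meant this one.
        ok = hmac.compare_digest(otp, session_otp(self.seed, self.counter))
        if ok:
            self.counter += 1
        return ok

    def issue_challenge(self):
        """Fresh nonce so a code cannot be replayed for a later transfer."""
        self.challenge = secrets.token_bytes(8)
        return self.challenge

    def verify_transaction(self, code, transfer):
        """Recompute the code over the transfer actually submitted."""
        if self.challenge is None:
            return False
        expected = transaction_code(self.seed, self.challenge,
                                    transfer["dest"], transfer["amount"])
        self.challenge = None  # single use
        return hmac.compare_digest(code, expected)


def run_session_scheme(user_intent, submitted):
    """User reads a keyfob code meaning to authorise 'user_intent'; the bank
    receives that code alongside 'submitted' (the same transfer when nothing
    sits in between). Returns whether the bank accepted 'submitted'."""
    bank = Bank(TOKEN_SEED)
    otp = session_otp(TOKEN_SEED, bank.counter)
    return bank.verify_session_otp(otp, submitted)


def run_transaction_scheme(user_intent, submitted):
    """Same flow with a transaction-bound code computed from 'user_intent'."""
    bank = Bank(TOKEN_SEED)
    challenge = bank.issue_challenge()
    code = transaction_code(TOKEN_SEED, challenge,
                            user_intent["dest"], user_intent["amount"])
    return bank.verify_transaction(code, submitted)


if __name__ == "__main__":
    print("session OTP, altered transfer accepted:",
          run_session_scheme(USER_TRANSFER, MULE_TRANSFER))
    print("transaction code, altered transfer accepted:",
          run_transaction_scheme(USER_TRANSFER, MULE_TRANSFER))
```

The honest path succeeds under both schemes; only the altered transfer is rejected, and only by the transaction-bound scheme. The binding is only as good as the channel the user reads the details from: if the destination and amount shown to the user come from the same browser session the relay controls, the user can be shown one transfer while keying in another, which is why the token itself (or an independent channel) has to present or accept those details.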
- francyci, on 10/12/2007, -0/+0
Of course you need to actually make damn sure you don't make any typos when you are entering the URL. Or else you may just be giving your username/password to a typosquatter.
I almost wonder if there should be another DNS TLD with a much higher cost, stricter guidelines, and a requirement for SSL only. This TLD would be used only for financial institutions...
- NeilSkoglund, on 10/12/2007, -4/+2
Why not just get a spam blocker?