26317?-2622
Like I said... Tough legislation and pro-active
prosecution will end
phishing scams, not simply using a new anti-phishing
scheme.
-----Original Message-----
From: Michael Silk [mailto:michaelsilk () gmail com]
Sent: Friday, November 26, 2004 3:23 AM
To: canovac () earthlink net; webappsec () securityfocus com
Subject: RE: Article - A solution to phishing
Hi Christopher,
Thanks for your feedback, let me address it.
First let me say that many people have raised
the issue (privately) of unecrypted emails not
being good enough - and they have a point. So
from now onwards let us assume that public
key/private key exchange system is used to
communicate the emails such that:
The user either provides their own public key
to the site ("Test-Bank") or is given one upon
registration.
Hence, emails between Test-Bank and Jones are
encrypted and cannot be decrypted until Jones
either:
a) Types in pass-phrase _TO THE EMAIL
CLIENT_.
b) Connects USB device holding private
key
to computer.
c) Something else you can dream up
involving
smart-cards.
The point is that the email is encrypted and can
only be decrypted until such time as Jones and
his password holding device (possibly his head)
are at the computer.
Let's now address your points.
> * The password timeout is too short. Consider
> that the default check frequency for most mail
> programs is 30 minutes. Of course, this could
be
> fixed by making a longer timeout.
Timeout isn't required anymore (or at least
isn't
required to be short - can be 1 day or more)
because
email interception has become useless.
> * "A little bit of education" is exactly what
> we need. If we had a "little bit of education"
> to go around, then we would all be savvy
users.
> You're assuming that a normal user would be
> interested in learning this method...
It is a simple method for them to adopt as
opposed
to reading warnings from Internet Explorer and
being
allowed to continue anyway ... or looking for a
padlock,
or looking at the address bar. In this case they
have
no choice but to accept the system, they cannot
-
without great and thought-out effort - pass the
password
to someone else before they use it.
> * Consider that the average time for a user to
> become disinterested in the website they are
> visiting is measured in seconds or minutes. If
> this system was implemented in a site that
provided
> online merchandise, this lag would be
unacceptable
> for most, if not all, merchandisers. If the
users
> are waiting around for an email, the chances
are
> dramatically increased that they will move to
a
> different site that doesn't have this method
> implemented.
The solution isn't appropriate for every site
out there.
A merchandiser wasn't my target. But you are
correct,
it is more bulky then a common login screen.
> * It is not secure. The email would need to be
> encrypted. The encryption requires another
password.
> All the phisher would have to do is pose as
someone
> requiring the password for the encrypted email
as
> opposed to the password for the website. Of
course,
> this could cause the user to become
> more suspicious.
The email is encrypted now. The phisher would
not
have the possibility to ask for the password as
the
user does not enter the password onto any
website
when they use it. It is used fully within their
email
client, or, ideally - it is used without them
even
being really aware, via usb or palm pilot or, as
Pete Simpson mention [1] mobile phone.
> * Easier methods for one-time passwords are
already
> being used, and have been for some time. For
example,
> I remember at my work that we had this program
which
> would generate 5 random words for every login
we attempt.
> The program would accept a secret passphrase
that only
> the user knew and would only be installed on
the
> local system of the user. It would generate
the five
> words and the server would accept that
passphrase only
> once. Once the session is ended, that
passphrase is no
> longer available. This effectively eliminates
the
> requirement for waiting for an email.
I don't quite understand this description.
Are you saying the user has a passphrase which
they enter
into a program installed on their local system
which would
then generate 5 "random" words ?
It sounds a little different to the common web
login
scenario. Can you explain more ?
Could the user be tricked into typing his/her
password
somewhere other then the secure site ? It sounds
like it
- unless the program installed on the client
computer
performs the login function.
If it does, then it sounds almost identical to
my system
except that instead of requiring a tool
installed on the
clients computer we make use of their email
system.
How does your communicate to the server to get
the 5 random
words ? Or are the words generated on the basis
of some
algorithm which the server decodes to realise
that it is a
certain user ?
> * However, even if you did implement a one
time
> password policy, so what? Phishing is a social
attack.
> It's not a passphrase attack.
Well actually it is. All phishing attemts I've
seen, lately,
try and grab your password. Perhaps there are
others that
try and grab other information but that is not
to say that
password-gathering "fake" websites don't exist -
they do, and
they are an issue. This system attempts to
address that.
> Phishing doesn't
> only gather passphrases, it can gather social
security
> numbers, credit card information, birth dates,
etc. You're
> not fixing anything by implementing a new,
less effective
> method for password generation.
We're fixing the fact that the user now has no,
greatly
useful, information to give away to the phisher
- hence the
phisher has nothing to phish for. No phish.
> So you are assuming LOTS of things in your
blog, and the
> worst assumption you make is that your system
will work.
> It's got lots of holes and doesn't focus on
the fact that
> HUMANS are susceptible to phishing,
Actually it does. Like I mentioned ahove the
goal of the
article was to take away from the user any
information
they could provide to the phisher (accidently).
And we have
done that.
> Actually, the fact that you are proposing a
"solution"
> to this phenomenon with the implementation of
your system
> is scary to me. It is a very narrowly-focused
view of security.
I don't see how I am being narrowly focused.
> You need to refocus on the basics of
> information security, I've outlined some of
that above.
> But the lesson you should take from this is:
social
> engineering attacks cannot be solved by a
magic bullet.
Quite frankly I think if we can take away the
sensitive
information that a user can give to a phisher
phishing has
been solved. Of course, in practical terms the
user is going
to need to know something the phisher doesn't
and hence has
the ability to give this information away. But
if we
reduce/remove the information _inside the
phishers domain
(i.e: the web)_ then they can't get at it.
For example: It is far less likely for me to
type my NT
password into a website then it is for me to
type my Hotmail
password into one.
> All a phisher would need to do is find the
weakest link: an
> uninformed user (or administrator).
Well sure, but why not remove as many weak links
as we
can ? It can only help.
> Again, my apologies for sounding upfront.
No need to apologise, just don't be upset if you
get the same back
:)
-- Michael
PS: I realised maybe the title is suggesting something
along the lines of:
"You will be 100% secure if you use this!!!". I, of
course, don't mean to
imply this - sorry if it came across that way.
[1]
http://www.clearswift.com/library/blogs/entry.aspx?ID=39
-----Original Message-----
From: Christopher Canova [mailto:canovac () earthlink net]
Sent: Fri 26/11/2004 7:35 PM
To: Michael Silk; webappsec () securityfocus com
Cc:
Subject: RE: Article - A solution to phishing
This is an interesting read, but, yes, it has already
been thought about. A
few problems with your method:
* The password timeout is too short. Consider that the
default check
frequency for most mail programs is 30 minutes. Of
course, this could be
fixed by making a longer timeout.
* "A little bit of education" is exactly what we need.
If we had a "little
bit of education" to go around, then we would all be
savvy users. You're
assuming that a normal user would be interested in
learning this method...
* Consider that the average time for a user to become
disinterested in the
website they are visiting is measured in seconds or
minutes. If this system
was implemented in a site that provided online
merchandise, this lag would
be unacceptable for most, if not all, merchandisers. If
the users are
waiting around for an email, the chances are
dramatically increased that
they will move to a different site that doesn't have
this method
implemented.
* It is not secure. The email would need to be
encrypted. The encryption
requires another password. All the phisher would have
to do is pose as
someone requiring the password for the encrypted email
as opposed to the
password for the website. Of course, this could cause
the user to become
more suspicious.
* Easier methods for one-time passwords are already
being used, and have
been for some time. For example, I remember at my work
that we had this
program which would generate 5 random words for every
login we attempt. The
program would accept a secret passphrase that only the
user knew and would
only be installed on the local system of the user. It
would generate the
five words and the server would accept that passphrase
only once. Once the
session is ended, that passphrase is no longer
available. This effectively
eliminates the requirement for waiting for an email.
* However, even if you did implement a one time
password policy, so what?
Phishing is a social attack. It's not a passphrase
attack. Phishing doesn't
only gather passphrases, it can gather social security
numbers, credit card
information, birth dates, etc. You're not fixing
anything by implementing a
new, less effective method for password generation.
So you are assuming LOTS of things in your blog, and
the worst assumption
you make is that your system will work. It's got lots
of holes and doesn't
focus on the fact that HUMANS are susceptible to
phishing, not password
systems. I don't mean to sound rude or upfront. I'm
just trying to warn
anyone who may attempt your system that it may fail,
easily.
Phishing cannot be solved. It is an ancient art of
exploiting social order.
One method for minimizing the effects of phishing is
education. Another
would be enforceable punishment for attackers who use
this for committing a
crime. Another way is to develop applications which
take secure transaction
into consideration.
Actually, the fact that you are proposing a "solution"
to this phenomenon
with the implementation of your system is scary to me.
It is a very
narrowly-focused view of security. You need to refocus
on the basics of
information security, I've outlined some of that above.
But the lesson you
should take from this is: social engineering attacks
cannot be solved by a
magic bullet. All a phisher would need to do is find
the weakest link: an
uninformed user (or administrator).
Again, my apologies for sounding upfront. I just want
to show you the
seriousness of making these assumptions. Please feel
free to contact me
directly.
--
Christopher Canova, Student
canovac () earthlink net
http://home.earthlink.net/~canovac
-----Original Message-----
From: Michael Silk [mailto:michaels () phg com au]
Sent: Monday, November 22, 2004 7:41 PM
To: webappsec () securityfocus com
Subject: Article - A solution to phishing
Hi,
Just a quick little article about a login system
that, should (i think
:)), prevent phishing attempts on your site.
Intro
