[LINK] Phishing past two-factor authentication

Rick Welykochy rick at praxis.com.au
Fri Apr 20 12:03:41 AEST 2007


Richard Chirgwin wrote:

> If a two-factor method is insufficient to protect (stupid) customers, 
> then I guess it's quite unreasonable for any bank to "blame the customer".
> 
> http://www.theregister.co.uk/2007/04/19/phishing_evades_two-factor_authentication/ 

This is a blithe statement:

"Safe usage of home and office computers is an essential requirement for secure
  online banking, and we plan to remind our clients even more frequently and urgently
  than before of that fact."

Especially in light of this one:

"Hackers sent the customers emails falsely claiming to be from ABN Amro. If
  recipients opened an attachment, software was installed on their machines
  without their knowledge."

Anyone see a contradiction here? "Without their knowledge" implies that the
customers could be operating their systems as safely as their operating system
allows. That's all. They couldn't do any better.

The article also fails to address one important issue: which operating system
would allow software to be installed just by clicking on an email? We all
know this is only possible on Windows, but shouldn't the public be made aware
of this fact?

"Security experts have warned that such "man in the middle" attacks cannot be
  prevented by security tokens."

Aha! The dreaded man in the middle attack ... the software likely inserts itself
into the SSL TCP stream and intercepts all encrypted traffic, certs and handshaking.

I don't think these so-called "security experts" have done their research. It
took me 30 seconds to find these two references. Work *has been* done on secure
protocols that prevent both passive (eavesdropping) and active (interceptive)
man in the middle attacks, e.g. [both are links to PDF files]

http://www.cs.ucla.edu/~rafail/STUDENTS/katz-thesis.pdf
A Ph.D. thesis entitled "Efficient Cryptographic Protocols Preventing
'Man-in-the-Middle' Attacks"

http://www.dsssasia.com/htmdocs/company/news_events/Phishing_redefined_-_Preventing_Man-in-the-Middle_Attacks.pdf
*OR*
http://preview.tinyurl.com/2j3l7o

Bland usage of web-based SSL is prone to these attacks. More sophisticated
security protocols are required. Would it be onerous for banks and other orgs
requiring security to download and use a specially crafted browser that
implements more secure connection software to ensure customer safety?
The browser would only have to be implemented on Windows, Mac OS X and
Unix to cover 99.99999% of all possible users (or is that 100% now?)

Seems there is an emerging market for a super-secure web server (SSApache?)
and super-secure client (SSFireFox?) that eschews traditional HTTPS and
implements the securer protocols that have already been designed and
tested.


cheers
rickw

-- 
_________________________________
Rick Welykochy || Praxis Services

The Bible teaches how to go to heaven, not how the heavens go.
      -- Galileo
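The point in the post that a security token cannot stop an in-path "man in the middle" is easiest to see in a small simulation. The following is an added example, not code from the post or from any bank or vendor it mentions. It assumes a simplified HOTP-style event counter shared between a hypothetical token and a hypothetical bank (names `Bank`, `otp`, `transaction_code` and the seed are all constructed). It shows why a code that only proves possession of the token can be forwarded unchanged while the transaction behind it is altered, and why a code that is computed over the destination and amount the customer actually reads off the token (transaction signing, one of the "more sophisticated security protocols" the post calls for) is rejected when the proxy changes either value.

```python
import hmac
import hashlib

# Constructed toy seed; a real token is provisioned with a per-customer secret by the bank.
TOKEN_SEED = b"constructed-token-seed"

def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code, the way event-based tokens display it."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def otp(seed: bytes, counter: int) -> str:
    """Possession-only code (HOTP-like, simplified): depends on the seed and counter alone,
    so it is valid for whatever transaction reaches the bank alongside it."""
    return _six_digits(hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest())

def transaction_code(seed: bytes, counter: int, dest: str, amount: int) -> str:
    """Transaction-bound code: the token's MAC covers the destination and amount the
    customer keyed in, so it is valid for that transaction only."""
    msg = counter.to_bytes(8, "big") + f"{dest}|{amount}".encode()
    return _six_digits(hmac.new(seed, msg, hashlib.sha256).digest())

class Bank:
    """Hypothetical bank back end: tracks the token counter and a ledger of accepted transfers."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0
        self.ledger = []

    def transfer_with_otp(self, dest: str, amount: int, code: str) -> bool:
        ok = hmac.compare_digest(code, otp(self.seed, self.counter))
        self.counter += 1          # a code is consumed whether or not it verified
        if ok:
            self.ledger.append((dest, amount))
        return ok

    def transfer_with_tx_code(self, dest: str, amount: int, code: str) -> bool:
        ok = hmac.compare_digest(code, transaction_code(self.seed, self.counter, dest, amount))
        self.counter += 1
        if ok:
            self.ledger.append((dest, amount))
        return ok

INTENDED = ("ALICE", 100)       # what the customer meant to send
SUBSTITUTED = ("MULE", 9000)    # what an in-path proxy forwards instead (constructed values)

def relay_scenario(bind_to_transaction: bool):
    """The customer produces a code for INTENDED; the proxy forwards that code unchanged but
    replaces the transaction with SUBSTITUTED. Returns (accepted_by_bank, ledger)."""
    bank = Bank(TOKEN_SEED)
    if bind_to_transaction:
        code = transaction_code(TOKEN_SEED, bank.counter, *INTENDED)
        accepted = bank.transfer_with_tx_code(*SUBSTITUTED, code)
    else:
        code = otp(TOKEN_SEED, bank.counter)
        accepted = bank.transfer_with_otp(*SUBSTITUTED, code)
    return accepted, bank.ledger

def honest_scenario():
    """No proxy: the transaction-bound code for INTENDED reaches the bank with INTENDED intact."""
    bank = Bank(TOKEN_SEED)
    code = transaction_code(TOKEN_SEED, bank.counter, *INTENDED)
    return bank.transfer_with_tx_code(*INTENDED, code), bank.ledger

if __name__ == "__main__":
    print("possession-only code, altered transfer:", relay_scenario(False))
    print("transaction-bound code, altered transfer:", relay_scenario(True))
    print("transaction-bound code, honest transfer:", honest_scenario())
```

The detection angle for the bank is the second case: a well-formed code that fails to verify against the submitted destination and amount is exactly the signature of a session whose contents were changed in transit, which is worth alerting on rather than treating as a mistyped code. The scheme only helps if the token shows the customer the destination and amount it is signing, since that display is what the proxy cannot rewrite.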
