[LINK] PayPal to combat phishing with key fobs

Rick Welykochy rick at praxis.com.au
Sun Jan 14 15:08:01 AEDT 2007

Alan L Tyree wrote:

> What other technical methods might be used to prevent (or at least
> curtail) phishing? Is there some sort of challenge/response approach
> using software supplied by the Banks or other targets? I need to look
> at some positive suggestions for this EFT Code review.

There needs to be an additional form of authentication that has absolutely
nothing to do with the website.

Thus we have ideas like nonce generators which create a unique token that
must be passed back to the server for matching. But what about a phishing
attempt that just asks for a username and password, and offers no nonce
authentication. At most, the hapless user might notice that the server
did not ask for a nonce and think little of it as they provide their
username and password to the phishing site. Another suggestion has been
to send the nonce to a mobile phone, but that process can be mimicked by
a phisher. Yes the phisher has to obtain the mobile phone number, but
that is just an extra step in the phishing process.

One might think that a digital cert would do the trick. But with a phishing
attack, there is no requirement for authentication, and thus the cert
would not even be sent by the browser.

Java apps and applets have been tried, much to the frustration and inconvenience
of customers who might not be running a system that is 100% compatible with
the Java code bein sent out by the back. But a phisher could easily provide
an erzatz java app that mimics the behaviour of the real thing and trick
the user once more.

Phishing is very difficult to curtail with just technology, since it is
a problem rooted in social engineering more than anything else. The user
is fooled into thinking that http://westpac-access-check.com/ is a bonfide
Westpac website. And worse, the email in which the phish is sent shows
a valid Westpac link (as text) but the hidden hyperlink is to a bogus
site. Hapless victims have no idea that they should (a) never click on
links in emails unless they trust them 110% and (b) always verify the
hostname in a URL.

My conclusion is that without an independent authentication path (i.e. not
web based) phishing will continue to be a successful way to divest the
uninformed consumer of their savings. Give me any web-only authentication
system and I can show you how a phisher can duplicate that system to fool
all but the expert user - they just have to clone and corrupt the original
technology, which is the easy part. Harder is the social engineering. But
I think they are getting better at it. It's all in the wording they chose.


P.S. google define:nonce produces: "A randomly chosen value, different from
      previous choices, inserted in a message to protect against replays."

Rick Welykochy || Praxis Services

Almost every man wastes part of his life attempting to display qualities
which he does not possess.
      -- Samuel Johnson

More information about the Link mailing list