[LINK] PayPal to combat phishing with key fobs

Jan Whitaker jwhit at melbpc.org.au
Sun Jan 14 16:14:38 AEDT 2007

At 03:08 PM 14/01/2007, Rick Welykochy wrote:
>My conclusion is that without an independent authentication path (i.e. not
>web based) phishing will continue to be a successful way to divest the
>uninformed consumer of their savings. Give me any web-only authentication
>system and I can show you how a phisher can duplicate that system to fool
>all but the expert user - they just have to clone and corrupt the original
>technology, which is the easy part. Harder is the social engineering. But
>I think they are getting better at it. It's all in the wording they chose.

A few ideas come to mind.

1. There is also the psychology of the consumer with regard to 
interacting with any site. The power relationship lies with the 
'bank', so the individual will? might? look at the situation only 
from their need to convince the remote site they are who they say 
they are as the customer. The thought that the remote site would be 
required to provide the same assurance in reverse is less likely to 
occur to the individual. After all, the individual initiated the 
contact, not the other way around. The customer may also see that 
'power' ratio as a good thing because it would be interpreted as a 
stronger security from other who may wish to 'break into' their account.

2. nonces and key fobs are seen to the general public as another 
'black magic' technology. Wouldn't have a clue how it works. I don't! 
For example, is it necessary for there to be some relationship to 
location for a PayPal fob to work accurately? Are they international 
or only local? Don't bother explaining, I really wouldn't care. The 
'trust the issuer' aspect comes into play. I have one for an old 
Westpac account. I closed that account. Is it of any value any more? 
is it only attached to the account I used to have and for which I 
never used it because it was only required for large dollar amounts?

3. My email program, Eudora, alerts me when I hover on an embedded 
link if the visible URL is different from the underlying URL to which 
the user will be sent. It's interesting how many times the phishing 
emails include legitimate links to things like security and privacy 
areas from the supposed sender, but redirects to sites in the actual 
spoof intention like changing a password or updating details.

4. What is the real value of certificates? I've received several 
alerts where the certificate has expired, do I want to go ahead. I 
generally do because the page I'm going to access is something I 
anticipate to be only flat code, nothing that weird. But in terms of 
this discussion, is there any place for a rigorous implementation of 
third party certification of site identity and security? When I 
started seeing the expiry problem, I figured it may have gone past 
its use date in the security space.


Jan Whitaker
JLWhitaker Associates, Melbourne Victoria
jwhit at janwhitaker.com
business: http://www.janwhitaker.com
personal: http://www.janwhitaker.com/personal/
commentary: http://janwhitaker.com/jansblog/

'Seed planting is often the most important step. Without the seed, 
there is no plant.' - JW, April 2005
_ __________________ _

More information about the Link mailing list