Tomasz Torcz wrote:
> I meant push notification, when the message is sent through secure channel
> to your smart phone and you get popup asking for authorization.

The Swedish BankID cartel did that in their proprietary app, and thus enabled an outbreak of fraud. Here's how it works:

1: The fraudster calls the victim, posing as the bank or some authority figure, and tells some confidence-inspiring lies. Then the fraudster says that they need to ascertain the victim's identity.
2: The fraudster initiates a login to the victim's bank account.
3: The bank sends an authentication request to the victim's BankID app. A popup is displayed on the victim's smartphone.
4: The victim is expecting an authentication request from the person they're talking to, and sees a request that seems to match, so they grant the request.
5: The bank receives a correct authentication response. The fraudster is now logged in to the victim's account.

The design flaw is that the authentication happens in a side channel, separate from the login session. The bank doesn't know whether the remote ends of the two channels are in the same place. Correct design is to do the authentication in the login session itself.

For a workaround one can tie the two channels together somehow, and that's how the Swedish banks patched the flaw. They now display a QR code on the login page that the user must photograph with their smartphone, thereby tying the authentication channel to the login session. I hear the QR code is optional for websites, so anything that uses BankID authentication and doesn't use the QR code is still vulnerable.

Now, if the side channel is only used as a second authentication, and the first authentication, with the passphrase, is done in the login session, then successful attacks will be less frequent, because then the attacker first needs the victim's passphrase. Side-channel authentication is a design flaw none the less. There's no point to having a second factor if it's so weak that the security depends mostly on the first factor.

Björn Persson
Attachment: pgpiqA81JWK_C.pgp (OpenPGP digital signature)
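The two designs the message contrasts, as an added illustration that is not part of the original thread and not BankID's or any bank's code. It is a simplified model: `Bank`, `Phone`, `LoginSession` and `run_scenarios` are hypothetical names, and an HMAC over the enrolled device key stands in for whatever signature the real app produces. The point it shows is the one made above: when the phone's approval says nothing about which login page the user is looking at, the bank approves whichever session is pending, including one the fraudster opened; when the approval covers a per-session value the phone had to scan from the login page, only the session whose page the user actually saw can be approved.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class LoginSession:
    """One login attempt on the bank's website (the channel the fraudster controls)."""
    session_id: str
    user: str
    nonce: str
    approved: bool = False

    @property
    def qr_payload(self) -> str:
        # What the login page renders as a QR code. Only someone looking at
        # this particular page can obtain it (hypothetical encoding).
        return f"{self.session_id}:{self.nonce}"


class Bank:
    """Hypothetical bank back end holding enrolled device keys and open sessions."""

    def __init__(self) -> None:
        self.device_keys: dict[str, bytes] = {}   # user -> key enrolled in their phone app
        self.sessions: dict[str, LoginSession] = {}

    def enroll_phone(self, user: str, key: bytes) -> None:
        self.device_keys[user] = key

    def start_login(self, user: str) -> LoginSession:
        s = LoginSession(secrets.token_hex(8), user, secrets.token_hex(16))
        self.sessions[s.session_id] = s
        return s

    def _pending(self, user: str) -> list[LoginSession]:
        return [s for s in self.sessions.values() if s.user == user and not s.approved]

    def _mac(self, user: str, msg: str) -> str:
        return hmac.new(self.device_keys[user], msg.encode(), hashlib.sha256).hexdigest()

    def approve_unbound(self, user: str, response: str) -> str | None:
        """Side-channel design: the phone proves only that its holder tapped OK.
        The bank cannot tell which session the holder meant, so it approves the
        pending one, whoever opened it."""
        if not hmac.compare_digest(self._mac(user, "approve"), response):
            return None
        for s in self._pending(user):
            s.approved = True
            return s.session_id
        return None

    def approve_bound(self, user: str, scanned: str, response: str) -> str | None:
        """Channel-bound design: the response covers the QR payload the phone
        scanned, so it can only approve the session whose page the user saw."""
        for s in self._pending(user):
            if s.qr_payload == scanned and hmac.compare_digest(self._mac(user, scanned), response):
                s.approved = True
                return s.session_id
        return None


class Phone:
    """The user's authentication app; it holds the enrolled key (hypothetical)."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def _sign(self, msg: str) -> str:
        return hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()

    def tap_ok(self) -> str:
        # Unbound flow: approve "the" request, with no reference to any session.
        return self._sign("approve")

    def scan(self, qr_payload: str) -> str:
        # Bound flow: approve exactly the payload read from the login page.
        return self._sign(qr_payload)


def run_scenarios() -> dict[str, bool]:
    """Replay the message's scenario against both designs (constructed data)."""
    key = secrets.token_bytes(32)
    phone = Phone(key)
    results: dict[str, bool] = {}

    # Unbound push: a login is opened as the victim by someone else; the victim,
    # told to expect a request, taps OK; the other party's session is approved.
    bank = Bank()
    bank.enroll_phone("victim", key)
    other = bank.start_login("victim")
    bank.approve_unbound("victim", phone.tap_ok())
    results["unbound_fraud_session_approved"] = other.approved

    # Bound (QR) flow: the other party's page shows a QR the victim never sees.
    # The victim scans only the QR on their own login page.
    bank2 = Bank()
    bank2.enroll_phone("victim", key)
    other2 = bank2.start_login("victim")
    own = bank2.start_login("victim")
    bank2.approve_bound("victim", own.qr_payload, phone.scan(own.qr_payload))
    results["bound_fraud_session_approved"] = other2.approved
    results["bound_victim_session_approved"] = own.approved

    # A response made without the enrolled key is rejected even for the right payload.
    forged = Phone(secrets.token_bytes(32)).scan(other2.qr_payload)
    results["bound_forged_response_accepted"] = (
        bank2.approve_bound("victim", other2.qr_payload, forged) is not None
    )
    return results
```

Note that the bound variant still depends on the QR being mandatory: a site that accepts the unbound approval path alongside it is back in the first scenario, which is the caveat the message raises about the QR code being optional for websites.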
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure