At Thu, 13 Sep 2007 12:21:48 +0100, <michael.dillon@xxxxxx> wrote:
>
> > > and IMHO, any solution that doesn't let the user type his password
> > > into some Web form is a non-starter, both for reasons of backward
> > > compatibility and because sites (quite legitimately) want to provide a
> > > visually attractive interface to users which is consistent across all
> > > platforms (for support reasons).
> >
> > This may well be true.
> >
> > However, I'm not aware of any technique which both meets this
> > constraint and is phishing resistant.
>
> Bank issues a SecurID token (or SD chip with onetime pad) and requires a
> six-digit PIN to be entered which cannot be reused. In order to get to
> the bank in the first place, user must enter a URL that is printed on
> their monthly statement. It changes every month and you may not use any
> other URL.

Sorry, my fault for remembering to mention the constraint that you also
don't have to carry a token around. Obviously, if people are prepared to
carry tokens the problem is much easier.

That said, this scheme is actually not very secure because it's
susceptible to active MITM attacks on the connection to the bank. The
schemes I mentioned are substantially more secure.

> So much for typing. How about selecting password letters from dropdown
> boxes, or from an image map with scrambled letters that was sent to the
> browser.

Sorry, what about these? They have essentially the same security
properties as cleartext passwords.

> My bank requires my surname, a customer number that is not the account
> number, a 5 digit pin code typed in, and a challenge response where the
> challenge is two random letter positions from my secret word, and the
> response is two letter selections from two dropdown boxes.

This is complicated, but actually not particularly phishing resistant--
something that is true of a lot of the mechanisms banks are currently
adopting. First, it's vulnerable to the MITM attack mentioned above.
Second, it doesn't take that many phishing attacks to extract most of
the secret word.

-Ekr
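The last point, that a "two random letter positions" challenge gives up most of the secret word after a handful of captured responses, can be put in numbers. The script below is an added illustration written for this page; it is not code from the thread or from any bank's system. It assumes a secret word with n positions, a challenge that picks k distinct positions uniformly at random, and a phishing page that records exactly the k letters the victim selects for each challenge. It computes the expected fraction of the word disclosed after t captured challenges, the exact expected number of challenges until the whole word is known (a Markov chain on the number of known positions), and a seeded simulation as a cross-check.

```python
"""Added example: how quickly a partial-secret challenge leaks the full secret.

Assumptions (constructed for this illustration, not from the thread):
  * the secret word has n positions, all independent;
  * each challenge asks for k distinct positions, chosen uniformly at random;
  * every captured response reveals exactly those k letters.
"""
from fractions import Fraction
from math import comb
import random


def expected_fraction_revealed(n, k, t):
    """Expected fraction of the n positions known after t captured challenges.

    A given position is *not* asked for by one challenge with probability
    (1 - k/n), so it is still unknown after t challenges with probability
    (1 - k/n)**t.
    """
    return 1.0 - (1.0 - k / n) ** t


def expected_challenges_to_reveal_all(n, k):
    """Exact expected number of captured challenges until all n letters are known.

    State r = number of positions already known.  One challenge contributes m
    previously unknown positions with hypergeometric probability
        C(n - r, m) * C(r, k - m) / C(n, k).
    Solve E[r] = 1 + sum_m P(m) * E[r + m] from r = n - 1 down to r = 0,
    with E[n] = 0, using exact rational arithmetic.
    """
    total = comb(n, k)
    expect = [Fraction(0)] * (n + 1)          # expect[n] = 0: nothing left
    for r in range(n - 1, -1, -1):
        probs = {m: Fraction(comb(n - r, m) * comb(r, k - m), total)
                 for m in range(k + 1)}
        stay = probs[0]                       # challenge taught us nothing new
        rest = sum(probs[m] * expect[r + m]
                   for m in range(1, k + 1) if r + m <= n)
        expect[r] = (1 + rest) / (1 - stay)   # stay < 1 because r < n
    return expect[0]


def simulate_challenges_to_reveal_all(n, k, trials=2000, seed=1):
    """Monte Carlo estimate of the same quantity, for a sanity check."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        known = set()
        count = 0
        while len(known) < n:
            known.update(rng.sample(range(n), k))   # one captured response
            count += 1
        total += count
    return total / trials


if __name__ == "__main__":
    # Constructed parameters: an 8-letter secret word, 2 positions per challenge.
    n, k = 8, 2
    print(f"secret word of {n} letters, {k} positions per challenge")
    for t in range(1, 9):
        print(f"  after {t} captured challenges: "
              f"{100 * expected_fraction_revealed(n, k, t):5.1f}% of the word known")
    exact = expected_challenges_to_reveal_all(n, k)
    print(f"  expected challenges to learn the whole word: {float(exact):.2f} "
          f"(simulation: {simulate_challenges_to_reveal_all(n, k):.2f})")
```

The point for a defender is that the challenge scheme bounds what one captured response reveals, not what a series of them reveals; the expected-fraction curve is what to look at when deciding whether a partial-secret scheme adds anything over a plain password against a phisher who can afford to ask twice.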