Re: Symptoms vs. Causes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At Thu, 13 Sep 2007 12:21:48 +0100,
<michael.dillon@xxxxxx> wrote:
> 
> > > and IMHO, any solution that doesn't let the user type his password 
> > > into some Web form is a non-starter, both for reasons of backward 
> > > compatibility and because sites (quite
> > > legitimately) want to provide a
> > > visually attractive interface to users which is consistent 
> > across all 
> > > platforms (for support reasons).
> > 
> > This may well be true. 
> > 
> > However, I'm not aware of any technique which both meets this 
> > constraint and is phishing resistant.
> 
> Bank issues a SecurID token (or SD chip with onetime pad) and requires a
> six-digit PIN to be entered which cannot be reused. In order to get to
> the bank in the first place, user must enter a URL that is printed on
> their monthly statement. It changes every month and you may not use any
> other URL.

Sorry, my fault for remembering to mention the constraint that
you also don't have to carry a token around. Obviously, if people
are prepared to carry tokens the problem is much easier. That
said, this scheme is actually not very secure because it's
susceptible to active MITM attacks on the connection to
the bank. The schemes I mentioned are substantially more
secure.


> So much for typing. How about selecting password letters from dropdown
> boxes, or from an image map with scrambled letters that was sent to the
> browser. 

Sorry, what about these? They have essentially the same security
properties as cleartext passwords.


> My bank requires my surname, a customer number that is not the account
> number, a 5 digit pin code typed in, and a challenge response where the
> challenge is two random letter positions from my secret word, and the
> response is two letter selections from two dropdown boxes.

This is complicated, but actually not particularly phishing resistant--
something that is true of a lot of the mechanisms banks are currently
adopting. First, it's vulnerable to the MITM attack mentioned above.
Second, it doesn't take that many phishing attacks to extract most
of the secret word.

-Ekr




_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]