[FoRK] Poisoned DNS and informal certificates

Justin Mason <jm at jmason.org> on Wed Feb 20 01:29:38 PST 2008

silky writes:
> On Feb 20, 2008 10:46 AM, Tom Higgins <tomhiggins at gmail.com> wrote:
> > In a more perfect world bank access would be done via one time use pads.
> 
> Accessing a bank is trivially solved with an "offline" contact model
> that you use. I once suggested that the bank would email you your "one
> time" password when you requested to log in. Then you just use that
> within a time period to get in; there is no chance of you being
> phished for information under that model, because you can't get any
> useful information out. The bank's email would not display to you,
> even, the password, it would just generate a link which you click.

Two-channel authentication.  Gets the thumbs up from Ross Anderson, which
is a big deal:

  http://www.lightbluetouchpaper.org/2007/06/13/phishing-students-and-cheating-at-the-lottery/

I seem to recall hearing about a bank which does indeed do this; it sends
a text to your registered mobile phone number, which you need to enter to
authenticate.  (ah, Bank of America, thanks sdw ;)

On the other hand -- the image thing was tested and found to have a truly
atrocious 96.66% failure rate:

  http://robert.accettura.com/archives/2007/06/05/9666-fell-for-phishing/

> Maybe you could, if prompted, copy that link into the MITM site; but
> it does sufficiently, I think, lower the minimum stupidity level
> required to be successfully phished.

Possibly.  Recent cases, including one in Sweden, indicate that modern
phishing malware is designed to perform extremely sophisticated MITM
attacks to defeat challenge/response one-time passwords:

  http://www.schneier.com/blog/archives/2007/01/huge_online_ban.html

There appears to be no defense apart from increasing user intelligence.

--j.
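The emailed one-time-link login described in the quoted message, as an added example that is not code from anyone in this thread: a Python sketch of the server side, which stores only a hash of a random token, accepts the link once within a fixed window, and rejects replays, expired links and wrong tokens. The five-minute window, the URL layout and the account names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 300  # assumed validity window for the emailed link


@dataclass
class PendingLogin:
    account: str
    token_hash: bytes   # only the hash is kept; the token itself goes to the user
    expires_at: float
    used: bool = False


class OneTimeLinkAuth:
    """Issues and verifies single-use, time-limited login links sent on a second channel."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be exercised in tests
        self.pending = {}           # login_id -> PendingLogin

    def request_login(self, account):
        """Step 1: the user asks to log in; the server mints a link to send out-of-band."""
        login_id = secrets.token_urlsafe(8)
        token = secrets.token_urlsafe(32)
        self.pending[login_id] = PendingLogin(
            account=account,
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self.clock() + self.ttl,
        )
        # The user never sees or types a password; only this link leaves the server.
        return f"https://bank.example/login/{login_id}/{token}"   # assumed URL layout

    def redeem_link(self, login_id, token):
        """Step 2: the link is clicked; accept it once, inside the window, for its account."""
        entry = self.pending.get(login_id)
        if entry is None or entry.used or self.clock() > entry.expires_at:
            return None
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, entry.token_hash):   # constant-time compare
            return None
        entry.used = True   # a replayed or forwarded copy of the same link now fails
        return entry.account


def parse_link(url):
    """Split a minted link back into (login_id, token), as the click handler would."""
    login_id, token = url.rsplit("/", 2)[1:]
    return login_id, token
```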
