[FoRK] Poisoned DNS and informal certificates
silky <michaelslists at gmail.com> on Wed Feb 20 01:49:42 PST 2008
On Feb 20, 2008 8:29 PM, Justin Mason <jm at jmason.org> wrote:
>
> silky writes:
> > On Feb 20, 2008 10:46 AM, Tom Higgins <tomhiggins at gmail.com> wrote:
> > > In a more perfect world bank access would be done via one time use pads.
> >
> > Accessing a bank is trivially solved with an "offline" contact model
> > that you use. I once suggested that the bank would email you your "one
> > time" password when you requested to log in. Then you just use that
> > within a time period to get in; there is no chance of you being
> > phished for information under that model, because you can't get any
> > useful information out. The bank's email would not even display the
> > password to you; it would just generate a link which you click.
>
> Two-channel authentication. Gets the thumbs up from Ross Anderson, which
> is a big deal:
>
> http://www.lightbluetouchpaper.org/2007/06/13/phishing-students-and-cheating-at-the-lottery/
>
> I seem to recall hearing about a bank which does indeed do this; it sends
> a text to your registered mobile phone number, which you need to enter to
> authenticate. (ah, Bank of America, thanks sdw ;)
>
> On the other hand -- the image thing was tested and found to have a truly
> atrocious 96.66% failure rate:
>
> http://robert.accettura.com/archives/2007/06/05/9666-fell-for-phishing/
>
> > Maybe you could, if prompted, copy that link into the MITM site; but
> > it does sufficiently, I think, lower the minimum stupidity level
> > required to be successfully phished.
>
> Possibly. Recent cases, including one in Sweden, indicate that modern
> phishing malware is designed to perform extremely sophisticated MITM
> attacks to defeat challenge/response one-time passwords:
>
> http://www.schneier.com/blog/archives/2007/01/huge_online_ban.html
>
> There appears to be no defense apart from increasing user intelligence.
No. Increasing user intelligence is _NEVER_ the answer. The system I
describe prevents the user from giving anything away [they don't know
it].

Now, yes, a trojan running on their computer could intercept that email
and then utilise it. Sure, but then the answer is something more
complex; not user education.

User education is never the answer to any security system, and if any
secure system relies on it, they're screwed.
> --j.
--
http://lets.coozi.com.au/
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
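The scheme silky describes above (a time-limited, single-use login link sent by email, the secret itself never shown to the user) sketched as server-side logic. This is an added example, not code from anyone on the thread; the bank.example URL, the account names and the five-minute validity window are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL_SECONDS = 300  # assumed validity window for the emailed link


@dataclass
class PendingLogin:
    token_hash: str   # only the hash is stored; a DB leak yields no usable links
    expires_at: float
    used: bool = False


class OutOfBandLoginService:
    """Issue single-use, time-limited login links delivered out of band."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # account -> PendingLogin (one live link per account)

    def request_login(self, account: str) -> str:
        """Called when the user asks to log in; returns the link the email carries."""
        token = secrets.token_urlsafe(32)                    # 256 bits of entropy
        self._pending[account] = PendingLogin(
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            expires_at=self._now() + TOKEN_TTL_SECONDS)
        return f"https://bank.example/login?acct={account}&t={token}"  # assumed host

    def redeem(self, account: str, token: str) -> bool:
        """Called when the link is clicked; True exactly once, within the window."""
        pending = self._pending.get(account)
        if pending is None or pending.used:
            return False
        if self._now() > pending.expires_at:
            del self._pending[account]                        # expired: discard
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, pending.token_hash):  # constant-time compare
            return False
        pending.used = True                                   # single use: burn it
        return True


def token_from_link(link: str) -> str:
    """Extract the token the way the login endpoint would from the clicked URL."""
    return parse_qs(urlsplit(link).query)["t"][0]
```

This only closes the case the thread is about, the user handing over a reusable credential; as the replies note, a trojan reading the mailbox or a relaying MITM is outside what it prevents.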