Re: AOL Help : About AOL® PassCode

2005-01-07 Thread Richard Clayton
In article [EMAIL PROTECTED], Joerg Schneider
[EMAIL PROTECTED] writes

> Florian Weimer wrote:
>> I think you can forward the PassCode to AOL once the victim has
>> entered it on a phishing site.  Tokens à la SecurID can only help if
>
> Indeed.
>
>> the phishing schemes *require* delayed exploitation of obtained
>> credentials, and I don't think we should make this assumption.  Online
>> MITM attacks are not prevented.
>
> So, PassCode and similar forms of authentication help against the
> current crop of phishing attacks, but that is likely to change if
> PassCode gets used more widely and/or protects something of interest to
> phishers.

as in the story of the two hunters and the bear ... the banks only need
to outrun another vulnerable target:

http://www.netfunny.com/rhf/jokes/89q3/oldbear.555.html

so making passive password/PIN collection ineffective and requiring
phishers to operate in real-time may be a sufficient win.

> Actually I have been waiting for phishing with MITM to appear for some
> time (I haven't any yet - if somebody has, I'd be interested to hear
> about),

I've been shown something similar last July ... which was, IIRC, a
PayPal phish where the web page you went to checked that the password it
was given was in fact valid.  It wasn't a full-scale MITM attack, but it
did have some real-time elements.

I haven't been bothering to look at phishing sites recently, so I don't
know if the technology to do this has become the general state of the
art, or if it was just one gang's unique coding style?

> because it has some advantages for the attacker:
>
> * he doesn't have to bother to (partially) copy the target web site
>
> * easy to implement - plug an off-the-shelf mod_perl module for reverse
> proxy into your apache and add 10 minutes for configuration. You'll find
> the passwords in the log file. Add some simple filters to attack PassCode.
>
> * more stealthy, because users see exactly what they are used to, e.g.
> for online banking they see account balance etc. To attack money
> transfers protected by PassCode, the attacker could substitute account
> and amount and manipulate the server response to show what was entered
> by the user.

this is the fundamental problem with using the passcode, the user is
signing just the single bit "I authorise" rather than the full bag of
bits {amount, payee, timestamp} ... as soon as you write out formally
what is going on the shortcoming is entirely obvious

> Assuming that MITM phishing will begin to show up and agreeing that
> PassCode over SSL is not the solution - what can be done to counter
> those attacks?
>
> Mutual authentication + establishment of a secure channel should do the
> trick. SSL with client authentication comes to my mind...

The problem with that is that people want (or at least think they want)
to use their online banking from home, from work and from a cybercafe
whilst they are on holiday or a business trip. Carting around the
credentials (and a secure way of checking them) is a non-starter

However, the banks could do a lot by starting to distinguish between
run-of-the-mill transactions : pay my gas bill and more sensitive ones
such as set up a new payee (or indeed change my gas company to
Nigerian OilGas). Insisting that the sensitive ones were only done
from the secured (and credential rich) home site would help.  They could
also check the IP address of the connection and form a view as to its
likely validity!

To rule out a MITM one might employ a secure side-channel (SMS text
message to one's mobile phone perhaps -- certainly a very plausible
approach in SMS-aware Europe) ... some banks are already using this; but
only as a cheap replacement for a SecureID :( ... so it's ineffective.

Now if Bill's browser could display the last six digits of the SSL key
then those could be compared with the SMS message and the customer would
know that they were safe ... the banks might even go for this
solution because it dumps the decision to go ahead (and hence the risk
as well) onto the customer :)

-- 
richard  Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
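
The shortcoming Richard points out above (a code that signs only the single bit "I authorise" instead of the bag of bits {amount, payee, timestamp}) can be made concrete. The following Python sketch is an added example, not code from the thread or from AOL: it compares a time-only six-digit code with a code bound to the transaction details, and simulates the proxy that forwards the user's code while rewriting payee and amount. The secret, time, payee strings and amounts are all constructed for illustration, and the HMAC-based code derivation is an assumption, not PassCode's actual algorithm.

```python
import hmac
import hashlib
import struct

# Constructed token secret and a fixed time (seconds since the epoch) so the
# example is deterministic; a real token would hold a per-device secret.
SECRET = b"constructed-demo-seed-not-a-real-token"
T = 1_104_900_000  # early January 2005, roughly when the thread was written
STEP = 60          # the code changes once a minute in this sketch

def six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code a user can read off a display."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

def time_only_code(secret: bytes, t: int) -> str:
    """PassCode-style code: depends on the time window only, so it says
    nothing about *what* is being authorised (the single 'I authorise' bit)."""
    return six_digits(hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha256).digest())

def bound_code(secret: bytes, t: int, payee: str, amount_cents: int) -> str:
    """Code bound to {amount, payee, timestamp}: the user (or their token)
    computes it over the transfer details they actually see on screen."""
    msg = struct.pack(">Q", t // STEP) + payee.encode() + b"\x00" + struct.pack(">Q", amount_cents)
    return six_digits(hmac.new(secret, msg, hashlib.sha256).digest())

def bank_accepts_time_only(secret, t, code, payee, amount_cents) -> bool:
    """Bank side: only the code is checked; payee and amount are taken as received."""
    return hmac.compare_digest(code, time_only_code(secret, t))

def bank_accepts_bound(secret, t, code, payee, amount_cents) -> bool:
    """Bank side: recomputes the code over the payee and amount it actually received."""
    return hmac.compare_digest(code, bound_code(secret, t, payee, amount_cents))

def proxy_substitution() -> dict:
    """Simulation of the substitution described in the thread: the user
    authorises one transfer, a proxy in the middle forwards the code but
    rewrites payee and amount. Returns which scheme accepts the altered transfer."""
    seen_payee, seen_amount = "GAS-BILL-ACCOUNT", 4_500    # what the user intended
    sent_payee, sent_amount = "ATTACKER-ACCOUNT", 950_000  # what the bank receives
    code = time_only_code(SECRET, T)
    accepted_time_only = bank_accepts_time_only(SECRET, T, code, sent_payee, sent_amount)
    code = bound_code(SECRET, T, seen_payee, seen_amount)
    accepted_bound = bank_accepts_bound(SECRET, T, code, sent_payee, sent_amount)
    honest_bound = bank_accepts_bound(SECRET, T, code, seen_payee, seen_amount)
    return {"time_only_accepts_altered": accepted_time_only,
            "bound_accepts_altered": accepted_bound,
            "bound_accepts_honest": honest_bound}
```

The time-only scheme accepts the altered transfer because the code carries no information about payee or amount; the bound scheme rejects it while still accepting the transfer the user actually saw.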


Re: AOL Help : About AOL® PassCode

2005-01-06 Thread Ian G
Joerg Schneider wrote:
> So, PassCode and similar forms of authentication help against the
> current crop of phishing attacks, but that is likely to change if
> PassCode gets used more widely and/or protects something of interest
> to phishers.
>
> Actually I have been waiting for phishing with MITM to appear for some
> time (I haven't any yet ...

By this you mean a dynamic, immediate MITM where
the attacker proxies through to the website in real
time?
Just as a point of terms clarification, I would say that
if the attacker collects all the information by using
a copy of the site, and then logs in later at leisure
to the real site, that's an MITM.
(If he were to use that information elsewhere, so for
example creating a new credit arrangement at another
bank, then that technically wouldn't be an MITM.)
Perhaps we need a name for this:  real time MITM
versus delayed time MITM?  Batch time MITM?

> Assuming that MITM phishing will begin to show up and agreeing that
> PassCode over SSL is not the solution - what can be done to counter
> those attacks?

The user+client has to authenticate the server.  Everything
that I've seen over the last two years seems to fall into
that one bucket.
> Mutual authentication + establishment of a secure channel should do
> the trick. SSL with client authentication comes to my mind...

Maybe.  But that only addresses the MITM, not the
theft of user information.
--
News and views on what matters in finance+crypto:
   http://financialcryptography.com/


Re: AOL Help : About AOL® PassCode

2005-01-06 Thread Joerg Schneider
Florian Weimer wrote:
> I think you can forward the PassCode to AOL once the victim has
> entered it on a phishing site.  Tokens à la SecurID can only help if

Indeed.

> the phishing schemes *require* delayed exploitation of obtained
> credentials, and I don't think we should make this assumption.  Online
> MITM attacks are not prevented.

So, PassCode and similar forms of authentication help against the 
current crop of phishing attacks, but that is likely to change if 
PassCode gets used more widely and/or protects something of interest to 
phishers.

Actually I have been waiting for phishing with MITM to appear for some 
time (I haven't any yet - if somebody has, I'd be interested to hear 
about), because it has some advantages for the attacker:

* he doesn't have to bother to (partially) copy the target web site
* easy to implement - plug an off-the-shelf mod_perl module for reverse 
proxy into your apache and add 10 minutes for configuration. You'll find 
the passwords in the log file. Add some simple filters to attack PassCode.

* more stealthy, because users see exactly what they are used to, e.g. 
for online banking they see account balance etc. To attack money 
transfers protected by PassCode, the attacker could substitute account 
and amount and manipulate the server response to show what was entered 
by the user.

Assuming that MITM phishing will begin to show up and agreeing that 
PassCode over SSL is not the solution - what can be done to counter 
those attacks?

Mutual authentication + establishment of a secure channel should do the 
trick. SSL with client authentication comes to my mind...




Re: AOL Help : About AOL® PassCode

2005-01-05 Thread Florian Weimer
* Ian G.:

> R.A. Hettinga wrote:
>
>> http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623
>> Have questions? Search AOL Help articles and tutorials:
>> .
>> If you no longer want to use AOL PassCode, you must release your screen
>> name from your AOL PassCode so that you will no longer need to enter a
>> six-digit code when you sign on to any AOL service.
>>
>> To release your screen name from your AOL PassCode
>>   1.  Sign on to the AOL service with the screen name you want to
>>  release from your AOL PassCode.
>
> OK.  So all I have to do is craft a good reason to
> get people to reset their PassCode, craft it into
> a phishing mail and send it out?

I think you can forward the PassCode to AOL once the victim has
entered it on a phishing site.  Tokens à la SecurID can only help if
the phishing schemes *require* delayed exploitation of obtained
credentials, and I don't think we should make this assumption.  Online
MITM attacks are not prevented.

(Traditional IPsec XAUTH is problematic for the very same reason, even
with a SecurID token lookalike.)



AOL Help : About AOL® PassCode

2005-01-04 Thread R.A. Hettinga
http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623
 About AOL® PassCode

After purchasing and receiving your AOL® PassCode, go to AOL Keyword:
PassCode and this screen appears, allowing you to secure your screen name
to your AOL PassCode. On this screen you can also release your screen name
from AOL PassCode, change service plans and order additional AOL PassCodes.

Account Status

This area lists your current AOL PassCode service plan, including the
secured and unsecured screen names within the plan. If the maximum number
of screen names in your service plan are secured to your AOL PassCode, the
Manage Service Plan button will appear.

View PassCode Account Activity

Displays a screen listing a summary of your AOL PassCode account activity,
such as the date you purchased your subscription, ordered AOL PassCode
devices and details such as the price plan ordered and the quantity of AOL
PassCodes ordered.

Secure Screen Name

To help protect your screen name with AOL PassCode, you need to secure your
screen name to your specific AOL PassCode device. Each AOL PassCode has a
unique serial number engraved on its back. By associating your screen name
with a specific AOL PassCode serial number, the AOL service will know which
six-digit number needs to be entered at each sign-on, helping to protect
your screen name from unauthorized access.

To secure a screen name to your AOL PassCode
1.  Sign on to the AOL® service with the screen name you want to
secure to your AOL PassCode.
2.  Go to AOL Keyword: PassCode.
3.  Click Secure Screen Name.
4.  Type the eight-digit serial number engraved on the back of your
AOL PassCode.
5.  Type the six-digit number displayed on the front of your AOL
PassCode.
6.  Click Save. A confirmation screen appears. This change takes
effect immediately and will be enforced the next time you sign on to the
AOL service. Whenever you sign on to the AOL service using the screen name
that you secured to AOL PassCode, you will be required to enter the
six-digit number on the front of your AOL PassCode.

Release Screen Name

When the screen name you signed on to the AOL service with has already been
secured to your AOL PassCode, the Secure Screen Name button changes to
Release Screen Name.

If you no longer want to use AOL PassCode, you must release your screen
name from your AOL PassCode so that you will no longer need to enter a
six-digit code when you sign on to any AOL service.

To release your screen name from your AOL PassCode
1.  Sign on to the AOL service with the screen name you want to
release from your AOL PassCode.
2.  Go to AOL Keyword: PassCode.
3.  Click Release Screen Name. The Secure Screen Name button changes
to Release Screen Name when that particular screen name is secured to AOL
PassCode.
4.  Enter the answer to your account security question. For more
information, see What is an Account Security Question.
5.  Type the eight-digit serial number engraved on the back of your
AOL PassCode.
6.  Type the six-digit number displayed on the front of your AOL
PassCode.
7.  Click Save. This change takes effect immediately, and removes the
AOL PassCode protection for subsequent sign-ons.

Manage Service Plan

Displays a screen with AOL PassCode service plan options, allowing you to
change your current service plan.

Order more PassCodes

Displays a screen allowing you to order additional AOL PassCodes.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: AOL Help : About AOL® PassCode

2005-01-04 Thread Ian G
R.A. Hettinga wrote:
> http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623
> Have questions? Search AOL Help articles and tutorials:
> .
> If you no longer want to use AOL PassCode, you must release your screen
> name from your AOL PassCode so that you will no longer need to enter a
> six-digit code when you sign on to any AOL service.
> To release your screen name from your AOL PassCode
> 1.  Sign on to the AOL service with the screen name you want to
> release from your AOL PassCode.

OK.  So all I have to do is craft a good reason to
get people to reset their PassCode, craft it into
a phishing mail and send it out?
--
News and views on what matters in finance+crypto:
   http://financialcryptography.com/