On 02/28/2012 07:34 AM, The Fungi wrote:
"Your login was successful, but due to recent security concerns we
also require a one-time verification of your personal information.
Please now enter the following...
Yes, but all of this falls in the category of "user authenticates the
website".
So sure, maybe not socially engineered out of his online banking
credentials,
Well that counts as progress, right? :-)
Another thing it does is allow the website security architecture to
eliminate a Trustwave-style MitM on connections to their actual servers.
Recall that I said 2/26/2012:
The only point here is that banking and other web sites aren't using
every tool in the box of supported and available cryptographic
protocols.
It's a pretty weak claim.
On 02/28/2012 07:34 AM, The Fungi wrote:
just possibly everything else the attacker might want in lieu of
access to the banking portal itself. Mutual authentication could
thwart this if implemented well in a way which was very visible to
the user, but also might not if implemented poorly (and it's not like
banks are leading the way in well-thought-out authentication
technologies, after all).
Think about an anti-phishing technology like Passmark/Sitekey. Once the
user gives their username, the site shows the user's "personal image"
(e.g. a rubber duck, a boat, a car, whatever). The idea is that a simple
phishing site won't know the user's personal image and the user is given
an opportunity to notice that something is amiss. If the user is alert
this will deter simple phishing. (This is a big 'if' of course, and
there are some discouraging user studies on it, but let's assume for now
it works.)
But the phishing site can relay the username to the actual bank and then
show the image to the user. Heck, the phishing site could be mostly just
a proxy to the legit site. So, at best, this system in its current form
converts an offline attack to an online attack.
However, the online phishing attack may be more difficult for other
reasons. The legitimate site now gets to see a source IP and other
parameters of the attacker's connection. This metadata can feed logging,
alerting, and other fraud detection systems.
By forcing the phishing attack to involve the legitimate site, it does
one other thing: it puts the site in a position to require strong mutual
authentication. TLS client certs could thus reliably defeat the active
variant of phishing a Passmark/Sitekey-like system.
Also working against this is that it's more expensive for banks to
step up authentication past the level which government regulators
consider to no longer be grossly negligent. Beyond there it's likely
cheaper in the long run for banks to refund disputed transactions and
replace compromised accounts (or wait for victims to get frustrated
and give up/leave in disgust).
I think that was certainly true just a few years ago. But today I see a
sincere and growing interest by financial institutions in improving real
security for their online users.
- Marsh
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
