
| Subject: | RE: Article - A solution to phishing |
|---|---|
| Date: | Fri, 26 Nov 2004 10:34:55 +1100 |
Michael,

I think this attack might even make life easier for phishers. By now, most people have learned to distrust emails claiming to be from their bank and containing a link to what is supposedly the bank's web site. Your method is resistant against phishing, but it could have the side-effect that people will begin trusting links in emails. It is very easy to forge the "from" address in an email and put in a dodgy link. It would still be possible for phishers to simulate the entire login process, including sending you an email (since they will typically have this information), allowing them to steal identity information after you follow their login link.

Also, you may have closed one door, but you have opened another - and it's a big one. Email is a very insecure delivery method. There are many points on the way where mails can be intercepted. All I need is one of these mails sending a password to someone and I'm in. To make this secure you would need to encrypt the emails. But if you have the capability to send encrypted emails then you may as well use a less convoluted method such as client authenticated SSL.

The concept of sending an OTP over a second channel is a good one though. One scheme that has been used is to send an SMS to a nominated telephone. This provided very good security but was unworkable due to SMS delivery sometimes being slow or unreliable. A scheme that is becoming popular now is the use of tokens such as RSA SecurID tokens, which provide a pseudo-random number which changes every 30 seconds or so and is synchronised with a server which knows how to generate the same number given the time of day and token id.

One thing I have not seen much of in discussions of phishing is the man-in-the-middle attack. I believe that these will become more common and they are still relatively easy to execute. All I need to do is relay messages between the client and server until sufficient authorisation has been established and then take over.
Even OTP methods such as RSA SecurID tokens provide no protection against this type of attack.

Robin

-----Original Message-----
From: Michael Silk [mailto:michaels@phg.com.au]
Sent: Tuesday, 23 November 2004 2:41 PM
To: webappsec@securityfocus.com
Subject: Article - A solution to phishing

Hi,

Just a quick little article about a login system that, should (i think :)), prevent phishing attempts on your site.

http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html

Have a look at it and let me know what you think ... and apologies to anyone if an idea like this is already out there :)

-- Michael

**********************************************************************
This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments. This email is for your convenience only, you should not rely on any information contained herein for contractual or legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by authorised persons.
**********************************************************************
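Robin's description of a time-synchronised token (a code that changes every 30 seconds, which the server can recompute from the time of day and the token id) is the shape of an HMAC-based time OTP. The following is an added illustration written for this archive page, not code from the thread, from RSA, or from Michael's article. It assumes the server stores one secret per token id (a constructed 20-byte secret is embedded for the demo), uses a 30-second step, tolerates one step of clock drift in either direction, and records each accepted (token, step) pair so the same code cannot be accepted twice. The replay bookkeeping is the part that makes the "one-time" property hold on the server side; note that the verifier only establishes that whoever submitted the code possesses the token, which is exactly why Robin's point about a relaying man-in-the-middle stands regardless of how the code is generated.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the "changes every 30 seconds or so" in the message
DIGITS = 6


def code_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive a short numeric code from a secret and a time-step counter.

    This is the HOTP/TOTP construction (RFC 4226 / RFC 6238): HMAC-SHA1 over the
    big-endian counter, dynamic truncation to 31 bits, reduced modulo 10^digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def token_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the token displays at a given moment: the code for the current step."""
    return code_for_counter(secret, unix_time // step)


class OtpVerifier:
    """Server side: recompute the code from time and token id, enforce one-time use."""

    def __init__(self, secrets: dict, window: int = 1, step: int = STEP_SECONDS):
        self.secrets = secrets          # token id -> shared secret (assumed server store)
        self.window = window            # accepted clock drift, in steps, each direction
        self.step = step
        self.used = set()               # (token id, counter) pairs already redeemed

    def verify(self, token_id: str, code: str, unix_time: int) -> bool:
        secret = self.secrets.get(token_id)
        if secret is None:
            return False
        base = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            expected = code_for_counter(secret, counter)
            # constant-time comparison avoids leaking which digit first mismatched
            if hmac.compare_digest(expected, code):
                if (token_id, counter) in self.used:
                    return False        # same code presented twice: treat as replay
                self.used.add((token_id, counter))
                return True
        return False


# Constructed demo secret and token id, not real provisioning data.
DEMO_SECRET = b"\x01\x23\x45\x67\x89\xab\xcd\xef" * 2 + b"\xde\xad\xbe\xef"
DEMO_TOKEN_ID = "token-0001"


def build_demo_verifier() -> OtpVerifier:
    return OtpVerifier({DEMO_TOKEN_ID: DEMO_SECRET})


if __name__ == "__main__":
    now = 1_000_000_000                     # fixed clock so the run is reproducible
    v = build_demo_verifier()
    shown = token_code(DEMO_SECRET, now)
    print("token shows", shown)
    print("first use  ->", v.verify(DEMO_TOKEN_ID, shown, now))
    print("replay     ->", v.verify(DEMO_TOKEN_ID, shown, now))
    print("two steps late ->", v.verify(DEMO_TOKEN_ID, shown, now + 2 * STEP_SECONDS))
```

The window of plus or minus one step is what keeps a token usable when its clock has drifted slightly from the server's; widening it buys tolerance at the cost of accepting older codes for longer, so the replay set matters more as the window grows.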
| Previous by Date: | Re: Article - A solution to phishing, Michael Silk |
|---|---|
| Next by Date: | RE: Article - A solution to phishing, Christopher Canova |
| Previous by Thread: | Re: Article - A solution to phishing, Michael Silk |
| Next by Thread: | RE: Article - A solution to phishing, Michael Silk |