John Levine <> writes:
>> Clever though this scheme [kittens] is, man-in-the
>> middle attacks make it no better than a plain SSL
>> login screen.

Peter Gutmann wrote:
> You don't even need a MITM, just replace the site
> image on your phishing site with either a broken-
> image picture or a message that your award-winning
> site-image software is being upgraded and will be back
> soon and it's rendered totally ineffective.

Assume we have this great process, perhaps
password-authenticated key agreement, perhaps kitten
based, that guarantees we are phish proof it the user
actually uses it.

How do we make the workflow and user interface so that
if the user is asked to bypass our great process, he
hears alarm bells?

When it comes to workflows, the WoW interface seems to
work quite well

WoW accounts control WoW gold, typically $50 to $100
worth, so WoW accounts are a popular phish target:

        An investigation of your World of Warcraft
        account has found strong evidence that the
        account in question is being sold or traded. As
        you may not be aware of, this conflicts with
        Blizzard's EULA under section 4 Paragraph B
        which can be found here:
                WoW -> Legal -> End User License

        and Section 8 of the Terms of Use found here:
                WoW -> Legal -> Terms of Use
        The investigation will be continued by Blizzard
        administration to determine the action to be
        taken against your account. If your account is
        found violating the EULA and Terms of Use, your
        account can, and will be suspended/closed/or

        In order to keep this from occurring, you should
        immediately verify that you are the original
        owner of the account.

        To verify your identity please visit the
        following webpage:
        Only Account Administration will be able to
        assist with account retrieval issues. Thank you
        for your time and attention to this matter, and
        your continued interest in World of Warcraft.

This phish used a flaw in the official WoW website to
redirect an https login with WoW to an https login with
the scammer site.

The interesting thing is that it and similar phishes do
not seem to have been all that successful - few people
seemed to notice at all, the general reaction being to
simply hit the spam key reflexively, much as people
click away popup warnings reflexively, and are
unaware that there ever was a popup.

Most accounts are lost through keyloggers - rather
phishing, the attacker has to take over the end user's
computer completely.

Why the attack resistance?  I conjecture that:

1.  User normally enters his password in an environment
     that looks nothing like a web page, so being asked
     to do so in a web page automatically makes him
     suspicious - it is a deviation from normal workflow

2.  Blizzard never communicates by email, so receiving
     email from blizzard automatically makes the user

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to