Re: AOL Help : About AOL® PassCode

2005-01-06 Thread Ian G
Joerg Schneider wrote:
So, PassCode and similar forms of authentication help against the 
current crop of phishing attacks, but that is likely to change if 
PassCode gets used more widely and/or protects something of interest 
to phishers.

Actually I have been waiting for phishing with MITM to appear for some 
time (I haven't any yet ...

By this you mean a dynamic, immediate MITM where
the attacker proxies through to the website in real
time?
Just as a point of terms clarification, I would say that
if the attacker collects all the information by using
a copy of the site, and then logs in later at leisure
to the real site, that's an MITM.
(If he were to use that information elsewhere, so for
example creating a new credit arrangement at another
bank, then that technically wouldn't be an MITM.)
Perhaps we need a name for this:  real time MITM
versus delayed time MITM?  Batch time MITM?

Assuming that MITM phishing will begin to show up and agreeing that 
PassCode over SSL is not the solution - what can be done to counter 
those attacks?

The user+client has to authenticate the server.  Everything
that I've seen over the last two years seems to fall into
that one bucket.
Mutual authentication + establishment of a secure channel should do 
the trick. SSL with client authentication comes to my mind...

Maybe.  But that only addresses the MITM, not the
theft of user information.
--
News and views on what matters in finance+crypto:
   http://financialcryptography.com/


Re: AOL Help : About AOL® PassCode

2005-01-06 Thread Joerg Schneider
Florian Weimer wrote:
I think you can forward the PassCode to AOL once the victim has
entered it on a phishing site.  Tokens à la SecurID can only help if
Indeed.
the phishing schemes *require* delayed exploitation of obtained
credentials, and I don't think we should make this assumption.  Online
MITM attacks are not prevented.
So, PassCode and similar forms of authentication help against the 
current crop of phishing attacks, but that is likely to change if 
PassCode gets used more widely and/or protects something of interest to 
phishers.

Actually I have been waiting for phishing with MITM to appear for some 
time (I haven't any yet - if somebody has, I'd be interested to hear 
about), because it has some advantages for the attacker:

* he doesn't have to bother to (partially) copy the target web site
* easy to implement - plug an off-the-shelf mod_perl module for reverse 
proxy into your apache and add 10 minutes for configuration. You'll find 
the passwords in the log file. Add some simple filters to attack PassCode.

* more stealthy, because users see exactly what they are used to, e.g. 
for online banking they see the account balance etc. To attack money 
transfers protected by PassCode, the attacker could substitute account 
and amount and manipulate the server response to show what was entered 
by the user.

Assuming that MITM phishing will begin to show up and agreeing that 
PassCode over SSL is not the solution - what can be done to counter 
those attacks?

Mutual authentication + establishment of a secure channel should do the 
trick. SSL with client authentication comes to my mind...




Re: AOL Help : About AOL® PassCode

2005-01-05 Thread Florian Weimer
* Ian G.:

 R.A. Hettinga wrote:

http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623
Have questions? Search AOL Help articles and tutorials:
.
If you no longer want to use AOL PassCode, you must release your screen
name from your AOL PassCode so that you will no longer need to enter a
six-digit code when you sign on to any AOL service.

To release your screen name from your AOL PassCode
  1.  Sign on to the AOL service with the screen name you want to 
 release from your AOL PassCode.


 OK.  So all I have to do is craft a good reason to
 get people to reset their PassCode, craft it into
 a phishing mail and send it out?

I think you can forward the PassCode to AOL once the victim has
entered it on a phishing site.  Tokens à la SecurID can only help if
the phishing schemes *require* delayed exploitation of obtained
credentials, and I don't think we should make this assumption.  Online
MITM attacks are not prevented.

(Traditional IPsec XAUTH is problematic for the very same reason, even
with a SecurID token lookalike.)




Re: AOL Help : About AOL® PassCode

2005-01-05 Thread Adam Shostack
On Tue, Jan 04, 2005 at 08:44:11PM +, Ian G wrote:
| R.A. Hettinga wrote:
| 
| 
http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623
| Have questions? Search AOL Help articles and tutorials:
| .
| If you no longer want to use AOL PassCode, you must release your screen
| name from your AOL PassCode so that you will no longer need to enter a
| six-digit code when you sign on to any AOL service.
| 
| To release your screen name from your AOL PassCode
|  1.  Sign on to the AOL service with the screen name you want to 
|  release from your AOL PassCode.
| 
| 
| OK.  So all I have to do is craft a good reason to
| get people to reset their PassCode, craft it into
| a phishing mail and send it out?

Nope!  All you have to do is exploit your attack and steal money in
realtime.  A securid has no way to authenticate its server, and what's
really needed to stop phishing is server auth.

Adam
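Added example, not part of the thread and not AOL's or any token vendor's protocol: a small Python model of the point Joerg, Florian and Adam make above. A one-time code that depends only on the shared secret and a counter verifies just as well when it is forwarded in real time, because nothing in it says which server the user thought they were talking to. If the client instead answers a server challenge with a MAC that also covers the origin it actually connected to (the identity learned from server authentication), the same forwarded answer fails at the real server. The hostnames, the `otp`/`bound_response` functions and the `Server` class are constructed for this illustration.

```python
"""Why a forwarded one-time code still logs in, and why binding the
response to the authenticated server identity stops it.
Constructed model; not any real service's protocol."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "login.real-service.example"    # placeholder real hostname
LOOKALIKE_ORIGIN = "login.rea1-service.example"  # constructed look-alike


def otp(user_secret: bytes, counter: int) -> str:
    """Counter-based one-time code in the style the thread discusses.
    Depends on the secret and counter only, never on who is asking."""
    mac = hmac.new(user_secret, counter.to_bytes(8, "big"),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bound_response(user_secret: bytes, nonce: bytes, origin_seen: str) -> str:
    """Client side of an origin-bound scheme: MAC over the server's nonce
    AND the origin the client is actually connected to."""
    return hmac.new(user_secret, nonce + origin_seen.encode(),
                    hashlib.sha256).hexdigest()


class Server:
    """The genuine server. Holds the user's secret and a code counter."""

    def __init__(self, origin: str, user_secret: bytes) -> None:
        self.origin = origin
        self.user_secret = user_secret
        self.counter = 0
        self.nonce = b""

    # Legacy scheme: plain one-time code.
    def verify_otp(self, code: str) -> bool:
        ok = hmac.compare_digest(code, otp(self.user_secret, self.counter))
        if ok:
            self.counter += 1  # a code is accepted at most once
        return ok

    # Origin-bound scheme: challenge, then check the bound answer.
    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify_bound(self, response: str) -> bool:
        expected = bound_response(self.user_secret, self.nonce, self.origin)
        return hmac.compare_digest(response, expected)


def forwarded_otp_login(server: Server, user_secret: bytes) -> bool:
    """User types the current code into the look-alike site; it is
    forwarded unchanged to the real server within the code's lifetime."""
    typed = otp(user_secret, server.counter)  # user's token, in sync
    forwarded = typed                         # nothing to alter
    return server.verify_otp(forwarded)       # accepted


def forwarded_bound_login(server: Server, user_secret: bytes) -> bool:
    """Same forwarding, but the client binds its answer to the origin it
    is really talking to, which is the look-alike, not the real server."""
    nonce = server.challenge()                # real challenge, forwarded
    typed = bound_response(user_secret, nonce, LOOKALIKE_ORIGIN)
    return server.verify_bound(typed)         # rejected at the real origin


def honest_bound_login(server: Server, user_secret: bytes) -> bool:
    """Control case: the client is connected to the real server."""
    nonce = server.challenge()
    return server.verify_bound(bound_response(user_secret, nonce, REAL_ORIGIN))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    srv = Server(REAL_ORIGIN, secret)
    print("forwarded plain OTP accepted :", forwarded_otp_login(srv, secret))
    print("honest origin-bound accepted  :", honest_bound_login(srv, secret))
    print("forwarded origin-bound accepted:", forwarded_bound_login(srv, secret))
```

The binding only means something if the client learns the origin from an authenticated channel (a validated server certificate, in Ian's and Adam's terms "the client authenticates the server"); with the origin taken from a bare hostname string the check adds nothing, which is the gap the thread is pointing at.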



Re: AOL Help : About AOL® PassCode

2005-01-04 Thread Ian G
R.A. Hettinga wrote:
http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623
Have questions? Search AOL Help articles and tutorials:
.
If you no longer want to use AOL PassCode, you must release your screen
name from your AOL PassCode so that you will no longer need to enter a
six-digit code when you sign on to any AOL service.
To release your screen name from your AOL PassCode
1.  Sign on to the AOL service with the screen name you want to 
release from your AOL PassCode.
OK.  So all I have to do is craft a good reason to
get people to reset their PassCode, craft it into
a phishing mail and send it out?
--
News and views on what matters in finance+crypto:
   http://financialcryptography.com/