Sunday, October 15, 2006

Closing the Gates on Phishing

Hopefully by now you know what phishing is and the sad results of those who have been duped by these scammers into providing personally identifiable information. (If not, see my writeup in "New Anti-Phishing Tool by TippingPoint".) The scariest and most serious phishing is when banking sites are the subject of the phish. According to "Banks give 'phishers' the hook" at, this problem may soon be alleviated in the United States -- or will it?
"Internet banking is about to get a bit more complicated - for legitimate customers as well as for crooks running "phishing" scams.

Federal regulators are requiring banks and thrifts to put systems in place that go beyond the standard security procedure in which customers type in a single password.

Banks, thrifts and credit unions have until the end of the year to implement security systems that include at least two different means of user authentication, a password plus some additional way to prove identity."
Two-factor authentication is a common practice in the corporate environment. It is full-filled by providing a response when logging in to the environment with "something you know" plus "something you have". The something you know is the logon password. The something you have is generally a number generated by a token. One example in the public sector of two-factor authentication is the ATM card. The card itself is what the user has and the pin number is something known.

The problem with online banking is that the information generated from the "something you have", such as a token issued by the bank, can also be obtained via a Man-in-the-Middle Attack or a Trojan Attack, as explained by Bruce Schneier in "The Failure of Two-Factor Authentication":

  • "Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
  • Trojan attack. Attacker gets Trojan installed on user's computer. When user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants."

As reported in The Register in "Phishers rip into two-factor authentication", a man-in-the middle attack against Citibank has already been used:

"A bogus security warning ostensibly from Citibank, and targeting customers of its Citibusiness service, urged prospective marks to visit a website and enter not only their account details and password (as with conventional phishing scams) but also the code generated by the customer's token. "


See How Not to Get Hooked by a ‘ Phishing’ Scam by the Federal Trade Commission.
Submit Phishing Scams to Castle Cops PIRT
Schneier On Security Trackback

No comments: