RE: [WEB SECURITY] Phishing attacks circumventing two-factor auth
- From: "dpw" <dainw@xxxxxxx>
- Subject: RE: [WEB SECURITY] Phishing attacks circumventing two-factor auth
- Date: Mon, 10 Jul 2006 14:49:57 -0700
For any mission critical applications, lately I have been using a
server-side generated "magic hash" key that I generate when the form is
loaded, and which gets posted along with my forms.
When the application requests posted information from the form I compare the
key I get with another generated key and authenticate that the form that
posted back to the application is part of the application, and approved to
post. For real sensitive apps, I introduce a time-specific factor into the
form's key, so that it must be posted within 5 minutes of loading or the key
is no longer valid.
This is just stupid simple to do, and I can't imagine these folks not having
something way more advanced in place for their application...
Dain White
Senior Developer / Webmaster
First Step Internet - www.fsr.com
208-882-8869 ext. 440
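One way to implement the time-limited, server-generated form key Dain describes above, as an added example that is not his code: the server derives the key from the form name, the user's session and an issue timestamp with an HMAC under a server-side secret, so on postback it can regenerate the expected key and compare, and any key older than five minutes (or tampered with) is rejected. The secret here is generated in-process for the example; a real deployment would load it from configuration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for the example: in production load this from secure config,
# never regenerate it per process or the keys of live forms stop validating.
SECRET = secrets.token_bytes(32)
TTL_SECONDS = 300  # the five-minute window described in the post


def _expected_key(form_id: str, session_id: str, ts: int, secret: bytes) -> str:
    """Regenerate the key deterministically from what the server already knows."""
    msg = f"{form_id}|{session_id}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_form_key(form_id: str, session_id: str,
                   now: Optional[float] = None, secret: bytes = SECRET) -> str:
    """Called when the form is rendered; the result goes into a hidden field."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_expected_key(form_id, session_id, ts, secret)}"


def verify_form_key(token: str, form_id: str, session_id: str,
                    now: Optional[float] = None, secret: bytes = SECRET,
                    ttl: int = TTL_SECONDS) -> bool:
    """Called when the form is posted back; True only for a fresh, untampered key."""
    try:
        ts_str, sig = token.split(".", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False  # malformed or missing key
    current = int(time.time() if now is None else now)
    if ts > current + 60:
        return False  # issued "in the future": clock skew or forgery
    if current - ts > ttl:
        return False  # expired: posted more than ttl seconds after loading
    expected = _expected_key(form_id, session_id, ts, secret)
    # Constant-time compare so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    key = issue_form_key("transfer", "sess-42", now=1000)
    print("fresh:", verify_form_key(key, "transfer", "sess-42", now=1100))
    print("stale:", verify_form_key(key, "transfer", "sess-42", now=1400))
    print("other session:", verify_form_key(key, "transfer", "sess-99", now=1100))
```

Binding the key to the session id means a key captured from one user's page cannot be replayed from another session, and the timestamp check gives the five-minute expiry without any server-side storage.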
-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@xxxxxxxxxxxxxxx]
Sent: Monday, July 10, 2006 2:13 PM
To: Web Security
Subject: [WEB SECURITY] Phishing attacks circumventing two-factor auth
Brian Krebs (washingtonpost.com) has a good write up about a recent
phishing attack specifically designed to circumvent two-factor
authentication. The technique used a fake web page acting as a man-in-
the-middle between the user and the real website. A simple hack
proving a good point. How can a user defend themselves with any kind
of solution if they can't tell whether or not a website is real?
Citibank Phish Spoofs 2-Factor Authentication
http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
"Security experts have long touted the need for financial Web sites
to move beyond mere passwords and implement so-called "two-factor
authentication" -- the second factor being something the user has in
their physical possession like an access card -- as the answer to
protecting customers from phishing attacks that use phony e-mails and
bogus Web sites to trick users into forking over their personal and
financial data."
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
----------------------------------------------------------------------------
Brought to you by http://www.webappsec.org