Re: [WEB SECURITY] Phishing attacks circumventing two-factor auth
- From: Nick Owen <nowen@xxxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Phishing attacks circumventing two-factor auth
- Date: Tue, 11 Jul 2006 08:37:53 -0400
Josh L. Perrymon wrote:
> We do this type of directed phishing attack all the time for our
> global clients. Instead of having an automated MITM we have scripts
> that alert us when a user visits the site and we log in to the real
> site once we receive the first token code. Then wait as the user
> submits the second code and you're in..
>
> The only protection mechanism that helped out was digital client
> certs. But we still got into citrix and performed a local priv
FWIW, our token client can be set to validate the SSL certificate of the
target website based on a hash of the cert delivered with the OTP and to
launch the default browser to the correct SSL-encrypted URL or throw an
'ssh-esque' warning to the user. This host/mutual authentication is
available in the open source version. Some may see it as easier than
dealing with full digital client certs.
> escalation essentially controlling the internal domain. So 2 factor
> authentication isn't enough. Or in my mind. 2Factor auth doesn't
> protect a user much more than static passwords.
I think that 2FA is not a panacea, but a tool that when used properly
solves problems. Hardware tokens aren't going to stop MITM attacks and
software tokens aren't going to stop session hijackers (if running on
the same device).
> It's all about user awareness and Incident Response.
Aye. Defense in depth tuned by risk assessment.
nick
>
> J. Perrymon
> CEO PacketFocus
> www.packetfocus.com
>
>
>
> On 7/11/06, Brian Eaton <eaton.lists@xxxxxxxxx> wrote:
>> On 7/10/06, dpw <dainw@xxxxxxx> wrote:
>> > however... the article does state that the MiTM form *posted* into the
>> > citibank application to authenticate the second factor.
>> >
>> > This is the part that I was responding to - regardless of the
>> > phishing lure the user saw - the form shouldn't have been able to
>> > post back into the citibank authentication system successfully. It
>> > should have been DOA trying something like that.
>>
>> Now you've got me wondering. The article says,
>>
>> "That's because this site acts as the "man in the middle" -- it
>> submits data provided by the user to the actual Citibusiness login
>> site."
>>
>> That could mean either that the web page was submitting directly to
>> citibank, or that the web page submitted to the spoofed site which
>> then forwarded the submission. One of the "features" of this phishing
>> site was that it could distinguish between legitimate business codes
>> and faked ones, which makes me think this was MITM.
>>
>> Regards,
>> Brian
>>
>
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
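An added illustration of the two points made in this thread, not WiKID's code or anything from the list: a phishing page that relays the user's OTP in real time still passes a plain OTP check, whereas a token client that receives the site's certificate hash alongside the OTP can refuse to launch the browser when the host presents a different certificate. The HMAC-based OTP, the function names and the byte strings standing in for DER certificates are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates; not real certificates.
REAL_CERT_DER = b"constructed-der: CN=citibusiness.example"
SPOOF_CERT_DER = b"constructed-der: CN=citibusiness-login.example"


def cert_fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER certificate (the pin delivered with the OTP)."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class OtpResponse:
    otp: str          # the one-time passcode
    url: str          # the URL the client should open
    cert_sha256: str  # fingerprint of the certificate expected at that URL


def issue_otp(secret: bytes, counter: int, url: str, server_der: bytes) -> OtpResponse:
    """Token-server side (assumed design): HMAC-based OTP plus URL and certificate pin."""
    otp = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:8]
    return OtpResponse(otp, url, cert_fingerprint(server_der))


def token_client_verdict(resp: OtpResponse, presented_der: bytes) -> str:
    """Client side: launch the browser only if the host at resp.url presents the
    pinned certificate; otherwise raise an ssh-style mismatch warning."""
    if hmac.compare_digest(cert_fingerprint(presented_der), resp.cert_sha256):
        return "launch"
    return "warn"


def plain_otp_check(expected_otp: str, submitted_otp: str) -> bool:
    """What a site that checks only the OTP sees: a relayed code is still valid."""
    return hmac.compare_digest(expected_otp, submitted_otp)


def simulate_relay(secret: bytes = b"constructed-user-secret") -> dict:
    """A phishing page relays the victim's OTP to the real site in real time.
    The OTP alone cannot tell the relay from the user; the certificate pin can."""
    resp = issue_otp(secret, 1, "https://citibusiness.example/login", REAL_CERT_DER)
    relayed = resp.otp  # the relay forwards exactly what the victim typed
    return {
        "otp_accepted_by_site": plain_otp_check(resp.otp, relayed),
        "client_at_real_site": token_client_verdict(resp, REAL_CERT_DER),
        "client_at_spoof_site": token_client_verdict(resp, SPOOF_CERT_DER),
    }
```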
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org