RE: [WEB SECURITY] Phishing attacks circumventing two-factor auth

[<Glenn.Everhart@xxxxxxxxx>]

With tokens there are better things that could be done too, but evidently
Citi has a very simple protocol.
Glenn Everhart

(everhart@xxxxxxx home)

-----Original Message-----
From: dpw [mailto:dainw@xxxxxxx]
Sent: Monday, July 10, 2006 5:50 PM
To: 'Web Security'
Subject: RE: [WEB SECURITY] Phishing attacks circumventing two-factor
auth


For any mission critical applications, lately I have been using a
server-side generated "magic hash" key that I generate when the form is
loaded, and which gets posted along with my forms. 

When the application requests posted information from the form I compare the
key I get with another generated key and authenticate that the form that
posted back to the application is part of the application, and approved to
post. For real sensitive apps, I introduce a time-specific factor into the
form's key, so that it must be posted within 5 minutes of loading or the key
is no longer valid. 

This is just stupid simple to do, and I can't imagine these folks not having
something way more advanced in place for their application...

Dain White
 
Senior Developer / Webmaster
First Step Internet - www.fsr.com
208-882-8869 ext. 440
 


-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@xxxxxxxxxxxxxxx] 
Sent: Monday, July 10, 2006 2:13 PM
To: Web Security
Subject: [WEB SECURITY] Phishing attacks circumventing two-factor auth


Brian Krebs (washingtonpost.com) has a good write up about a recent  
phishing attack specifically designed circumvent two-factor  
authentication. The technique used a fake web page acting as a man-in- 
the-middle between the user and the real website. A simple hack  
proving a good point. How can a user defend themselves with any kind  
of solution if they can't tell whether or not a website is real?

Citibank Phish Spoofs 2-Factor Authentication
http://blog.washingtonpost.com/securityfix/2006/07/ 
citibank_phish_spoofs_2factor_1.html

"Security experts have long touted the need for financial Web sites  
to move beyond mere passwords and implement so-called "two-factor  
authentication" -- the second factor being something the user has in  
their physical possession like an access card -- as the answer to  
protecting customers from phishing attacks that use phony e-mails and  
bogus Web sites to trick users into forking over their personal and  
financial data."



----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



**********************************************************************
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you
**********************************************************************


----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]