
Re: [WEB SECURITY] MachineID fingerprinting



On 8/8/07, GadgetTrak <info@xxxxxxxxxxxxxxx> wrote:
> I believe that the BofA is using an image based authentication product; ala,
> pick the picture that you've established as your "special" 2nd factor
> identifier.

The "second factor" for BofA isn't the image.  The image exists to
help end-users identify the site they are on.

Other factors considered by PassMark include a flash cookie, and
secret questions.  I suspect the backend servers in PassMark also pay
attention to things like IP and user-agent as input to risk
evaluation, but I don't know the details.

The flash cookie is interesting.  Clearing your browser's cookies
doesn't clear the flash cookie, so it tends to persist longer than a
normal cookie does.  Also, I'm pretty sure their own .swf files don't
send the flash cookie back to the server in the clear.  Instead, they
use a challenge-response protocol to verify the user-agent has the
flash cookie.  Last time I looked at their .swf files, though, they
were setting the flash cookie without the ActionScript equivalent of
the "Secure" flag.  It seems like an active attacker spoofing
http://www.bankofamerica.com could steal the cookie.  (Disclaimer: I
don't know much ActionScript, I might have misunderstood what their
.swf was doing.  Not having the Secure flag set on that cookie seems
like such an obvious issue I'd be surprised if they missed it.)

Cheers,
Brian
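The challenge-response pattern Brian describes (the client proves it holds the locally stored token without sending it in the clear) is sketched below as an added example; it is not code from the post or from PassMark. The Server/Client classes, the HMAC-SHA256 construction and the single-use nonce handling are assumptions for illustration, and the token here is an ordinary byte string rather than a Flash shared object.

```python
import hmac
import hashlib
import secrets

# Constructed example: the server keeps a copy of each enrolled device secret;
# the client keeps its own copy locally and only ever sends HMAC(secret, nonce).


class Server:
    def __init__(self):
        self.enrolled = {}   # user -> device secret (server's copy)
        self.pending = {}    # user -> outstanding nonce, consumed on first use

    def enroll(self, user):
        """Issue a fresh device secret for the client to store locally."""
        secret = secrets.token_bytes(32)
        self.enrolled[user] = secret
        return secret

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        expected_nonce = self.pending.pop(user, None)  # consumed even on failure
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        expected = hmac.new(self.enrolled[user], nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, secret):
        self.secret = secret  # stored locally; never transmitted

    def respond(self, nonce):
        return hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()


def run_protocol(server, client, user):
    nonce = server.challenge(user)
    return server.verify(user, nonce, client.respond(nonce)), nonce


def demo():
    """Return (honest_ok, replay_ok, other_device_ok)."""
    server = Server()
    client = Client(server.enroll("alice"))
    honest_ok, nonce = run_protocol(server, client, "alice")
    # Replaying the captured response fails: that nonce has been consumed.
    replay_ok = server.verify("alice", nonce, client.respond(nonce))
    # A device holding a different secret fails a fresh challenge.
    other_ok, _ = run_protocol(server, Client(secrets.token_bytes(32)), "alice")
    return honest_ok, replay_ok, other_ok
```

This protects the secret on the wire and against replay; it does nothing if the stored token itself is readable by a spoofed plaintext origin, which is the Secure-flag point raised above.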
