What is the future of authentication? Looking at all the available technologies in the consumer authentication market, it is possible to see two general trends, which seem to be going in somewhat different directions:
1) The first approach is to keep the old passwords but build a layered protection mechanism around them. The key driver is the fear that users will not accept any change in the way they authenticate.
2) Another approach is to admit that passwords are the weakest link (really, passwords plus users). This perspective calls for a paradigm shift in the way we use passwords in general. Rather than applying more and more patches to an inherently insecure authentication approach, why not look for an effective and simple way to adopt a new generation of passwords – Passwords 2.0? I guess the best illustration of this approach is to think of car keys. We used car keys because we already had house keys, and that is what we knew to be secure. Now the newest cars have a “Start” button, while the “key” is reduced to a token device which, in close proximity to the car, acts as owner identification and allows the car to start. In a similar fashion, what worked for the mainframe in closed networks is obviously not working for the 21st-century WWW and requires a paradigm shift – a new kind of “keys”.
Comments anyone?
But what are the key elements in the “next generation”, or Passwords 2.0, world of authentication? Dr. Norman Fraser (CEO of Tricerion) just published a white paper which addresses the issues of “guessability” and “shareability” of regular passwords, protecting against these vulnerabilities without compromising usability. (I think I just set my personal record for the number of “-bilities” in one sentence.)
Last year I got to see a prototype of the new OTP tokens that fit into a regular plastic credit card. I still wonder how they managed to put a battery in there (and how long it will last). This is a very neat product. In terms of usability, this token has a higher chance of being popular with online bank users, since we all carry at least one credit card at all times. It is easy to use and carry. The key is to make sure the battery lasts until the card expires.
“VeriSign was expected to announce a deal with Innovative Card Technologies Inc. to outfit banks and e-commerce sites with cards that work with VeriSign’s password system.
With the card, consumers logging on to an online bank account, for instance, would type in their regular username and password, along with a six-digit code that appears on the card’s display window. That code constantly changes, meaning the customer needs to have possession of the card to access the account.”
Barclays bank seems to think that if chip-and-pin is good enough for retail business, it’s good enough for online business. They are sending Pinsentry machines to 500,000 customers – machines that look like calculators, read chip-and-pin cards and generate one-time passwords (OTPs). (Full article here)
So, here is the current multi-layered approach at Barclays:
• Debit Card (2nd factor)
• PIN number (1st factor)
• Pinsentry device (second 2nd factor)
• 8-digit one time password generated by the machine
Is this really a good design? The logistical support for this kind of system must be insane. How much does it cost to manage this operation? How long will the batteries last in those readers? Can I have one for my home and one for my office?
Besides, haven’t those guys heard of the Citibank phishing attack on their 2nd factor? Just look at this article in the Washington Post blog.
Last year Bruce Schneier commented on Shell suspending Chip & Pin payments at its gas stations after losing £1m when fraudsters inserted small devices into the readers which copied the cards’ magnetic strips and recorded customers’ PINs. There is also another article on hacking Chip & Pin here.
So, Chip & Pin is not safe, and hardware OTP systems are also vulnerable and costly. Why keep implementing these? Marketing perhaps? I am sure lots of people will feel better having a bigger authentication device in their hands . . . size matters. Isn’t that the same argument the MIT/Harvard study made about the BofA implementation – “Sometimes the appearance of security is more important than security itself.”
Attackers could exploit a new flaw in Internet Explorer 7 (IE 7) to launch phishing expeditions, Israeli vulnerability researcher Aviv Raff warned in a posting on his blog Wednesday. Microsoft said it is investigating his findings. (full article).
“In his blog, Raff said an attacker can create a specially crafted navcancl.htm local resource link with a script that will display [the] fake content of a trusted site, such as a bank, Paypal or MySpace URL. When the victim opens the link sent by the attacker, a “Navigation Canceled” page will be displayed and the victim will think there was a site error and try to refresh the page.
“Once he will click on the ‘Refresh the page’ link, the attacker’s provided content will be displayed and the victim will think that he’s within the trusted site, because the address bar shows the trusted site’s URL,” Raff added in his blog.”
