
iPhone – Phishing Vulnerabilities

I am not going to rush to the store to get the iPhone. My Nokia E62 is not even close to having the same coolness factor, but at least it does email pretty well . . . except, of course, if a message has a link: the Nokia browser will not kick in if I click on the embedded link. I used to get annoyed, but consider the same functionality on the iPhone.

John Leyden, writing for TheRegister.com, describes two shortcomings of the iPhone that make its users more vulnerable to phishing attacks:

• The iPhone’s email client only displays the first few characters of a weblink, which makes it easier to hide a fraudulent URL at the end of a link without arousing suspicion.
• The mechanism the iPhone uses to link between web browser and telephone functions also makes it easier to embed scam telephone numbers within sites, which a user may be prompted to dial.
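As an added illustration (not from the post or from The Register's article), the snippet below shows why a preview limited to the first few characters of a link is not a safe indicator of where the link leads: it compares what such a preview shows with the host the full URL actually resolves to. The sample URLs, the `.example`/`.invalid` names, the `bank.example` brand and the 24-character preview width are all constructed.

```python
"""Added example (not from the original post): why a link preview that shows
only the first few characters is not a safe indicator of where a link leads.
Sample URLs, the .example/.invalid names and the preview width are constructed."""
from urllib.parse import urlsplit

DISPLAY_CHARS = 24  # assumed width of a small-screen link preview (constructed)


def visible_prefix(url: str, width: int = DISPLAY_CHARS) -> str:
    """What the user sees when only the first `width` characters are shown."""
    return url if len(url) <= width else url[:width] + "..."


def actual_host(url: str) -> str:
    """Host the browser will really connect to, taken from the parsed URL."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def registrable_domain(host: str) -> str:
    """Owner-controlled part of a host name: its last two labels.
    Simplification: a real check would consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_is_deceptive(url: str, expected_domain: str, width: int = DISPLAY_CHARS) -> bool:
    """True when the truncated preview shows the expected brand domain but
    the full URL actually belongs to a different registrable domain."""
    preview = visible_prefix(url, width).lower()
    return expected_domain in preview and registrable_domain(actual_host(url)) != expected_domain


# Constructed samples: a short genuine link, a long genuine link, and links whose
# host keeps going after the part the preview shows (the case the article describes).
SAMPLES = [
    "https://www.bank.example/login",
    "https://www.bank.example/account/verify/session/0a1b2c3d4e5f6789/confirm",
    "https://www.bank.example.security-check.invalid/login",
    "https://www.bank.example-login.invalid/signin",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{visible_prefix(url):<28} -> host {actual_host(url):<42} "
              f"deceptive={link_is_deceptive(url, 'bank.example')}")
```

All four previews read identically up to the ellipsis; only the parsed host tells the genuine links from the padded ones.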

Other researchers found a number of additional vulnerabilities which could uncover passwords hiding in Apple software.

SiteKey Login

“In early June, the RSA Anti Fraud Command Center (AFCC) discovered a new type of phishing kit. The kit is actually a single file which creates an entire phishing site on a compromised server when “double-clicked” on, similar to “.exe” installation files. The kit was discovered through phishing forensics work by the AFCC forensics lab.

The “kit” is a single PHP code file, which is run on the compromised server once, and automatically creates the relevant directories and installs all of the files which are associated with the specific phishing site. Within seconds after running the file, a complete phishing site is “live”. During testing of the kit in the RSA phishing lab, a phishing site was installed within approximately two seconds.”

For further information: RSA June 2007 Report.

What is the future of authentication? Looking at all the available technologies in the consumer authentication market, it is possible to see two general trends, which seem to be going in somewhat different directions:

1) The first approach is to keep the old passwords, but build a layered protection mechanism around them. The key driver is the fear that users will not accept any change in the way they authenticate.

2) Another approach is to admit that passwords are the weakest link (really, passwords plus users). This perspective calls for a paradigm shift in the way we use passwords in general. Rather than applying more and more patches to an inherently insecure authentication approach, why not look for an effective and simple way to adopt a new generation of passwords, Passwords 2.0? I guess the best illustration of this approach is to think of car keys. We had car keys because we have house keys, and that is what we know to be secure. Now the newest cars have a “Start” button, while the “key” is reduced to a token device which, in close proximity to the car, acts as owner identification and allows the car to start. In a similar fashion, what worked for the mainframe in closed networks is obviously not working for the 21st century WWW, and that requires a paradigm shift: a new kind of “keys”.

Comments anyone?

But what are the key elements in the “next generation”, or Passwords 2.0, world of authentication? Dr. Norman Fraser (CEO of Tricerion) just published a white paper which addresses the issues of “guessability” and “shareability” of regular passwords, protecting against these vulnerabilities without compromising usability. (I think I just set my personal record for the number of “-bilities” in one sentence.)

Link to the PDF – “Passwords 2.0”