Sunday, December 26, 2004

Man in the middle phishing attacks

I posted before about phishing being the next big security problem, after viruses, worms and spyware. Protecting against viruses and worms has become a billion dollar a year industry, and now anti-spyware companies are being snapped up by Microsoft and other acquirers. I mentioned before that there is no easy solution to the phishing problem. This NYTimes article describes some anti-phishing measures being tested by banks, such as RSA's SecurID key fob. SecurID uses a cryptographic one-time password (OTP), which is synchronized between the chip on the fob and the algorithm running on the authentication server.

But, this method has an obvious vulnerability. The fake bank site that the phisher redirects the user to could easily proxy the real site:

User ------ phish proxy ------ real bank site

in which case, the OTP is simply passed through when the user types it in. Once the authentication is complete the phisher drops the connection to the user and continues with the banking session. The only drawback is that the phisher has to execute this attack in real time - he sits by his machine, which beeps when a new account is compromised. He has only one login session to do his dirty work, since he can only get the OTP by proxying.


Anonymous said...

Better yet, the phisher proxies the user's entire session, only taking over the session at logout or just before the server would time out the session, so the user is never aware of a problem.

However, banks have one other trick up their sleeve -- any high-risk transaction will require the user re-authenticate. A user who is just checking their balance might wonder why they suddenly get an extra authentication request popup in the middle of their session.

Proxying sessions is technically much more difficult, and riskier. Since any legit banking site is going to use SSL, the phisher will need to either entirely co-opt the user's browser to fake out the SSL session, or use a real certificate.

This, along with the need to complete all their nefarious activities in realtime, makes the whole attack much less likely to be successfully executed.

Anonymous said...

Then, is the point simply to avoid on line financial transactions? This is not assuring.


Anonymous said...

Do you have advice, for those of us who worry even though cautious?


Blog Archive