The Future of Phishing
by Dr. Jonathan Tuliani - UK Technical Manager for Cryptomathic Ltd. - Monday, 5 April 2004.
To combat this threat, it is necessary to move away from session-based security (based on a secure log-in) to message-based security (based on explicit authentication of individual transactions). Indeed, the APACS/MasterCard scheme permits the authentication of individual transactions. However, the man-in-the-middle is still able to substitute false transactions for authorisation, unbeknownst to the user, since the authorisation process is typically based on a 'challenge' derived from the transaction rather than on the explicit transaction details themselves. Whilst offering a very useful interim defence against current attacks, in the longer term an alternative approach will be required.

Several vendors already offer the option of one-time-password distribution via SMS as a cost-effective alternative to password-generating tokens. Whilst SMS is neither authenticated nor encrypted, it is in practice infeasible for an attacker to compromise both the SSL/TLS channel and the SMS channel to a particular user simultaneously. This independent channel also offers a way around the man-in-the-middle.

In this scenario, the user would log on using his username and password, exactly as he does today. For each transaction entered, a summary would be returned to the user together with a one-time-password, in the form of an SMS. For example, 'Pay 50 to British Gas a/c 12345? Confirm: ADJPEQ'. Any tampering with the transaction details would be evident at this point. Assuming all is correct, the user enters the one-time-password into his PC to confirm the transaction.
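The following is an added worked example of the confirmation flow just described; it is not code from the article or from Cryptomathic. It assumes a bank-side server that binds each one-time code to a single transaction with an HMAC over a random nonce and the canonical transaction details, a simulated SMS gateway (a Python callable that collects messages in a list), and a user-side check that compares the SMS summary against what the user intended before releasing the code. The code alphabet and message format are assumptions chosen for readability.

```python
"""Transaction-bound SMS confirmation (added example, not the article's or Cryptomathic's code)."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Letters used in the confirmation code; this alphabet is an assumption,
# chosen to avoid characters that are easy to misread on a phone screen.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"
CODE_LENGTH = 6


@dataclass(frozen=True)
class Transaction:
    payee: str
    account: str
    amount_pence: int  # integer pence avoids float rounding in the canonical form

    def canonical(self) -> bytes:
        return f"{self.payee}|{self.account}|{self.amount_pence}".encode()

    def summary(self) -> str:
        pounds, pence = divmod(self.amount_pence, 100)
        return f"Pay {pounds}.{pence:02d} to {self.payee} a/c {self.account}?"


class ConfirmationServer:
    """Bank-side logic: issues a one-time code bound to exactly one transaction."""

    def __init__(self, send_sms, key: Optional[bytes] = None):
        self._send_sms = send_sms  # callable(phone, text); stand-in for a real SMS gateway
        self._key = key or secrets.token_bytes(32)
        self._pending = {}  # session_id -> (nonce, transaction awaiting confirmation)

    def _code(self, nonce: bytes, tx: Transaction) -> str:
        # The code is an HMAC over nonce + transaction, so it cannot be reused for
        # a different transaction even if the attacker learns the code itself.
        mac = hmac.new(self._key, nonce + tx.canonical(), hashlib.sha256).digest()
        return "".join(CODE_ALPHABET[b % len(CODE_ALPHABET)] for b in mac[:CODE_LENGTH])

    def request_confirmation(self, session_id: str, phone: str, tx: Transaction) -> None:
        nonce = secrets.token_bytes(16)  # fresh per request: identical transactions get different codes
        self._pending[session_id] = (nonce, tx)
        self._send_sms(phone, f"{tx.summary()} Confirm: {self._code(nonce, tx)}")

    def confirm(self, session_id: str, code_entered: str) -> Optional[Transaction]:
        entry = self._pending.pop(session_id, None)  # one attempt per code, no replay
        if entry is None:
            return None
        nonce, tx = entry
        expected = self._code(nonce, tx)
        if hmac.compare_digest(expected, code_entered.strip().upper()):
            return tx  # caller executes exactly the transaction the SMS described
        return None


SMS_PATTERN = re.compile(r"^Pay (\d+)\.(\d{2}) to (.+) a/c (\S+)\? Confirm: ([A-Z]+)$")


def user_checks_sms(sms_text: str, intended: Transaction) -> Optional[str]:
    """User-side step: release the code only if the SMS summary matches the intended payment."""
    m = SMS_PATTERN.match(sms_text)
    if not m:
        return None
    pounds, pence, payee, account, code = m.groups()
    shown = Transaction(payee, account, int(pounds) * 100 + int(pence))
    return code if shown == intended else None


def demo() -> dict:
    outbox = []  # constructed stand-in for the SMS channel
    bank = ConfirmationServer(lambda phone, text: outbox.append((phone, text)))
    intended = Transaction("British Gas", "12345", 5000)

    # Honest path: summary matches, the user types the code, the bank executes the payment.
    bank.request_confirmation("sess-1", "+44700000000", intended)
    code = user_checks_sms(outbox[-1][1], intended)
    honest = bank.confirm("sess-1", code) == intended

    # Replay: the same code cannot confirm a second time.
    replay_rejected = bank.confirm("sess-1", code) is None

    # Man-in-the-middle: the bank received a substituted transaction. The SMS describes
    # what the bank will actually execute, so the user's check refuses to release a code.
    substituted = Transaction("Mule Ltd", "99999", 5000)
    bank.request_confirmation("sess-2", "+44700000000", substituted)
    mitm_detected = user_checks_sms(outbox[-1][1], intended) is None

    # A code altered by one character (e.g. a typo) is rejected and the attempt is consumed.
    real = user_checks_sms(outbox[-1][1], substituted)
    wrong = ("A" if real[0] != "A" else "B") + real[1:]
    wrong_rejected = bank.confirm("sess-2", wrong) is None

    return {"honest": honest, "replay_rejected": replay_rejected,
            "mitm_detected": mitm_detected, "wrong_rejected": wrong_rejected}


if __name__ == "__main__":
    print(demo())
```

The design point is that the bank composes the SMS from the transaction it is about to execute, not from what the browser claims, so any substitution in the PC-to-bank path is visible on the phone before the code is released. Registering the phone number securely, as the article notes, is what the whole scheme rests on.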

As well as thwarting man-in-the-middle attacks, this approach defends against another significant emerging threat, namely malicious 'Trojans' on the user's PC. Apart from being used in direct attacks, a user may claim infection in an attempt to repudiate a legitimate transaction. The mobile phone is a separate user interface, independent of the (possibly infected) PC, thereby effectively closing this vulnerability.

Adoption of SMS-based security measures must be carefully managed, particularly the procedures used for registering and maintaining records of users' mobile phone numbers. The benefits, however, are great: there is no other cost-effective system offering defence against phishing, man-in-the-middle and Trojan attacks whilst maintaining a simple and intuitive user experience.


Chrome extension thwarts user profiling based on typing behavior

Infosec consultant Paul Moore came up with a working solution to thwart a type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM.
