
Phishers Defeat Citibank's 2-Factor Authentication

timothy posted more than 7 years ago | from the time-is-of-the-essence dept.


An anonymous reader writes "Crypto experts and U.S. Government regulations (FFIEC) have been pushing the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" — the second factor being something the user has in their physical possession like a token — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data. According to a Washington Post Blog, 'SecurityFix,' phishers have now started phishing for the two-factor token ID from the user as well. The most interesting part is that these tokens only give you one minute to log in to the bank until that key will expire. The phishers employ a man-in-the-middle attack against the victim and Citibank to log in via php and conduct money transfers immediately when logged in." (An update to the blog entry notes that the phishing site mentioned has since been shut down.)


not new (0)

Anonymous Coward | more than 7 years ago | (#15696532)

it's a phishing site that submits your username/password to the real site to validate it. I know for a fact that was being done as early as 2003.

(Posting anonymously because *I* did that in 2003).

... and bad reporting to boot (1)

Potor (658520) | more than 7 years ago | (#15696726)

fta:
I forgot to mention that while this phishing site was active late last week and during the weekend, it has since been shut down.
Unbelievable!

Re:... and bad reporting to boot (0)

Anonymous Coward | more than 7 years ago | (#15696817)

So it's been shut down. What's relevant is that it's possible, and where there's one there'll be more.

Re:not new (0)

Anonymous Coward | more than 7 years ago | (#15696798)

Hehe,
you just incriminated yourself.
There is no such thing as anonymous on Slashdot. Look in your message box and you will find all your anonymous posts.

- posting anonymously because I want to

first (-1, Troll)

Anonymous Coward | more than 7 years ago | (#15696537)

first

Good. (5, Interesting)

bytesex (112972) | more than 7 years ago | (#15696543)

My bank has had this for ages. How about protecting you from the man-in-the-middle attack by a little extra procedure, though? Immediately after you've done the transactions through the web and you log out, the bank sends you an encrypted email with all your transactions in it. Those emails can be made parseable by your own financial package as well. And it should give you some time to cancel all the transactions that are bogus. There can be no forgery involved, since the bank _always_ sends those mails. Just an idea, I know there's no cure for utter stupidity.

Re:Good. (1)

InsaneLampshade (890845) | more than 7 years ago | (#15696567)

Wouldn't the phishers then just change the email address once they've logged on?

Re:Good. (1)

bytesex (112972) | more than 7 years ago | (#15696678)

What makes you think that you can change any personal data online ? This is an online transaction enabling system - no bank would allow you to change your address, physical or otherwise without seeing authentication presented in vivo, right ?

Re:Good. (1)

everett (154868) | more than 7 years ago | (#15696939)

My bank allows me to change my email address online, but not my street address, perhaps the solution then is mailing the user a letter saying "Here's the confirmation of the transactions you completed online last week"

Re:Good. (2)

bytesex (112972) | more than 7 years ago | (#15697019)

Obviously your bank allows you to change your email address online, because they only think of email as a vehicle for their marketing efforts. If it were to be drawn in with the whole security setup, which is what we were talking about here, then I'm sure you'd not be able to change it online. Obviously.

Re:Good. (1)

Captain Zep (908554) | more than 7 years ago | (#15696864)

But surely if you tried to change email address, the bank would send an email to your existing one with a magic link to confirm that 1. you have access to the original account, and 2. you actually want to make this change.

Z.

No Good (1)

giafly (926567) | more than 7 years ago | (#15696578)

Immediately after you've done the transactions through the web and you log out, the bank sends you an encrypted email with all your transactions in it.
I regularly receive "encrypted emails", all apparently malware. Unfortunately your idea will lead to more people clicking on "encrypted emails" and getting infected, rather than immediately binning them, thus replacing one problem with another.

Re:No Good (4, Informative)

maxwell demon (590494) | more than 7 years ago | (#15696622)

I don't think he meant "encrypted" to be "cryptic looking". Instead I think he was thinking of actual encryption, where the email appears to you in plaintext if your email program supports encryption (and you have the proper key, of course). Especially if you have to get a physical token anyway, it should be no problem to store a personal key on it as well.

Re:No Good (2, Interesting)

Tony Hoyle (11698) | more than 7 years ago | (#15696967)

Users know nothing about encryption... it's too easy to spoof.

e.g. There's a virus going around that reads "This is an encrypted email from AOL.. click on the attachment to read it".

Telling users that encryption is somehow better is just going to leave them open to that kind of attack.

Re:Good. (3, Interesting)

porlw (169848) | more than 7 years ago | (#15696618)

My bank sends me an SMS with a one-time password every time I do a transaction online. You have to type in the password on the web page to confirm the transaction.

Re:Good. (0)

Anonymous Coward | more than 7 years ago | (#15696921)

Sort of sucks if you don't use a mobile phone, though.

Re:Good. (1)

supersnail (106701) | more than 7 years ago | (#15696964)

So you just pass the password through to the "Man In The Middle"!

The MiM is by far the hardest security problem; there are no easy answers.

It would make more sense for your bank to do it the other way around: display a password on the screen which you send them via SMS. This provides two checks: the password and your mobile number.

Tough if you lose your mobile though; you lose access to your account as well!

Re:Good. (2, Insightful)

porlw (169848) | more than 7 years ago | (#15697063)

Not quite.

1. The SMS only happens if you actually try to do a transaction.
2. The SMS also supplies destination account and amount.

So MIM would only work iff they intercepted an attempt by me to make a payment, and I didn't check the details in the SMS. If I get a transfer SMS out of the blue then I know something's up.

If I lose my mobile then I do what our stone-age ancestors did, and actually go to the physical bank building and fill out a transfer request.

If I make regular payments to a particular account I can also preset the details and avoid the SMS procedure. Requires some paperwork at the bank, though, so they can verify my identity then.

Re:Good. (4, Interesting)

stunt_penguin (906223) | more than 7 years ago | (#15696691)

You're right about there being no cure for stupidity; however a transaction receipt after every transaction might lead to people being phished using 'ZOMG SOMEONE JUST WITHDREW $1000 FROM YOUR ACCOUNT, CLICK HERE TO ENTER LOGIN AND CANCEL!!1one1!eleventy' tactics.

There is, it seems, no winning.

Re:Good. (2, Insightful)

stunt_penguin (906223) | more than 7 years ago | (#15696719)

^ Sorry, your method of sending all (or all recent) transaction info as a mark of authenticity in the email would probably help to eliminate that type of attack, since the phishers would have no way of providing this info.

Having said that, with current methods, maybe a 'someone just transferred $1000 [such an arbitrary number, don't you think?], please log in within the next 24 hours to cancel this transaction' might be an effective phishing technique, rather than the old 'we lost your details, oops!' tactic; has anyone seen the like of this yet?

Re:Good. (1)

zlogic (892404) | more than 7 years ago | (#15696755)

How about this: buy some stuff, then (after receiving it or knowing it can't be returned) cancel the payments. Should work great on paid downloads & online stores, as well as services (e.g. taxi, car wash etc.).

The dutch "postbank" bank does this (1)

SmallFurryCreature (593017) | more than 7 years ago | (#15696858)

Login is the usual user/password combo, nothing special, but if you want to transfer money the final step is that they send a code to your mobile phone via an SMS message. The code then has to be entered for the transaction to be processed.

You can change your mobile phone easily enough, just change it in the settings, but that also requires an SMS message with a code. So as long as you have your phone you are safe.

If you lose your phone you will have to disable your account and you will be sent a new set of login details by mail.

It seems fairly secure; it would be hard to imagine how to phish it. The only thing that could possibly be done is that they try to get you to change your mobile phone number to one they control.

But this attack isn't that sophisticated. It still requires people not to check the bloody URL. First rule of online banking: ALWAYS hand-type the URL. Second rule of online banking: see the first rule.

For the Postbank that is mijn.postbank.nl, not that hard to type, and unless someone hacked the main site it's likely to be secure (provided your browser/OS/ISP hasn't been hacked).

Fuck this, I am going to keep my fortune in an old sock.

Re:Good. (1)

Lumpy (12016) | more than 7 years ago | (#15696909)

Giving you, a customer, high security for your accounts is not in the interest of the bank. They do not make money off that, therefore it will not even be addressed. Most banks still use a really cheesy login system (some, like 5th 3rd, used to send your password in the open when you went to the account settings page. It displayed your password openly on the screen.)

Re:Good. (1)

AlecLyons (767385) | more than 7 years ago | (#15696979)

I think if you really want to make forgeries difficult you have to drop some of the convenience of online banking. At the moment, once I'm logged in I can make most any transaction I like. How about if, before I'm allowed to transfer money to anyone I never have before, I'm required to add them as an authorised payee? If the process for doing this involved me receiving an SMS message where I'm required to actively make an effort and reply directly to the bank to authorise the new payee from my own phone, it would be a significant blow to the phishers, I'd have thought.

Rabobank security (3, Interesting)

mwvdlee (775178) | more than 7 years ago | (#15696546)

My bank (Rabobank, Netherlands) uses a key-generating hardware device, based on account, PIN number, optional numbers generated by the site (which are to be entered into the keygen) and an internal clock. When sending any transfer, the site requires a new key to be generated. If the amount to be transferred is sufficiently large, one of the numbers used to generate the key is the exact amount, thus requiring the user to validate the amount as well.

Phishers may be able to coordinate up to the point of this validation, but if one suddenly had to enter an additional verification number of, e.g. "2000.00" (minus the decimal point), it'd be very hard to use phishing for large amounts of money.

Then again, I also have other accounts at two other banks, both of which require only a one-time, 5/6-digit, non-changing, numeric password.

Re:Rabobank security (1, Redundant)

jawtheshark (198669) | more than 7 years ago | (#15696595)

both of which require only a one-time, 5/6-digit, non-changing, numeric password.

I'm surprised. I live in Luxembourg and all banks I know of don't do simple password systems. For the ING, it's the same system as you describe: electronic device that spits out numbers.

The other banks that I know of have the following system: username, password (usually, easy passwords are not allowed) and finally they give you a 16-digit code (actually, often alphanumeric) separated into 4 blocks of 4 chars. At login 2, 3 or 4 chars of this code are asked for (usually only one in each block). They do not ask for different digits at each trial. After three failed logins, your account is blocked. You know this. So, even if a phisher were to perform a man-in-the-middle attack, he would in the worst case obtain 4 digits of the 16-digit code. The probability that the phisher gets exactly those 4 digits to login is 0.25^4. Not exactly high.

Sure, there is still a risk and it's still not foolproof. Especially, if the phisher decides to ask all codes, but most clients would become wary of that, I hope.

Of course, the system with an electronic device seems the best to me. No ebanking system should use a simple username/password authentication.

Re:Rabobank security (0)

Anonymous Coward | more than 7 years ago | (#15696690)

I'm surprised. I live in Luxembourg and all banks I know of don't do simple password systems.

Yes, but Luxembourg has strict bank secrecy laws. Most of us don't live in a country like that.

Re:Rabobank security (2, Interesting)

strider44 (650833) | more than 7 years ago | (#15696643)

I'd think the numbers would be pretty much hack-proof if one of the factors that you needed to put in the token or hardware device was the target bank account. This would obviously make banking slightly less convenient as you'd have to enter a new number in every time you transfer, but it would save a lot of trouble and be impervious to the type of attack mentioned in TFA.

Re:Rabobank security (1)

takev (214836) | more than 7 years ago | (#15696802)

For ABN AMRO, also in the Netherlands, they have a generic calculator-like device into which you can slide your bank card (bankpas, which has a chip). You have to log on to your card using your 4-digit code, then the card is unlocked to handle the challenge/response of the website.

With large transactions they ask you to sign the destination bank account number, by doing the same challenge/response, but the challenge is part of the destination bank account number.

Re:Rabobank security (1)

sirf (799191) | more than 7 years ago | (#15696644)

My swedish bank uses a credit card sized device which does some (unique for each user) magic crunching on numbers entered. When you log in you are presented with random numbers which must be entered into the device, and the result is used to login within three minutes. When you transfer money you must enter both the account number, and the amount, into the device and submit the results. To me this seems secure enough to use public terminals for banking. I do. Even if you forget to log out from the bank, very little harm can be done. You need to enter numbers to do just about anything except log out.

Re:Rabobank security (3, Interesting)

dr_d_19 (206418) | more than 7 years ago | (#15696655)

Phishers may be able to coordinate up to the point of this validation, but if one suddenly had to enter an additional verification number of, e.g. "2000.00" (minus the decimal point), it'd be very hard to use phishing for large amounts of money.

No it will not.

This is an example of how the man in the middle attack would occur on any Swedish bank

Hello, welcome to CitiBank, please insert your account number and the response to the following challenge: 8022 8429
- "Uhm, ok" (login via man in the middle)

There was a problem, please try again with the following challenge: 2842 2020
- "Oh, my bad" (add phishing account to user's account allow list)

You will need one more challenge/response pair however, which you can get using:

  - A third login problem
  - Any action performed by the user that would require the response/challenge usually
  - Information about "heightened security" and the need to re-verify the identity.
  - Information about an e-visa/new savings account/free stocks or anything that would potentially require a challenge

So this is very possible.

This can be solved using client side certificates tho'.

Re:Rabobank security (1)

Hast (24833) | more than 7 years ago | (#15696717)


This is an example of how the man in the middle attack would occur on any Swedish bank ...

This can be solved using client side certificates tho'.

Not quite all. Eg Handelsbanken uses certificates instead and is thus safe from MITM attacks.

Re:Rabobank security (1)

Homology (639438) | more than 7 years ago | (#15696801)

> Not quite all. Eg Handelsbanken uses certificates instead and is thus safe from MITM attacks.

But the certificate can be stolen, though. One bank used to use a certificate and a 4-digit PIN code for access, and only Windows was supported. Sure, certificates are better than nothing, but they need to be augmented with something else to make them safer.

Re:Rabobank security (1)

maris382 (988126) | more than 7 years ago | (#15696728)

Another solution could be to add an extra digit representing the type of information you are signing.

Say,
    1 for login,
    2 for an account number, and
    3 for an amount.

Then, making sure that the personal token tells the user what kind of information he is signing (flashing 'login', for instance), you could avoid most phishing attacks like you described (unless, of course, if the phisher has access to an account that you've already signed, which seems rather difficult to get)

Re:Rabobank security (1)

mwvdlee (775178) | more than 7 years ago | (#15696820)

That problem would be easily solved by simply linking the site-generated validation codes to the action they are supposed to validate; you couldn't log in using the "allow" challenge. At best, a phisher could piggy-back on the actions of the user. If the target account numbers are used as validation codes (along with action validation codes, of course), the best a phisher could possibly do is change the amount... unless of course that amount is also used as a validation code.

Now *surprise*, this is exactly what's happening at a lot of banks.

Obviously, no amount of security measures will stop a phisher from scamming an utter idiot. But then again, the type of person who'd still fall for it should arguably not be allowed to manage their own finances anyway.
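The thread above argues two things: a time-limited code (the one-minute token in the story) is simply relayed by a man in the middle, while a response computed over the destination account, the amount and the action type (the Rabobank, ABN AMRO and Swedish devices, and maris382's "extra digit") cannot be redirected. The following is an added example, not code from any of these banks or from the posters. It uses RFC 4226 HOTP for the time-based token and a truncated HMAC-SHA256 as a stand-in for a signing device; the seed, challenge and account numbers are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed per-user seed shared by the user's token and the bank (not a real secret).
SEED = b"constructed-demo-seed-not-a-real-token-secret"
STEP_SECONDS = 60  # the one-minute window mentioned in the story


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def time_otp(secret: bytes, now: int) -> str:
    """Time-based code: the counter is just the current minute."""
    return hotp(secret, now // STEP_SECONDS)


def bank_accepts_time_otp(secret: bytes, code: str, now: int) -> bool:
    """Bank side for a plain time-based token. It checks the current and the previous
    minute, as deployments do to absorb clock skew. Note what is NOT here: nothing
    about what the code is authorising."""
    counter = now // STEP_SECONDS
    return any(hmac.compare_digest(code, hotp(secret, c)) for c in (counter, counter - 1))


def relay_attack_time_otp(secret: bytes, now: int) -> bool:
    """The attack in the story: the victim types the live code into the phishing page,
    the attacker relays it to the bank inside the window and issues its own transfer.
    Returns True if the bank accepts the attacker's session."""
    victim_code = time_otp(secret, now)
    attacker_submits_at = now + 20  # still inside the one-minute window
    return bank_accepts_time_otp(secret, victim_code, attacker_submits_at)


def sign_transaction(secret: bytes, action: str, challenge: str,
                     dest_account: str, amount_cents: int) -> str:
    """Token side of transaction signing. The response covers the action type
    (maris382's extra digit), the bank's challenge, and the destination and amount
    the user keys into the device, so the user sees what is being signed.
    Eight hex characters keeps it typeable; a real device would use its own scheme."""
    msg = f"{action}|{challenge}|{dest_account}|{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def bank_verify(secret: bytes, action: str, challenge: str,
                dest_account: str, amount_cents: int, response: str) -> bool:
    """Bank side: recompute over the details it is about to execute, not the ones the
    user was shown. Any substitution by a relay changes the expected response."""
    expected = sign_transaction(secret, action, challenge, dest_account, amount_cents)
    return hmac.compare_digest(expected, response)


# Constructed account numbers and challenge for the scenario.
VICTIM_INTENDED_DEST = "NL91ABNA0417164300"
ATTACKER_MULE_DEST = "NL00MULE0000000001"
CHALLENGE = "8022 8429"  # the constructed challenge from the thread's example dialogue


def relay_attack_transaction_signing(secret: bytes) -> bool:
    """Same relay, but the token signs destination and amount. The victim keys in the
    transfer they intend; the attacker forwards the response with its own destination.
    Returns True only if the bank would accept the attacker's transfer."""
    amount = 200000  # 2000.00 in cents
    user_response = sign_transaction(secret, "TRANSFER", CHALLENGE, VICTIM_INTENDED_DEST, amount)
    return bank_verify(secret, "TRANSFER", CHALLENGE, ATTACKER_MULE_DEST, amount, user_response)


def replay_login_as_transfer(secret: bytes) -> bool:
    """Action binding: a response the user produced for 'login' cannot be replayed to
    authorise a transfer, even with the same challenge."""
    login_response = sign_transaction(secret, "LOGIN", CHALLENGE, "", 0)
    return bank_verify(secret, "TRANSFER", CHALLENGE, ATTACKER_MULE_DEST, 0, login_response)


if __name__ == "__main__":
    now = 1_700_000_000
    for label, ok in [("plain time OTP relayed within the window", relay_attack_time_otp(SEED, now)),
                      ("transaction-signed, destination swapped", relay_attack_transaction_signing(SEED)),
                      ("login response replayed as transfer", replay_login_as_transfer(SEED))]:
        print(f"{label}: {'attacker succeeds' if ok else 'rejected'}")
```

The caveat dr_d_19 raises still stands: the signed response only protects what the device displays and the user actually reads. If the phishing page talks the user into keying the attacker's account number as a "verification code", or the user does not compare the amount shown on the device with the transfer they meant, the bank verifies a response the user genuinely produced over the attacker's details. The design removes silent substitution by the relay; it does not remove the user from the loop.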

Are you surprised? (2, Insightful)

Manip (656104) | more than 7 years ago | (#15696548)

This isn't at all a shocker. The authentication problem is only one piece of a very complex puzzle. But in this case simple and common SSL certificate verification would work to stop such a man-in-the-middle attack.

Further down the road though, this is why technology leaders need to standardise authentication tokens to include some kind of two way verification ... So when you enter your token into the browser, first the browser checks the web-site is the "owner" of that token and if it is not then it warns the user, after verification the browser then sends the token and the user is verified to the site.

Something like this:
  mybankcom - 9 -

The browser implements a "token box," when a post is attempted with said box the domain gets stripped of all special characters (up to the path) and then compared to the first part of the token. If they are case insensitively identical then the browser will submit the rest of the token (the pseudo random number) to the web-site.

The token box would have to look unique and be very difficult to clone... Which might require it to jump out from the main content window, but that is a problem for browser UI developers and beyond the scope of the problem.

Re:Are you surprised? (3, Interesting)

FireFury03 (653718) | more than 7 years ago | (#15696706)

But in this case simple and common SSL certificate verification would work to stop such a man-in-the-middle attack.

SSL (and other such certification systems) present a trust problem:

When I connect to Alice, she presents a certificate which is signed by Bob. This tells me that Bob has verified that Alice is who she says she is. All very good you might think... except why the hell should I trust Bob? Maybe "Alice" is really Charlie pretending to be Alice and Bob signed the certificate because Charlie paid him a whole heap of cash. Or maybe Bob just didn't actually bother to check before signing the certificate. Either way, I don't know Bob and so he hasn't earnt my trust.

In this case, Bob is someone like Verisign - a large corporation who has been paid a reasonably large amount of money by Alice. If there's one thing I've learnt it's that most large corporations are fundamentally untrustworthy, especially when they're receiving bundles of cash from someone.

This kind of trust problem is not easily solvable (if it's actually solvable at all). One potential way to do things is have a social network: each person signs the certificates of each of their friends and assigns a "trust score" showing how strong their trust relationship is. When I want to see how trustworthy Alice is, I traverse the network of signatures between me and Alice and can calculate the end "trustworthiness" from the scores of all the interconnections in the network. The problem here is that there usually aren't that many hops between any 2 people in the network; I might trust Bob and Bob might trust Alice, even though *I* don't trust Alice.

phishing preys on ignorance (5, Insightful)

grrowl (953625) | more than 7 years ago | (#15696554)

The target authorities and security developers should be aiming for, in my opinion, is not the people who do the wrong-doing, but the users themselves. The major difference that phishing has from hacking or physical robbery is that the attack is forceful against either the bank's online front or the customer, whereas phishing preys on not physical or technological weakness but on intellectual weakness: ignorant users are conned into giving up personal details, going to a particular site or running a program because they are unaware of the risks. In phishing cases there really should be a bigger push for educating customers through more than just 20-pixel-high signatures on electronic correspondence. There should be in-bank brochures, TV spots/advertisements (or at least addendums to current TV spots) and users should clearly know never to click a link in an email from anyone, especially if it's pertaining to a bank or PayPal-like site or in a personal mail from someone unfamiliar. There's a reason many geeks have clean-as-a-whistle computers (I virus and spyware scan every now and then -- about every 6 months -- and they both always come up clean) whereas the "common user" has problems with viruses and scumware seemingly constantly, and that reason is education and not-so-common sense. The answer then is obviously to educate, and make that sense common.

Re:phishing preys on ignorance (2, Interesting)

Sawopox (18730) | more than 7 years ago | (#15696614)

The solution to 99.99% of the problems we face today is education. But, as they say, "Ignorance is bliss." Some people today simply DO NOT CARE to put forth the effort to make any kind of change in their life. So long as the welfare check comes every month, and American Gladiators is on 24/7 re-runs, they're happy. What is worse, is this "So, what?" attitude we see in adults is being passed onto their kids. I teach middle-school, and sometimes I just want to scream, "WAKE THE FUCK UP AND OPEN YOUR GODDAMN EYES!" at the top of my lungs.

Re:phishing preys on ignorance (1)

cerberusss (660701) | more than 7 years ago | (#15696783)

Some people today simply DO NOT CARE to put forth the effort

Lots of broad, generalizing statements. Those same people might care a lot about their family and visit their brothers and sisters regularly. They may also have a big savings account for an early retirement. Things you may not care about. I'd like to scream to you: "WAKE THE FUCK UP AND STOP MAKING STUPID GENERALIZING STATEMENTS!" at the top of my lungs.

Re:phishing preys on ignorance (1)

Sawopox (18730) | more than 7 years ago | (#15696833)

Uhm, except those people that CARE about their family and HAVE big savings accounts for an early retirement are NOT the ones to which I was referring. I was referring to the people that sit on their fat lazy ass all day and expect government hand-outs and the welfare of others to get them through the day.

Re:phishing preys on ignorance (1)

cerberusss (660701) | more than 7 years ago | (#15696911)

OK so you've narrowed down the group. If you repeat this a few times, you'll probably lose some of that frustration and either a) correctly identify the group you're referring to -- or more likely b) realize you're spouting nonsense.

Re:phishing preys on ignorance (2, Funny)

Professor_UNIX (867045) | more than 7 years ago | (#15696826)

American Gladiators is on 24/7 re-runs
American Gladiators is back on the air!?!? SWEEEEET. What channel?

Man in the middle will always work (2, Insightful)

WebHostingGuy (825421) | more than 7 years ago | (#15696558)

A man in the middle attack will breach just about any security you have. Unless you can recognize it, or teach others to, this sort of attack will always work. The trick is that it is sophisticated and you have to educate people to know when they are connecting to the correct site or not; that is, check the URL and the SSL certificate when connected. And, never use self-signed SSL certificates.

Re:Man in the middle will always work (1)

Tatarize (682683) | more than 7 years ago | (#15696575)

Remind me again... why can't they catch the money? Why is there no way to tag cash and find where it ends up and lock that account up? My banking knowledge is limited, but it seems like if you can follow the cash you can get pretty good results.

Re:Man in the middle will always work (2, Informative)

maxwell demon (590494) | more than 7 years ago | (#15696647)

Well, probably they open bank accounts under false identities, and close them again immediately after they get the money. For the next phishing attack they can just open another account under another false identity at another bank. All they need to be good at is faking (or maybe stealing) identities (and of course actual phishing). If that bank account is emptied and closed quickly enough (i.e. before you notice that someone took money from your account), there's no way to lock it, and probably hardly a chance to find the person who had opened it.

Re:Man in the middle will always work (1)

Tatarize (682683) | more than 7 years ago | (#15696658)

Nah, I'm talking about fishing the phishers. Have preset bank accounts which are set to have any outward transfers lock the account that gets the outward transfer. Find a phisher, give them the fake account. They fall for it and that flags the offending account.

Re:Man in the middle will always work (1)

Bozdune (68800) | more than 7 years ago | (#15696697)

I like this idea a lot. Pursuant to someone who posted earlier about how dumb people seem to be, and how phishers prey on that dumbness, hey, there's a lot of smart people as well. I get phishing attempts multiple times per day. If I had a way to screw the phishers by sending them to a honeypot bank account, I would do it as a community service, and so would about a zillion other people who play here.

Re:Man in the middle will always work (1)

hughk (248126) | more than 7 years ago | (#15696891)

If you are in the US or UK, the identification procedures for new clients (KYC) are supposed to be quite painful. To establish a strawman identity for opening an account is possible but it definitely isn't easy. Most of the western world has similar information collection obligations, even traditional banking secrecy countries. So, for example, if I phished some details from your account and wired your money to Switzerland, a complaint of wire fraud via the FBI to the Swiss cantonal authorities will allow the bank to release account beneficiary data.

As far as the rest of the world, well if they aren't tracking who the account beneficiaries are, well your US bank is not supposed to wire money to them.

Re:Man in the middle will always work (1, Informative)

v1 (525388) | more than 7 years ago | (#15696856)

SSH is specifically designed to prevent MITMA. If I try to ssh to a system that I have recently swapped hardware on and still have the same hard drive, ssh flips out and warns me of a possible MITMA due to the MAC address of the destination having changed. (It displays a short warning saying "someone may be doing something nasty!") In fact, it won't even let me ignore the error; I have to go into the known_hosts file and remove the previous fingerprint before it will let me ssh into that system again. This problem never occurs unless I have changed the machine I am ssh'ing into, so there are no false positives to get accustomed to.

Although this prevents MITMA, it does not necessarily prevent phishing by default because the phisher could somehow trick me into ssh'ing to the wrong address, by hacking a DNS for example. However there is one further security feature of SSH. When you are ssh'ing into a system that you have never connected to before, it displays a warning and asks if you want to add the new host to your list of known hosts. Since you should never get this except the very first time you connect, if you see this warning when connecting to someplace you visit regularly, you know something is wrong.

I suppose the best defense to phishing, instead of 2-part authentication, would be to send the users the program to access their content. Imagine the bank writing an ssh-enabled client with the fingerprint of their server hard coded into it, where it remembers your account information as well so you don't get used to typing in your bank password whenever asked for it. No link to click, just "run the bank program" to access your account. Even a DNS compromise would not impact this. The only issue I can see with this method is storing the account information in a way that cannot be extracted by spyware AND not in a way that can be used in its encrypted form (such as hashed).

The big problem with phishing here is simply that the user is too used to being asked for their account information, and as long as the phisher doesn't deviate too much from the norm the user will just go zombie and type it in. This information needs to be something you enter once, and if it ever asks you again there is a problem.

But in the end, profound user stupidity trumps all. That will never change.

Re:Man in the middle will always work (2, Informative)

Anonymous Coward | more than 7 years ago | (#15697007)

SSH is specifically designed to prevent MITMA. If I try to ssh to a system that I have recently swapped hardware on and still have the same hard drive, ssh flips out and warns me of a possible MITMA due to the MAC address of the destination having changed.

WRONG.

SSH does NOT care about the MAC address. The MAC address is only valid on a LAN. Every time a packet passes a router, the MAC address gets replaced, so it would be completely useless for any kind of authentication. Plus, changing the MAC address can be done in software easily. As I tend to tell people who do wireless networks: Forget about MAC filtering, cracking it takes less time (seconds) than activating it.

What SSH is complaining about is the host key. It has nothing to do with the hardware, but is located in a file in /etc. And moving the hard drive to a different machine does NOT change the host key. Re-installing does, however.

Re:Man in the middle will always work (2, Informative)

Leebert (1694) | more than 7 years ago | (#15697042)

ssh flips out and warns me of a possible MITMA due to the MAC address of the destination having changed.

No, it doesn't. You can change hardware (and even platforms) all day to your heart's content. What you CAN'T do is change the public key. If you, for example, uninstall ssh, and the uninstall removes the keys, and then you re-install ssh and regenerate the keys, you will get this message.

Although this prevents MITMA, it does not necessarily prevent phishing by default because the phisher could somehow trick me into ssh'ing to the wrong address, by hacking a DNS for example.

No, that wouldn't work. ssh stores a fingerprint for the server's public key. The fingerprint is associated with both the host's DNS name and its IP. If you were to poison DNS and cause me to connect to a different hostile machine with the "same" forged hostname, the public key of that hostile machine would differ. ssh would completely wig out and say that a man in the middle attack may be occurring.

There's plenty of ways around 2-factor authentication within ssh, but this isn't it.
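Added example, not code from the thread or from OpenSSH: a minimal model of the known_hosts check Leebert describes, showing why a DNS-poisoned host presenting a different key triggers the "changed key" warning rather than the first-connection prompt. Key blobs, hostnames and IPs are constructed.

```python
"""
Added example, not code from the thread or from OpenSSH: a minimal model of
the known_hosts check, showing why a DNS-poisoned host presenting a different
key triggers the "changed key" warning rather than the first-connection
prompt. Key blobs, hostnames and IPs are constructed.
"""
import base64
import hashlib
import struct


def ed25519_blob(seed: bytes) -> bytes:
    """Build an OpenSSH-format ssh-ed25519 public key blob.

    The 32 'key' bytes are a hash of a seed, not a real key pair; only the
    wire layout (length-prefixed type string, length-prefixed key) is real.
    """
    pub = hashlib.sha256(seed).digest()
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh prints it: base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed keys: the bank's real host key and a rogue key on a spoofed host.
BANK_KEY = ed25519_blob(b"bank host key")
GIT_KEY = ed25519_blob(b"git host key")
ROGUE_KEY = ed25519_blob(b"rogue host key")

# Constructed known_hosts file: "hostname[,ip] keytype base64-blob [comment]".
KNOWN_HOSTS = "\n".join([
    "bank.example.com,203.0.113.10 ssh-ed25519 " + base64.b64encode(BANK_KEY).decode(),
    "git.example.org ssh-ed25519 " + base64.b64encode(GIT_KEY).decode() + " work",
    "# comment lines and blank lines are ignored",
    "",
])


def parse_known_hosts(text: str):
    """Yield (names, keytype, blob) for each plain (unhashed) known_hosts line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, keytype, b64 = line.split()[:3]
        yield names.split(","), keytype, base64.b64decode(b64)


def check_host_key(known_hosts: str, hostname: str, ip: str,
                   keytype: str, presented: bytes) -> str:
    """Classify a presented host key the way an SSH client does.

    'new'     - no entry for this name or IP: ssh shows the fingerprint and
                asks whether to trust it (trust on first use).
    'ok'      - an entry for the name or IP carries exactly this key.
    'CHANGED' - the name or IP is known but the key differs: the MITM warning.
    Simplification: a matching key on a known name with a new IP is 'ok'
    (the hardware-swap case from the post); real ssh also notes the new IP.
    """
    seen = False
    for names, ktype, blob in parse_known_hosts(known_hosts):
        if ktype != keytype or not (hostname in names or ip in names):
            continue
        seen = True
        if blob == presented:
            return "ok"
    return "CHANGED" if seen else "new"


if __name__ == "__main__":
    print("fingerprint:", fingerprint(BANK_KEY))
    # Same host, same key, new IP (hardware or address changed): still fine.
    print(check_host_key(KNOWN_HOSTS, "bank.example.com", "198.51.100.4",
                         "ssh-ed25519", BANK_KEY))       # ok
    # Poisoned DNS sends the client to a rogue box with the bank's name.
    print(check_host_key(KNOWN_HOSTS, "bank.example.com", "198.51.100.7",
                         "ssh-ed25519", ROGUE_KEY))      # CHANGED
    # A host never connected to before: the first-use prompt.
    print(check_host_key(KNOWN_HOSTS, "new.example.net", "192.0.2.5",
                         "ssh-ed25519", ROGUE_KEY))      # new
```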

carding (1)

joe 155 (937621) | more than 7 years ago | (#15696570)

Could the banks not create a USB card reader which you could put your debit/credit card into as part of the authentication? Or, even better, an "authentication" card: it could have, say, 5 billion numbers on it, and the system could ask for 5 digits randomly out of all of them. If the box was set to never send more than 5 digits, then even if you fell for a phishing attack or got hacked, those numbers would almost never be asked for again. This seems like such a good idea... I feel I must be missing something.

Re:carding (1)

BrynM (217883) | more than 7 years ago | (#15696694)

could the banks not create a usb card reader which you could put your debit/credit card into as part of the authentication

They could not create it, but darn it, they already have [wikipedia.org]. It's not without its problems as well.

Re:carding (1, Informative)

Anonymous Coward | more than 7 years ago | (#15696696)

What you are referring to is called a "one-time pad" [wikipedia.org], which this token effectively provides; this is still vulnerable to man-in-the-middle attacks, though.

Re:carding (2, Interesting)

WedgeTalon (823522) | more than 7 years ago | (#15696995)

A lot of people, like you, are suggesting sophisticated technological solutions (which won't really work IRL). The REAL problem isn't the bank's security - it's the user's gullibility. My bank simply uses a username/password style login. It works fine. The only ones with problems are those who believe everything they get in their inbox.

They will Phish for every required parameter (1)

tezza (539307) | more than 7 years ago | (#15696583)

Given that a wget command to retrieve any session authentication key only takes a couple of seconds, a full minute window is easily enough.

The phishers can also mimic the error path if the token is disallowed or mis-typed.

This is not an easy problem to solve!

Re:They will Phish for every required parameter (1)

Lumpy (12016) | more than 7 years ago | (#15696926)

This is not an easy problem to solve!

Yes it is. After submitting transactions, you must verify from your email account by responding to the email the bank sent you; if you don't do this in 2 minutes, the transactions are cancelled.

So unless the phishers also hijacked your email account, you have effectively defeated them, as you will see the mystery transfers you did not do before they are submitted.

Perhaps if banks signed their emails (5, Insightful)

Colin Smith (2679) | more than 7 years ago | (#15696593)

People might just be able to determine if they were valid or phishing attempts.

Almost all email clients support s/mime these days, all you and the banks have to do is sign up to a certificate authority and install a certificate. They can be acquired for free.

 

Re:Perhaps if banks signed their emails (2, Insightful)

MonsoonDawn (795807) | more than 7 years ago | (#15696762)

1. Certs are entirely too easy to obtain.
2. Because of #1 the only thing a cert proves is that the hostname matches what's in the cert.
3. Phishers have been using faked yet secure websites for years now they'll just switch to emails.

Certs are worse than useless, they're misleading.

Get a certificate - free (1)

Colin Smith (2679) | more than 7 years ago | (#15696920)

Bollocks.

The problem with email at the moment is that forging From: fields is trivial; anyone who knows the first thing about SMTP can do it in 5 seconds, and this means that an email can appear to come from any source the actual sender wants. I can send an email to anyone and make it appear as if it's from any bank in the world.

With a signed email, if the sender (bank) email address in the From: field doesn't match the certificate, then you know it's not from the real sender (bank). It's perfectly possible and indeed simple for the client to automatically check that a signed email is from who it says it's from. That's the whole point of digital signatures. It could then display a nice happy face for valid emails and an unhappy one for invalid ones, or a neutral one for unsigned ones.

And certificates should be easy to obtain. Everyone should have one. Go get one now, they're free! It isn't whether you have a certificate or not that matters; it's that you are who you say you are that matters, and that's what certificate authorities do for you. It's then up to users to check that the From address shows user@barclays.co.uk rather than user@barlcays.co.uk, but at least they'll now be able to check.

You can get free certificates which can be installed in your s/mime compliant email client.

http://www.thawte.com/secure-email/personal-email-certificates/ [thawte.com]
http://www.cacert.org/ [cacert.org]
http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html [instantssl.com]

More info here.
http://en.wikipedia.org/wiki/S/MIME [wikipedia.org]
 

Re:Perhaps if banks signed their emails (1)

karot (26201) | more than 7 years ago | (#15696790)

Sadly, some mail clients support signed and encrypted emails really badly (or not at all). I have seen more than one installation of Outlook Express where, if a signed message is sent to them, you have to click extra buttons before it can be read, and you cannot reply to or forward a message for some strange reason - I never did work out why.

Sadly Outlook Express still has a huge end-user following as it is familiar, and comes with "that" operating system. Using POP3 mailboxes means that migrating between mailers is often painful, so we are stuck with incapable clients and phishers are free to play. :-(

Re:Perhaps if banks signed their emails (1)

Colin Smith (2679) | more than 7 years ago | (#15696962)

right... of course... so nothing should be done...

Get a certificate, install it and use it.

 

Anonymity - the other side of authentication (2)

UR30 (603039) | more than 7 years ago | (#15696612)

How about the other side of authentication - anonymity. There are cases when the service provider doesn't need to know personal or professional details about the customers, but nevertheless this kind of data is collected widely. The Shibboleth technology developed in the Internet 2 project in principle makes it possible for a customer to limit the access to personal data by service providers. These kinds of solutions should be made widely available. Now there are all too many authentication systems collecting data which may be used (at some point) for nefarious purposes.

It's simple -- make browser never access ANY .RU (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#15696621)


It's simple -- make all browsers never access ANY .RU because any .ru is by definition a scam. .il too since that's always a pesky pinko commie ruskie too.

Re:It's simple -- make browser never access ANY .R (-1, Troll)

Anonymous Coward | more than 7 years ago | (#15696936)

Quit spreading the lies that communism spreads scams like this. We all know that Russians and Israelis are simply a morally inferior people. Nigerians too.

Bank Security (2, Insightful)

nighty5 (615965) | more than 7 years ago | (#15696623)

As a security consultant I use lots of ways to defeat all types of security controls, and in true Slashdot way I didn't read the article. There is no silver bullet to security; it requires successive layers of controls (defence in depth) to adequately protect against attacks. It is no surprise to see two-factor auth defeated in this situation, but there are other controls a web application can use to safeguard against these attack types:

Website Controls

Additional "next PIN" for each transaction

Challenge response

Enter a PIN challenge based on dollar amounts to transfer

The usual web security stuff - see OWASP for more

Signing transactions with certificates and tokens

Security Awareness

Workstation security is paramount, firewalls, anti-spam, anti-malware, running as non-admin all assist in this process

Some trojans embedded into IE and pop-up boxes that sift the credentials upon the user typing in their banking website

As you can see, there is so much you can do.
Have fun!

Re:Bank Security (2, Informative)

OP_Boot (714046) | more than 7 years ago | (#15696786)

Out of all of your suggestions, only one - Signing transactions - will defeat a man-in-the-middle attack such as is described by the article.

Re:Bank Security (1)

TA (14109) | more than 7 years ago | (#15696810)

A very good way to block man-in-the-middle attacks is one that has been described by another poster already, and which is in actual use by some banks: introduce a second channel to verify the actual transactions. In the case described the bank simply sends a one-time pwd as an SMS to your cellphone, and you have to enter the pwd to confirm the transaction. The attack used on Citibank customers (and my bank is using something similar) wouldn't work. With this method you won't need those very tedious systems where you have to enter all the accounts and amounts into your OTP device, which is simply painful.

A slightly different SMS-based system (used by some, but it needs a special SIM card) will have you reply through SMS as well, with a separate personal phone code.

Nothing surprising (4, Interesting)

arivanov (12034) | more than 7 years ago | (#15696630)

Nearly all US and UK Internet banking systems are susceptible to this.

There is an easy fix for this as well - client side certificates. I have an account with a bank in an ex-eastern European country and they use it. Many Scandinavian banks use that as well (with the certificate on a token or a smartcard).

In order to authenticate the SSL handshake has to use both client side and server side certificates. After that the actual user id has to match the certificate one. A man in the middle cannot break through that because it will not have the private key from the user machine. From there on even if it can fake the bank interface to the user it cannot fake the user towards the bank. Game, set and match.

The only reason for US and UK banks not to use it is outright incompetence. I remember trying to explain the concept of client side SSL certificates to one of the cretins who have implemented a well known UK bank Internet banking security subsystem. He could not grasp the concept. By the way - he now works in the "risk" (that is the way they like calling this now) department of another well known UK bank.

Re:Nothing surprising (1)

nihaopaul (782885) | more than 7 years ago | (#15696667)

China has been doing two-way certificates; the problem is not the actual certificate but the `windows` only policy. Mac and nix users are being alienated. Just yesterday I had a meeting with a payment gateway (I know it's not a bank per se) in China and I went through a model user.

I set them up with a computer running freesbie and gave them banking information and asked them to use their system to buy through our site. As you can imagine, they became pissed off that it wasn't `IE`, then even more frustrated when trying to use their own banks.

I asked them straight out: should I have to use an operating system I don't trust to be able to buy online? Of course they were trying to keep business and replied `no`; then I pointed out that a quarter of the visitors on the site are Mac users.

So what I am getting at is, this would have to be an open standard, not a closed proprietary way, and integrated into the khtml/ff/opera/ie browsers.

Paul

Re:Nothing surprising (2, Interesting)

arivanov (12034) | more than 7 years ago | (#15696760)

Strange.

No particular reason for client certificates to fail to work once loaded in a non-MS client. I got the east-EU bank mentioned in my original post working correctly with konq and mozilla.

Now, smart cards are a different matter. Some of them are not supported under *nix and MacOS. If the card is supported you should still be in the game.

Similarly, requesting certificates may be a problem. Mozilla has some troubles with handling the certificate-request/certificate import sequence. So does konqueror. It also cannot load a certificate with the same Subject as an existing certificate into the cert store. This makes requesting certificates via an interface which in turn requires a certificate to authenticate a real pain.

In either case it can be made to work. Maybe a bit painful, and I understand banks which refuse to provide support for anything but IE for this purpose (f.e. because of the aforementioned mozilla cert request sillies). As long as they do not outright deny you the possibility to use something else by using IE only features in the UI, I am OK with that. I can sit down once a year on a windows machine to renew the certificate while swearing at Mozilla people for indexing their store based on Subject, not subject+serialNo.

Overall it can be made to work and it solves 99% of all phishing outright. IMO it is criminal for the banks not to use that. No rocket science involved.

Re:Nothing surprising (2, Informative)

Octorian (14086) | more than 7 years ago | (#15696904)

Client-side certificates work just fine in non-MS browsers and E-Mail clients. The problem, as mentioned in other posts, is in certificate distribution. All these other browsers do support installing client certificates off of websites, but often you'll find a site that insists on some weird ActiveX crap to handle certificate installation. Where I work, this is especially frustrating, as we have a lot of Mac users (including myself). So, we find a Windows machine, go through the process, export the certificates/keys, sneakernet them to our systems, and install them.

Re:Nothing surprising (1, Insightful)

Anonymous Coward | more than 7 years ago | (#15696841)

The only reason for US and UK banks not to use it is outright incompetence.

No, it's not an easy fix, it's a huge hassle. If the client-certificate is going to be on the user's computer, then the user can only bank from one computer. Many people have multiple computers (desktop, laptop, spouse's PC, work PC, etc), will you issue client-certificates for all of these? If you do, you now have a certificate issuing problem. And if the client-certificate is in the browser, then it can be read by rootkits & spyware.

If you're going to use a token (smartcard or key fob), then you have interoperability problems with different browsers/operating systems for a full ssl client certificate.

The handheld tokens where you have to type a challenge & get a response don't implement a full ssl client certificate, and are subject to MITM attacks, as was described in the article.

Ways to beat this.. (2, Insightful)

wfberg (24378) | more than 7 years ago | (#15696633)

Let's see

1) the website is simply at another address, well-educated users will spot the lack of https and the different URL
2) I have an account at postbank(.nl) which uses a password for logging in, and then additional codes for transactions. The password will only give you read only access.
3) At this same bank, the transactions are verified by sending you a text-message; not the most secured channel, but the message doesn't just include a "transaction acceptance code", but also the amount of money being transferred. If something is amiss it's spotted easily through this second channel, beyond the phishers' control.
4) Another bank, abnamro.nl, lists the IP number you were last logged in from on the welcome page.

I feel that 1) could be attacked by phishers using malware, so that's no guarantee.
Using the amount of money to be transferred as part of the challenge is trivial and should simply be implemented at first opportunity. One of citibank's problems is that they're using a token that simply displays a code, rather than a challenge response system; no way to enhance the challenge..
Number 3) is also pretty neat. Really, I don't care so much about my bank statements per se that they need to be protected with two-factor authentication (though of course in the US, identity theft might make this more prudent). The ability to check my account without too much rigmarole is very user friendly.
Number 4) would be neat, but also confusing to many users, especially those behind DHCP.

Sum conclusion:
use challenge response, with the amount to be transferred firmly embedded in the challenge, or communicated to the user out-of-bounds.

Re:Ways to beat this.. (1)

houghi (78078) | more than 7 years ago | (#15696671)

1) well-educated users won't fall for phishing
2) Citibank uses the system from vasco.com. So now I need to enter 3 passwords. 1 for the site, 1 for the machine and the nymber that the achines gives me. None can be the same like my pin number.
3) In Belgium sending text messages is not cheap. I will be the one paying for it. No thanks.
4) At Citibank you also get a popup from you last login. Like I ever looked at it or rememeberd when I did log in the last time and if this is correct.

The problem is the man in the middle attack. Look at it this way. You need to urgently transfere money, yet your PC is down. You phone somebody (e.g. your spuce) and tell them what they need to enter.

You give the pincodes, the numbers the machine gives you and every other detail that is asked on the site. You can "inderectly" transfere the money.

Now all I need to do is that you give me that information. That is what the man in the middle attack is doing. It makes you give out the information.

Re:Ways to beat this.. (0)

Anonymous Coward | more than 7 years ago | (#15697015)

3): no the bank sends the messages so they'll pay for it.
Yes I know in the end you will pay for it but:
  a. the bank pays a lot less for the huge amounts they would send
  b. everything costs money, tokens do, (digital) certificates do, etc.

what is your major malfunction? (2, Informative)

Anonymous Coward | more than 7 years ago | (#15696664)

Customer number + PIN, then a new code for every transaction. Been using it for years. Can't even log in to the Sampo web-bank without these 3 things. They may grab my account number and pin code as much as they want, because they're doing shit with those codes without my every-time-changing code. Welcome to Finland.

-m10

Re:what is your major malfunction? (2, Informative)

azknom (226212) | more than 7 years ago | (#15696888)

Add to this that you must authenticate every new destination and the phishers will have a really difficult time getting any money. They need to have my authentication device to add their own account and then add a transfer to the ones I do myself without me knowing. I can't see this happening. Sure they can see what I have on my account by sitting in the middle and they can see all I do, but they cannot change what I do without my authentication device. I have used this since 1997 here in Sweden and would never trust a simple password to do my banking.

Online Banking (0)

ajs318 (655362) | more than 7 years ago | (#15696670)

Just what is the whole big deal with online banking anyway? I've never seen the attraction.

There are exactly two reasons, and two reasons alone, why I ever visit a bank. One, the rare one, is to pay in some money or a cheque through the hole-in-the-wall machine. The other one, the common one, is to draw out money through the hole-in-the-wall machine. The HITW can also tell my balance; but I generally know how much is in there, give or take a ton. Between transactions, I hardly care how much is in the bank as long as it's more than nothing. I know how much my wages are, I know how much my regular outgoings are and I know how much extra I've been putting in or taking out.

Unless and until they come out with some software that allows me to scan pound notes with my own scanner and have my bank account credited, and print out pound notes from my own printer and have my account debited, I will have reason to visit the bank. And if said software is not Open Source, then I will still continue to visit the bank.

Re:Online Banking (0)

Anonymous Coward | more than 7 years ago | (#15696771)

I used to hold this view but then I only had a current account. Now I have a range of current, joint & savings accounts, various tax free things, various investments, brokerage accounts, multiple credit cards, mortgage etc etc with an assortment of financial institutions.

Being able to view them or move money between them on a couple of webpages is much more convenient and flexible than using a hole in the wall for each one.

Especially when it's raining.

Re:Online Banking (1)

ajs318 (655362) | more than 7 years ago | (#15696874)

I have a mortgage. No savings account on Earth is ever going to pay me more interest than I'm paying out on my mortgage, because that's how all banks make their money in the first place: by charging borrowers more interest than they pay out to investors. I see no point in having "savings" while I have an outstanding loan hanging over my head: it will only work out more expensive in the long run. If I have spare money, I just make a repayment against my mortgage. If I needed extra money, beyond my overdraft facility, I could just add it on to my mortgage; so far, touch wood, I haven't had to.

Re:Online Banking (1)

HexDoll (778270) | more than 7 years ago | (#15696797)

just what is the whole big deal with online banking anyway?

There are exactly two reasons, and two reasons alone, why I ever visit a bank. One, the rare one, is to pay in some money or a cheque through the hole-in-the-wall machine. The other one, the common one, is to draw out money through the hole-in-the-wall machine.

1) Not everyone uses cash, a lot of people pay by card
2) Some people have multiple bank accounts, they like to have just enough in their day-to-day account and the rest in a higher interest savings account.
3) People are lazy, why go to the bank when you can do everything you need from home?

Re:Online Banking (1)

TA (14109) | more than 7 years ago | (#15696853)

Well, in addition to the arguments already presented (multiple accounts, moving funds between them etc.) it's the simple fact that in my country paying bills over the actual counter in the bank involves charges so high that it's like robbery. The only practical way is to use online banking.
 

Re:Online Banking (0)

Anonymous Coward | more than 7 years ago | (#15696915)

Isn't charging individuals for banking transactions illegal, under the same laws that forbid protection rackets?

Re:Online Banking (1)

aslate (675607) | more than 7 years ago | (#15696896)

Just what is the whole big deal with online banking anyway? I've never seen the attraction.

Well, I have 3 accounts at the moment with one bank, and one with another. With online banking at Nationwide I'm able to transfer money instantly between the three accounts (one savings, current and an online saver account I'm trying out). I can see how much money I've got and what's gone through the account without waiting for a statement or bothering to go to an ATM or wait in line at the bank.

With the Natwest account I have a debit card (can't obtain one on the others till I'm 18), so I use online banking to transfer money to that account, to check whether purchases have gone through and what's left in the account.

The biggest advantage I've found with online banking? I can open, upgrade and modify my accounts online. Since I've signed in with my details (which I've remembered, don't have saved as cookies etc., and I check I'm at the right page), they know it's me and I can do what I want. I recently upgraded an account to a student account and will adjust that to a student account with credit card when I'm 18, all online. The last time I tried opening an account in store was a bastard. They didn't accept provisional licences, I didn't have post in my name acceptable as proof of address (I don't get utility bills) and there's long queues. Now I can do it all online since I've already verified who I am.

Re:Online Banking (0)

Anonymous Coward | more than 7 years ago | (#15697031)

Just what is the whole big deal with online banking anyway? I've never seen the attraction.

Do you ever pay bills (cable/satellite/phone/credit card/mortgage etc.)? Do you take an actual cheque, fill it in, put it in an envelope, put on a stamp, and go put it in a mailbox? Or would you rather log on to a website and take care of it immediately whenever you like for no transaction cost? Even at 3am sitting in your underwear (pants, as you call them)?

Most banks let you download your transactions into personal finance software, which lets you track and quantify all of your purchases. You could keep all your paper statements, but can you tell me how much you spent on restaurants last year? It's very handy for budgeting.

Do you have multiple accounts (chequing/savings/investing)? Want to instantly move money between them to cover the large cheque you wrote? Want to transfer money to your child away at university?

Or would you rather get out of your comfy chair, go to the bank, and wait in line?

A good time (0)

Konster (252488) | more than 7 years ago | (#15696677)

This would be a good time... and application for live Linux CDs or (insert OS here). The OS itself would run live from a CD-ROM, and include a set of auth controls between itself and the bank all on its own, well before the browser or web certs are needed.

2006 compliance (0)

Anonymous Coward | more than 7 years ago | (#15696703)

Citibank just recently starting offering [securityinfowatch.com] Digipass tokens to its business customers and I believe may have extended the program to all of its online banking customers to meet 2006 compliance [banktech.com]. 2 factor authentication seems to be more prevalent in Europe as US banks have been slow to add this measure of security, which is why the FFIEC issued a mandatory compliance. Now with a deadline looming, US banks, especially those using tokens as their 2 factor method like E*Trade and Citibank, may be sent back to the drawing board. Although no method is foolproof, bad publicity alone may make these banks add further measures to ensure online security.

Bank sites should use CAPTCHA (1)

woodengod (863603) | more than 7 years ago | (#15696716)

Of course phishers can use real men in the middle to read the CAPTCHAs, but that would make their job lots more difficult.

The problem is in the approach itself. (5, Insightful)

Parandor (779995) | more than 7 years ago | (#15696722)

Why is online banking allowing you to create new billing accounts online? Why can you make a transfer to a new, unlisted, account online? Answer: Banks want to save money.

Most people almost never create new billing and transfer "destinations". We could afford to go in person once or twice a year to do this. The very few who need these options are usually knowledgeable about security issues. Even if they are not, the fact that there are so few of them is a protection in itself. Remove these options from online banking and even a "phished" account will be of limited use to the phisher, since the only thing he can do with it is pay your bills.

This solution was actually implemented in the beginning of online banking. The idea of pushing "new" features with no regard to their actual impact is almost like a disease in the current corporate world.

Depends on the user... (2, Interesting)

ndg123 (801212) | more than 7 years ago | (#15696763)

Actually quite a few people use this for personal transfers in the UK. For example, if I go for a weekend trip with some old college friends who now live in different parts of the country, I may book all the flights or hotel rooms. Setting up a transfer direct to their personal accounts is quite useful and quick, compared to cash or cheques. My online banking used to take a couple of days to set up these arrangements, and now it's immediate. I think this is rather dangerous.

Liability and fixing the problem (1)

Ritz_Just_Ritz (883997) | more than 7 years ago | (#15696830)

I suspect that we're only going to see some serious efforts to fix/curb this problem once the banks become 100% liable for monetary losses due to fraud. For the moment, their attempts to "fix" things are more of a PR exercise (for consumer's benefit and regulator's benefit) than an actual solution to the problem.

At some point, the naughty people have to pick up the money. There needs to be more international coordination for prevention of bank fraud so that these criminals can't hang out in countries with corrupt banking/regulatory/political systems and siphon accounts of citizens from around the world.

Re:Liability and fixing the problem (1)

sharp-bang (311928) | more than 7 years ago | (#15697040)

The regulatory action in the USA to encourage banks to improve authentication is an attempt to short-circuit the possibility of a major shift in liability, which could have a lot of unintended consequences for both banks and consumers.

Easy fixes to make it a bit harder (0)

Anonymous Coward | more than 7 years ago | (#15696850)

Companies can easily increase the difficulty of a successful man-in-the-middle attack with a single One Time Password, by simply asking for 2. Some places already do this. Basically, you are required to use a single generated one-time password to log in to the site, and then when you are ready to complete a transaction, it requires you to enter a second, completely different one-time password generated from the same device. This is the total fix, but it is an easy way to make this type of attack much harder: asking for a single password, ok, human error; asking for 2... that should raise some flags.

Matrix card (3, Insightful)

Tarrio (151332) | more than 7 years ago | (#15696954)

My bank uses a two-factor authentication system, the second factor being a card with a 10x10 matrix of double-digit numbers. When you login, the website asks you for your username, PIN and the number which appears in certain coordinates in the matrix card.

It used to ask you for it in the login page itself. Nowadays you need to have a mobile phone number associated with your account; when you try to login, the coordinates are sent to you by SMS. In that way, even if a phisher gets your username, PIN and full matrix, they cannot login because they don't know what coordinate is asked to you (and you receive the unsolicited SMS, so you can alert the bank). They would have to steal your cellphone too.

Ah, and you have to enter those numbers using an on-screen keypad which moves around randomly after you click on each number, so keyloggers are now useless too.

Both tokens were passive (2, Informative)

accident (575230) | more than 7 years ago | (#15696994)

This is what's possible when both tokens are "passive" - that is, they play no part in the negotiation and are one-way (even if valid for a short time).

What is needed is for one of the tokens to be "active" in the negotiation. Anything that can perform a unique challenge-response will fix the MITM attack.

As others have stated, client side ssl certificates, hardware tokens with key-pads, smart cards, trusted-computing would suffice.
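Added example, not code from the thread or from any bank: a passive time-based code next to a challenge-response whose challenge embeds the destination and amount, which is what wfberg's "Ways to beat this.." post and the "active token" point above both call for. Secret, account names and amounts are constructed; HMAC-SHA256 stands in for whatever a real token computes.

```python
"""
Added example, not code from the thread or from any bank: a passive
time-based code next to a challenge-response that binds destination and
amount into the challenge. Secret, accounts and amounts are constructed;
HMAC-SHA256 stands in for whatever a real token computes.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

TOKEN_SECRET = b"constructed shared secret between token and bank"


@dataclass(frozen=True)
class Transfer:
    destination: str
    amount_cents: int


def passive_code(secret: bytes, unix_time: int, step: int = 60) -> str:
    """Time-based code like a display-only token: it depends on the clock
    alone, so it says nothing about which transaction it is meant to approve."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[-4:], "big") % 1_000_000)


def challenge_for(transfer: Transfer, nonce: bytes) -> bytes:
    """The challenge the bank shows (or texts) the user: it names the
    transaction, so the user can read what they are about to approve."""
    return f"{transfer.destination}|{transfer.amount_cents}|{nonce.hex()}".encode()


def token_response(secret: bytes, challenge: bytes) -> str:
    """What the user's device computes over the challenge it was shown."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending: Dict[bytes, Transfer] = {}  # nonce -> transfer issued for

    def submit_passive(self, transfer: Transfer, code: str, unix_time: int) -> bool:
        """Accepts the code for ANY transfer inside the same time window."""
        return hmac.compare_digest(passive_code(self.secret, unix_time), code)

    def start_transfer(self, transfer: Transfer) -> Tuple[bytes, bytes]:
        nonce = os.urandom(8)
        self.pending[nonce] = transfer
        return nonce, challenge_for(transfer, nonce)

    def submit_active(self, transfer: Transfer, nonce: bytes, response: str) -> bool:
        """Verify the response over the transfer the bank would actually execute.

        A response computed for a different destination or amount fails, and
        each nonce is consumed on success so a captured response cannot be
        replayed."""
        if nonce not in self.pending:
            return False
        expected = token_response(self.secret, challenge_for(transfer, nonce))
        if not hmac.compare_digest(expected, response):
            return False
        del self.pending[nonce]
        return True


def mitm_demo(unix_time: int = 1_152_600_000):
    """Relay the victim's credential for the attacker's transfer under both
    schemes; returns (passive_abused, active_abused, active_legit, replayed)."""
    bank = Bank(TOKEN_SECRET)
    victim_transfer = Transfer("victim-landlord-account", 75_000)
    attacker_transfer = Transfer("attacker-mule-account", 750_000)

    # Passive: the victim types the code into the phishing page and the
    # phisher relays it for a completely different transfer within the minute.
    code = passive_code(TOKEN_SECRET, unix_time)
    passive_abused = bank.submit_passive(attacker_transfer, code, unix_time + 30)

    # Active: the challenge the victim answers names the victim's transfer;
    # relaying that response for the attacker's transfer does not verify.
    nonce, challenge = bank.start_transfer(victim_transfer)
    response = token_response(TOKEN_SECRET, challenge)
    active_abused = bank.submit_active(attacker_transfer, nonce, response)
    active_legit = bank.submit_active(victim_transfer, nonce, response)
    replayed = bank.submit_active(victim_transfer, nonce, response)
    return passive_abused, active_abused, active_legit, replayed


if __name__ == "__main__":
    print(mitm_demo())  # (True, False, True, False)
```

The remaining gap is a relay in which the attacker starts their own transfer and forwards the bank's challenge to the victim; that is why the challenge (or the SMS carrying it) must show the destination and amount in a form the user can read.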

One Fix - Note for Firefox Developers (4, Interesting)

fdiskne1 (219834) | more than 7 years ago | (#15697008)

I know this won't fix all problems with phishing emails, but it should fix one factor of it. Could those who contribute their programming skills to Firefox make it so the actual domain of the site you are at is highlighted? This means that if you are at a site

http://citibusinessonline.da.us.citibank.com.tufel-club.ru/sahdlhasal

Firefox would display it as:

http://citibusinessonline.da.us.citibank.com. tufel-club.ru /sahdlhasal

I know some victims refuse to think about it at all and refuse to even look at the URL but this would give them one more tool to use to possibly see it is a scam.
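Added example, not code from the thread and not Firefox code: pick out the registrable domain of a URL so a UI could highlight it, which is what the post asks for. Real browsers consult the Public Suffix List; the SUFFIXES set here is a constructed stand-in covering only the cases shown.

```python
"""
Added example, not code from the thread or from Firefox: extract the
registrable domain of a URL so a browser UI could highlight it. Real browsers
consult the Public Suffix List; SUFFIXES is a constructed stand-in covering
only the cases demonstrated here.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed subset of public suffixes; a real check needs the full list.
SUFFIXES = {"com", "net", "org", "ru", "uk", "co.uk", "org.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the part of a hostname that someone actually registered.

    That is the rightmost public suffix plus one label; every label to its
    left (however bank-like) is just a subdomain the registrant chose.
    """
    host = hostname.lower().rstrip(".")
    if ":" in host or all(label.isdigit() for label in host.split(".")):
        return host  # IP literal: there is no registrable domain to pick out
    labels = host.split(".")
    # Scan from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown TLD: assume a single-label suffix


def highlight(url: str, left: str = "[", right: str = "]") -> str:
    """Mark the registrable domain inside the host part of a URL.

    Userinfo before '@' is left unmarked, so 'citibank.com@evil.example'
    is shown with evil.example highlighted, not citibank.com.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return url
    reg = registrable_domain(host)
    netloc = parts.netloc
    end = netloc.lower().rfind(host) + len(host)  # the hostname ends here
    start = end - len(reg)
    marked = netloc[:start] + left + netloc[start:end] + right + netloc[end:]
    return urlunsplit((parts.scheme, marked, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for sample in (
        "http://citibusinessonline.da.us.citibank.com.tufel-club.ru/sahdlhasal",
        "https://online.citibank.com/login",
        "https://www.citibank.com@evil.example/login",
    ):
        print(highlight(sample))
```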
