TidBITS: TidBITS Talk

Re: Phishing susceptibility #12

edward@tidbits.com — Thu, 14 Aug 2008 15:08:20 GMT

At 11:08 08/13/08 -0700, Dave Clark wrote:
>My business bank HQ'd in Long Beach, CA, uses an image that I
>recognize on its login screen and that can be reset, and it also asks
>me a pre-set question about things only I would know -- like what year
>did I buy my first automobile. There are a set of questions that get
>rotated at random, and I can change them.

Both of these methods can be very useful, but unfortunately are often
poorly implemented.

The "recognized image" method, where I've encountered it, has neither
allowed me to upload my own image, nor made it easy to pick an image from
their library, nor provided any method of synchronizing images between
institutions. Since I can't upload my own image, it's unlikely that the
image will be particularly recognizable. Since I can't sync images, I
already have nearly a dozen images that I'm supposed to instantly
recognize. They usually present the image library randomly and only three
or nine (I forget) images at a time, making browsing the library painful.
And even if an image I've used elsewhere is in the library, finding it is
nearly impossible.

A method by which I can challenge the bank to prove its authenticity is
certainly welcome, but so far the implementations are inadequate, the ones
I've seen anyway.

Questions are usually poor, often things that are public record. My
mother's maiden name is not only public record, but is very unusual and
thus discussed in public. Figuring out where and when I graduate from high
school and college is a no-brainer. The one mentioned about date of first
automobile acquisition is better, but once DOB is established, probably
three or four guesses will get the first car 90% of the time. I've been
asked the name of my first college roommate, which is probably a good
question -- it even took me a minute to remember, and I don't know where
I'd look it up if I had to. OTOH, for those who entered college much more
recently (it's been over 40 years for me), there may be a lot more people
around who know the answer, and in recent years it's likely that blogs,
Facebook, MySpace, etc may hold the answers.

The idea of proving my identity by "what I know" is much harder than most
people assume. As a result, I refuse to provide these answers when I'm
given a choice. When I am forced to provide answers, I often give
fictitious answers and put these into my encrypted password database (which
I make sure is backed up in several locations). Of course, my luck has it
that the very ones for which I do this are the ones which notice that my IP
address has moved to a different network and ask the "security" questions
to "validate" my identity.

One hopes that the banks are at least keeping stats on whether their
methods reduce fraud, which has to be the goal since total elimination is
impossible. I wonder, though, to what extent they are actually just
grasping at straws.

Edward

Edward
--
Art works by Melynda Reid: http://paleo.org

Re: Phishing susceptibility #13

Lewis_Butler@tidbits.com — Thu, 14 Aug 2008 15:08:20 GMT

On 13-Aug-2008, at 04:09, Lukas Mathis wrote:
> Totally unrelated to the topic at hand, of course. I'm a bit confused
> about the people claiming that anti-phishing features are bad.

Any security feature that is, at its core, reactive is a bad thing.
It gives lusers a false sense of security instead of educating them to
become users. The antiphising measures taken in he browsers might be
catching most phishing attempts, but the very existence of those
features means that any phishing they miss is almost guaranteed to work.

Re: Phishing susceptibility #14

John_C._Welch@tidbits.com — Fri, 15 Aug 2008 10:08:23 GMT

On 8/14/08 11:20 AM, "LewisGmail" <gkremegmail.com> wrote:

> On 13-Aug-2008, at 04:09, Lukas Mathis wrote:
>> Totally unrelated to the topic at hand, of course. I'm a bit confused
>> about the people claiming that anti-phishing features are bad.
>
> Any security feature that is, at its core, reactive is a bad thing.
> It gives lusers a false sense of security instead of educating them to
> become users. The antiphising measures taken in he browsers might be
> catching most phishing attempts, but the very existence of those
> features means that any phishing they miss is almost guaranteed to work.

I'd be surprised if they were even catching "most". I've yet to see any
stats on such things that are even vaguely trustworthy.

--
John C. Welch

Re: Phishing susceptibility #15

edward@tidbits.com — Fri, 15 Aug 2008 10:08:23 GMT

At 08:20 08/14/08 -0700, LewisGmail wrote:
>the very existence of those features means that any phishing they miss is
>almost guaranteed to work

A form of autopilot syndrome.

Edward
--
Art works by Melynda Reid: http://paleo.org

Re: Phishing susceptibility #16

u.huth@tidbits.com — Fri, 15 Aug 2008 10:08:23 GMT

am 14.08.2008 11:04 Uhr schrieb tidbits-talktidbits.com unter
tidbits-talktidbits.com:

>> In return, the bank encrypts their data (e.g. the account statement) with
>> their private key, I download that data and decrypt it with the banks public
>> key.
>
> That would kind of mean that everyone with the public key could
> decrypt the data, and since the public key is typically public... :-)
>
> You encrypt with the public key and decrypt with the private key (only
> the owner of the private key can decrypt messages).
> You sign with the private key and verify signatures with the public
> key (only the owner of the private key can sign messages).

Well, ok, so I mixed the keys... ;-)

However, I don't know whether the scheme my program and the bank uses
qualifies as public / private key. I used that only as an example.

Fact is, that my program generates a pair of keys. One of which I keep and
the other I personally hand over to the bank on a sheet of paper. The bank,
too, generates a pair of keys. One they keep and one which I get printed on
a sheet of paper.

With these keys the transfers between me and the bank are encrypted and
decrypted. For each customer who uses this program, another set of pairs of
keys is generated.

Unless someone steals the sheet whereupon the keys are printed, there's no
chance that messages can be decrypted or encrypted by the wrong person.

Udo

Re: Phishing susceptibility #17

Lukas.M@this.li — Sat, 16 Aug 2008 08:08:45 GMT

I wrote:
>> I'm a bit confused about the people claiming that anti-phishing
>> features are bad.

Lewis Butler replied:
> Any security feature that is, at its core, reactive is a bad thing.
> It gives lusers a false sense of security instead of educating them to
> become users.

That is an idealistic view. In reality, many people will never become
"computer literate" enough to avoid clicking on suspect links.
Additionally, some phishing techniques are clever enough that they can
fool even careful, educated people. Being able to get information
about the url in your browser's address bar is useful for your
"lusers" (or, as I like to call them, "normal people" - I typically
try not to insult my parents) and pros alike.

By your logic, Windows users should not use Antivirus apps, because
they should instead be educated enough not to catch viruses in the
first place. Perhaps they should, but there is no way to reach this
goal. And by your logic, safety belts are bad because people should
not crash their cars in the first place. They should not, but do, and
always will.

A lot of useful security features are at their core reactive. Being
reactive alone does not make them "bad."

Lukas

Re: Phishing susceptibility #18

brausch@owt.com — Sat, 16 Aug 2008 08:08:45 GMT

"One hopes that the banks are at least keeping stats on whether their methods reduce fraud, which has to be the goal since total elimination is impossible. I wonder, though, to what extent they are actually just grasping at straws."

Actually reducing fraud is a minor concern. The major item is that the law requires banks to have a second authentication mechanism. Pick a picture or answer more questions is just the cheapest to implement of the available choices. I work at a credit union and wrote our internet banking system. We wouldn't have added this type of stuff if it wasn't required. It is a pain for our members and for the most part provides the illusion of security.

One method that I've seen and like a lot (and may try to convince the powers that be here) is the idea of a phone confirmation call when a member tries to log in. The member would register a phone number that gets called. They press 1 to continue, hangup to not allow, for example.

Re: Phishing susceptibility #19

miraz065@tidbits.com — Sat, 16 Aug 2008 15:08:59 GMT

On Sat, Aug 16, 2008 at 20:45, Bill Rausch <brauschowt.com> wrote:

> One method that I've seen and like a lot (and may try to convince the powers that be here) is the idea of a phone confirmation call when a member tries to log in. The member would register a phone number that gets called. They press 1 to continue, hangup to not allow, for example.

My bank uses a thing they call Netcode. If a transaction exceeds a
certain dollar limit (that I can reduce if I like) they send a 6 or 7
digit number via SMS to my cellphone. I must enter that number on the
webpage within a couple of minutes to confirm the transaction. The SMS
message also has an ID number they quote on the page - handy for when
I double click by mistake for example, generating more than 1 SMS.

It works quite well.

Cheers,

Miraz

Re: Phishing susceptibility #20

Ewen@tidbits.com — Sat, 16 Aug 2008 15:08:59 GMT

We had a bank that sent text messages with a once only password for confirmation. The problem with this is that they would not send to an out of country phone number, and we normally live out of country. This sort of approach can therefore create problems for people who travel a lot and need acccess to on-line banking from overseas.

E

Re: Phishing susceptibility #21

John_C._Welch@tidbits.com — Sat, 16 Aug 2008 15:08:59 GMT

On 8/16/08 4:45 AM, "Lukas Mathis" <Lukas.Mthis.li> wrote:

> That is an idealistic view. In reality, many people will never become
> "computer literate" enough to avoid clicking on suspect links.
> Additionally, some phishing techniques are clever enough that they can
> fool even careful, educated people. Being able to get information
> about the url in your browser's address bar is useful for your
> "lusers" (or, as I like to call them, "normal people" - I typically
> try not to insult my parents) and pros alike.

And what happens when the phishers take apart the algorithms used to make
the browsers flash warnings?

--
John C. Welch

Re: Phishing susceptibility #22

John_C._Welch@tidbits.com — Sat, 16 Aug 2008 15:08:59 GMT

On 8/16/08 4:45 AM, "Bill Rausch" <brauschowt.com> wrote:

> Actually reducing fraud is a minor concern. The major item is that the law
> requires banks to have a second authentication mechanism. Pick a picture or
> answer more questions is just the cheapest to implement of the available
> choices. I work at a credit union and wrote our internet banking system. We
> wouldn't have added this type of stuff if it wasn't required. It is a pain for
> our members and for the most part provides the illusion of security.
>
> One method that I've seen and like a lot (and may try to convince the powers
> that be here) is the idea of a phone confirmation call when a member tries to
> log in. The member would register a phone number that gets called. They press
> 1 to continue, hangup to not allow, for example.

It's more expensive, but two-factor auth with hardware tokens would be a
better option.

--
John C. Welch

Re: Phishing susceptibility #23

dc19991@tidbits.com — Sat, 16 Aug 2008 19:08:08 GMT

On Aug 16, 2008, at 8:59 AM, John C. Welch wrote:

> It's more expensive, but two-factor auth with hardware tokens would
> be a
> better option.

For us Dummies, could you explain this? Thanks.

Dave

Re: Phishing susceptibility #24

cdevers@tidbits.com — Mon, 18 Aug 2008 10:08:34 GMT

On Sat, 16 Aug 2008, Dave Clark wrote:

> On Aug 16, 2008, at 8:59 AM, John C. Welch wrote:
>
> > It's more expensive, but two-factor auth with hardware tokens would
> > be a better option.
>
> For us Dummies, could you explain this? Thanks.

First dummy tip: Google.

First hit for "two-factor auth" goes to Wikipedia:
http://en.wikipedia.org/wiki/Two-factor_authentication

    An authentication factor is a piece of information and process used
    to authenticate or verify a person's identity for security purposes.
    Two-factor authentication (T-FA) is a system wherein two different
    factors are used to authenticate. Using two factors as opposed to
    one delivers a higher level of authentication assurance. Using more
    than one factor is sometimes called strong authentication.

Broadly speaking, there are three ways to authenticate a system, that
is, to verify that you are who you say you are. The three ways are:

  * something you know (such as a password, PIN...)
  * something you have (such as a credit card, smart card, ID, token...)
  * something you are. (such as a fingerprint, retinal scan, voice...)

In general, a two-factor auth system demands an item from at least two
of these categories.

At an ATM machine, you present your card (something you have), then
enter your PIN (something you know).

On some new laptops (Thinkpads & maybe some others), you can augment the
old password login (something you know) with a thumbprint reader
(something you are).

The system John is referring to has to do with keychain fobs from a
company such as RSA or Cryptocard. These cards have a little display
with a random number on it. Logging on to a system protected by such a
system generally means entering both a memorized password (something you
know) along with the currently displayed number (something you have).
That way, if the security token is lost, other people can't log in (they
don't know your password) and accidentally revealing your password isn't
as big of a deal (because they also need your keychain to get in).

--
Chris Devers

Re: Phishing susceptibility #25

Lewis_Butler@tidbits.com — Mon, 18 Aug 2008 10:08:34 GMT

On 16-Aug-2008, at 02:45, Lukas Mathis wrote:
> I wrote:
>>> I'm a bit confused about the people claiming that anti-phishing
>>> features are bad.
>
> Lewis Butler replied:
>> Any security feature that is, at its core, reactive is a bad thing.
>> It gives lusers a false sense of security instead of educating them
>> to become users.
>
> That is an idealistic view. In reality, many people will never
> become "computer literate" enough to avoid clicking on suspect links.

The point still stands. Having a REACTIVE system of security is
stupid, and guarantees a failure of the system whenever a new threat
comes along. This is why people with Anti-Virus software get infected
in the windows world. Someone HAS to be in order for the AV to be
updated.

> Additionally, some phishing techniques are clever enough that they
> can fool even careful, educated people. Being able to get
> information about the url in your browser's address bar is useful
> for your "lusers" (or, as I like to call them, "normal people" - I
> typically try not to insult my parents) and pros alike.

If phishing techniques can fool someone being careful then there is a
real problem with the system, isn't there? No amount of technology
will fix a broken system.

> By your logic, Windows users should not use Antivirus apps, because
> they should instead be educated enough not to catch viruses in the
> first place.

If there had been no anti-virus software, we would have a much more
secure Windows and a couple of orders of magnitude less viruses. Or
Windows would have gone away as a platform choice.

> Perhaps they should, but there is no way to reach this goal. And by
> your logic, safety belts are bad because people should not crash
> their cars in the first place. They should not, but do, and always
> will.

Safety != Security, something it seems very few Americans currently
understand.

Re: Phishing susceptibility #26

John_C._Welch@tidbits.com — Mon, 18 Aug 2008 10:08:34 GMT

On 8/16/08 3:08 PM, "Dave Clark" <dc1999gmail.com> wrote:

>> It's more expensive, but two-factor auth with hardware tokens would
>> be a
>> better option.
>
> For us Dummies, could you explain this? Thanks.

Well, a very simple version of two-factor auth with hardware tokens is your
ATM card.

It's something you know, such as a PIN and something you have, like your ATM
card. One without the other is useless.

For online banking, you'd have a hardware token, (most fit on a keychain,
and tend to be called "keyfobs") that can generate a random passphrase. So,
you use that in conjunction with a PIN when you log in.

It does a phisher no good to have your pin without the keyfob, and it does
them no good to have the keyfob without the pin, (although most pins can be
sussed out with ease).

Even if they fake a page, and you enter in your pin and the passphrase from
the keyfob, it does them little good, as that passphrase has a lifetime of
seconds, so you'd have to have a way to intercept that passphrase and
nigh-immediately use it for it to be of use to you.

While the most well-known version of such things is made by RSA, in my
experience, I much prefer CryptoCard, as they are not hobbled by only
working well with Windows ala RSA. In fact, implementing two-factor auth is
in my long term network plans as it tends to eliminate the worst parts of
human-created passwords.

--
John C. Welch

Re: Phishing susceptibility #27

dc19991@tidbits.com — Mon, 18 Aug 2008 10:08:34 GMT

On Aug 16, 2008, at 12:51 PM, Chris Devers wrote:

> On Sat, 16 Aug 2008, Dave Clark wrote:
>
>> On Aug 16, 2008, at 8:59 AM, John C. Welch wrote:
>>
>>> It's more expensive, but two-factor auth with hardware tokens would
>>> be a better option.
>>
>> For us Dummies, could you explain this? Thanks.
>
> First dummy tip: Google.
>
> First hit for "two-factor auth" goes to Wikipedia:
> http://en.wikipedia.org/wiki/Two-factor_authentication

Well, that's why I have a large collection of Dummies' books.
Sometimes I forget that Google ss The Fount of All Knowledge!!!

Dave

Re: Phishing susceptibility #28

kevinv@tidbits.com — Mon, 18 Aug 2008 10:08:34 GMT

--On August 16, 2008 8:59:56 AM -0700 Miraz Jordan <mirazfirstbite.co.nz>
wrote:

> On Sat, Aug 16, 2008 at 20:45, Bill Rausch <brauschowt.com> wrote:
>
>> One method that I've seen and like a lot (and may try to convince the
>> powers that be here) is the idea of a phone confirmation call when a
>> member tries to log in. The member would register a phone number that
>> gets called. They press 1 to continue, hangup to not allow, for example.
>
> My bank uses a thing they call Netcode. If a transaction exceeds a
> certain dollar limit (that I can reduce if I like) they send a 6 or 7
> digit number via SMS to my cellphone. I must enter that number on the
> webpage within a couple of minutes to confirm the transaction. The SMS
> message also has an ID number they quote on the page - handy for when
> I double click by mistake for example, generating more than 1 SMS.

Two-factor authentication isn't a solution for many phishing issues.
Here's Bruce Schneier opinion on this, specifically mentioning the SMS
method, from 2005.

<http://www.schneier.com/blog/archives/2005/03/the_failure_of.html>

One reason 2 factor authentication isn't a panacea is the Man-in-the-middle
attack. You go to a web site via phishing e-mail. Looks like your bank and
you login. You get a SMS message with the 2nd authentication password, you
enter the SMS info. What happens in the back ground is the server you've
connected to is logging into your bank with your info at the same time you
enter the info into the bogus site. You get the SMS note as expected and
then promptly give it to the bogus site, which uses it to login to your
real account and do what it wants.

Re: Phishing susceptibility #29

kevinv@tidbits.com — Mon, 18 Aug 2008 10:08:34 GMT

--On August 16, 2008 8:59:56 AM -0700 "John C. Welch" <jwelchbynkii.com>
wrote:
>> One method that I've seen and like a lot (and may try to convince the
>> powers that be here) is the idea of a phone confirmation call when a
>> member tries to log in. The member would register a phone number that
>> gets called. They press 1 to continue, hangup to not allow, for example.
>
> It's more expensive, but two-factor auth with hardware tokens would be a
> better option.

A real-world example of how to phish for 2 factor authentication. A bank
issued a pad of paper to customers with one time passwords on them (this
takes the place of the hardware tokens above.)

<http://www.finextra.com/fullstory.asp?id=14384>

All a hardware token would do is keep the user from giving multiple
passwords to the phishing site. They could still login immediately with the
info from the token.

Re: Phishing susceptibility #30

treycampbell@tidbits.com — Mon, 18 Aug 2008 10:08:34 GMT

Two-factor authentication combines two independent factors to give you more confidence in the authentication process. Choose any two from: something you have, something you know, and something you are/do. It's commonly implemented as something that you have (like the hardware token that John mentioned) with something that you know (typically a PIN code or the like).

For example, the system that I use at work combines a 4-digit PIN (what I know) and a 6-digit number that my security token generates (what I have). The token is associated with me, so the authentication system knows what number it should be showing at any given time. The number changes every minute. To successfully authenticate, I have to supply the correct PIN and the number that my token should be displaying when I'm trying to authenticate.

Trey

Re: Phishing susceptibility #31

John_C._Welch@tidbits.com — Tue, 19 Aug 2008 12:08:38 GMT

On 8/18/08 6:34 AM, "Kevin van Haaren" <kevinvanhaaren.net> wrote:

>> My bank uses a thing they call Netcode. If a transaction exceeds a
>> certain dollar limit (that I can reduce if I like) they send a 6 or 7
>> digit number via SMS to my cellphone. I must enter that number on the
>> webpage within a couple of minutes to confirm the transaction. The SMS
>> message also has an ID number they quote on the page - handy for when
>> I double click by mistake for example, generating more than 1 SMS.
>
> Two-factor authentication isn't a solution for many phishing issues.
> Here's Bruce Schneier opinion on this, specifically mentioning the SMS
> method, from 2005.
>
> <http://www.schneier.com/blog/archives/2005/03/the_failure_of.html>
>
> One reason 2 factor authentication isn't a panacea is the Man-in-the-middle
> attack. You go to a web site via phishing e-mail. Looks like your bank and
> you login. You get a SMS message with the 2nd authentication password, you
> enter the SMS info. What happens in the back ground is the server you've
> connected to is logging into your bank with your info at the same time you
> enter the info into the bogus site. You get the SMS note as expected and
> then promptly give it to the bogus site, which uses it to login to your
> real account and do what it wants.

That's just bad 2-factor then. Ideally, that password has a lifetime just
long enough for you to enter it.

--
John C. Welch

Re: Phishing susceptibility #32

John_C._Welch@tidbits.com — Tue, 19 Aug 2008 12:08:38 GMT

On 8/18/08 6:34 AM, "Kevin van Haaren" <kevinvanhaaren.net> wrote:

>>> One method that I've seen and like a lot (and may try to convince the
>>> powers that be here) is the idea of a phone confirmation call when a
>>> member tries to log in. The member would register a phone number that
>>> gets called. They press 1 to continue, hangup to not allow, for example.
>>
>> It's more expensive, but two-factor auth with hardware tokens would be a
>> better option.
>
> A real-world example of how to phish for 2 factor authentication. A bank
> issued a pad of paper to customers with one time passwords on them (this
> takes the place of the hardware tokens above.)
>
> <http://www.finextra.com/fullstory.asp?id=14384>
>
> All a hardware token would do is keep the user from giving multiple
> passwords to the phishing site. They could still login immediately with the
> info from the token.

Not in my experience. Both Cryptocard and RSA's passwords last just barely
long enough to type them in. In fact, I've had them expire WHILE I was
typing them in. Could it happen, sure, it's possible, but requiring a reauth
before you commit a transaction can deal with that fairly well.

And that's assuming you use one that generates passwords that you type in.
There's also USB keyfobs that you have to plug in to your computer, and the
website has the code to read them directly. A bit less convenient if you're
traveling, but for a phishing site to use that password, it would have to
replicate your bank's auth setup pretty perfectly.

--
John C. Welch

Re: Phishing susceptibility #33

kevinv@tidbits.com — Tue, 19 Aug 2008 12:08:38 GMT

--On August 18, 2008 3:34:12 AM -0700 "John C. Welch" <jwelchbynkii.com>
wrote:

> For online banking, you'd have a hardware token, (most fit on a keychain,
> and tend to be called "keyfobs") that can generate a random passphrase.
> So, you use that in conjunction with a PIN when you log in.

I have a 2 online banks and several credit cards that I work with online.
I can't wait to have 5 keyfobs on my keychain.

Re: Phishing susceptibility #34

kevinv@tidbits.com — Tue, 19 Aug 2008 12:08:38 GMT

--On August 18, 2008 3:34:12 AM -0700 "John C. Welch" <jwelchbynkii.com>
wrote:

> It does a phisher no good to have your pin without the keyfob, and it does
> them no good to have the keyfob without the pin, (although most pins can
> be sussed out with ease).
>
> Even if they fake a page, and you enter in your pin and the passphrase
> from the keyfob, it does them little good, as that passphrase has a
> lifetime of seconds, so you'd have to have a way to intercept that
> passphrase and nigh-immediately use it for it to be of use to you.

And if the fake page immediately logs into the bank with your info as you
enter it? They've got the fake screen that's over half the battle.
They've got a server, they got a web page that looks correct, they got you
to click a fake link, they got you to enter a password, they got you to
enter the 2nd piece of authentication. You really think they aren't going
to spend the time to write code that has the bogus server login to the bank
as you immediately?

Re: Phishing susceptibility #35

Lukas.M@this.li — Tue, 19 Aug 2008 12:08:38 GMT

I wrote:
> > That is an idealistic view. In reality, many people will never become
> > "computer literate" enough to avoid clicking on suspect links.
> > Additionally, some phishing techniques are clever enough that they can
> > fool even careful, educated people. Being able to get information
> > about the url in your browser's address bar is useful for your
> > "lusers" (or, as I like to call them, "normal people" - I typically
> > try not to insult my parents) and pros alike.

John C. Welch asked:
> And what happens when the phishers take apart the algorithms used to make
> the browsers flash warnings?

I'm not sure what algorithms you are talking about. Browsers mainly
use blacklists to identify phishing sites. The only way to get around
blacklists is to change the phishing site's address. The blacklists
are updated regularly, and Firefox downloads an update to its local
copy every 30 minutes.

And even if phishers do get a new address, and that new address is not
yet in a blacklist, and somebody goes to a phishing site by accident,
naïve users are no worse off than before because they would have
fallen for the phishing site before, and smart (or perhaps "cynical"
would be a better word :-) users are no worse off than before because
they will still be able to identify the phishing site.

Lewis Butler wrote:
>>> Any security feature that is, at its core, reactive is a bad thing.
>>> It gives lusers a false sense of security instead of educating them
>>> to become users.
>> That is an idealistic view. In reality, many people will never
>> become "computer literate" enough to avoid clicking on suspect links.
>The point still stands.

I don't see how. Many people will never be able to identify phishing
sites. Some protection is thus better than no protection.

Here are two recent examples, one from Coding Horror, and one that
happened to me a few days ago.

Jeff Atwood found this interesting phishing attempt. The phishers
hacked a legitimate site:
<http://www.codinghorror.com/blog/archives/001164.html>
Note how convincing the phishing attempt looks (to Windows users).
There is no way you can educate users to reliably detect such
sophisticated phishing attempts. The attack was caught by the Firefox
blacklist, by the way, but not by the IE blacklist (at the time of
Atwood's visit; IE catches it too by now).

Atwood asks:
"How do you protect naive users from cleverly designed FUI exploits
like this one? Can you imagine your mother doing a web search on
flowers -- flowers, for God's sake -- clicking on the search results
to a totally legitimate website, and correctly navigating the
resulting maze of fake UI, spurious javascript alerts, and download
dialogs?"

The second example is something that happened to me. A few days ago, a
friend of mine sent me a message on MSN's instant messaging system.
The message simply contained an http address. I clicked on the
address, which led me to a site which asked me to enter my MSN login
and password. The site looked reasonably like an official Microsoft
site (Microsoft uses all kinds of different URLs, so it's hard to
identify their sites by a site's URL).

It was, of course, a phishing site which would, upon a user's login,
send more messages to this new user's friends, but how would your
average person know this? The address was sent to me by a friend from
that friend's protected MSN account, so there was some level of trust
right from the get-go. Safari didn't alert me when I opened the
address. People are used to entering their Microsoft Passport
credentials; a lot of web sites accept them. I actually started
habitually typing my e-mail address before I thought "wait a minute,
what the heck is this?"

Here's more on this phishing attempt:
<http://www.raymond.cc/blog/archives/2008/06/14/beware-of-pics-for-msn-friends-phishing-websites/>

Blacklists are not perfect, of course. But they are better than
nothing, and Apple should (and probably will) implement them in
Safari.

>> Additionally, some phishing techniques are clever enough that they
>> can fool even careful, educated people. Being able to get
>> information about the url in your browser's address bar is useful
>> for your "lusers" (or, as I like to call them, "normal people" - I
>> typically try not to insult my parents) and pros alike.
>If phishing techniques can fool someone being careful then there is a
>real problem with the system, isn't there? No amount of technology
>will fix a broken system.

I'm not sure I understand the dichotomy. The system *is* technology.
Only technology can fix the system.

>> By your logic, Windows users should not use Antivirus apps, because
>> they should instead be educated enough not to catch viruses in the
>> first place.
>If there had been no anti-virus software, we would have a much more
>secure Windows and a couple of orders of magnitude less viruses. Or
>Windows would have gone away as a platform choice.

That's not how viruses work. Today's viruses work by social
engineering users to start executables. How can you make Windows more
secure without using some kind of virus detection software if you
can't trust users not to run malevolent software?

>> Perhaps they should, but there is no way to reach this goal. And by
>> your logic, safety belts are bad because people should not crash
>> their cars in the first place. They should not, but do, and always
>> will.
>Safety != Security, something it seems very few Americans currently
>understand.

Well, now that you've put my in my place by telling me that my analogy
is wrong, perhaps you could deign to explain how the difference
between safety and security relates to my analogy - I fail to see the
relation, but perhaps I'm missing something :-)

Lukas

Re: Phishing susceptibility #36

edward@tidbits.com — Tue, 19 Aug 2008 14:08:28 GMT

At 03:34 08/18/08 -0700, John C. Welch wrote:
>you'd have a hardware token, (most fit on a keychain, and tend to be
>called "keyfobs") that can generate a random passphrase.

For clarity, it should be pointed out that the generated token is
pseudo-random, not random. The generated token *appears* random and cannot
be predicted from external examination of the device, and ideally (to avoid
leaves no statistically detectable non-random trails. The latter is hard,
as a long chapter in Knuth demonstrates, but is important because any clues
might make it possible to guess the sequence.

For this technique to work, the keyfob and the remote system must be able
to both generate the same token. This requires that both be protected from
examination. I assume (but don't know for sure) that keyfobs use well-known
methods of embedding the chips into a substance (such as an epoxy resin)
which makes it impossible to examine the innards without destroying them
first. For the remote system, standard access control is used.

Von Neumann famously (quoted by Knuth) said that generating "random"
numbers by arithmetic means is a sin, but in this case it's actually a
necessity.

None of this changes the gist of the previously posted explanations.

Sending an SMS message with the key to a cell phone is a variant on "what
you have". In this case, "what you have" is a cell phone capable of
receiving messages at a previously determined number. This method would
make it possible to use truly random keys (for example, generated by
particle decay), though I don't know of any good reason to do so.

Edward
--
Art works by Melynda Reid: http://paleo.org

Re: Phishing susceptibility #37

BRausch@tidbits.com — Tue, 19 Aug 2008 14:08:28 GMT

The big problem with existing hardware tokens is that every bank account would need a different one using today's technology. (Also, they do cost considerably more than most other choices.) I have an account at several financial institutions (banks, credit unions, brokerages, retirement plans, ...) If they all required hardware tokens, I wouldn't have a big enough pocket to carry them all.

That's one good reason to go with a software approach. I do like the idea of an encrypted certificate but the logistics are intimidating (simply teaching people how to install and use them, distributing them in the first place, dealing with backups, ...).

So the holy grail is: 1) cheap 2) convenient 3) effective

So far there is no perfect solution. Most banks have settled for 1 and/or 2. Three is sort of a moving target in the war with the bad guys, especially when you add the human element to the equation. The basic idea that I discuss with my staff is to make sure that we are NOT the low hanging fruit.

Re: Phishing susceptibility #38

John_C._Welch@tidbits.com — Tue, 19 Aug 2008 14:08:28 GMT

On 8/19/08 8:38 AM, "Kevin van Haaren" <kevinvanhaaren.net> wrote:

>> For online banking, you'd have a hardware token, (most fit on a keychain,
>> and tend to be called "keyfobs") that can generate a random passphrase.
>> So, you use that in conjunction with a PIN when you log in.
>
> I have a 2 online banks and several credit cards that I work with online.
> I can't wait to have 5 keyfobs on my keychain.

Luckily, there aren't that many to choose from, and the banks that have
started using them have been fairly intelligent about how they're
implemented.

PayPal taking an early lead here, and being not a "bank" per se has made it
easier for other institutions to play nice with them.

--
John C. Welch

Re: Phishing susceptibility #39

John_C._Welch@tidbits.com — Tue, 19 Aug 2008 14:08:28 GMT

On 8/19/08 8:38 AM, "Kevin van Haaren" <kevinvanhaaren.net> wrote:

>> It does a phisher no good to have your pin without the keyfob, and it does
>> them no good to have the keyfob without the pin, (although most pins can
>> be sussed out with ease).
>>
>> Even if they fake a page, and you enter in your pin and the passphrase
>> from the keyfob, it does them little good, as that passphrase has a
>> lifetime of seconds, so you'd have to have a way to intercept that
>> passphrase and nigh-immediately use it for it to be of use to you.
>
> And if the fake page immediately logs into the bank with your info as you
> enter it? They've got the fake screen that's over half the battle.
> They've got a server, they got a web page that looks correct, they got you
> to click a fake link, they got you to enter a password, they got you to
> enter the 2nd piece of authentication. You really think they aren't going
> to spend the time to write code that has the bogus server login to the bank
> as you immediately?

Only if you live in a world of absolutely zero latency. Latency that works
against this scenario:

1) Time to enter in the password once you display it on the keyfob.
2) Time to send it to the phishing site/time to receive.
3) Time to package that information up in a way that can be sent to the bank
site
4) Time to actually send it to the bank site

While 3) is less than a second, 1 & 2 can take real time, as they depend on
the human, and 4) is a non-trivial, (in terms of password TTL) amount of
time.

That's assuming of course that the ONLY credentials needed are the
pin/password combo. Add in another test, and now you have three levels of
authentication in really the same two screens you have now.

--
John C. Welch

Re: Phishing susceptibility #40

John_C._Welch@tidbits.com — Tue, 19 Aug 2008 14:08:28 GMT

On 8/19/08 8:38 AM, "Lukas Mathis" <Lukas.Mthis.li> wrote:

> John C. Welch asked:
>> And what happens when the phishers take apart the algorithms used to make
>> the browsers flash warnings?
>
> I'm not sure what algorithms you are talking about. Browsers mainly
> use blacklists to identify phishing sites. The only way to get around
> blacklists is to change the phishing site's address. The blacklists
> are updated regularly, and Firefox downloads an update to its local
> copy every 30 minutes.

It's not solely blacklists, but thanks for bringing that up too, as another
reminder of how weak this entire concept is.

> And even if phishers do get a new address, and that new address is not
> yet in a blacklist, and somebody goes to a phishing site by accident,
> naïve users are no worse off than before because they would have
> fallen for the phishing site before, and smart (or perhaps "cynical"
> would be a better word :-) users are no worse off than before because
> they will still be able to identify the phishing site.

Exactly. Phishing is a HUMAN issue, and you can't fix the human with the
bits.

> Blacklists are not perfect, of course. But they are better than
> nothing, and Apple should (and probably will) implement them in
> Safari.

What happens when someone figures out how to hack the blacklists, and fill
them with so many false positives that you can't take them seriously? The
entire anti-phishing concept is based on not having false positives. It
won't take many to get people to think, "Oh that stuff doesn't work right,
just ignore it."

Bang, anti-phishing is dead.

>>> Additionally, some phishing techniques are clever enough that they
>>> can fool even careful, educated people. Being able to get
>>> information about the url in your browser's address bar is useful
>>> for your "lusers" (or, as I like to call them, "normal people" - I
>>> typically try not to insult my parents) and pros alike.
>> If phishing techniques can fool someone being careful then there is a
>> real problem with the system, isn't there? No amount of technology
>> will fix a broken system.
>
> I'm not sure I understand the dichotomy. The system *is* technology.
> Only technology can fix the system.

Phishing uses the system to play the human. Education and ACTUAL REAL JAIL
TIME AND PENALTIES FOR THE MORONS BUILDING THIS STUFF are the only answers.

<rant on>
Every time I see one of these moronic articles where some punk gets busted
writing this stuff and the penalty is barely a slap on the wrist and someone
hiring them to "help <company> be more secure", my blood boils. *Worldwide*,
the message is "There is no real penalty or long term downside to doing bad
things to people via computer.", and lo, it's a huge growth industry. Here's
one: You get busted running a phishing site, you have to make full
restitution, and you get 20 years in the friggin' pen. Not some minimum
security club either. Throw little johnny hacker in with the axe murderers
and the serial killers. Make getting caught something to be highly avoided,
and carry real penalties, and maybe the little dinks will think twice.

At the VERY least, it should make you a pariah in the computer field.
<rant off>

>>> By your logic, Windows users should not use Antivirus apps, because
>>> they should instead be educated enough not to catch viruses in the
>>> first place.
>> If there had been no anti-virus software, we would have a much more
>> secure Windows and a couple of orders of magnitude less viruses. Or
>> Windows would have gone away as a platform choice.
>
> That's not how viruses work. Today's viruses work by social
> engineering users to start executables. How can you make Windows more
> secure without using some kind of virus detection software if you
> can't trust users not to run malevolent software?

You can't. What he was doing is called "Blaming the victim". "If windows
weren't so insecure, we wouldn't have these problems". That's silly, but
it's a common reaction.

--
John C. Welch

Re: Phishing susceptibility #41

dr@tidbits.com — Wed, 20 Aug 2008 11:08:30 GMT

Dave Clark wrote:
> The bank is a bit old fashioned; it still features a picture of its
> founder in advertising. The only glitch was it took months to get an
> ATM card for my business. Dealing with them has been like a breath of
> fresh air after Behemoth Bank & Trust, who seemed to use branch
> managing as a trainee position for executives.

Of course they do. Which is why I get to change banks every 5 to 10 years. They get merged into bigger and bigger until the person sitting at the desk changes every month or so. Then I start looking again.

My current bank branch I've been with for about 15 years. There's a senior teller who's been there the entire time. She knows me. Knows my account. No mater what the issue if she's on duty I get it taken care of. But they are starting to get to be a real "big bank" and I might have to move on. :(

As to phishing, to be honest their web site has grown more confusing as they've grown and the marketing department has more control over the first page or two. Which makes it harder for me to know I'm at the right place. I just had a surprise surgery and needed my wife to do something I was going to do the next day. She wound up at a bogus site due to a typing error on the initial URL and since it wasn't her who normally went to this bank's site she didn't realize it at first. :(

David

Re: Phishing susceptibility #42

johnbaxterlists@tidbits.com — Wed, 20 Aug 2008 11:08:30 GMT

1. The Verisign device that PayPal offers (and subsidizes pretty
heavily) has 5 random decimal digits (it looks like 6, but the first
one cycles from 0 through 9). The rest is I believe generated by
counter + device-unique-key --> AES --> armwaving to get the 5
"random" digits. The first digit lets the server at Verisign stay in
step with the varying clock in the football. (If you don't use it for
long enough (a couple of months or so), you will notice that you're
asked for an additional code.) The credit-card-like device that
Verisign also offers uses 6 random digits (and the server gets
confused if you play with it too much).

2. Yubikey <http://www.yubico.com> looks quite interesting (and is a
USB "keyboard" device suitable for keychain). It produces a one-time
password each time a button on it is touched. Here are two (not
necessarily sequential):

fuurdurrngdffuvikrvtccdujcgrvlluljuihtbrlgfh
fuurdurrngdffijcgvlrkrtgtutrivubhurecidfduuc

The constant part at the front identifies this Yubikey to Yubico's
servers (an entity can use its own servers, and a bank would). The
rest combines two counters (non-resettable count of number of times
device is plugged into USB, and an incrementing counter this time it
was plugged in, and some other stuff, encoded as above. Unfortunately,
current Mac OS X blocks use as it can't identify the keyboard--this is
new behavior (those samples were produced on Vista and moved using
Evernote).

Hear also <http://www.grc.com/securitynow> Look for episode 143, and
some others.

3. I like the rather paranoid idea suggested recently in a MacWorld
discussion: enter a bad password first. If the "site" "lets you in",
it's not the real site. That pretty much eliminates 1password and
friends, I fear. I haven't started doing this.

4. I also use a unique email address per institution or other site.
If a message comes to any other address, it's not real no matter how
convincing. If the message comes to the right address, I still
examine the headers (raw source), and still don't click on links even
though I can see they aren't malicious. I go log in. (Should a phish
arrive at the proper address, that address gets changed.)

Re: Phishing susceptibility #43

dr@tidbits.com — Wed, 20 Aug 2008 11:08:30 GMT

Kevin van Haaren wrote:
> --On August 18, 2008 3:34:12 AM -0700 "John C. Welch" <jwelchbynkii.com>
> wrote:
>
>> For online banking, you'd have a hardware token, (most fit on a keychain,
>> and tend to be called "keyfobs") that can generate a random passphrase.
>> So, you use that in conjunction with a PIN when you log in.
>
> I have a 2 online banks and several credit cards that I work with online.
> I can't wait to have 5 keyfobs on my keychain.

My wife has a separate key ring in the car now to deal with the 3 grocery cards, 2 book stores, 3 office supply stores, etc... that we all carry around for the "discounts". I agree with you, more "key ring" things are not a grand idea IMHO.

David

Re: Phishing susceptibility #44

johnbaxterlists@tidbits.com — Wed, 20 Aug 2008 11:08:30 GMT

On Tue, Aug 19, 2008 at 8:58 AM, John Baxter <johnbaxterlistsgmail.com> wrote:
> 3. I like the rather paranoid idea suggested recently in a MacWorld
> discussion: enter a bad password first. If the "site" "lets you in",
> it's not the real site. That pretty much eliminates 1password and
> friends, I fear. I haven't started doing this.

Naturally, iff this is widely used, it won't last long: the phishing
site will just reject the first attempt.

Re: Phishing susceptibility #45

dr@tidbits.com — Wed, 20 Aug 2008 11:08:30 GMT

LewisGmail wrote:
> On 13-Aug-2008, at 04:09, Lukas Mathis wrote:
>> Totally unrelated to the topic at hand, of course. I'm a bit confused
>> about the people claiming that anti-phishing features are bad.
>
> Any security feature that is, at its core, reactive is a bad thing.
> It gives lusers a false sense of security instead of educating them to
> become users. The antiphising measures taken in he browsers might be
> catching most phishing attempts, but the very existence of those
> features means that any phishing they miss is almost guaranteed to work.
>
The problem is with people, not the computers. (Well our current crop of computers have design issues where security is an afterthought but that's a derivative of the people problem.)

I've been designing software for years. And have spend a large amount of that time dealing with people computer interactions. You call them lusers but in general most people don't think the way we programmers want them to. They think emotionally. This was finally driven home to me recently with an older adult. We were trying to get my mother-in-law to increase her deductible on her auto policy and also raise her liability limits. Premiums would be a wash or a savings. She has a ton of money in the bank. We explained why a $100 deductible (from when she got her first insurance 40 years ago) made no sense and the same with her liability limits of $30K. She resisted mightily. Finally she made the statement "If my policy needs to change then XXXXX (the insurance company) will tell me. After all they are the experts."

Most people want to trust the "experts". Thus they WANT to trust when someone calls asking to verify credit card numbers. They WANT to believe the email that tells them their bank needs them to click this link. They WANT to live in a world where they can trust folks. And they resist emotionally any attempt to tell them they can't trust the "email from their bank". Even though it's not really from the bank.

David

Re: Phishing susceptibility #46

dr@tidbits.com — Wed, 20 Aug 2008 11:08:30 GMT

Bill Rausch wrote:
> "One hopes that the banks are at least keeping stats on whether their
> methods reduce fraud, which has to be the goal since total
> elimination is impossible. I wonder, though, to what extent they are
> actually just grasping at straws."
>
> Actually reducing fraud is a minor concern. The major item is that
> the law requires banks to have a second authentication mechanism.
> Pick a picture or answer more questions is just the cheapest to
> implement of the available choices. I work at a credit union and
> wrote our internet banking system. We wouldn't have added this type
> of stuff if it wasn't required. It is a pain for our members and for
> the most part provides the illusion of security.
>
> One method that I've seen and like a lot (and may try to convince the
> powers that be here) is the idea of a phone confirmation call when a
> member tries to log in. The member would register a phone number that
> gets called. They press 1 to continue, hangup to not allow, for
> example.

Please no. I get calls all the time from various bogus 800 or out of area numbers. All I need is another call to come through that I can't identify. (Don't suppose if this catches on that firms will not spring up to do this for a fee and thus the calls will start coming from call centers that also called last week to ask you to vote for xxxx.) Also my phone line is in use at times. Tivo, teens, spouses, even me when doing banking.

David

Re: Phishing susceptibility #47

Lewis_Butler@tidbits.com — Wed, 20 Aug 2008 11:08:30 GMT

On 19-Aug-2008, at 06:38, Lukas Mathis wrote:
> It was, of course, a phishing site which would, upon a user's login,
> send more messages to this new user's friends, but how would your
> average person know this? The address was sent to me by a friend from
> that friend's protected MSN account, so there was some level of trust
> right from the get-go. Safari didn't alert me when I opened the
> address. People are used to entering their Microsoft Passport
> credentials; a lot of web sites accept them. I actually started
> habitually typing my e-mail address before I thought "wait a minute,
> what the heck is this?"

And anti-phishing features in browsers helped how?

For me, if 1Password doesn't autofill my name and password, I know
something is wrong. I use a utility that, in addition to giving me
easy access to my web passwords in any browser, also protects me from
phishing simply because of how it works. But even without 1password,
Safari would not remember the name and password for that site, so I
would have STILL be alerted.

Windows doesn't have a secure central keychain, and I think this one
of the best examples of how much better OS X is for the user.

> Blacklists are not perfect, of course. But they are better than
> nothing, and Apple should (and probably will) implement them in
> Safari

We (Me and countless others) tried blacklists for spam. It was never
successful. Even now, the best RBL out there (the zen list) which
combines blacklists with ISP's dynamic blocks and various others, only
slows the deluge of spam. Blacklists do not help stop phishing, and
therefore are useless. You need a better solution.

Phishing is not like spam. Spam is an irritant. Slowing it down is
useful in and of itself. Phishing is dangerous, and any solution that
doesn't STOP it is not a solution at all. One sucessful phishing
attempt is one too many.

I have one that works for me. Every site has a unique password. For
most sites, I have no idea what the password even is (In order to
login to my gmail from another machine I need to load up my
1password.html file on my my home machine, unlock it, find the gmail
password, and then type it in to the password dialog). No one can use
one password to get into a bunch of other accounts. Anytime a
supposed trusted site asks for my info, I take a long hard look to see
why the info wasn't autofilled.

>> If phishing techniques can fool someone being careful then there is a
>> real problem with the system, isn't there? No amount of technology
>> will fix a broken system.
>
> I'm not sure I understand the dichotomy. The system *is* technology.
> Only technology can fix the system.

Different systems. the system of creating websites that can be easily
replicated by others and that have inherently insecure login methods
cannot be fixed with technology, the system has to be changed to one
that doesn't have those flaws.

For example, my bank has an initial login (https) that loads a second
login screen with a custom graphic that I chose. This is impossible
for a phishing site to replicate (they changed the system). Now, there
are other issues with that, but man-in-middle attacks are a whole
nother kettle of fish.

>> If there had been no anti-virus software, we would have a much more
>> secure Windows and a couple of orders of magnitude less viruses. Or
>> Windows would have gone away as a platform choice.
>
> That's not how viruses work. Today's viruses work by social
> engineering users to start executables. How can you make Windows more
> secure without using some kind of virus detection software if you
> can't trust users not to run malevolent software?

That *is* how viruses work, by definition. What you are describing is
a trojan, which is something entirely different.

>>> Perhaps they should, but there is no way to reach this goal. And by
>>> your logic, safety belts are bad because people should not crash
>>> their cars in the first place. They should not, but do, and always
>>> will.
>> Safety != Security, something it seems very few Americans currently
>> understand.
>
> Well, now that you've put my in my place by telling me that my analogy
> is wrong, perhaps you could deign to explain how the difference
> between safety and security relates to my analogy - I fail to see the
> relation, but perhaps I'm missing something :-)

Safety belts (Safety) don't prevent someone stealing the radio out of
your car (security).

Re: Phishing susceptibility #48

Jon_Cohn@tidbits.com — Wed, 20 Aug 2008 11:08:30 GMT

The New York Times had a recent article on replacing passwords with "Information cards" to reduce phishing schemes.
The article is at http://www.nytimes.com/2008/08/10/technology/10digi.html?_r=1&sq=passwords%20web&st=cse&oref=slogin&scp=3&pagewanted=print

Re: Phishing susceptibility #49

kevinv@tidbits.com — Wed, 20 Aug 2008 12:08:11 GMT

--On August 19, 2008 7:28:32 AM -0700 "John C. Welch" <jwelchbynkii.com>
wrote:

> Only if you live in a world of absolutely zero latency. Latency that works
> against this scenario:
>
> 1) Time to enter in the password once you display it on the keyfob.
> 2) Time to send it to the phishing site/time to receive.
> 3) Time to package that information up in a way that can be sent to the
> bank site
> 4) Time to actually send it to the bank site
>
> While 3) is less than a second, 1 & 2 can take real time, as they depend
> on the human, and 4) is a non-trivial, (in terms of password TTL) amount
> of time.

Come on John, you're the one that assumes zero latency. You're assuming
when connecting to the real bank that there is zero latency between the
user and the bank. For the TTL levels you're setting if there is latency
between the user and the bank the user will never be able to login.

Because step 1 is dependent on humans typing, and most of us aren't that
great at typing, the TTL has to be pretty high or you're going to reject
too many people under false negatives. The total time involved in steps 2,
3 and 4 will be significantly less than the time that has to be allocated
for step 1.

The TTL also has to assume user may be on a dialup connection. That means
using a longer TTL just for slow connections, which the phishing site on a
compromised server doesn't have.

Step 3 is pretty much zero. If you write the phishing site form to work
exactly like the actual bank form (same field ID's etc...) then a simple
accept incoming, push to outgoing will work fine.

All the phisher is doing is setting up a proxy server that once the user is
authenticated they take over the session and do whatever they want. All
those enterprises with proxy servers aren't exactly complaining about
latencies in the tens of seconds, and any 2nd authentication TTL less than
that isn't exactly going to win over customers when they can't login.

Paypal's fob changes passwords every 30 seconds. You really think it's
going to take more than 30 seconds for steps 2-4?

> That's assuming of course that the ONLY credentials needed are the
> pin/password combo. Add in another test, and now you have three levels of
> authentication in really the same two screens you have now.

Oh lord, it's turtles all the way down!

<http://en.wikipedia.org/wiki/Turtles_all_the_way_down>

As long as user believes they are on the bank site, all the phisher has to
do is keep that proxy server running until the session is established. No
matter how many levels of authentication you go through.

Re: Phishing susceptibility #50

edward@tidbits.com — Wed, 20 Aug 2008 12:08:11 GMT

At 07:28 08/19/08 -0700, John C. Welch wrote:
>The entire anti-phishing concept is based on not having false positives.

Like trusted certificate chains.

>It won't take many to get people to think, "Oh that stuff doesn't work right,
>just ignore it." [...] Bang, anti-phishing is dead.

Which has already happened with certificate trust ... even I started
dismissing the warnings routinely a long time ago.

>Here's one: You get busted running a phishing site, you have to make full
>restitution, and you get 20 years in the friggin' pen.

I'm a 15yo kid in Russia or Nigeria. This *really* scares me.

Miriam Abacha

Re: Phishing susceptibility #51

edward@tidbits.com — Wed, 20 Aug 2008 12:08:11 GMT

Interesting post at

http://www.thesecuritypractice.com/

The most recent entry also appeared in comp.risks (where I first saw it).

Edward
--
Art works by Melynda Reid: http://paleo.org

Re: Phishing susceptibility #52

John_C._Welch@tidbits.com — Thu, 21 Aug 2008 14:08:21 GMT

On 8/20/08 7:30 AM, "LewisGmail" <gkremegmail.com> wrote:

> For me, if 1Password doesn't autofill my name and password, I know
> something is wrong. I use a utility that, in addition to giving me
> easy access to my web passwords in any browser, also protects me from
> phishing simply because of how it works. But even without 1password,
> Safari would not remember the name and password for that site, so I
> would have STILL be alerted.

Relying on Safari's autofill is relying on something that is easily, and
often turned off by the site itself. Quite a few banking sites disable
autofill. Then there's flash password boxes that autofill doesn't deal with.
(No, I don't care if Flash is evil. It's immaterial to this issue. It
exists, and autofill doesn't handle it well. That's the material bit.)

>
> Windows doesn't have a secure central keychain, and I think this one
> of the best examples of how much better OS X is for the user.

Of course, that's assuming the user doesn't autologin and has a different
unlock password for the keychain, which is not default behavior in OS X.
Which means by default the keychain is more convenient than secure.

> Phishing is not like spam. Spam is an irritant. Slowing it down is
> useful in and of itself. Phishing is dangerous, and any solution that
> doesn't STOP it is not a solution at all. One sucessful phishing
> attempt is one too many.

There hasn't been, isn't, and never will be any form of perfect solution to
anything. What you get are a series of imperfect solutions that end up doing
the job well enough. If you're waiting for perfection, I recommend giving
up. Both have an equal success rate.

> For example, my bank has an initial login (https) that loads a second
> login screen with a custom graphic that I chose. This is impossible
> for a phishing site to replicate (they changed the system). Now, there
> are other issues with that, but man-in-middle attacks are a whole
> nother kettle of fish.

Did you pick the custom graphic from your hard drive that you personally
created, or was it from a list of graphics the bank has. I've only seen the
"choose from our list" one, and that's hardly impossible to fake.

--
John C. Welch

Re: Phishing susceptibility #53

John_C._Welch@tidbits.com — Thu, 21 Aug 2008 14:08:21 GMT

On 8/20/08 8:11 AM, "Kevin van Haaren" <kevinvanhaaren.net> wrote:

>> Only if you live in a world of absolutely zero latency. Latency that works
>> against this scenario:
>>
>> 1) Time to enter in the password once you display it on the keyfob.
>> 2) Time to send it to the phishing site/time to receive.
>> 3) Time to package that information up in a way that can be sent to the
>> bank site
>> 4) Time to actually send it to the bank site
>>
>> While 3) is less than a second, 1 & 2 can take real time, as they depend
>> on the human, and 4) is a non-trivial, (in terms of password TTL) amount
>> of time.
>
> Come on John, you're the one that assumes zero latency. You're assuming
> when connecting to the real bank that there is zero latency between the
> user and the bank. For the TTL levels you're setting if there is latency
> between the user and the bank the user will never be able to login.
>
> Because step 1 is dependent on humans typing, and most of us aren't that
> great at typing, the TTL has to be pretty high or you're going to reject
> too many people under false negatives. The total time involved in steps 2,
> 3 and 4 will be significantly less than the time that has to be allocated
> for step 1.

It's not high. I've regularly had the password expire while typing it in,
more with the RSA keys than the CryptoCard keys, since the latter don't
create the password until you tell it to. On the other hand, it means
CryptoCard passwords can expire a LOT faster

>
> The TTL also has to assume user may be on a dialup connection. That means
> using a longer TTL just for slow connections, which the phishing site on a
> compromised server doesn't have.

Not at all. Network speed issues are not as much of an issue in this case as
human ones.

>
> Step 3 is pretty much zero. If you write the phishing site form to work
> exactly like the actual bank form (same field ID's etc...) then a simple
> accept incoming, push to outgoing will work fine.
>
> All the phisher is doing is setting up a proxy server that once the user is
> authenticated they take over the session and do whatever they want. All
> those enterprises with proxy servers aren't exactly complaining about
> latencies in the tens of seconds, and any 2nd authentication TTL less than
> that isn't exactly going to win over customers when they can't login.
>
> Paypal's fob changes passwords every 30 seconds. You really think it's
> going to take more than 30 seconds for steps 2-4?

Then kill the passwords faster, or add another layer after the password
entry.

>
>> That's assuming of course that the ONLY credentials needed are the
>> pin/password combo. Add in another test, and now you have three levels of
>> authentication in really the same two screens you have now.
>
> Oh lord, it's turtles all the way down!
>
> <http://en.wikipedia.org/wiki/Turtles_all_the_way_down>
>
> As long as user believes they are on the bank site, all the phisher has to
> do is keep that proxy server running until the session is established. No
> matter how many levels of authentication you go through.

If you're demanding a perfect security system, then I recommend DNA
encoding, and your bank only allowing you to make transactions in person
with DNA verification for every transaction, even within a visit. That won't
be perfect security, but it will approach it rather well.

However, I don't see the "must draw blood and never bank over the phone, use
checks or the internet ever again" system gaining a lot of traction.
Everything else is a compromise, and out of what is available TODAY,
two-factor initial auth with a reauth layer is going to do the job a LOT
better than what most people are using.

--
John C. Welch

Re: Phishing susceptibility #54

John_C._Welch@tidbits.com — Thu, 21 Aug 2008 14:08:21 GMT

On 8/20/08 8:11 AM, "Edward Reid" <edwardpaleo.org> wrote:

>> Here's one: You get busted running a phishing site, you have to make full
>> restitution, and you get 20 years in the friggin' pen.
>
> I'm a 15yo kid in Russia or Nigeria. This *really* scares me.

If we get all the nations to agree to it, then yeah, it will. Prisons in the
US suck, but they are MUCH better than say Russia. Insane Soviet Special
Forces folks make for bad cellmates.

Again, there's no perfect solution, but the current "Let's not take this
seriously" system is a COMPLETE failure.

--
John C. Welch

Re: Phishing susceptibility #55

Carl_S_Zimmerman@tidbits.com — Thu, 21 Aug 2008 14:08:21 GMT

On Aug 16, Lukas Mathis wrote in part:
>By your logic, Windows users should not use Antivirus apps, because
>they should instead be educated enough not to catch viruses in the
>first place.

Lukas has entirely missed the logic of Lewis Butler and others with
respect to phishing.

Viruses etc. depend on technology to do their dirty work. In almost
all cases, by the time a user could gather enough information to act,
the damage is already done. Therefore, in the absence of
technological assistance, all the user education in the world would
be of little use.

Phishing, on the other hand, depends on tricking the user to take a
potentially harmful action which is superficially innocuous.
Therefore, educating the user to be watchful for such trickery is the
only defense against phishing which has the potential to be 100%
effective. And anything which lulls the user into being less
watchful increases the risk, rather than decreasing it.

This is *not* to say that technology *cannot* be useful in taking
precautions against phishing. It only means that for anti-phishing
techology to be truly effective, it must take human factors into
account in such a way that it does not lull the user into being less
watchful.

Re: Phishing susceptibility #56

Lukas.M@this.li — Thu, 21 Aug 2008 14:08:41 GMT

In Reply to Lewis Butler.

>> Safari didn't alert me when I opened the
>> address. People are used to entering their Microsoft Passport
>> credentials; a lot of web sites accept them. I actually started
>> habitually typing my e-mail address before I thought "wait a minute,
>> what the heck is this?"
>And anti-phishing features in browsers helped how?

That's kind of the point: They didn't help, because I was using
Safari, and Safari has none. Had I been using Firefox, it would have
immediately been obvious that the site was a phishing site.

>Safari would not remember the name and password for that site, so I
>would have STILL be alerted.

Alerted to what? To the fact that you had never been to this site? You
already knew that.

1password is a great tool to detect phishing attacks that target sits
you visit regularly. It's useless at detecting phishing attacks from
sites you don't normally visit.

>> Blacklists are not perfect, of course. But they are better than
>> nothing, and Apple should (and probably will) implement them in
>> Safari
>We (Me and countless others) tried blacklists for spam. It was never
>successful.

That is incorrect. To this day, blacklists are used to block large
parts of all spam.

>>> If there had been no anti-virus software, we would have a much more
>>> secure Windows and a couple of orders of magnitude less viruses. Or
>>> Windows would have gone away as a platform choice.
>> That's not how viruses work. Today's viruses work by social
>> engineering users to start executables. How can you make Windows more
>> secure without using some kind of virus detection software if you
>> can't trust users not to run malevolent software?
>That *is* how viruses work, by definition. What you are describing is
>a trojan, which is something entirely different.

You are not refuting my point, you are arguing semantics. We are
talking about anti-virus software. I assumed you meant "things which
anti-virus software is used against" when you said "viruses" as this
is the only interpretation of your original statement which makes
sense.

By your own definition of "viruses," Windows is already practially
virus-free, and your original point makes no sense anymore.

Anti-virus software is used to catch different types of malware, not
only viruses, but also trojans. Trojans are one of the predominant
species of malware, and pretty much the only way to identify them is
using blacklists. Trojans often don't behave differently from
benevolent applications in a way a computer could detect.

>>>> Perhaps they should, but there is no way to reach this goal. And by
>>>> your logic, safety belts are bad because people should not crash
>>>> their cars in the first place. They should not, but do, and always
>>>> will.
>>> Safety != Security, something it seems very few Americans currently
>>> understand.
>> Well, now that you've put my in my place by telling me that my analogy
>> is wrong, perhaps you could deign to explain how the difference
>> between safety and security relates to my analogy - I fail to see the
>> relation, but perhaps I'm missing something :-)
>Safety belts (Safety) don't prevent someone stealing the radio out of
>your car (security).

I know what the difference between safety and security is; I am unsure
how it relates to my analogy. It seems to me that my analogy is
correct regardless of the semantic minutiae :-)

John C. Welch wrote:
>The entire anti-phishing concept is based on not having false positives.

It's highly unlikely that you will get many (or any) false positives
using a blacklist. Heuristic algorithms are different, of course, but
browsers don't use them.

Your own example of how false positives could occur included people
hacking the list to include wrong sites. Sure, that could happen. It's
also possible that you get hit by lightning tomorrow, but you don't
base your whole life on that possibility. And even if the list *did*
get hacked, Google would fix it within hours. People would not get
used to automatically dismissing the alerts within two hours.

Lukas

Re: Garmin nuvi 255W Focuses on Navigation #3

ace@tidbits.com — Thu, 21 Aug 2008 14:08:41 GMT

At 7:12 AM -0700 8/12/08, Brent Thompson wrote:
>You mentioned the need to find a gas station along your route. On my
>nuvi 650 I can find that by selecting Near.. before selecting Fuel.
>You select "Along my current route", then select Fuel. This only
>works if you have a route entered. If you are driving without a
>planned route just create a destination for a town coming up on your
>preferred route, then do the search.
>
>I don't know if this works on the 255W but it may.

Thanks for the pointer, Brent. It's entirely possible that that
option was there, but that I was focusing on the Where Am I?
interface instead. If I review another Garmin unit, I'll look for
that.

cheers... -Adam

Re: .Mac Slides are missing after iPhoto Update 7.1.4 #1

Lewis_Butler@tidbits.com — Sat, 16 Aug 2008 08:08:45 GMT

On 15-Aug-2008, at 04:23, Pohle wrote:

> Please, would anybody help me bringing my latest pictures to my
> family's screen savers automatically again? Grandma will not
> download files and install them herself...

Can you still 'subscribe' to a gallery in iPhoto? (I have no idea, I
only publish them). If so:

Publish the photos as a gallery. Subscribe to the gallery in iPhoto.
Set the screensaver to use the gallery as its source of pictures.

Yeah, that's still in iPhoto help:
> You can subscribe to see photo albums published by a next-door
> neighbor or a friend on the other side of the world. As your friends
> or family members update their MobileMe Galleries, you see those
> photos in iPhoto on your computer.
>
> NOTE: To subscribe to a Gallery album, you must be using Mac OS X
> version 10.4.11 or later.
>
> To subscribe to a published album:
> Use your web browser to go to the website address for the
> published album, which is provided by the publisher.
>
> Click the Subscribe button.
> If you dont see this button, click the Show Options button to
> make it appear.
>
> In the dialog, choose one of the following:
> via RSS: This allows you to view the album using your favorite
> RSS feed reader.
> in iPhoto: This causes the album to appear in your Source list.
>
> If you want, you can change how often to check for new photos. To do
> so, choose iPhoto > Preferences, click Gallery, and select a
> timeframe (for example, every hour or every day) from the pop-up menu.
> You can also update a subscribed album at any time by clicking the
> icon that appears next to it in your Source list.
>

Re: .Mac Slides are missing after iPhoto Update 7.1.4 #2

Pohle@tidbits.com — Sat, 16 Aug 2008 15:08:59 GMT

When I try to subscribe, iPhoto tells me:
"There are no photos in the subscription "MobileMe Atom Feed""
URL is correct, photos are in the online album.
No photos show up in the local album.

Try http://gallery.mac.com/chpohle and see if you get the same.

Also, that workaround would require grandma to open iPhoto to get the
latest pics.
That is not what .Mac slides could do automatically.

Carl

Re: .Mac Slides are missing after iPhoto Update 7.1.4 #3

Lewis_Butler@tidbits.com — Mon, 18 Aug 2008 10:08:34 GMT

On 16-Aug-2008, at 09:59, Carl H. Pohle wrote:

> http://gallery.mac.com/chpohle

>> Click the Subscribe button.
>> If you dont see this button, click the Show Options button to
>> make it appear.
>>
>> In the dialog, choose one of the following:
>> via RSS: This allows you to view the album using your favorite
>> RSS feed reader.
>> in iPhoto: This causes the album to appear in your Source list.

Well, the via iPhoto option doesn't appear to be there, so something
is not working.

Sorry, I relied on the Help to be correct.

Re: .Mac Slides are missing after iPhoto Update 7.1.4 #4

Lewis_Butler@tidbits.com — Mon, 18 Aug 2008 10:08:34 GMT

On 16-Aug-2008, at 09:59, Carl H. Pohle wrote:
> When I try to subscribe, iPhoto tells me:
> "There are no photos in the subscription "MobileMe Atom Feed""
> URL is correct, photos are in the online album.
> No photos show up in the local album.

OK, this is odd. I just checked and my old .mac RSS sides screensaver
still works.

Opened up screensavers control panel, went to "Mobile Me and RSS" and
put in my .mac name.

Your .mac name does not work, however.

My .Mac slides are just pictures stored on my iDisk at

/Pictures/Slide Shows/Public/

Try putting your pictures in there, adding your ,mac name to the
screensaver and seeing if that works. I think it will, at least for now.

Re: .Mac Slides are missing after iPhoto Update 7.1.4 #5

patrosh@tidbits.com — Mon, 18 Aug 2008 10:08:34 GMT

This is just anecdotal evidence, but a few of my friends have had the same problems with iPhoto as I have had in the past. Photos downloaded from camera to iPhoto have mysteriously disappeared on several occasions, never to be seen again. The other day, at the local Mac Reseller here in Bondi, I was next in line to a young woman who was frantic because her entire collection of photos had vanished from her iPhoto album.

iPhoto has been uninstalled on my G5 some time ago. I now use my own system of downloading and storing photos in various folders, each named appropriately for easy searching. Then I make sure I have copies of the folders in several hard drives for extra security, as well as burning critical photos onto DVDs.

I love my Mac... but I just don't trust iPhoto. I think it is a flaky app. Am I alone in this regard?

Paul

Re: .Mac Slides are missing after iPhoto Update 7.1.4 #6

Nicky_Y._Schleider@tidbits.com — Tue, 19 Aug 2008 12:08:38 GMT

On Aug 18, 2008, at 6:34 AM, Paul Atroshenko wrote:

> This is just anecdotal evidence, but a few of my friends have had
> the same problems with iPhoto as I have had in the past. Photos
> downloaded from camera to iPhoto have mysteriously disappeared on
> several occasions, never to be seen again. The other day, at the
> local Mac Reseller here in Bondi, I was next in line to a young
> woman who was frantic because her entire collection of photos had
> vanished from her iPhoto album.
>
> iPhoto has been uninstalled on my G5 some time ago. I now use my own
> system of downloading and storing photos in various folders, each
> named appropriately for easy searching. Then I make sure I have
> copies of the folders in several hard drives for extra security, as
> well as burning critical photos onto DVDs.
>
> I love my Mac... but I just don't trust iPhoto. I think it is a
> flaky app. Am I alone in this regard?

i have had the same thing happen. my problem was with photos i
scanned and with slides of my paintings that i scanned. i no longer
trust iphoto either. i also keep things in separate folders.

nicky

Re: .Mac Slides are missing after iPhoto Update 7.1.4 #7

Lewis_Butler@tidbits.com — Tue, 19 Aug 2008 12:08:38 GMT

On 18-Aug-2008, at 04:34, Paul Atroshenko wrote:
> I love my Mac... but I just don't trust iPhoto. I think it is a
> flaky app. Am I alone in this regard?

I have about 15,000... no, that's not right, I HAD like 15,000 photos
in iPhoto. The only time I've ever 'lost' photos was when I went
mucking about in the Library directories myself, and even then, I
didn't 'lose' them, iPhoto simply lost track of them.

I have pared and whittled and deleted hundreds of pictures the kids
took of doors, walls, floors, their armpits, other people's armpits,
etc and am down to just under 8,000. I've had more trouble with
iTunes losing songs than with iPhoto losing photos. And again, that
seems to come about from mucking in the Library structure manually.

Re: .Mac Slides are missing after iPhoto Update 7.1.4 #8

macgeek417@tidbits.com — Tue, 19 Aug 2008 12:08:38 GMT

You DO have an iLife DVD, right??
try reinstalling the un-updated iPhoto (after backing up, of course}

Re: .Mac Slides are missing after iPhoto Update 7.1.4 #9

Pohle@tidbits.com — Wed, 20 Aug 2008 12:08:11 GMT

I have that button,
- only in iPhoto 7.1.4 on my PowerBook G4, where I am still using Mac
OS X 10.4.11, with the .Mac icon instead of the MobileMe cloud still
in System Preferences.
- but not on my iMac, where I am using Mac OS X 10.5.4, with the
MobileMe cloud in System Preferences.

Which Mac OS X are you using?

Re: .Mac Slides are missing after iPhoto Update 7.1.4 #10

ace@tidbits.com — Thu, 21 Aug 2008 14:08:41 GMT

At 5:38 AM -0700 8/19/08, Nicky Y. Schleider wrote:
>>I love my Mac... but I just don't trust iPhoto. I think it is a
>>flaky app. Am I alone in this regard?
>
>i have had the same thing happen. my problem was with photos i
>scanned and with slides of my paintings that i scanned. i no longer
>trust iphoto either. i also keep things in separate folders.

My experience (which is extensive, given the number of book editions
I've written about iPhoto versions) is that iPhoto seldom, if ever,
actually touches the photos on disk, in the iPhoto Library
folder/package (it used to be a folder; in iPhoto '08 it's a
package). What can happen, although it's increasingly uncommon, is
for the database that tracks them to become corrupted.

And for that, if you launch iPhoto while holding down Command-Option,
can be rebuilt successfully in most cases. Other options exist for
recovering photos manually if the rebuild options fail.

cheers... -Adam

Re: Why I Hate the Eye-Fi Share Wireless SD Card #1

Lewis_Butler@tidbits.com — Tue, 19 Aug 2008 14:08:28 GMT

On 18-Aug-2008, at 20:42, Glenn wrote:
> This last weekend, my wife and I threw a birthday party for my older
> son, Ben, who turns four today. I took pictures like crazy over a
> couple hours, and because we had the party at the house, most of
> those photos were already on my computer and up at Flickr by the
> time the party was over

OK, Now *THAT* is worth the price of admission right there, isn't it?
I know my parents and in-laws, as well as extended family, would love
it if I had one of these for the next birthday/Christmas.

OTOH, I've never really 'gotten' Flickr, so the single event 'feature'
for iPhoto and the daily album would annoy me as well. OTOH, I
usually have to merge/split events anyway, so maybe not.

I use the .Mac gallery publishing... er, MobileMe gallery publishing
to share all the photos I want to share. It's not a price thing, I
know flickr is stupidly cheap, or free, it's just the convenience of
having a one-click gallery published from iPhoto is a bit hard to pass
up.

Yeah, I know, some people hate iPhoto. I love it. I can go through
several hundred pictures, adjusting them, straightening them, removing
red-eye, and culling the duds in an hour, click "mobileMe", click
"ok", and walk away. Voila, a new gallery is created. In fact, the
reason I am up this morning is that I finally went through about 400
photos from earlier this month and put up 4 new galleries (temporary,
they will eventually get merged into a single "0808 Glenwood" or
soemthing gallery) and then wrote a long email to family and some
friends about them. I've been at it about and hour and a half now,
but the last half hour has been spent writing the email and catching
up on last night's emails as well.

And with 20GB of space now, I don't even worry about the sizes anymore.

If I bought an Eye-fi I likely would not use it all the time, but I
think I might buy one just for events where I can provide people with
a nearly real-time gallery of pictures.

Re: Why I Hate the Eye-Fi Share Wireless SD Card #2

bruce.skelly@gmail.com — Tue, 19 Aug 2008 15:08:33 GMT

Adam,

I bought an Eye-Fi card (the original one) for my wife, and she loves
it. She uses it for taking pictures of the products of her hobby,
which are then posted in various groups on the internet. She finds
that the Eye-Fi card is perfect for this. We only use it on our home
network, so we don't have the hassle of reconfiguring the card all the
time. She finds that it saves her lots of time, and she never has to
worry about damaging the SD card by improperly removing it from the
computer of camera. When my daughter took our SD camera on a trip, I
purchased an SD 2 CF adapter, which worked perfectly with the Eye-Fi
card in an older Nikon Coolpix camera, and an even older Casio camera.

I could see this being used at events. The photographer can circulate
through the crowd, sending back a constant stream of photographs to
the helper, who can crop, adjust and print the images, making them
available as souvenirs.

One problem that you didn't mention is that because there is no
automatic way to delete the pictures after they have been successfully
uploaded, the memory card and become quite full. We discovered that
when you reach 350 to 400 images on the card, it can take a very long
time to upload new images. It seems that the algorithm is to check
each and every one of the images on the Eye-FI card to see which ones
need to be uploaded. With many pictures this can take a lot of
time. Once the already uploaded pictures are deleted, the speedy
operation returns.

Bruce