March 03, 2004

Phishing - and now the "solutions providers"

A "solution" to Phishing called PassMarks has been proposed.

The proposal is that the site should present an individualised image, the PassMark, to each account holder on login, so that the user can tell the real site from a spoof. Unfortunately, this won't work.

Phishing involves interposing the attacking site as a spoof between the client's browser and the target site. The spoofing site simply copies the registration details across to the main website, and waits for the PassMark image to come back. And then copies the image back to the user's browser.

The flaw in their analysis may have been that they didn't realise that almost all phishing totally bypasses SSL. Of course. Or, maybe they didn't realise that the attackers are intelligent, and modify their approach to cope with the system under attack. Easy mistake to make, one supposes.

The analysis we've done still stands - what is needed to secure browsing against (current day, validated) threats like phishing is to modify the existing underutilised SSL infrastructure in these fairly minor ways:

  • add a "branding" box in the chrome of the browser,
  • accept self-signed certs as a positive security feature,
  • bootstrap all servers with their own self-signed cert.
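As an added illustration of the second and third bullets (not code from the original post, nor anything PassMark ships), here is one way a browser could treat a self-signed certificate as a positive feature: remember the certificate's fingerprint on first contact and key the branding box to it, so that a spoof site, which cannot present the remembered key, gets an empty box. The host names, certificate bytes and the in-memory store are constructed assumptions.

```python
import hashlib

# Constructed placeholders standing in for the DER certificate bytes a browser
# would receive in the TLS handshake; they are not real certificates.
BANK_CERT_KEY_A = b"CONSTRUCTED CERT: bank.example, self-signed, key A"
BANK_CERT_KEY_B = b"CONSTRUCTED CERT: bank.example, self-signed, key B"
SPOOF_CERT = b"CONSTRUCTED CERT: bank-login.example, self-signed, key Z"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, the usual displayed fingerprint."""
    return hashlib.sha256(cert_der).hexdigest()


class ContinuityStore:
    """Key continuity (trust on first use): remember the first cert per host.

    The branding box in the chrome shows the stored label only when the
    presented certificate matches the remembered fingerprint."""

    def __init__(self):
        # host -> {"fp": fingerprint, "label": brand text, "visits": count}
        self.seen = {}

    def check(self, host: str, cert_der: bytes, label: str = "") -> str:
        fp = fingerprint(cert_der)
        entry = self.seen.get(host)
        if entry is None:
            # First contact: bootstrap trust by recording this cert and brand.
            self.seen[host] = {"fp": fp, "label": label or host, "visits": 1}
            return "new"
        if entry["fp"] == fp:
            entry["visits"] += 1
            return "known"
        # Same host, different key: do not show the brand, ask the user.
        return "changed"

    def branding(self, host: str, cert_der: bytes) -> str:
        """Text the chrome's branding box should display for this connection."""
        status = self.check(host, cert_der)
        if status == "known":
            e = self.seen[host]
            return f"{e['label']} (seen {e['visits']} times)"
        if status == "changed":
            return "WARNING: key changed"
        return ""  # unknown site: the box stays empty, which is the signal
```

A phishing site on a different host name is simply "new", so the box stays blank on the first and every later visit, and a relay cannot forge the remembered fingerprint without the server's private key.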

The analysis is long, complex and not written down in full. You can see something of the story on the SSL page.

Further references: The anti-phishing WG's resources page has some potentially useful stuff. Simon's blog entry on PassMark put me on to this product, and also this fair overview by Scott Loftesness.

Posted by iang at March 3, 2004 01:20 PM