November 04, 2005

Phishing for News..

George reports that his story originally published here in FC has made it to USAToday:

He watched, horrified, as the intruder in quick succession dumped $60,000 worth of shares in Disney, American Express, Starbucks and 11 other blue-chip stocks, then directed a deposit into the online account of a stranger in Austin. "My entire portfolio was being sold out right before my eyes," recalls Rodriguez, 41, a commercial real estate broker who alerted Ameritrade in time to stop the trades.

Also in BusinessWeek, but I was not able to find a URL. George's story is a great one if you are unsure how far phishing reaches! (Addendum: SEC releases advisory to traders.)

Some interesting sniping from the banks on two-factor tokens. The current generation of two-factor tokens (like RSA Security's SecurID) are the stocking fillers of the security field. Cute, cheap in small numbers and broken by January. This is a well-written piece rounding up the issues:

But tokens create their own headaches. They're relatively costly to deploy and can prompt lots of calls to customer service if they're lost or temporarily out of reach. Banks also fear a "necklace" scenario in which customers end up collecting an annoying strand of tokens from all the companies they do business with online.

Even one token might be seen as a hassle.

After ETrade Financial Corp. began offering tokens from RSA Security Inc. to its 2.8 million U.S. customers, only 20,000 signed up. Almost all those people could get the gadgets for free because they were frequent traders or had more than $50,000 in their accounts; everyone else had to pay $25.

That about matches the 1% take-up rate that I heard of in the gold sector, when someone tried to sell these things.

One-time passwords can be given out in less expensive ways. They can be beamed to a cell phone or handheld computer, or mailed to customers on scratch-off cards.

But security experts warn that one-time passwords can be stolen in a "man-in-the-middle" attack, in which a con artist harvests a victim's code on a phony Web site and instantly relays it to the real bank, then conducts transactions in her name. Such frauds are rare -- if they happen at all -- but that's partly because there are so many easier targets, for now.

Token vendors point out that their devices can be set to foil men in the middle by generating additional codes for each individual transaction. Still, there are enough knocks against hardware-based solutions that most banks will take softer steps to meet the regulators' demands.

Not bad! Someone has done their homework. This is not to say that it can't be done better, and the WiKID token may be just that. I haven't examined it in detail but it essentially duplicates what the software tools that address phishing do: it caches the cert in some way. (Also see blog.)
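The relay attack in the excerpt above, and the vendors' transaction-bound rebuttal, as an added example that is not part of the original post and not any bank's or token vendor's code. It models a hardware token as an RFC 4226 HOTP counter token, and models "additional codes for each individual transaction" as a code that MACs the destination and amount in with the counter; the secret seed, account names and amounts are constructed for the example.

```python
"""Added example: a phisher that harvests a one-time code and relays it
to the real bank wins against a plain counter OTP, but not against a
code that is bound to the transaction the customer actually intended."""
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at a MAC-chosen offset, mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, dest: str, amount: int,
                     digits: int = 6) -> str:
    """Constructed transaction-signing code (assumption, not a vendor scheme):
    the counter AND the transaction details are MACed, so a code minted for
    one transfer verifies only for that transfer."""
    msg = struct.pack(">Q", counter) + f"{dest}:{amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


class Bank:
    """Toy bank backend: per-customer token seed, last accepted counter,
    and a small look-ahead window as real OTP servers use."""

    def __init__(self, bind_to_transaction: bool, window: int = 3):
        self.bind = bind_to_transaction
        self.window = window
        self.secrets: dict[str, bytes] = {}
        self.counters: dict[str, int] = {}
        self.transfers: list[tuple[str, str, int]] = []

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.counters[user] = 0

    def transfer(self, user: str, dest: str, amount: int, code: str) -> bool:
        """Accept only if the code verifies for an unused counter in the window.
        Advancing the counter makes each code one-time."""
        secret, last = self.secrets[user], self.counters[user]
        for c in range(last + 1, last + 1 + self.window):
            expected = (transaction_code(secret, c, dest, amount) if self.bind
                        else hotp(secret, c))
            if hmac.compare_digest(expected, code):
                self.counters[user] = c
                self.transfers.append((user, dest, amount))
                return True
        return False


SEED = b"constructed-token-seed-0001"     # constructed sample seed
INTENDED = ("own-savings", 100)          # what the customer meant to do
ATTACKER = ("stranger-in-austin", 60000)  # what the phony site relays instead


def customer_code(bind: bool, counter: int) -> str:
    """The code the customer reads off the token and types into the (phony) site."""
    return transaction_code(SEED, counter, *INTENDED) if bind else hotp(SEED, counter)


def phishing_relay(bind_to_transaction: bool) -> bool:
    """Man-in-the-middle relay from the article. Returns True if the
    attacker's substituted transfer was accepted by the real bank."""
    bank = Bank(bind_to_transaction)
    bank.enroll("customer", SEED)
    code = customer_code(bind_to_transaction, counter=1)
    # Phony site harvests the code and instantly replays it against the real
    # bank, swapping in the attacker's own destination and amount.
    return bank.transfer("customer", *ATTACKER, code)


def legit_then_replay(bind_to_transaction: bool) -> tuple[bool, bool]:
    """Honest use of the same code twice: first accepted, replay refused."""
    bank = Bank(bind_to_transaction)
    bank.enroll("customer", SEED)
    code = customer_code(bind_to_transaction, counter=1)
    first = bank.transfer("customer", *INTENDED, code)
    replay = bank.transfer("customer", *INTENDED, code)
    return first, replay


if __name__ == "__main__":
    print("plain OTP, relayed by phisher:", phishing_relay(False))
    print("transaction-bound code, relayed:", phishing_relay(True))
    print("legit then replay (bound):", legit_then_replay(True))
```

The caveat a practitioner should draw from this: the binding only helps because the token computed the code over what the customer actually intended. If the phony site talks the customer into keying the attacker's account and amount into the token, or the token has no display of its own on which the customer confirms those details, the man in the middle is back in business; the code has to be bound to a transaction the customer saw on something the phisher does not control.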

Posted by iang at November 4, 2005 11:37 AM