[cap-talk] an attack on the pet name tool bar
marcs
marcs at skyhunter.com
Fri Feb 11 15:46:01 EST 2005
> > The problem here is obviously the "false petname bar".
> > It almost goes without saying that the petname bar must not be
> > spoofable (e.g. by always displaying it at the top of all windows that
> > can be used for browsing, and preferably by distinguishing those from
> > all other windows). Isn't this true of the security-related GUI
> > elements for any possible solution, including the TrustBar?
>
> Yep. But how does a phisher ask for the logo?
In general, phishers can't ask for the petname. But the inability to ask for
the petname is not an element of the security. You can usually guess the
petname -- legitimate enterprises have strong reasons to have unique
memorable names, so the nicknames they suggest for themselves will often
make fine petnames. Guessing that the petname for PayPal is indeed PayPal
will work great for the phisher. The phisher's problem -- the security --
comes into play when the user's machine makes a mapping between a petname
and a key. If the phisher's key is not the key associated with a petname,
the phisher's data will not be marked with the petname.
The phisher has no way to stick his fingers into that mapping process,
except by social engineering, persuading the human to do something confusing
to himself.
--marcs
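A toy model of the key-to-petname mapping described above, added here as an illustration and not code from the Petname Tool or from this thread. The key fingerprints are constructed sample values, and the rule that refuses to give an existing petname to a second key is an assumed design choice, not something the post states.

```python
"""Toy petname bar: the user's machine maps KEYS to petnames.

A site's suggested name is never consulted, so guessing "PayPal" buys a
phisher nothing unless the phisher also holds the key bound to that name.
All keys and names are constructed sample values."""
from dataclasses import dataclass, field


class PetnameCollision(ValueError):
    """A petname already names a different key."""


@dataclass
class PetnameBar:
    # key fingerprint -> petname; only the user's own actions add entries
    by_key: dict = field(default_factory=dict)

    def assign(self, key: str, petname: str) -> None:
        """The user binds a petname to a key.
        Assumed design choice: refuse to let a second key take an existing
        petname, so a social-engineered "call this one PayPal too" cannot
        silently alias the real binding."""
        for other_key, name in self.by_key.items():
            if name == petname and other_key != key:
                raise PetnameCollision(f"{petname!r} already names {other_key}")
        self.by_key[key] = petname

    def render(self, site_key: str, site_suggested_name: str) -> str:
        """Text the bar shows for a page whose server authenticated as
        site_key.  site_suggested_name is what the page calls itself and is
        deliberately ignored: a site cannot ask for a petname."""
        del site_suggested_name
        return self.by_key.get(site_key, "<no petname: untrusted site>")


PAYPAL_KEY = "fp:1111"   # constructed: the genuine site's key
PHISHER_KEY = "fp:9999"  # constructed: a look-alike site's key


def scenario() -> dict:
    """Walk through the legitimate visit, the correct-guess phish, and the
    social-engineering attempt; returns what the bar did in each case."""
    bar = PetnameBar()
    bar.assign(PAYPAL_KEY, "PayPal")                 # user names the real site once
    shown_real = bar.render(PAYPAL_KEY, "PayPal")    # -> "PayPal"
    shown_phish = bar.render(PHISHER_KEY, "PayPal")  # right guess, wrong key
    try:
        bar.assign(PHISHER_KEY, "PayPal")            # user is talked into it
        collision = False
    except PetnameCollision:
        collision = True
    return {"real": shown_real, "phish": shown_phish, "collision": collision}
```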