[cap-talk] an attack on the pet name tool bar

Ian G iang at systemics.com
Sat Feb 12 10:40:24 EST 2005


Ka-Ping Yee wrote:

>On Thu, 10 Feb 2005, Ian G wrote:
>  
>
>>If the user falls victim to this, a second pro-forma
>>phish is then created with a false petname bar
>>and the other details.
>>    
>>
>[...]
>  
>
>>So the question is, even though the pet name
>>provides a useful defence against phishing, what
>>is stopping the pet name itself from being phished?
>>    
>>
>
>A fundamental prerequisite for any trustworthy browser function
>(including the petname toolbar) is for some part of the browser's
>interface to be recognizably unspoofable.  Currently, browser
>trustworthiness relies on the unspoofability of the window frame
>(particularly its close button), the pull-down menus, the toolbar
>buttons, the address bar, and the status bar.
>  
>

Sure.  But it's not an absolute, you cannot
require the browser to provide you with
the perfect platform.  If the browser is so
ropey that it provides no safety in this
area ... hypothetically, IE, then you might
have to bite the bullet and say "it won't
provide much protection on IE because
the browser is too unstable."

Unfortunately browser real estate is a
really complex business, and all sorts of
funny effects happen.  One is building on
sand, not rock.

[snipped heinous IE crimes...]

>In my opinion, the real threat to the petname toolbar is that the
>significance of the toolbar's judgement (known vs. unknown) may
>become devalued.  This could happen in a few ways, for example:
>
>    1.  The user adds the petname toolbar to his current browser
>        and doesn't bother to register petnames for all the
>        previously existing accounts he has registered at all
>        sorts of websites.  Since the toolbar says "unknown"
>        everywhere, the user quickly learns that the toolbar is
>        meaningless and proceeds to ignore it.
>  
>

OK.  Can I suggest that in this case, instead
of saying just "unknown" it also adds a visit
count?  And perhaps a time-of-last visit?

So if a user leaves paypal as unknown, it
would show something like

"unknown, 10 visits, last was thursday 10:14 am."

>    2.  The user understands that he should register petnames to
>        signify existing trust relationships.  But when setting up
>        the petname toolbar for the first time, the user doesn't
>        remember all the accounts he has, and forgets a few.  When
>        he visits one of these forgotten sites, he realizes it was a
>        forgotten site and proceeds to add a petname.  After doing
>        this a couple of times, the user learns: "If i go to a
>        familiar-looking site and the petname toolbar says 'unknown',
>        then i must have forgotten to register a petname -- so i
>        should register one then."  By getting used to this process,
>        the user renders the petname toolbar useless (and even
>        dangerous, since it now provides a false sense of security).
>  
>

Yes, there would be an effect of this.  I don't
think it is fair to say it would render the toolbar
useless, as it would still work for the majority
of petnames set by the user.  It is only those
where the user simply follows the process
without thought.

There is an implied Introduction phase in the
setting of the petname;  the user should be
encouraged to make sure this is their real
site.  A bit like those PGP warnings before you
sign someone's key, but without the dramatics
(no popups!).

Your comment on the false sense of security.
I think a false sense of security arises from
several things:

   1. the supplier says it is secure
   2. the user believes the supplier
   3. it is not secure

Hence a key element in fighting the false sense
of security is avoiding 1. above.  As we know there
are no absolutely secure systems, we know 3. is
always true.  So we have to address 2. and make
sure that if the user decides it is secure, it is they
that are taking on that risk, and not by believing
the supplier's outrageous claims.

>    3.  Phishers step up their attacks by editing their password-
>        capturing webpages to say: "Have you installed the petname
>        toolbar?  If you haven't, get it now (link).  If you have a
>        petname toolbar, assign a petname to this session now.  It
>        is important that you do this NOW to secure your relationship
>        with us!"  (It is also entirely possible that legitimate banks
>        will put up instructions that look just like this as well!)
>  
>

Nice one!  (In a sense this is a better variant
of my suggestion ... whiteboarding ideas is a
good way to attack a system.)

4.  Phishers start launching their own petname
     toolbar with their own instructions.  (I actually
     thought that was what you were saying above...)

>In short, the problem is that when the user sees "unknown" in the
>petname toolbar, he must make a distinction between (a) this is a
>potentially dangerous site with which i have no trust relationship;
>and (b) this is the site i want, except i haven't set up a pet name
>yet.  The user has to make a judgement about whether or not he forgot
>something, which by definition is hard to do since if you forgot
>something you wouldn't remember it.  I think that in order for the
>petname toolbar to be truly effective, the frequency of situation (b)
>must be minimized.
>  
>

OK, it is hard but not intractable.  See the notes
on counts and visit times above.  Also, think how
you do remember things, everyone has a little
process they walk through, like "when was the
last time I used my credit card..."

The trick with the petname toolbar or any other
is that in the new site Introduction, it is useful
to marshal any information that is available to
help the user.

>If (b) happens as often as (a), or even half as often as (a), then
>"unknown" will cease to mean anything useful.
>
>I'll post some ideas i have for addressing this in a separate thread.
>  
>

Oops, perhaps I should have waited!

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
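The visit-count idea above ("unknown, 10 visits, last was thursday 10:14 am") and the Introduction step, as an added example that is not code from this thread nor from any actual petname toolbar. It assumes the toolbar keys its records on the site's origin (scheme, host, port) rather than on anything the page can draw; the store class, the `www.paypa1.com` lookalike host and the ten-visit log are all constructed for the illustration.

```javascript
// Added example (not from the original thread or any real petname toolbar):
// a petname store keyed on origin that, for sites without a petname, reports
// a visit count and last-visit time instead of a bare "unknown".
'use strict';

const DAYS = ['Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'];

// The toolbar keys on the origin only (scheme + host + port).  Path, query
// and fragment are ignored on purpose: a phisher controls those freely, but
// cannot make a different host share an origin with the real site.
function originOf(url) {
  return new URL(url).origin;
}

class PetnameStore {
  constructor() {
    this.names = new Map();   // origin -> petname chosen by the user
    this.visits = new Map();  // origin -> { count, last: Date }
  }

  // Called once per page load: record the visit, return the bar's label.
  // `now` is a millisecond timestamp so the example is deterministic.
  visit(url, now) {
    const origin = originOf(url);
    const rec = this.visits.get(origin) || { count: 0, last: null };
    rec.count += 1;
    rec.last = new Date(now);
    this.visits.set(origin, rec);
    return this.label(origin);
  }

  // The Introduction step: the user, having satisfied themselves that this
  // really is their site, assigns a petname to the origin they are on.
  assign(url, petname) {
    this.names.set(originOf(url), petname);
  }

  // Known origins show the petname.  Unknown ones show the history the
  // toolbar has, which is what the user needs to decide "forgotten site"
  // versus "never been here" (times rendered in UTC for determinism).
  label(origin) {
    const name = this.names.get(origin);
    if (name !== undefined) return name;
    const rec = this.visits.get(origin);
    if (!rec || rec.count === 0) return 'unknown, never visited';
    const d = rec.last;
    const hh = String(d.getUTCHours()).padStart(2, '0');
    const mm = String(d.getUTCMinutes()).padStart(2, '0');
    const plural = rec.count === 1 ? '' : 's';
    return `unknown, ${rec.count} visit${plural}, last was ${DAYS[d.getUTCDay()]} ${hh}:${mm}`;
  }
}

// Constructed scenario: ten daily visits to the real site ending on a
// Thursday, then the user assigns a petname, then a lookalike host is hit.
function demo() {
  const store = new PetnameStore();
  const real = 'https://www.paypal.com/cgi-bin/webscr';
  const lookalike = 'https://www.paypa1.com/cgi-bin/webscr'; // hypothetical phishing host
  const thursday = Date.UTC(2005, 1, 10, 10, 14);            // Thu 10 Feb 2005 10:14 UTC
  const DAY = 24 * 60 * 60 * 1000;

  let beforeIntro = '';
  for (let i = 9; i >= 0; i--) {
    beforeIntro = store.visit(real, thursday - i * DAY);
  }
  store.assign(real, 'my bank');
  const afterIntro = store.label(originOf(real));
  const phish = store.visit(lookalike, thursday + 60 * 60 * 1000); // first ever visit
  return { beforeIntro, afterIntro, phish };
}

// Prints the three labels the bar would have shown at each stage.
console.log(demo());
```

The lookalike origin gets "1 visit" on the very page that is trying to harvest the password, while the real site the user has been using for weeks carries its history with it. That is the cue the count is meant to give during the Introduction; it does not, on its own, defeat the scenario Ka-Ping describes in point 3, where the page itself tells the user to assign a petname. The user still has to do the checking.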


