[cap-talk] Phishing with YURLs and Petnames
Ian G
iang at systemics.com
Tue Feb 14 14:02:24 EST 2006
Tyler Close wrote:
> On 2/14/06, Karp, Alan H <alan.karp at hp.com> wrote:
>>Due to a break in at our online banking server, we have been forced to
>>revoke our digital certificate and issue a new one. Your petname won't
>>work with the new certificate. Please click on https://BankTwo.com.ru
>>and enter your petname. Then log in to verify that the change was
>>recorded correctly. At that time, we'll ask you to verify your personal
>>information.
...
> You might catch some users with this, but hopefully not many.
That's all that phishing needs....
> Basically, you have to come up with some story that convinces the user
> to violate their rule of thumb, override the warning from the Petname
> Tool and not check the real site using their existing petname
> bookmark. If you're really good at social engineering maybe you could
> pull this off, but it seems like a tall order, and certainly much more
> difficult than phishing currently is.
I think the main thing about Alan's rather inspired example is that it shows how hard it is to secure with only one factor. (This is easier to see if BankTwo had for example told all its users to install something like Petname, and rely on it.)

Risks can be reduced by combining more than one factor.

Regardless of the spin cycle, Petname is a good single factor but remains one factor alone. "The easy rule..." results in the easy attack. Although it is good in the current threat environment, it is an open question whether the environment will get tougher.
iang