[cap-talk] Phishing with YURLs and Petnames

Sandro Magi smagi at naasking.homeip.net
Tue Feb 14 14:35:16 EST 2006


Ian G wrote:

> Tyler Close wrote:
>
>> Basically, you have to come up with some story that convinces the user
>> to violate their rule of thumb, override the warning from the Petname
>> Tool and not check the real site using their existing petname
>> bookmark. If you're really good at social engineering maybe you could
>> pull this off, but it seems like a tall order, and certainly much more
>> difficult than phishing currently is.
>
>
> I think the main thing about Alan's rather
> inspired example is that it shows how hard
> it is to secure with only one factor.  (This
> is easier to see if BankTwo had for example
> told all its users to install something like
> Petname, and rely on it.)


I think the example shows that if your secure channel (cert+petname) 
is compromised, then you have to re-introduce your users to the new 
entity using another secure channel, and that users should not trust an 
introduction over an insecure channel period.

The only way I'd click that link, is if the e-mail had been encrypted 
with BankTwo's distinct e-mail key (as an example of a second channel 
used to introduce users). PGP e-mail is just another form of 
encryption+petnames though.

You have to plan for upgrade contingencies ahead of time, but I don't 
see why you'd absolutely need more than encryption and petnames. The 
more complexity you add, the easier it is to get wrong.

Sandro

> Risks can be reduced by combining more than
> one factor.
>
> Regardless of the spin cycle, Petname is a
> good single factor but remains one factor
> alone.  "The easy rule..." results in the
> easy attack.  Although it is good in the
> current threat environment, it is an open
> question whether the environment will get
> tougher. 
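As an added illustration, not code from the thread or from the Petname Tool, the channel argument above as a small model: petnames are bound to key fingerprints rather than hostnames, a key the user has never petnamed yields no petname (the tool's warning state), and a new key is bound only when a key that already carries a petname signs the introduction, as with the encrypted e-mail in Sandro's example. All keys are constructed, and an HMAC over a shared secret stands in for a real signature so the code runs with the standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed keys. A real tool pins a certificate or public key and verifies a
# signature; an HMAC over a shared secret stands in for it (stdlib only).
OLD_WEB_KEY = b"constructed-banktwo-web-key-2005"
NEW_WEB_KEY = b"constructed-banktwo-web-key-2006"
EMAIL_KEY = b"constructed-banktwo-email-key"
LOOKALIKE_KEY = b"constructed-attacker-key"

def fingerprint(key: bytes) -> str:
    """Identity a petname is bound to: a digest of the key, never the hostname."""
    return hashlib.sha256(key).hexdigest()

def sign(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()

@dataclass
class Introduction:
    new_key: bytes
    petname: str
    vouching_fp: Optional[str] = None  # None: arrived over an insecure channel
    signature: Optional[str] = None

@dataclass
class PetnameStore:
    petnames: dict = field(default_factory=dict)  # fingerprint -> petname
    keys: dict = field(default_factory=dict)      # fingerprint -> pinned key

    def remember(self, key: bytes, petname: str) -> None:
        """Out-of-band introduction: the user assigns the petname themselves."""
        self.petnames[fingerprint(key)] = petname
        self.keys[fingerprint(key)] = key

    def lookup(self, key: bytes) -> Optional[str]:
        """None is the tool's 'no petname for this site' warning state."""
        return self.petnames.get(fingerprint(key))

    def accept(self, intro: Introduction) -> bool:
        """Bind a new key only when an already-petnamed key signs the introduction."""
        if intro.vouching_fp not in self.keys:
            return False  # no known voucher: insecure channel, reject outright
        msg = fingerprint(intro.new_key).encode() + b":" + intro.petname.encode()
        if not hmac.compare_digest(sign(self.keys[intro.vouching_fp], msg), intro.signature or ""):
            return False
        self.remember(intro.new_key, intro.petname)
        return True
```

A lookalike site presents a key with no petname, an unsigned "we changed our certificate" e-mail is rejected, and only an introduction signed by the already-petnamed e-mail key binds the new web key to "My Bank".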
