[funsec] The end of Phishing in sight?

Florian Weimer fw at deneb.enyo.de
Mon Oct 17 16:43:23 CDT 2005


* Pierre Vandevenne:

> FW> In Germany, we have both: two-factor authentication and phishing.
> FW> This should tell you something about the effectiveness of two-factor
> FW> authentication. *sigh*
>
> Well, it's not a question of agreeing or disagreeing - just thinking
> about it. Do you have any links to successful phishing cases involving
> both password/login combos and tokens supporting digital signatures?
> I'd really like to see the details of such cases.

Two-factor authentication does not necessarily mean "digital
signatures".

In May 2000, a proof-of-concept attack on the German Internet banking
standard HBCI (which is smartcard-based) was published, involving a
trojanized end user system.  Even card readers with separate displays
and PIN pads cannot thwart such attacks because the display contents
are controlled by the host software and do not necessarily match the
signed transaction.

This technology is not in widespread use, so it's currently not
targeted to my knowledge.  The two-factor authentication technology
used in Germany is PIN plus a list of one-time passwords, one for each
transaction.  Fairly low-tech, but as secure as you can get without
dedicated user terminals.  Obviously, the OTP does not depend on the
transaction contents, so it's still subject to MITM attacks, but this
is a property shared with many of the proposed high-tech two-factor
authentication schemes.

There are plenty of reports of attacks involving trojan horses which
change the contents of the browser window on the fly, and intercept
transmitted PINs and TANs, but the German press usually calls this
"phishing" as well, even if no spoofed web site was involved.

> note: I have no link to that industry and would have resented having
> to pay for the token if I had had to.

Me too, especially if it means I cannot repudiate fraudulent
transactions anymore because the system is considered "secure".
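The point made above (a TAN from a list is valid for any transaction, so a host that rewrites the transaction is not stopped by it, whereas a code computed over the transaction contents is) can be shown with a small model. This is an added illustration, not code from the thread or from any bank; the bank classes, the `bound_code` construction (an HMAC over destination and amount, standing in for whatever a real transaction-bound device computes), the account strings, PIN and TAN values are all constructed for the example.

```python
"""Model of why a transaction-independent one-time password (PIN + TAN list)
does not protect against a host that rewrites the transaction, while a code
bound to the transaction contents does. Constructed example, not bank code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    dest_account: str   # constructed account labels, not real account numbers
    amount_cents: int


PIN = "1234"  # constructed sample PIN


class TanListBank:
    """Bank side of PIN + TAN list: a TAN is valid once, for *any* transfer."""

    def __init__(self, pin: str, tans: list[str]) -> None:
        self._pin = pin
        self._unused = set(tans)

    def submit(self, pin: str, tan: str, transfer: Transfer) -> bool:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return False
        if tan not in self._unused:
            return False            # unknown or already spent
        self._unused.discard(tan)   # one-time: burn it
        return True                 # `transfer` never enters the check


def bound_code(key: bytes, transfer: Transfer) -> str:
    """Code a separate device would compute over the data the user confirms
    on the device's own display (assumed trustworthy): destination, amount."""
    msg = f"{transfer.dest_account}|{transfer.amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class BoundCodeBank:
    """Bank side of a transaction-bound code: recompute over what was submitted."""

    def __init__(self, pin: str, key: bytes) -> None:
        self._pin = pin
        self._key = key
        self._seen: set[tuple[Transfer, str]] = set()

    def submit(self, pin: str, code: str, transfer: Transfer) -> bool:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return False
        expected = bound_code(self._key, transfer)
        if not hmac.compare_digest(code, expected):
            return False            # code does not match *this* transfer
        if (transfer, code) in self._seen:
            return False            # replay of an already executed transfer
        self._seen.add((transfer, code))
        return True


def run_scenarios() -> dict[str, bool]:
    """The user authorizes `intended`; a compromised host submits `altered`
    together with whatever PIN and code the user entered. Every entry is
    True when the scheme behaves as described in the text."""
    intended = Transfer("ACCT-INTENDED", 5000)
    altered = Transfer("ACCT-ALTERED", 250000)

    tans = ["482913", "117340", "905611"]          # constructed TAN list
    tan_bank = TanListBank(PIN, tans)
    key = secrets.token_bytes(32)                  # per-customer device key
    bound_bank = BoundCodeBank(PIN, key)

    user_tan = tans[0]                             # user reads next TAN off the list
    user_code = bound_code(key, intended)          # device computes over intended
    return {
        "tan_list_accepts_altered": tan_bank.submit(PIN, user_tan, altered),
        "tan_list_rejects_reuse": not tan_bank.submit(PIN, user_tan, intended),
        "bound_rejects_altered": not bound_bank.submit(PIN, user_code, altered),
        "bound_accepts_intended": bound_bank.submit(PIN, user_code, intended),
        "bound_rejects_replay": not bound_bank.submit(PIN, user_code, intended),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The one-time property holds in both models (a spent TAN and a replayed code are refused), but only `BoundCodeBank` ties the code to the destination and amount, so the rewritten transfer is rejected there. Note that `bound_code` only helps if the device's display of destination and amount is not under the host's control, which is exactly the HBCI reader issue raised earlier in the message.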
