About

This page contains a single entry from the blog posted on April 13, 2007 8:45 AM.

More information on why the use of stronger authentication doesn't stop phishing attacks

Here's a blog entry from a PhD student who showed how a phishing attack would successfully work against Bank of America's SiteKey Service. As the blog says, "[W]hen you see your SiteKey, you can be certain you're at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected." Thus, it's a form of authentication.

The student has posted a video of the attack.

Stronger authentication doesn't mean that phishing attacks won't occur. In a man-in-the-middle attack, the criminal usually takes the information the user enters and passes it on to the real website, which then sends the images to the fake website, which in turn displays them to the user. The security features are thus broken: the user then enters their ID and PIN authentication numbers, which the criminal can use to masquerade as the user.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
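
The relay described in the post, reduced to an in-memory model (an added example, not part of the original post or of Bank of America's service; the `Bank`, `Relay` and `user_session` names, the two-step interface and the sample account are constructed for illustration). It shows that the user's image check gives the same result whether or not an intermediary sits in the path.

```python
# Constructed in-memory model with no network code; all names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Bank:
    """Two-step login: the image is shown for a user ID, then the PIN is checked."""
    accounts: dict  # user_id -> (sitekey_image, pin)

    def sitekey_for(self, user_id):
        return self.accounts[user_id][0]

    def login(self, user_id, pin):
        return self.accounts[user_id][1] == pin


@dataclass
class Relay:
    """Intermediary that forwards every request to the real site unchanged."""
    upstream: Bank
    observed: list = field(default_factory=list)

    def sitekey_for(self, user_id):
        return self.upstream.sitekey_for(user_id)

    def login(self, user_id, pin):
        self.observed.append((user_id, pin))  # credentials are visible in transit
        return self.upstream.login(user_id, pin)


def user_session(site, user_id, expected_image, pin):
    """The user follows the bank's rule: enter the PIN only if the image matches."""
    shown = site.sitekey_for(user_id)
    if shown != expected_image:
        return {"image_ok": False, "logged_in": False}
    return {"image_ok": True, "logged_in": site.login(user_id, pin)}


def compare_paths():
    bank = Bank({"alice": ("red-bicycle.png", "4821")})  # constructed sample account
    relay = Relay(bank)
    direct = user_session(bank, "alice", "red-bicycle.png", "4821")
    relayed = user_session(relay, "alice", "red-bicycle.png", "4821")
    return direct, relayed, relay.observed


if __name__ == "__main__":
    for label, value in zip(("direct", "relayed", "seen in transit"), compare_paths()):
        print(label, value)
```

The image is a secret the site shows to the user, and anything the real site will show can be forwarded, so the check says nothing about which site the user is connected to.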
