Internet and e-mail policy and practice
including Notes on Internet E-mail


2009
Months
Aug

Click the comments link on any story to see comments or add your own.


Subscribe to this blog


RSS feed


Home :: Email


16 Aug 2009

Are phishing and malware separate threats? Email

Phishing is when bad guys try to impersonate a trusted organization, so they can steal your credentials. Typically they'll send you a fake e-mail that appears to be from a bank, with a link to a fake website that also looks like the bank. Malware offers another more insidious way to steal your credentials, by running unwanted code on your computer that watches the keystrokes you type, the mouse clicks you make, and the windows that appear on your screen, sends them back to bad guy HQ, and even adds or substitutes its own keystrokes and mouse clicks in a way that you can't easily detect.

I like Verisign's characterization of this kind of malware as an insecure endpoint, the PC which is the endpoint of the conversation with the bank isn't actually under the control of the person who's using it. There's no question that straight phishes and malware are different problems, but they attack the same customers toward the same ends, and a lot of popular security strategies like those keyfob tokens that generate a different random number every minute are equally ineffective against both. There's also some overlap in implementation, e.g. phishes that direct you to a website that downloads malware.

We can usefully distiguish between offline and online attacks. An offline attack steals credentials for use later, while an online attack sits between you and the bank and does bad stuff in a session after you set it up. Offline attacks are deterred by changing the credentials from one session to the next. The keyfob is one expensive way to do it, but there are others. Most of my non-US bank accounts have two passwords where the bank only asks me for three randomly chosen letters of the second password each time I log in. I gather some European banks send their customers a printed list of one-time passwords, and you use one and cross it out each time you log in.

None of these are effective against online attacks, since the bad guys have a proxy that asks you the real questions from the bank and passes back your real answers, setting up a real session The problem is that there's an insecure endpoint, either a malware infected PC on your desk, or the proxy which you think is the bank and the bank thinks is you.

The solution either way is to switch to a secure endpoint. That's why I have suggested a hardware USB confirmation dongle with a screen and YES/NO buttons, where you set up the transaction on the insecure PC but the dongle has an encrypted connection to the bank. so the display on its screen and your push of the YES or NO button are secure. Another possibility is a confirmation phone call to a phone which is physically separate from your PC, where it reads you the transaction, and you press 1 for yes or 2 for no. (Attention Users! Do not use a softphone on your PC for confirmations!)

It seems to me that although the details are different, the fundamental problems and solutions are very similar, so it makes sense to consider them together.


posted at: 22:49 :: permanent link to this entry :: 2 comments
posted at: 22:49 ::
permanent link to this entry :: 2 comments

comments...        (Jump to the end to add your own comment)


Some European banks confirm operations through a one-time code instantly sent to you by SMS to a previously validated mobile number.

(by Giovanni Bajo 17 Aug 2009 15:12)


SMS confirmation
So long as the SMS contains the details of the transaction you're confirming, that should be OK. The point is that the entire channel to the display and from the yes/no button is separate from your insecure PC.

(by John Levine 17 Aug 2009 22:02)


Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

 
Name:
Email: you@wherever (required, for confirmation)
Title: (optional)
Comments:
Show my Email address
Save my Name and Email for next time

Topics


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

CAUCE

10 days ago

A keen grasp of the obvious
My high security debit card
300 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse



© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.