[fc-discuss] Financial Cryptography Update: The Perfect Phish - all conditions are now in place

iang@iang.org iang@iang.org
Fri, 14 Oct 2005 20:37:01 +0100 (BST)

News of active MITM attacks has reached us, with Yahoo being the one
attacked.  This involves the phisher driving the traffic from his fake
site back to Yahoo _in real time_.  Previously, phishers just collected
the data and used it later; now they get access directly, which gives
them immediate possibilities in the event that they trip any alarm
bells that would later close off access.


Bad news for Lloyds TSB, who are experimenting with what look like
SecurID tokens.  These tokens do a crypto maths problem that is
synchronised with a matching server program back at the website.  It is
based on time, and the numbers change as the minutes roll by.


It's a nice token to prove (to some definition of the word) that the
party you are talking to is who you want to be talking to.  The problem
is, as discussed and predicted not just here but in security groups
elsewhere, this only works if the phisher delays acting.  It
specifically and famously doesn't work against the above MITM attack,
as it can't tell if anyone else is sitting in between you and the other
party!  Sorry about that, but you do insist on buying these things from
big companies and not doing the proper due diligence.
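An added illustration of the point above (example code, not part of the original post or any vendor's implementation): a TOTP-style time-synchronised code check is assumed as the token mechanism, since the post does not describe the real token's algorithm. The server check accepts any code for the current minute, so a code harvested and used an hour later fails, a code used twice is rejected, but a code relayed within seconds passes, because nothing in the check identifies who is presenting it.

```python
import hashlib
import hmac
import struct

STEP = 60      # code rolls over each minute, as the post describes (assumed)
WINDOW = 1     # server tolerates +/- one step of clock drift (assumed)
SEED = b"constructed-shared-secret"  # constructed sample; real seeds are per-token


def code_at(seed: bytes, t: int, step: int = STEP) -> str:
    """Time-synchronised 8-digit code: HMAC over the time counter (TOTP-style)."""
    counter = struct.pack(">Q", t // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 100_000_000:08d}"


def server_accepts(seed: bytes, code: str, now: int, used: set) -> bool:
    """Server-side check: a code for the current step (+/- WINDOW) is valid once.
    The check depends only on the clock; it cannot tell who typed the code."""
    for k in range(-WINDOW, WINDOW + 1):
        step_index = (now + k * STEP) // STEP
        if hmac.compare_digest(code_at(seed, now + k * STEP), code):
            if step_index in used:
                return False        # same code presented twice: replay rejected
            used.add(step_index)
            return True
    return False


def delayed_use(seed: bytes = SEED, harvested_at: int = 1_000_000) -> bool:
    """Collect-now, use-later model: an hour on, the clock has moved past the code."""
    return server_accepts(seed, code_at(seed, harvested_at), harvested_at + 3600, set())


def replay_within_window(seed: bytes = SEED, t: int = 1_000_000) -> tuple:
    """Same code presented twice inside its window: first passes, second is rejected."""
    used: set = set()
    code = code_at(seed, t)
    return server_accepts(seed, code, t, used), server_accepts(seed, code, t + 5, used)


def real_time_relay(seed: bytes = SEED, t: int = 1_000_000) -> bool:
    """Real-time MITM model: the code is forwarded within seconds and passes unchanged."""
    return server_accepts(seed, code_at(seed, t), t + 5, set())
```

The replay check closes the old collect-and-use-later model, but the relay case is indistinguishable from the legitimate user, which is exactly the gap the post describes.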


How significant is all this?  Well, quite important:  it's the last
link.  _Every piece is now in place for the perfect phish._  The
phishers recently tried out SSL attacks in anger so they have all that
cert and SSL code in place, they are now doing MITMs so they have the
real-time backend work in place (this is just multi-tiered or
webservice work, recall) and we've had easy-to-obtain popup-tax certs
for about 2-3 years now (even works with a stolen credit card...).

When the perfect phish takes place is difficult to predict, but I'll
stick my neck out and say by the end of the year.  Users will be
looking at a perfectly good website, with SSL and the little padlock,
and talking to their banks.  The only thing that will be wrong will be
the URL, but it will be camouflaged somehow.  Is this realistic?  Very.
For the last year or more we've been in a holding pattern as phishers
have migrated their model from area to area looking for new schools of
fresh phish.
