
Re: Symptoms vs. Causes

2007-09-13 07:08:01
At Thu, 13 Sep 2007 12:21:48 +0100,
<michael(_dot_)dillon(_at_)bt(_dot_)com> wrote:

and IMHO, any solution that doesn't let the user type his password
into some Web form is a non-starter, both for reasons of backward
compatibility and because sites (quite legitimately) want to provide a
visually attractive interface to users which is consistent across all
platforms (for support reasons).

This may well be true. 

However, I'm not aware of any technique which both meets this 
constraint and is phishing resistant.

Bank issues a SecurID token (or SD chip with onetime pad) and requires a
six-digit PIN to be entered which cannot be reused. In order to get to
the bank in the first place, user must enter a URL that is printed on
their monthly statement. It changes every month and you may not use any
other URL.

Sorry, my fault for remembering to mention the constraint that
you also don't have to carry a token around. Obviously, if people
are prepared to carry tokens the problem is much easier. That
said, this scheme is actually not very secure because it's
susceptible to active MITM attacks on the connection to
the bank. The schemes I mentioned are substantially more
secure.


So much for typing. How about selecting password letters from dropdown
boxes, or from an image map with scrambled letters that was sent to the
browser. 

Sorry, what about these? They have essentially the same security
properties as cleartext passwords.


My bank requires my surname, a customer number that is not the account
number, a 5 digit pin code typed in, and a challenge response where the
challenge is two random letter positions from my secret word, and the
response is two letter selections from two dropdown boxes.

This is complicated, but actually not particularly phishing resistant--
something that is true of a lot of the mechanisms banks are currently
adopting. First, it's vulnerable to the MITM attack mentioned above.
Second, it doesn't take that many phishing attacks to extract most
of the secret word.

-Ekr
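Added illustration, not part of the thread, of the "doesn't take that many phishing attacks" point above: it quantifies how much of a secret word a captured-response attacker has seen after a given number of two-position challenges. Assumptions (not stated by either poster): each captured login reveals two distinct, uniformly random positions, as happens when the bank's own challenge is relayed; the word length of 8 is a constructed value.

```python
"""Coverage of a 'two random positions from the secret word' challenge
after k captured responses (added example; assumes random positions)."""
import math
import random


def expected_fraction_revealed(word_len: int, logins: int, per_login: int = 2) -> float:
    """Expected fraction of positions seen after `logins` captured responses.

    A given position is among the `per_login` asked with probability
    per_login/word_len, independently across logins (coupon-collector style).
    """
    return 1.0 - (1.0 - per_login / word_len) ** logins


def logins_to_reveal(word_len: int, fraction: float, per_login: int = 2) -> int:
    """Smallest number of captured logins whose expected coverage is >= fraction."""
    if not 0.0 <= fraction < 1.0:
        raise ValueError("fraction must be in [0, 1); full coverage is only reached in the limit")
    return math.ceil(math.log(1.0 - fraction) / math.log(1.0 - per_login / word_len))


def simulate(word_len: int, logins: int, per_login: int = 2,
             trials: int = 20_000, seed: int = 1) -> tuple[float, float]:
    """Monte Carlo check of the formula.

    Returns (mean fraction of positions revealed, fraction of trials in which
    a fresh random challenge could be answered from the captured letters alone).
    """
    rng = random.Random(seed)
    positions = range(word_len)
    revealed_total = 0
    answerable = 0
    for _ in range(trials):
        seen: set[int] = set()
        for _ in range(logins):
            seen.update(rng.sample(positions, per_login))   # positions shown in one login
        revealed_total += len(seen)
        if set(rng.sample(positions, per_login)) <= seen:  # next challenge fully known?
            answerable += 1
    return revealed_total / (trials * word_len), answerable / trials


if __name__ == "__main__":
    n = 8  # constructed word length
    for k in (1, 3, 5, 8):
        exact = expected_fraction_revealed(n, k)
        frac, nxt = simulate(n, k)
        print(f"{k} captured logins: {exact:.0%} of word expected "
              f"(sim {frac:.0%}); next challenge answerable in {nxt:.0%} of cases")
    print("captured logins for 90% expected coverage:", logins_to_reveal(n, 0.9))
```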

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf