> So much for typing. How about selecting password letters from dropdown
> boxes, or from an image map with scrambled letters that was sent to
> the browser.
Sorry, what about these? They have essentially the same
security properties as cleartext passwords.
One would hope that all communication from the browser to the server is
encrypted, as with SSL, regardless of whether passwords go in cleartext or whether
there is some JavaScript to encrypt them first. In that case, the big issue is
keylogging software that has been widely installed by malware distributed by
phishing organizations. Keystroke loggers do not look at mouse clicks.
> Second, it doesn't take that many phishing attacks to extract
> most of the secret word.
Depends on the length of said word/phrase. Also, I can see how naïve people are
fooled by the first email, but surely the percentage who would click on each
successive email decreases.
At the end of the day, phishing is a social problem, not a technical problem.
It can't be solved by purely technical means. All technical solutions to
phishing involve some form of behavior change.
You've mentioned man-in-the-middle attacks. Such attacks cannot be prevented if
the user interface requires cleartext inputs. Remember, this is not like
typical cryptographic MITM attacks where the MITM receives an encrypted stream
and is able to decrypt it, modify it, and re-encrypt it. In this case, the user
asks the MITM to provide a web page and associated JavaScript. While the look
of this page will be identical to the bank's page, the functionality does not
need to be identical. It can send everything in cleartext to the MITM, who then
emulates the human user.
To defeat MITM you need a secure channel, but how can you establish a secure
channel to a human being who has already defeated the bank's security system by
enlisting the phishing organization as their agent?
I would rather see the focus of effort go to building simple embedded computer
systems that one can plug into a USB port and rely on to establish an encrypted
channel to the bank. That way, the human user does not play any significant
role in establishing the channel of communication and cannot subvert the
process.
--Michael Dillon
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf