Security through kittens, was Solving password problems
James A. Donald
jamesd at echeque.com
Wed Feb 25 17:13:25 EST 2009
John Levine <johnl at iecc.com> writes:
>> Clever though this scheme [kittens] is, man-in-the
>> middle attacks make it no better than a plain SSL
>> login screen.
Peter Gutmann wrote:
> You don't even need a MITM, just replace the site
> image on your phishing site with either a broken-
> image picture or a message that your award-winning
> site-image software is being upgraded and will be back
> soon and it's rendered totally ineffective.
Assume we have this great process, perhaps
password-authenticated key agreement, perhaps kitten
based, that guarantees we are phish proof it the user
actually uses it.
How do we make the workflow and user interface so that
if the user is asked to bypass our great process, he
hears alarm bells?
When it comes to workflows, the WoW interface seems to
work quite well
WoW accounts control WoW gold, typically $50 to $100
worth, so WoW accounts are a popular phish target:
An investigation of your World of Warcraft
account has found strong evidence that the
account in question is being sold or traded. As
you may not be aware of, this conflicts with
Blizzard's EULA under section 4 Paragraph B
which can be found here:
WoW -> Legal -> End User License
Agreement
and Section 8 of the Terms of Use found here:
WoW -> Legal -> Terms of Use
The investigation will be continued by Blizzard
administration to determine the action to be
taken against your account. If your account is
found violating the EULA and Terms of Use, your
account can, and will be suspended/closed/or
terminated.
In order to keep this from occurring, you should
immediately verify that you are the original
owner of the account.
To verify your identity please visit the
following webpage:
<https://www.worldofwarcraft.com/login/login?service=https%3A%2F%2Fwww...>
Only Account Administration will be able to
assist with account retrieval issues. Thank you
for your time and attention to this matter, and
your continued interest in World of Warcraft.
This phish used a flaw in the official WoW website to
redirect an https login with WoW to an https login with
the scammer site.
The interesting thing is that it and similar phishes do
not seem to have been all that successful - few people
seemed to notice at all, the general reaction being to
simply hit the spam key reflexively, much as people
click away popup warnings reflexively, and are
unaware that there ever was a popup.
Most accounts are lost through keyloggers - rather
phishing, the attacker has to take over the end user's
computer completely.
Why the attack resistance? I conjecture that:
1. User normally enters his password in an environment
that looks nothing like a web page, so being asked
to do so in a web page automatically makes him
suspicious - it is a deviation from normal workflow
2. Blizzard never communicates by email, so receiving
email from blizzard automatically makes the user
suspicious.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list