Security through kittens, was Solving password problems

James A. Donald jamesd at echeque.com
Wed Feb 25 17:13:25 EST 2009


John Levine <johnl at iecc.com> writes:
 >> Clever though this scheme [kittens] is, man-in-the
 >> middle attacks make it no better than a plain SSL
 >> login screen.

Peter Gutmann wrote:
 > You don't even need a MITM, just replace the site
 > image on your phishing site with either a broken-
 > image picture or a message that your award-winning
 > site-image software is being upgraded and will be back
 > soon and it's rendered totally ineffective.

Assume we have this great process, perhaps
password-authenticated key agreement, perhaps kitten
based, that guarantees we are phish proof if the user
actually uses it.

How do we make the workflow and user interface so that
if the user is asked to bypass our great process, he
hears alarm bells?

When it comes to workflows, the WoW interface seems to
work quite well.

WoW accounts control WoW gold, typically $50 to $100
worth, so WoW accounts are a popular phish target:

	An investigation of your World of Warcraft
	account has found strong evidence that the
	account in question is being sold or traded. As
	you may not be aware of, this conflicts with
	Blizzard's EULA under section 4 Paragraph B
	which can be found here:
		WoW -> Legal -> End User License
		Agreement

	and Section 8 of the Terms of Use found here:
		WoW -> Legal -> Terms of Use
	The investigation will be continued by Blizzard
	administration to determine the action to be
	taken against your account. If your account is
	found violating the EULA and Terms of Use, your
	account can, and will be suspended/closed/or
	terminated.

	In order to keep this from occurring, you should
	immediately verify that you are the original
	owner of the account.

	To verify your identity please visit the
	following webpage:
<https://www.worldofwarcraft.com/login/login?service=https%3A%2F%2Fwww...>
	Only Account Administration will be able to
	assist with account retrieval issues. Thank you
	for your time and attention to this matter, and
	your continued interest in World of Warcraft.

This phish used a flaw in the official WoW website to
redirect an https login with WoW to an https login with
the scammer site.

The interesting thing is that it and similar phishes do
not seem to have been all that successful - few people
seemed to notice at all, the general reaction being to
simply hit the spam key reflexively, much as people
click away popup warnings reflexively, and are
unaware that there ever was a popup.

Most accounts are lost through keyloggers - rather than
phishing, the attacker has to take over the end user's
computer completely.

Why the attack resistance?  I conjecture that:

1.  The user normally enters his password in an environment
      that looks nothing like a web page, so being asked
      to do so in a web page automatically makes him
      suspicious - it is a deviation from normal workflow.

2.  Blizzard never communicates by email, so receiving
      email from Blizzard automatically makes the user
      suspicious.
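
The redirect flaw in the phish above is the kind of thing a login
endpoint can check for itself. The following is an added example
written for this archive page, not code from the post or from
Blizzard's site; it assumes the flaw was an unvalidated redirect
target passed in the `service` query parameter (the page's URL shows
such a parameter but does not say how the redirect was abused), and
the allowlist of return hosts and the sample URLs are constructed for
the example, using the reserved `.invalid` TLD for the bad ones.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: the only hosts the login endpoint may redirect
# a fresh session back to. A real deployment would load this from config.
ALLOWED_RETURN_HOSTS = {"www.worldofwarcraft.com", "worldofwarcraft.com"}


def validate_return_target(login_url, allowed_hosts=ALLOWED_RETURN_HOSTS,
                           param="service"):
    """Return (ok, reason) for the redirect target carried in `param`.

    ok is True only when the target is an absolute https URL whose host
    is an exact member of the allowlist. Everything else is rejected, so
    a login on the real site can never hand the session to a look-alike.
    """
    query = parse_qs(urlsplit(login_url).query)   # parse_qs percent-decodes
    targets = query.get(param)
    if not targets:
        return False, "no redirect target"
    if len(targets) > 1:
        return False, "multiple redirect targets"
    target = urlsplit(targets[0])
    if target.scheme != "https":
        # Catches http://, javascript:, and scheme-relative //host/ forms.
        return False, "scheme %r is not https" % target.scheme
    if target.username is not None or target.password is not None:
        # https://www.worldofwarcraft.com@phish.invalid/ parses with the
        # real name as userinfo and the attacker as host; reject outright.
        return False, "userinfo in target"
    try:
        if target.port not in (None, 443):
            return False, "non-standard port"
    except ValueError:
        return False, "malformed port"
    host = target.hostname or ""
    if host not in allowed_hosts:
        # Exact match, so www.worldofwarcraft.com.phish.invalid fails too.
        return False, "host %r not in allowlist" % host
    return True, "ok"


# Constructed sample login URLs in the shape of the one quoted in the
# phish; the first is what a legitimate return-to parameter looks like.
SAMPLE_LOGIN_URLS = [
    "https://www.worldofwarcraft.com/login/login?service=https%3A%2F%2Fwww.worldofwarcraft.com%2Faccount%2F",
    "https://www.worldofwarcraft.com/login/login?service=https%3A%2F%2Fwww.worldofwarcraft.com.phish.invalid%2Flogin",
    "https://www.worldofwarcraft.com/login/login?service=http%3A%2F%2Fwww.worldofwarcraft.com%2F",
    "https://www.worldofwarcraft.com/login/login?service=https%3A%2F%2Fwww.worldofwarcraft.com%40phish.invalid%2F",
    "https://www.worldofwarcraft.com/login/login?service=%2F%2Fphish.invalid%2F",
    "https://www.worldofwarcraft.com/login/login",
]


def check_samples(urls=SAMPLE_LOGIN_URLS):
    """Map each sample URL to its (ok, reason) verdict."""
    return {url: validate_return_target(url) for url in urls}


if __name__ == "__main__":
    for url, (ok, reason) in check_samples().items():
        print("ACCEPT" if ok else "REJECT", reason, "<-", url)
```

Only the first sample is accepted; the look-alike subdomain, the
plain-http target, the userinfo trick and the scheme-relative target
are each rejected for a stated reason, which is also what you would
want logged when the endpoint starts seeing them at volume.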



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com