[Cryptography] Passwords are dying - get over it
ianG
iang at iang.org
Tue Dec 24 04:43:08 EST 2013
Hi Joe,
(thanks for the reminder, I needed to post on the blog about MITB dual
channel defences being broken.)
On 23/12/13 18:48 PM, Joe St Sauver wrote:
> Kent commented:
> #and then, because they are so important they can force you to carry a
> #Bsafe fob, or something like that. Actually, they probably won't go
> #for a fob...
>
> In Google's case, it's pretty clear that they're putting their
> bet on smart phones as their 2nd factor/2nd channel of choice.
> (See http://www.google.com/landing/2step/ )
Oops! sorry 'bout dat! Overtaken again:
"Zeus and other MITB trojans have used social engineering to
bypass this process. When a user on an infected PC authenticates to a
banking site using SMS authentication, the user is greeted by a
webinject, similar to Figure 1. The webinject requires the installation
of new software on the user’s mobile device; this software is in fact
malware.
ZitMo malware intercepts SMS TANs from the bank. Once greeted by
the webinject on a Zeus-infected PC, the user enrolls by entering a
phone number. A “security update” link is sent to the phone, and ZitMo
installs when the link is clicked. Any bank SMS messages are redirected
to a cyber criminal’s phone (all other SMS messages will be delivered as
normal)."
My commentary:
http://financialcryptography.com/mt/archives/001464.html
New Report:
https://www.nsslabs.com/reports/view-precipice-mobile-financial-malware
Original 2006 MITB paper from Philipp Gühring:
http://financialcryptography.com/mt/archives/000758.html
> I've got a page that lists a variety of phone-based two factor
> authentication options at http://pages.uoregon.edu/joe/phone-2fa.html
> (if I've inadvertently overlooked anyone, please let me know and
> I'd be glad to add them to that page)
Nice page. Perhaps that could be expanded to include precursors and
attacks :)
iang