[Cryptography] phishing attack again - $300m in losses?

Benjamin Kreuter brk7bx at virginia.edu
Mon Feb 16 17:43:36 EST 2015


On Mon, 2015-02-16 at 21:03 +0000, ianG wrote:
> The browser, or whatever we call the agent that handles the URL, has to 
> be able to defend itself.  No ifs, no buts.

The browser is just one piece of the puzzle.  Another piece is hardware
tokens and NMZK identification protocols, so that a malicious site
cannot forward login credentials (which is what phishing is really about
in most cases).

At this point it is a matter of economics.  We know how to make
practical NMZK identification and there is nothing special about
hardware tokens.  Judging by the increasing interest in 2FA I think we
are almost at the point where the damage done by phishing justifies the
cost of deploying hardware tokens (both buying all that hardware and
dealing with lost/stolen/damaged tokens).

The problem with having the browser "defend itself" is that we will need
to deal with legitimate sites becoming malicious.  The entry-level
attack would be something like this:

http://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3

A more sophisticated attack would try forwarding credentials in real
time.

-- Ben
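The exchange Ben describes, as an added Python model that is not part of the original message or anything on the list: a hardware token that answers a challenge with a response bound to the origin the browser is actually talking to, standing in for the NMZK identification protocols he mentions (the scheme here is plain HMAC challenge-response, chosen only because it is stdlib and easy to read; it is an assumption, not the protocol anyone on the thread has in mind). The origins `bank.example` and `bank-login.example` and the user name are constructed. A static password passed through a look-alike page verifies at the real server, while a token response computed for the look-alike's origin does not, even when the relay is done in real time with a fresh challenge.

```python
import hashlib
import hmac
import secrets

# Constructed origins for the model (not real sites).
REAL_ORIGIN = "https://bank.example"
LOOKALIKE_ORIGIN = "https://bank-login.example"


class HardwareToken:
    """Model of a hardware token: one master secret that never leaves the
    device, with a per-origin key derived from it (hypothetical scheme)."""

    def __init__(self):
        self._master = secrets.token_bytes(32)

    def _origin_key(self, origin: str) -> bytes:
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # At enrollment the derived key is handed to that origin's server.
        return self._origin_key(origin)

    def respond(self, origin: str, challenge: bytes) -> bytes:
        # The browser tells the token which origin it is really talking to;
        # the response is bound to that origin and to this one challenge.
        return hmac.new(self._origin_key(origin),
                        origin.encode() + b"|" + challenge,
                        hashlib.sha256).digest()


class Server:
    """Relying party that only accepts responses bound to its own origin."""

    def __init__(self, origin: str):
        self.origin = origin
        self._keys = {}       # user -> enrolled key
        self._pending = {}    # user -> outstanding challenge

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)
        self._pending[user] = c
        return c

    def verify(self, user: str, response: bytes) -> bool:
        # Each challenge is single-use, so a captured response cannot be replayed.
        c = self._pending.pop(user, None)
        if c is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user],
                            self.origin.encode() + b"|" + c,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def honest_login(token: HardwareToken, server: Server, user: str) -> bool:
    """Browser is really at the server's origin, so the token binds to it."""
    c = server.challenge(user)
    return server.verify(user, token.respond(server.origin, c))


def relayed_password_login(password_db: dict, user: str, typed: str) -> bool:
    """A static secret typed into a look-alike page is forwarded unchanged;
    the real server has no way to tell who typed it or where."""
    forwarded = typed
    return password_db.get(user) == forwarded


def relayed_token_login(token: HardwareToken, server: Server,
                        user: str, seen_origin: str) -> bool:
    """Real-time relay: a fresh challenge from the real server reaches the
    victim's browser, but the browser only knows the origin it sees, so the
    token's answer is bound to that origin and the real server rejects it."""
    c = server.challenge(user)
    response = token.respond(seen_origin, c)
    return server.verify(user, response)


if __name__ == "__main__":
    tok = HardwareToken()
    bank = Server(REAL_ORIGIN)
    bank.enroll("alice", tok.register(REAL_ORIGIN))
    print("honest login:", honest_login(tok, bank, "alice"))
    print("password relayed via look-alike:",
          relayed_password_login({"alice": "hunter2"}, "alice", "hunter2"))
    print("token response relayed via look-alike:",
          relayed_token_login(tok, bank, "alice", LOOKALIKE_ORIGIN))
```

The property the model isolates is that the browser, not the user, supplies the origin string to the token, so the user cannot be tricked into authorising the wrong site; what a real deployment adds on top (attestation, counters, public-key rather than shared-key credentials) does not change that part of the argument.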
