[Cryptography] phishing attack again - $300m in losses?
Benjamin Kreuter
brk7bx at virginia.edu
Mon Feb 16 17:43:36 EST 2015
On Mon, 2015-02-16 at 21:03 +0000, ianG wrote:
> The browser, or whatever we call the agent that handles the URL, has to
> be able to defend itself. No ifs, no buts.
The browser is just one piece of the puzzle. Another piece is hardware
tokens and NMZK identification protocols, so that a malicious site
cannot forward login credentials (which is what phishing is really about
in most cases).
At this point it is a matter of economics. We know how to make
practical NMZK identification and there is nothing special about
hardware tokens. Judging by the increasing interest in 2FA I think we
are almost at the point where the damage done by phishing justifies the
cost of deploying hardware tokens (both buying all that hardware and
dealing with lost/stolen/damaged tokens).
The problem with having the browser "defend itself" is that we will need
to deal with legitimate sites becoming malicious. The entry-level
attack would be something like this:
http://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3
A more sophisticated attack would try forwarding credentials in real
time.
-- Ben
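As an added illustration of the point about forwarding credentials (example code written for this page, not from the post or the list): a simplified model in which a phishing site relays the real server's challenge to the victim's token in real time. The relayed login is accepted when the token answers only the nonce, and rejected when the browser binds the answer to the origin it is actually talking to, as FIDO-style tokens do. The shared-secret HMAC, the two origins and the token secret are constructed stand-ins for a real token's signature.

```python
import hashlib
import hmac
import os

# Constructed example values: a shared token secret and the two origins.
TOKEN_SECRET = b"constructed-token-secret"
REAL_ORIGIN = "https://bank.example"         # the legitimate service
PHISH_ORIGIN = "https://bank-login.example"  # the site the victim is actually on


def token_respond(secret: bytes, challenge: bytes, origin: str, bind_origin: bool) -> bytes:
    """Token answers a challenge. With bind_origin, the browser feeds the origin
    it is connected to into the signed message (channel binding); without it,
    only the server's nonce is signed and the answer is valid anywhere."""
    msg = origin.encode() + b"\x00" + challenge if bind_origin else challenge
    return hmac.new(secret, msg, hashlib.sha256).digest()


def server_verify(secret: bytes, challenge: bytes, response: bytes, bind_origin: bool) -> bool:
    """Server recomputes the expected answer using its own origin, never the client's claim."""
    expected = token_respond(secret, challenge, REAL_ORIGIN, bind_origin)
    return hmac.compare_digest(expected, response)


def relay_attack(bind_origin: bool) -> bool:
    """Phishing site obtains a fresh challenge from the real server, shows it to
    the victim, and forwards the token's answer. Returns True if the server accepts."""
    challenge = os.urandom(16)  # issued by the real server to the phisher's session
    # The victim's browser is on PHISH_ORIGIN, so that is the origin the token sees.
    relayed = token_respond(TOKEN_SECRET, challenge, PHISH_ORIGIN, bind_origin)
    return server_verify(TOKEN_SECRET, challenge, relayed, bind_origin)


def honest_login(bind_origin: bool) -> bool:
    """The same exchange with the user on the real site; must succeed either way."""
    challenge = os.urandom(16)
    resp = token_respond(TOKEN_SECRET, challenge, REAL_ORIGIN, bind_origin)
    return server_verify(TOKEN_SECRET, challenge, resp, bind_origin)


if __name__ == "__main__":
    print("nonce-only response, relayed login accepted:", relay_attack(False))  # True
    print("origin-bound response, relayed login accepted:", relay_attack(True))  # False
```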