[Cryptography] Security weakness in iCloud keychain

Michael Nelson nelson_mikel at yahoo.com
Mon May 28 15:14:47 EDT 2018


On May 8, 2018, Jon Callas <jon at callas.org> wrote:
> TOTP is just a shared secret system. It has the advantage
> over a naive password that intercepting it and reusing it is
> blocked off, but that's not the threat. The adversaries are
> not breaking the TLS that carries a password, they're
> hijacking the database and going from there.

Jon, not sure what context you're speaking in here so apologies if I've misunderstood. But I disagree with that main point as I understand it. There are 3 main types of attack: keyloggers, phishing, and database theft. I guess what you were thinking is that database theft yields up orders of magnitude more credentials than the other methods, and that's true. However, as far as the criminals' being able to use the stolen credentials goes, that's not the end of the story.

I was very interested to read the big study article from 2017

"Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials", by Kurt Thomas et al.:

https://acmccs.github.io/papers/p1421-thomasAembCC.pdf

They say:
"As such, while credential leaks represent the largest source of passwords in our dataset (even taking into account match rates), phishing victims are the most likely to become hijacked."

There is a lot of interesting information in that article, and there are many nuances, such as how representative the data is. But it seemed to me very good info, as far as we can get it. In that paper, "credential leaks" means database theft, while "hijacked" means that the victim's stolen data is actually used by the miscreants. Even if the nuances shift things a bit, it is quite clear that a non-phishable credential such as OTP is a major improvement over passwords.

Mike


