From: "Tim" 
Newsgroups: uk.finance
Subject: Re: Phishing
Date: Tue, 23 Nov 2004 14:37:44 +0000 (UTC)

> > "Mike Scott" wrote
> >>How about: customer (C) goes to phishing site (X).  X connects
> >>to real bank site (B) and gets challenge and passes to C.  C
> >>provides correct response to X. X uses this to authenticate itself
> >>to B.  It can now, presumably, carry out both C's legitimate
> >>business with B, as well as its own, essentially *at the same time*.
> >
> Tim wrote:
> > Of course, there *is* a way around this problem :-
> >
> > *Each* separate transaction could have a "challenge/response"
> > code.  So, the first CR simply gets the user into the system.  If
> > (s)he wants to move money (say), then another CR code is required,
> > which depends on the particular transaction to be authorised.
> >
> > "Real" customer wants to move £50 to ABC -
> > CR code entered & bank allows the transaction.
> > "Phisher-in-the-middle" tries to move £10,000 to XYZ - but cannot, as (s)he
> > doesn't know the correct response to the challenge for *that* transaction.
>
"Mike Scott" wrote
> Rather tedious for the user!

Agreed, but what price greater security?

"Mike Scott" wrote
> It still wouldn't stop a single attack replacing
> the user's transaction (X hijacks C's response
> and does its own one-off thing with B), ...

It'll stop it because the response won't be valid for any other transaction
(different amount or destination).

"Mike Scott" wrote
> ... unless, I suppose, the challenge incorporated
> information about the proposed transaction:

As I said in my previous post - "another CR code is required, which depends
on the particular transaction to be authorised".

"Mike Scott" wrote
> then all X could do would be to mimic the desired
> transaction, which wouldn't matter too much.

Exactly!
[Altho' the system would be set up so that a second transaction, *exactly*
the same as the first, would need different CR codes anyway - then the
phisher couldn't even put through multiple versions of the same
transaction.]

> Tim wrote:
> > Of course, the *real* customer doesn't want to make that transaction,
> > so (s)he isn't going to tell the phisher the required CR code to enable it!
>
"Mike Scott" wrote
> Given what I read on the upc.ebay group, your
> closing comment may be overly optimistic :-)

Eh?!  [Perhaps a synopsis of what you read may be interesting?]

If the phisher (pretending to be the bank), asked the "real" customer what
the response code was for a transfer of "£10,000 to 'Mr. Phisher' " - and
the customer stupidly gave the correct response to the "bank" (ie the
phisher) without wondering why (s)he was being asked, then perhaps the
customer shouldn't be using the Internet at all?!!   :-(
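An added illustration, not part of the thread, of the transaction-bound challenge/response the two posters converge on: the bank's expected code covers the challenge *and* the transaction it issued that challenge for, so a code the customer computed for "£50 to ABC" cannot authorise "£10,000 to XYZ", and a consumed challenge cannot be replayed. The shared key, the HMAC-SHA256 construction truncated to a 6-digit code, and the names are my assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    amount_pence: int  # £50.00 is 5000
    payee: str

def response_code(key: bytes, challenge: bytes, tx: Transaction) -> str:
    """Token side: 6-digit code bound to the challenge AND the transaction the customer intends."""
    msg = challenge + tx.amount_pence.to_bytes(8, "big") + tx.payee.encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class Bank:
    """Bank side: one fresh, single-use challenge per requested transaction (assumed design)."""
    def __init__(self, customer_key: bytes) -> None:
        self._key = customer_key
        self._pending: dict[bytes, Transaction] = {}

    def challenge(self, requested: Transaction) -> bytes:
        chal = secrets.token_bytes(8)    # fresh each time, so an identical repeat needs a new code
        self._pending[chal] = requested  # remember which transaction this challenge covers
        return chal

    def authorise(self, chal: bytes, code: str) -> bool:
        requested = self._pending.pop(chal, None)  # consume it: a code is valid exactly once
        if requested is None:
            return False
        # Expected code covers the transaction the bank was actually asked to make,
        # not whatever a man-in-the-middle showed the customer.
        return hmac.compare_digest(response_code(self._key, chal, requested), code)

def run_scenarios(key: bytes = b"constructed-demo-key") -> dict[str, bool]:
    bank = Bank(key)
    genuine, phishers = Transaction(5000, "ABC"), Transaction(1_000_000, "XYZ")
    # 1. Honest customer: challenge for £50 to ABC, token answers for £50 to ABC.
    c1 = bank.challenge(genuine)
    honest = bank.authorise(c1, response_code(key, c1, genuine))
    # 2. Phisher asks the bank for £10,000 to XYZ and relays the challenge; the
    #    customer's token still answers for the £50 to ABC (s)he intended.
    c2 = bank.challenge(phishers)
    hijacked = bank.authorise(c2, response_code(key, c2, genuine))
    # 3. Phisher replays the customer's genuine code against the already-consumed challenge.
    replayed = bank.authorise(c1, response_code(key, c1, genuine))
    return {"honest": honest, "hijacked": hijacked, "replayed": replayed}
```

The one thing the phisher can still do is forward the genuine code for the genuine transaction, which is Mike's "mimic the desired transaction" case and does the customer no harm.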