[e-gold-list] RE: two factor cracked - VNUNet.com
Patrick J. Kobly
patrick at kobly.com
Wed Aug 2 12:31:53 MDT 2006
http://dgc.kobly.com/modules.php?name=News&file=article&sid=534
Gah. As soon as the press gets a hold of something, they twist it all to hell.
It looks like vnunet interviewed a researcher at MessageLabs on a short blurb in
their July intelligence report:
http://www.messagelabs.com/publishedcontent/publish/threat_watch_dotcom_en/intelligence_reports/july_2006/DA_155200.chp.html
"Phishing attacks too have become much smarter, with Google's Gmail becoming
one of the latest targets, but the banking industry will be more worried by
suggestions that two-factor authentication may be rendered useless. One
particularly sophisticated phishing site demonstrated this point when it was
uncovered that it could validate and make use of the one-time password
credentials live, in real-time, as the user entered their details into the
phishing site."
I'm guessing that e-gold got dragged into this discussion because of its AccSent
PINs. Presumably, some phisher has been convincing e-g users to provide their
AccSent PINs to the phishing site. It seems a far jump from this to
"two-factor is dead." It's easy to write this off as a PEBKAC problem, but
there are opportunities to improve here:
- Continue educating users on how to tell if they're really connected to
e-gold's site
- Decrease the number of instances that an AccSent PIN is issued / required, so
that this is not a part of the user's normal routine. Increase the user's
suspicion if he's presented with an AccSent PIN prompt. Maybe change the
Home&Work mode so that a) it's on by default and b) it can track more than 2 IP
addresses - when you successfully respond to an AccSent PIN challenge, the
system asks whether you want to add this IP to the list of permitted
(non-AccSent prompted) addresses, maybe even ask for a description of the IP
address - ("My home computer", "My business computer", "My PDA", "My in-laws
computer",...). While logged in, the site could show the textual description
previously provided, and if it doesn't match what you expect it to be, the
user's suspicion would be raised. Further, AccSent could ask on login, "You
don't appear to have logged on from the computer called 'My in-laws computer'
in a while, do you want me to remove it from the list of accepted addresses?"
PK
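The Home&Work changes sketched above (prompt for an AccSent-style PIN only from unknown addresses, let the user label a newly confirmed address, echo the label back on later logins, and report addresses that have not been used for a while) are easy to prototype. The following is an added example written for this archive page; it is not e-gold's code and nothing in it comes from the original message. The 60-day staleness threshold, the 8-digit PIN, the `begin_login` / `complete_challenge` / `remember_address` / `stale_addresses` names and the `Account` structure are all assumptions; PIN delivery is simulated by leaving the PIN on the account object where a real system would e-mail it.

```python
"""Trusted-address list in front of a one-time PIN challenge (constructed example)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=60)   # assumed threshold, not from the post
PIN_LENGTH = 8                     # assumed PIN size
T0 = datetime(2006, 8, 2, 12, 31)  # constructed reference time for the demo
DAY = timedelta(days=1)


@dataclass
class TrustedAddress:
    ip: str
    description: str          # user-supplied label, e.g. "My home computer"
    last_seen: datetime


@dataclass
class Account:
    trusted: dict[str, TrustedAddress] = field(default_factory=dict)
    pending_pin: str | None = None   # outstanding challenge, if any
    pending_ip: str | None = None    # address the challenge was issued for


def begin_login(account: Account, ip: str, now: datetime) -> dict:
    """Called after the password has been verified.

    A remembered address logs in without a PIN prompt and gets its label
    echoed back; any other address triggers a fresh one-time PIN bound to it.
    """
    entry = account.trusted.get(ip)
    if entry is not None:
        entry.last_seen = now
        return {"status": "ok", "description": entry.description}
    # In a real system the PIN is sent out of band; here it stays on the
    # account so the caller can simulate delivery.
    account.pending_pin = "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))
    account.pending_ip = ip
    return {"status": "challenge"}


def complete_challenge(account: Account, ip: str, pin: str) -> bool:
    """Verify the PIN for the address it was issued to.

    The PIN is single use: it is discarded after one attempt from the right
    address whether or not that attempt matched, so it cannot be guessed
    by repeated submission.
    """
    if account.pending_pin is None or ip != account.pending_ip:
        return False
    ok = secrets.compare_digest(pin, account.pending_pin)
    account.pending_pin = None
    account.pending_ip = None
    return ok


def remember_address(account: Account, ip: str, description: str, now: datetime) -> None:
    """Add (or relabel) an address after a successful challenge."""
    account.trusted[ip] = TrustedAddress(ip, description, now)


def stale_addresses(account: Account, now: datetime) -> list[str]:
    """Labels of remembered addresses not used within STALE_AFTER, for the
    'you don't appear to have logged on from X in a while' prompt."""
    return [e.description for e in account.trusted.values()
            if now - e.last_seen > STALE_AFTER]


def forget_address(account: Account, ip: str) -> None:
    account.trusted.pop(ip, None)


def demo() -> list[str]:
    """Walk through the flow once and return a log of what the user would see."""
    acct = Account()
    log = []
    r = begin_login(acct, "192.0.2.10", T0)
    log.append(r["status"])                                       # unknown address: challenge
    pin = acct.pending_pin                                        # simulated out-of-band delivery
    log.append(str(complete_challenge(acct, "192.0.2.10", pin)))  # correct PIN from same address
    remember_address(acct, "192.0.2.10", "My home computer", T0)
    r = begin_login(acct, "192.0.2.10", T0 + DAY)                 # next day: no prompt, label shown
    log.append(f"{r['status']}:{r['description']}")
    log.append(",".join(stale_addresses(acct, T0 + 100 * DAY)))   # months later: flagged as stale
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Binding the PIN to the address that triggered it and burning it after one attempt limits replay and guessing, but it does not by itself stop the live relay the MessageLabs report describes, since the relaying site is the one that triggers and answers the challenge; the gain the post is after is that a user on a labelled, remembered machine is never asked for a PIN, so a PIN prompt appearing in the normal routine becomes a warning sign in itself.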