Shostack + Friends Blog Archive


Ka-Ping Yee on Phishing

In “How to Manage Passwords and Prevent Phishing,” Ping writes:

So, right up front, here is the key property of this proposal: using it is more convenient than not using it.

This property makes this proposal unique (as far as I am aware). All the other proposals I have seen require the user, on each login, to do more work than they previously had to do. And that, in my mind, instantly dooms a solution to failure, or at the very least creates a stiff barrier to its adoption.

The full Passpet proposal is really good, as you’d expect. It entails extending the browser to let the user assign nicknames to sites, keying those names to domains, and storing passwords strongly.

I think there are a few issues to be considered.

  • How does the user decide if they’re at the right site to start with? Passpet works for the user if they’re setting up new accounts, but if they’re transferring existing accounts into Passpet, they’re vulnerable to phishing at the moment of transfer. (That is, if I have a password for Citibank and I enter it into a fake site, the fake site now knows my Citibank password.)
  • The user needs to install software.
  • The bank doesn’t have any indication of the user’s password safety. This is easily corrected if the browser sets an ‘X-Passpet-Version:’ header (a client-asserted header, so it tells the bank what the browser claims about itself rather than anything the bank can verify).

In comparison to my “Preserving the Internet Channel Against Phishers” proposal, Passpet requires that the user install software, but it allows the bank to continue sending HTML email and using dodgy hostname constructions. It also has the possibility of communicating additional detail about user security to the bank.

Sending HTML email is seen as very worthwhile by banks’ marketing departments. The security risk of a user setting up an account in the wrong place is a risk that banks will be happy to encourage you to take. The big question will be the install cost of Passpet versus that of the other “strong authentication” systems being put forth to satisfy new Federal regulations.

7 comments on "Ka-Ping Yee on Phishing"

  • Anonymous says:

    You say “It entails extending the browser to use nicknames”. I think you meant petnames. See http://www.schneier.com/blog/archives/2006/02/petnames.html

  • Adam says:

    Thanks, but I meant nicknames until someone explains to me why the user should have to understand the difference.

  • Ping says:

    Thanks for the kind compliment.
    Let’s see what I can do about addressing the issues you mentioned:
    1. The user could be spoofed in the setup process. Well, yes. I think this is out of scope, though — I mean, you can’t expect any scheme to help you before you’ve actually started using it. In the setup process, the user is exactly as vulnerable as they are during any other login; Passpet gives them the opportunity to step into a safer usage pattern.
    2. The user needs to install software. Yup. I concede that one. I don’t see any good way around this, because any password security tool has got to have a trustworthy piece of UI to interact with — it’s got to stand closer to you than any webpage can. At least, with Firefox, it’s pretty easy to install an extension.
    3. The bank doesn’t get an indicator of password safety. This is an interesting point that I hadn’t even considered. How do you think it would affect banks if this indicator were or weren’t present?

  • Adam says:

    With regards to (1), my “type a URL and create a bookmark” approach is far harder to spoof. Perhaps Passpet could do something clever with knowing the difference between a typed URL and a clicked one, or use careful directions to bring them to the right site.
    (3) becomes interesting mainly because of the FFIEC rules. If the bank knows something about how you’re managing your passwords, that may interact with those rules.

  • Adam says:

    Hmm, I don’t know if I actually mean that “far” in “far harder.”

  • Ping says:

    I agree that typing in a URL is harder to spoof. But it’s only harder to spoof once you’ve started doing it. That is, in either case, some user behaviour has to change in order to yield the improvement in security.

  • Zooko says:

    Adam:
    The important distinction between passpet’s “user assigned labels” and other things which might be called “nicknames” is that the attacker has no influence on the value of the label.
    Some on-line poker sites offer a feature of “sticky notes” which you can attach to a player and write notes into. If you encounter that player again in a future session, that sticky note and your original notes will reappear, attached to that player. It is important that the player to whom it is attached has zero influence on what information is entered into the sticky note. (Except, of course, inasmuch as he can influence what you choose to write.)
    The same principle applies to passpet’s “user assigned labels”. If the attacker gets to suggest something, such as by transmitting a “suggested nickname” which says that he is called “my b4nk”, then much of the value is lost.
    This is traditionally the distinction between “pet names” and “nicknames” [1, 2], but I’ve recently learned that people respond more favorably to the concept when it is presented in terms of “sticky notes” than in terms of “petnames”.
    [1] http://www.skyhunter.com/marcs/petnames/IntroPetNames.html
    [2] http://www.erights.org/elib/capability/pnml.html

Comments are closed.