Joerg Schneider wrote:
> So, PassCode and similar forms of authentication help against the current crop of phishing attacks, but that is likely to change if PassCode gets used more widely and/or protects something of interest to phishers.
> Actually I have been waiting for phishing with MITM to appear for some time (I haven't any yet ...
By this you mean a dynamic, immediate MITM where the attacker proxies through to the website in real time? Just as a point of terms clarification, I would say that if the attacker collects all the information by using a copy of the site, and then logs in later at leisure to the real site, that's an MITM. (If he were to use that information elsewhere, so for example creating a new credit arrangement at another bank, then that technically wouldn't be an MITM.) Perhaps we need a name for this: real time MITM versus delayed time MITM? Batch time MITM?
> Assuming that MITM phishing will begin to show up and agreeing that PassCode over SSL is not the solution - what can be done to counter those attacks?
The user+client has to authenticate the server. Everything that I've seen over the last two years seems to fall into that one bucket.
> Mutual authentication + establishment of a secure channel should do the trick. SSL with client authentication comes to my mind...
Maybe. But that only addresses the MITM, not the theft of user information.

-- 
News and views on what matters in finance+crypto: http://financialcryptography.com/
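To make the thread's distinction concrete, here is a toy model, added as an illustration and not code from either poster: a one-time passcode typed into a proxying look-alike site is forwarded intact by a real-time MITM, a "batch-time" replay of the same code fails once the code has rotated, and a response the client binds to the origin it actually connected to (the mutual-authentication idea) is rejected by the genuine site. The hostnames, the shared key, and the message shapes are constructed assumptions.

```python
# Toy model of real-time vs delayed MITM against a one-time passcode, and of an
# origin-bound response that a proxy cannot relay. Constructed illustration;
# hostnames, keys and message formats are assumptions, not any real product.
import hashlib
import hmac
import secrets

REAL_SITE = "bank.example"          # assumed hostname of the genuine site
PHISH_SITE = "bank-login.example"   # assumed hostname of the proxying look-alike


class Site:
    """Minimal server: issues one-time passcodes and origin-bound challenges."""

    def __init__(self, host):
        self.host = host
        self.keys = {}       # user -> secret shared out of band (e.g. a token seed)
        self.passcodes = {}  # user -> currently valid one-time passcode

    def register(self, user, key):
        self.keys[user] = key

    def issue_passcode(self, user):
        # Stands in for the code a hardware token or SMS would show the user.
        code = f"{secrets.randbelow(10**6):06d}"
        self.passcodes[user] = code
        return code

    def verify_passcode(self, user, code):
        # Replayable: anyone who sees the code while it is valid can log in.
        return hmac.compare_digest(self.passcodes.get(user, ""), code)

    def challenge(self):
        return secrets.token_hex(16)

    def verify_bound(self, user, challenge, response):
        # The server mixes its own hostname into the expected value, so a
        # response computed against any other origin does not match.
        expected = bound_response(self.keys[user], challenge, self.host)
        return hmac.compare_digest(expected, response)


def bound_response(key, challenge, observed_host):
    """Client side: the response covers the challenge AND the host the client
    actually verified it is talking to (the role TLS client auth / channel
    binding plays in the thread's 'mutual authentication' suggestion)."""
    msg = f"{challenge}|{observed_host}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def setup():
    site = Site(REAL_SITE)
    key = secrets.token_bytes(32)
    site.register("alice", key)
    return site, key


def realtime_relay_passcode():
    """Attacker proxies the login in real time and forwards the typed code."""
    site, _ = setup()
    code = site.issue_passcode("alice")      # user reads the code from her token
    typed_into_phish = code                  # ...and types it into PHISH_SITE
    return site.verify_passcode("alice", typed_into_phish)   # True: relay works


def delayed_relay_passcode():
    """'Batch-time' variant: attacker logs in later, after the code rotated."""
    site, _ = setup()
    captured = site.issue_passcode("alice")
    site.issue_passcode("alice")             # next code issued before the replay
    return site.verify_passcode("alice", captured)           # False: code expired


def realtime_relay_bound():
    """Same real-time proxy against the origin-bound scheme."""
    site, key = setup()
    ch = site.challenge()                    # proxy fetches the real challenge
    # The user's client connected to PHISH_SITE, so it binds the response to it.
    forwarded = bound_response(key, ch, PHISH_SITE)
    return site.verify_bound("alice", ch, forwarded)         # False: wrong origin


def honest_bound_login():
    """Direct login with no proxy in between."""
    site, key = setup()
    ch = site.challenge()
    return site.verify_bound("alice", ch, bound_response(key, ch, REAL_SITE))  # True


if __name__ == "__main__":
    print("real-time relay of passcode succeeds:", realtime_relay_passcode())
    print("delayed replay of passcode succeeds:  ", delayed_relay_passcode())
    print("real-time relay of bound response:    ", realtime_relay_bound())
    print("honest bound login:                   ", honest_bound_login())
```

The binding only helps because `observed_host` is the name the client itself verified, which is exactly why the thread puts the burden on the user+client authenticating the server. It also shows the last reply's caveat: the proxy in `realtime_relay_bound` still sees the username and everything else typed into the form; what it cannot do is reuse the response at the genuine site.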