Florian Weimer wrote:
I think you can forward the PassCode to AOL once the victim has entered it on a phishing site. Tokens ` la SecurID can only help if
Indeed.
the phishing schemes *require* delayed exploitation of obtained credentials, and I don't think we should make this assumption. Online MITM attacks are not prevented.
So, PassCode and similar forms of authentication help against the current crop of phishing attacks, but that is likely to change if PassCode gets used more widely and/or protects something of interest to phishers. Actually I have been waiting for phishing with MITM to appear for some time (I haven't any yet - if somebody has, I'd be interested to hear about), because it has some advantages for the attacker: * he doesn't have to bother to (partially) copy the target web site * easy to implement - plug an off-the-shelf mod_perl module for reverse proxy into your apache and add 10 minutes for configuration. You'll find the passwords in the log file. Add some simple filters to attack PassCode. * more stealthy, because users see exactly, what they are used to, e.g. for online banking they see account balance etc. To attack money transfers protected by PassCode, the attacker could substitute account and amount and manipulate the server response to show what was entered by user. Assuming that MITM phishing will begin to show up and agreeing that PassCode over SSL is not the solution - what can be done to counter those attacks? Mutual authentication + establishment of a secure channel should do the trick. SSL with client authentication comes to my mind...