AOL Help : About AOL® PassCode

[Joerg Schneider]

Florian Weimer wrote:
> I think you can forward the PassCode to AOL once the victim has
> entered it on a phishing site.  Tokens ` la SecurID can only help if

Indeed.

> the phishing schemes *require* delayed exploitation of obtained
> credentials, and I don't think we should make this assumption.  Online
> MITM attacks are not prevented.

So, PassCode and similar forms of authentication help against the
current crop of phishing attacks, but that is likely to change if
PassCode gets used more widely and/or protects something of interest to
phishers.

Actually I have been waiting for phishing with MITM to appear for some
time (I haven't any yet - if somebody has, I'd be interested to hear
about), because it has some advantages for the attacker:

* he doesn't have to bother to (partially) copy the target web site

* easy to implement - plug an off-the-shelf mod_perl module for reverse
proxy into your apache and add 10 minutes for configuration. You'll find
the passwords in the log file. Add some simple filters to attack PassCode.

* more stealthy, because users see exactly, what they are used to, e.g.
for online banking they see account balance etc. To attack money
transfers protected by PassCode, the attacker could substitute account
and amount and manipulate the server response to show what was entered
by user.


Assuming that MITM phishing will begin to show up and agreeing that
PassCode over SSL is not the solution - what can be done to counter
those attacks?

Mutual authentication + establishment of a secure channel should do the
trick. SSL with client authentication comes to my mind...