[148658] in cryptography@c2.net mail archive
Re: [Cryptography] Passwords are dying - get over it
daemon@ATHENA.MIT.EDU (ianG)
Tue Dec 24 13:07:10 2013
Date: Tue, 24 Dec 2013 12:43:08 +0300
From: ianG <iang@iang.org>
To: cryptography@metzdowd.com
In-Reply-To: <13122307483531_1189A@oregon.uoregon.edu>
Cc: Joe St Sauver <joe@oregon.uoregon.edu>, kentborg@borg.org
Hi Joe,
(thanks for the reminder, I needed to post on the blog about MITB dual channel defences being broken.)
On 23/12/13 18:48 PM, Joe St Sauver wrote:
> Kent commented:
> #and then, because they are so important they can force you to carry a
> #Bsafe fob, or something like that. Actually, they probably won't go
> #for a fob...
>
> In Google's case, it's pretty clear that they're putting their
> bet on smart phones as their 2nd factor/2nd channel of choice.
> (See http://www.google.com/landing/2step/ )
Oops! sorry 'bout dat! Overtaken again:
"Zeus and other MITB trojans have used social engineering to bypass this process. When a user on an infected PC authenticates to a banking site using SMS authentication, the user is greeted by a webinject, similar to Figure 1. The webinject requires the installation of new software on the user's mobile device; this software is in fact malware.

ZitMo malware intercepts SMS TANs from the bank. Once greeted by the webinject on a Zeus-infected PC, the user enrolls by entering a phone number. A "security update" link is sent to the phone, and ZitMo installs when the link is clicked. Any bank SMS messages are redirected to a cyber criminal's phone (all other SMS messages will be delivered as normal)."
My commentary:
http://financialcryptography.com/mt/archives/001464.html
New Report:
https://www.nsslabs.com/reports/view-precipice-mobile-financial-malware
Original 2006 MITB paper from Philipp Gühring:
http://financialcryptography.com/mt/archives/000758.html
> I've got a page that lists a variety of phone-based two factor
> authentication options at http://pages.uoregon.edu/joe/phone-2fa.html
> (if I've inadvertently overlooked anyone, please let me know and
> I'd be glad to add them to that page)
Nice page. Perhaps that could be expanded to include precursors and attacks :)
iang
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
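The ZitMo flow quoted above, as an added toy model (not code from the post, from NSS Labs, or from any bank). It plays out three runs of an SMS-TAN confirmation against a man-in-the-browser that has already swapped the transfer for a mule payment: an honest phone with transaction details in the SMS, an honest phone with a bare TAN, and a ZitMo-infected phone that redirects the bank's SMS to the attacker. The bank, the HMAC-derived TAN, the account names and the amounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets


class Bank:
    """Bank side of an SMS-TAN scheme (assumed design, not any real bank's).
    The TAN is an HMAC over the transaction fields, so a TAN issued for one
    transfer cannot be replayed to confirm a different one."""

    def __init__(self, details_in_sms=True):
        self.key = secrets.token_bytes(32)      # server-side TAN secret
        self.details_in_sms = details_in_sms    # does the SMS spell out dest/amount?
        self.pending = {}                       # txid -> (dest, amount, tan)
        self.executed = []                      # transfers that went through

    def _tan(self, txid, dest, amount):
        msg = f"{txid}|{dest}|{amount}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:6]

    def request_transfer(self, dest, amount):
        """Step 1: the browser submits a transfer; the bank sends a TAN by SMS."""
        txid = secrets.token_hex(4)
        tan = self._tan(txid, dest, amount)
        self.pending[txid] = (dest, amount, tan)
        if self.details_in_sms:
            sms = f"Transfer {amount} to {dest}. TAN: {tan}"
        else:
            sms = f"TAN: {tan}"
        return txid, sms

    def confirm(self, txid, tan):
        """Step 2: whoever types the right TAN into the web session wins."""
        dest, amount, expected = self.pending.pop(txid)
        if hmac.compare_digest(tan, expected):
            self.executed.append((dest, amount))
            return True
        return False


# Constructed SMS format matching Bank.request_transfer above.
SMS_RE = re.compile(r"(?:Transfer (\d+) to (\S+)\. )?TAN: (\w+)")


def parse_sms(sms):
    """What the phone's reader (user or ZitMo) extracts from the bank SMS."""
    m = SMS_RE.fullmatch(sms)
    amount = int(m.group(1)) if m.group(1) else None
    return m.group(2), amount, m.group(3)


def run_scenario(zitmo_installed, details_in_sms=True):
    """Return the list of executed transfers for one constructed scenario."""
    bank = Bank(details_in_sms)
    intended = ("RENT-ACCOUNT", 500)   # what the user typed into the browser
    mule = ("MULE-ACCOUNT", 4900)      # what the MITB actually sends (assumed)

    # The browser is compromised: the request the bank sees is the attacker's.
    # The MITB also rewrites the confirmation page so the user still sees
    # the rent transfer; the only uncompromised view is the SMS itself.
    txid, sms = bank.request_transfer(*mule)
    dest, amount, tan = parse_sms(sms)

    if zitmo_installed:
        # ZitMo forwards the bank's SMS to the criminal's phone; the user
        # never sees it, and the attacker enters the TAN into the MITB session.
        bank.confirm(txid, tan)
    elif dest is None or (dest, amount) == intended:
        # Honest phone: the user enters the TAN if the SMS shows nothing
        # wrong, or shows no details at all to compare against.
        bank.confirm(txid, tan)
    # else: the user reads "4900 to MULE-ACCOUNT" and refuses the TAN.

    return bank.executed


if __name__ == "__main__":
    print("honest phone, details in SMS:", run_scenario(False, True))
    print("honest phone, bare TAN:      ", run_scenario(False, False))
    print("ZitMo on phone:              ", run_scenario(True, True))
```

The first run is the case the second channel was designed for: the user notices the mismatch and withholds the TAN. The second run shows that a TAN with no transaction details in the SMS defends against nothing once the browser is lying. The third run is the quoted attack: with the SMS redirected, putting details in the message no longer helps, because the party reading them is the attacker.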