Phishing usually works by directing the consumer to a scraped version of the website. One method that's starting to be more common is a dynamic website, where after entry of username and before entry of password, the bank site reveals some image or phrase chosen by the consumer, which I will call the counter-password. In essence, not only must the consumer present a valid password, so does the bank. Mutual authentication.
The phishing site cannot display the correct counter-password without querying the bank, and this gives the bank an opportunity to detect, confound, and prosecute the proxy.
This can be enhanced with use of an out-of-band communication channel. If the IP address making the request (which would be the proxy, possibly via onion routing) isn't one the consumer has logged in from before, send the consumer an SMS with a one-time code they must additionally use before the counter-password is revealed and login enabled.
Other methods are for the browser to cache the correct server certificate and tell the consumer when they visit a site without a cached certificate, thus warning the consumer that this isn't the familiar site they've used before.
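Below, as an added example that is not part of the original answer, is a toy Python model of the login flow this answer describes: the counter-password is released only after the username, and only to an address the customer has used before; an unfamiliar address gets a one-time code out of band first; and an address that asks for many different customers' counter-passwords is treated as a relaying proxy. The `Bank` and `Account` classes, the SMS outbox, the usernames, addresses and the threshold are all constructed stand-ins, not anything from a real bank's system.

```python
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    password: str                      # kept in clear only to keep the toy short; hash it in real code
    counter_password: str              # image name or phrase the customer chose at enrolment
    known_ips: Set[str] = field(default_factory=set)
    otp_cleared_ips: Set[str] = field(default_factory=set)
    pending_otp: Optional[str] = None  # one-time code sent out of band, if one is outstanding


class Bank:
    """Toy login service: username -> counter-password shown -> password."""

    PROXY_THRESHOLD = 3  # distinct usernames looked up from one address before it is flagged

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sms_outbox: List[Tuple[str, str]] = []   # (user, code): stand-in for an SMS gateway
        self.lookups_by_ip: Dict[str, Set[str]] = defaultdict(set)
        self.flagged_ips: Set[str] = set()

    def enrol(self, user: str, password: str, counter_password: str, first_ip: str) -> None:
        self.accounts[user] = Account(password, counter_password, {first_ip})

    def _send_otp(self, user: str, acct: Account) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        acct.pending_otp = code
        self.sms_outbox.append((user, code))

    def start_login(self, user: str, ip: str) -> dict:
        """Step 1: username submitted. Reveal the counter-password to a familiar
        address; otherwise send a one-time code and withhold it."""
        self.lookups_by_ip[ip].add(user)
        if len(self.lookups_by_ip[ip]) >= self.PROXY_THRESHOLD:
            # One address fetching many customers' counter-passwords looks like
            # a phishing proxy relaying its victims' usernames to the bank.
            self.flagged_ips.add(ip)
        acct = self.accounts.get(user)
        if acct is None:
            # Same reply as the out-of-band path, so this step does not
            # confirm to the caller which usernames exist.
            return {"status": "otp_required"}
        if ip in self.flagged_ips or ip not in acct.known_ips:
            self._send_otp(user, acct)
            return {"status": "otp_required"}
        return {"status": "counter_password", "counter_password": acct.counter_password}

    def confirm_otp(self, user: str, ip: str, code: str) -> dict:
        """Step 1b: the one-time code comes back from the customer."""
        acct = self.accounts.get(user)
        if acct is None or acct.pending_otp is None or ip in self.flagged_ips:
            return {"status": "denied"}
        ok = hmac.compare_digest(acct.pending_otp, code)
        acct.pending_otp = None          # single use, matched or not
        if not ok:
            return {"status": "denied"}
        acct.otp_cleared_ips.add(ip)     # this address may now proceed to the password step
        return {"status": "counter_password", "counter_password": acct.counter_password}

    def finish_login(self, user: str, ip: str, password: str) -> bool:
        """Step 2: password submitted once the customer has checked the counter-password."""
        acct = self.accounts.get(user)
        if acct is None or ip in self.flagged_ips:
            return False
        if ip not in acct.known_ips and ip not in acct.otp_cleared_ips:
            return False                 # unfamiliar address that never passed the out-of-band check
        if not hmac.compare_digest(acct.password, password):
            return False
        acct.known_ips.add(ip)           # remember the address for next time
        acct.otp_cleared_ips.discard(ip)
        return True


if __name__ == "__main__":
    bank = Bank()
    bank.enrol("alice", "correct horse", "blue heron", "198.51.100.7")
    print(bank.start_login("alice", "198.51.100.7"))        # familiar address: counter-password shown
    print(bank.start_login("alice", "203.0.113.5"))         # unfamiliar: one-time code sent instead
    user, code = bank.sms_outbox[-1]
    print(bank.confirm_otp(user, "203.0.113.5", code))      # code accepted: counter-password shown
    print(bank.finish_login(user, "203.0.113.5", "correct horse"))
```

The one-time code gate is something a real-time relay can still pass by forwarding the code to the bank within its validity window; what the bank gains is the `lookups_by_ip` signal, which is the detection opportunity the answer refers to. A proxy that rotates exit addresses (the onion-routing case mentioned above) spreads its lookups across addresses and stays under the threshold, so a per-address count is a starting point for detection, not a complete detector.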
IMO, the best thing that a bank can do is to educate its users on when and how they will communicate with them. Many users have no idea about what phishing is and so showing them examples and raising their awareness about fraud will do more than any technical solution (though the technical side should be pursued just as aggressively). A user aware that phishing can occur will be far less likely to fall prey to it.
Use an EV SSL certificate, and then put a message on your login pages that tells users to look for the EV Signature in their browser.
Make it clear in your emails that your bank will never ask a user for their password. Set up a special email address dedicated to phishing so customers can send you suspected emails, and you can then notify customers.
The best way to prevent phishing attacks should rely on technical means that don't require the user to understand the problem. The target audience will always be large enough to find someone who gets fooled.
A good way to prevent attacks is to use an authentication mechanism that doesn't rely on a simple pass phrase or transaction authentication number (TAN) that an attacker can steal.
Existing methods, e.g., use dynamic TANs (indexed TAN or iTAN), or a TAN submitted on a separate channel via SMS (mobile TAN or mTAN), or - most secure, and also preventing real-time man-in-the-middle attacks - require the user to sign each transaction, e.g. using DigiPass or a smartcard.
The reason that this is not widely implemented is probably that it is still more cost-effective for banks to pay for the damage from phishing attacks than investing in security.
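The following is an added Python example, not code from the original answer, contrasting the schemes it names: an indexed TAN list (iTAN), where the bank asks for one specific entry, against per-transaction signing of the DigiPass/smartcard kind, modelled here with an HMAC over the transaction fields under a key shared with the customer's token. The TAN list, the token key, the account numbers and the three attack functions are all constructed; `ITanVerifier` and `SigningVerifier` are stand-ins for the bank side, and the 8-digit truncation of the MAC is an assumption about the token display, not any vendor's algorithm.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set


# ---- Indexed TAN (iTAN): the bank names which entry of the printed list it wants ----

def make_tan_list(n: int = 100) -> List[str]:
    """The numbered list the bank mails to the customer (constructed at random here)."""
    return [f"{secrets.randbelow(10 ** 6):06d}" for _ in range(n)]


class ITanVerifier:
    def __init__(self, tan_list: List[str]) -> None:
        self.tans = list(tan_list)
        self.used: Set[int] = set()
        self.challenge_index: Optional[int] = None

    def challenge(self) -> int:
        """Pick an unused index; this is what the bank shows the customer."""
        unused = [i for i in range(len(self.tans)) if i not in self.used]
        self.challenge_index = unused[secrets.randbelow(len(unused))]
        return self.challenge_index

    def verify(self, index: int, tan: str) -> bool:
        if index != self.challenge_index or index in self.used:
            return False
        self.challenge_index = None          # one attempt per challenge
        if not hmac.compare_digest(self.tans[index], tan):
            return False
        self.used.add(index)                 # each entry is single use
        return True


# ---- Transaction signing: the code is bound to the transaction being authorised ----

FIELDS = ("account", "recipient", "amount", "nonce")


def canonical(tx: Dict[str, str]) -> bytes:
    """Fixed field order so the token and the bank MAC exactly the same bytes."""
    return "|".join(f"{k}={tx[k]}" for k in FIELDS).encode()


def sign_transaction(device_key: bytes, tx: Dict[str, str]) -> str:
    """What the customer's token computes after recipient and amount are keyed into it.
    The 8-digit truncation mimics a token display; real products have their own format."""
    mac = hmac.new(device_key, canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"


class SigningVerifier:
    def __init__(self, device_key: bytes) -> None:
        self.key = device_key
        self.seen_nonces: Set[str] = set()

    def verify(self, tx: Dict[str, str], code: str) -> bool:
        if tx["nonce"] in self.seen_nonces:
            return False                     # replay of an already-authorised transaction
        if not hmac.compare_digest(sign_transaction(self.key, tx), code):
            return False                     # any altered field changes the expected code
        self.seen_nonces.add(tx["nonce"])
        return True


# ---- Three attacks from the answer's threat model ----

def phished_itan_attack(verifier: ITanVerifier, harvested: Dict[int, str]) -> bool:
    """A static phishing page collected some (index, TAN) pairs from the victim earlier."""
    idx = verifier.challenge()
    tan = harvested.get(idx)
    return tan is not None and verifier.verify(idx, tan)


def relayed_itan_attack(verifier: ITanVerifier, victim_list: List[str]) -> bool:
    """Real-time man-in-the-middle: forwards the bank's index to the victim, who answers it."""
    idx = verifier.challenge()
    return verifier.verify(idx, victim_list[idx])


def relayed_signing_attack(verifier: SigningVerifier, device_key: bytes,
                           shown_tx: Dict[str, str], submitted_tx: Dict[str, str]) -> bool:
    """Same relay, but the victim signs the transaction they see while the
    attacker submits a different one to the bank."""
    code = sign_transaction(device_key, shown_tx)
    return verifier.verify(submitted_tx, code)


if __name__ == "__main__":
    tans = make_tan_list()
    print("relayed iTAN accepted:", relayed_itan_attack(ITanVerifier(tans), tans))   # True
    key = secrets.token_bytes(32)
    shown = {"account": "DE00 1111", "recipient": "DE00 2222", "amount": "50.00", "nonce": "n1"}
    tampered = dict(shown, recipient="DE00 9999", amount="4999.00")
    print("tampered signed tx accepted:",
          relayed_signing_attack(SigningVerifier(key), key, shown, tampered))        # False
```

The iTAN relay succeeds because the index the bank asks for says nothing about what the attacker is about to submit, which is why the answer puts iTAN below transaction signing for real-time man-in-the-middle; the signing relay fails because the code depends on the recipient and amount. That protection holds only if those values reach the token from the customer's own keypad or a display the token controls, not from the browser: a man-in-the-browser that rewrites the form before the customer reads it off the screen is exactly the case where the token must show the recipient and amount itself.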
The easiest way to mitigate it from a bank perspective would be to educate customers upon account creation that (a) the bank does not have the customer's e-mail address, so it simply can't send mails to them and (b) send a letter to every existing customer once, explaining the same.
For the customer this has the benefit that they will know that whenever they receive a mail claiming to come from their bank it can't be real.
I recommend analyzing online banking fraud based on the types of attacks: stolen credentials, man-in-the-middle and malware/man-in-the-browser, and how authentication can thwart them: two-factor authentication for sessions, mutual authentication to prevent MITM and transaction authentication for MitB. I wrote an article about this in 2006: http://www.bankinfosecurity.com/articles.php?art_id=115&pg=1 and I wrote a doc tutorial on mutual https authentication: http://www.howtoforge.com/prevent_phishing_with_mutual_authentication. EV certs add little value, for many of the same reasons that standard SSL is of little value: no one knows how to validate a certificate and the UI cannot be trusted. Using images is of no value and makes for a really annoying user experience.
While SMS is better than static passwords, you are then relying on the security of the cell carriers. However, since they have so many users and increasing the security of their systems means more helpdesk calls, incentives are not aligned. Also, please reference the latest snafu with the iPad email addresses where even basic security principles were not followed.
Banks need to get serious about designing systems and/or using vendors that base their architecture on solid security principles and follow standard encryption techniques rather than marketecture with an eye towards meeting minimum compliance standards.