Web Application Security
Article - A solution to phishing Nov 23 2004 03:40AM
Michael Silk (michaels phg com au) (9 replies)
RE: Article - A solution to phishing Nov 26 2004 08:35AM
Christopher Canova (canovac earthlink net)
This is an interesting read, but, yes, it has already been thought about. A
few problems with your method:

* The password timeout is too short. Consider that the default check
frequency for most mail programs is 30 minutes. Of course, this could be
fixed by making a longer timeout.

* "A little bit of education" is exactly what we need. If we had a "little
bit of education" to go around, then we would all be savvy users. You're
assuming that a normal user would be interested in learning this method...

* Consider that the average time for a user to become disinterested in the
website they are visiting is measured in seconds or minutes. If this system
was implemented in a site that provided online merchandise, this lag would
be unacceptable for most, if not all, merchandisers. If the users are
waiting around for an email, the chances are dramatically increased that
they will move to a different site that doesn't have this method
implemented.

* It is not secure. The email would need to be encrypted. The encryption
requires another password. All the phisher would have to do is pose as
someone requiring the password for the encrypted email as opposed to the
password for the website. Of course, this could cause the user to become
more suspicious.

* Easier methods for one-time passwords are already being used, and have
been for some time. For example, I remember at my work that we had this
program which would generate 5 random words for every login we attempted. The
program would accept a secret passphrase that only the user knew and would
only be installed on the local system of the user. It would generate the
five words and the server would accept that passphrase only once. Once the
session is ended, that passphrase is no longer available. This effectively
eliminates the requirement for waiting for an email.

* However, even if you did implement a one-time password policy, so what?
Phishing is a social attack. It's not a passphrase attack. Phishing doesn't
only gather passphrases, it can gather social security numbers, credit card
information, birth dates, etc. You're not fixing anything by implementing a
new, less effective method for password generation.

So you are assuming LOTS of things in your blog, and the worst assumption
you make is that your system will work. It's got lots of holes and doesn't
focus on the fact that HUMANS are susceptible to phishing, not password
systems. I don't mean to sound rude or upfront. I'm just trying to warn
anyone who may attempt your system that it may fail, easily.

Phishing cannot be solved. It is an ancient art of exploiting social order.
One method for minimizing the effects of phishing is education. Another
would be enforceable punishment for attackers who use this for committing a
crime. Another way is to develop applications which take secure transaction
into consideration.

Actually, the fact that you are proposing a "solution" to this phenomenon
with the implementation of your system is scary to me. It is a very
narrowly-focused view of security. You need to refocus on the basics of
information security; I've outlined some of that above. But the lesson you
should take from this is: social engineering attacks cannot be solved by a
magic bullet. All a phisher would need to do is find the weakest link: an
uninformed user (or administrator).

Again, my apologies for sounding upfront. I just want to show you the
seriousness of making these assumptions. Please feel free to contact me
directly.

--
Christopher Canova, Student
canovac (at) earthlink (dot) net [email concealed]
http://home.earthlink.net/~canovac

-----Original Message-----
From: Michael Silk [mailto:michaels (at) phg.com (dot) au [email concealed]]
Sent: Monday, November 22, 2004 7:41 PM
To: webappsec (at) securityfocus (dot) com [email concealed]
Subject: Article - A solution to phishing

Hi,

Just a quick little article about a login system that should (I think
:)) prevent phishing attempts on your site.


http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html

Have a look at it and let me know what you think ... and apologies to
anyone if an idea like this is already out there :)

-- Michael

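The one-time password program Canova describes above (a client-side tool fed a secret passphrase, with the server accepting each generated value only once) is not specified in the post, so the following is an added illustration written for this page, not code from either poster. It assumes a Lamport/S/KEY-style hash chain: the server enrolls only the tip of the chain and never sees the passphrase, each login reveals the next link, and a value captured in transit cannot be replayed because the server has already moved past it. The word encoding the original program used is omitted; the values here are raw digests. Chain length, salt and passphrases are constructed sample values.

```python
import hashlib
import hmac

# Constructed parameters: how many logins a chain supports before re-enrolment,
# and a per-account salt the server would normally generate and store.
CHAIN_LENGTH = 100
SAMPLE_SALT = b"constructed-per-account-salt"
SAMPLE_PASSPHRASE = "correct horse battery staple"  # constructed

def _h(data: bytes) -> bytes:
    """One step of the hash chain."""
    return hashlib.sha256(data).digest()

def derive_seed(passphrase: str, salt: bytes) -> bytes:
    """Stretch the user's passphrase into the chain seed (client side only)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000)

def hash_chain(seed: bytes, steps: int) -> bytes:
    """Apply _h `steps` times to the seed: h^steps(seed)."""
    value = seed
    for _ in range(steps):
        value = _h(value)
    return value

class OtpServer:
    """Holds only the current chain tip; accepts a candidate if hashing it
    once yields the tip, then advances the tip to the candidate."""

    def __init__(self, chain_tip: bytes, remaining: int):
        self.current = chain_tip
        self.remaining = remaining

    def verify(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False  # chain exhausted; user must re-enrol
        if hmac.compare_digest(_h(candidate), self.current):
            self.current = candidate  # a replay of `candidate` now fails
            self.remaining -= 1
            return True
        return False

class OtpClient:
    """Local program: knows the passphrase, emits h^(n-1), h^(n-2), ... in turn."""

    def __init__(self, passphrase: str, salt: bytes, chain_length: int):
        self.seed = derive_seed(passphrase, salt)
        self.next_index = chain_length - 1

    def next_otp(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("one-time password chain exhausted")
        otp = hash_chain(self.seed, self.next_index)
        self.next_index -= 1
        return otp

def enroll(passphrase: str, salt: bytes, chain_length: int):
    """Enrolment: the client computes the chain tip and hands only that to the server."""
    seed = derive_seed(passphrase, salt)
    server = OtpServer(hash_chain(seed, chain_length), chain_length)
    client = OtpClient(passphrase, salt, chain_length)
    return client, server

def demo():
    """Returns (first accepted, replay accepted, second accepted, wrong passphrase accepted)."""
    client, server = enroll(SAMPLE_PASSPHRASE, SAMPLE_SALT, CHAIN_LENGTH)
    first = client.next_otp()
    accepted_first = server.verify(first)
    replayed = server.verify(first)          # same value presented again
    second = client.next_otp()
    accepted_second = server.verify(second)
    impostor = OtpClient("wrong passphrase", SAMPLE_SALT, CHAIN_LENGTH)
    # the impostor's client is one step ahead of where the server expects; also rejected
    accepted_wrong = server.verify(impostor.next_otp())
    return accepted_first, replayed, accepted_second, accepted_wrong

if __name__ == "__main__":
    print(demo())  # expect (True, False, True, False)
```

The replay check is the whole point of the scheme in the discussion: a value lifted from the wire or from a phishing page is useless once the legitimate login has consumed it. It does nothing, as Canova notes, against a page that asks the user for the passphrase itself, or for data that is not a credential at all.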

Copyright 2009, SecurityFocus