Comments on: Phishing and OpenID: Bookmarks to the Rescue?

By: Daniel Benoy

Daniel Benoy — Tue, 19 May 2009 20:35:03 +0000

Sorry for all the posts, but I keep thinking up new ways to solve the problem :p

We could also instruct users (right in the login page) to check the HTTPS credentials and verify that it says the proper company name every time they log in.

Compared to my other four or five ideas, that one’s pretty weak, and relies entirely on a lack of user stupidity.

Another good idea:
High security sites like banks and such should not use OpenID :p For this reason, and because the bank site’s ISP can do a DNS man-in-the-middle attack on them, if their provider isn’t using ’smart mode’, or if their provider is rarely used.

By: Daniel Benoy

Daniel Benoy — Tue, 19 May 2009 20:20:13 +0000

Theoretically, you can even use wacky authentication schemes. Like:

- You get to your login page, and up comes a little animation telling you the phone number to call to enter your PIN.. and when the phone system gets your pin, the page authorizes you, and if it gets a wrong pin or nothing within 60 seconds, it fails out. You could even call up and answer some security questions to some agent and have them click release or not.

- You get a list of passwords at the beginning of the month, and you can use each one only once.

- You can use your passwords three or four times in a row, until it asks you one of the security questions you came up with when you signed up, and if you mess it up your account is locked until the issue can be resolved.

- You get your OpenID through your ISP, and your ISP checks your IP against its radius accounting table, and determines if your IP is actually logged in with that username in order to get its internet access, and if so, it automatically grants access (A phishing proxy would automatically always fail)

That’s actually what really attracted me to OpenID. It gives you complete freedom to choose the level at which you feel comfortable with your own authentication onto sites, and who you trust to help you provide that. You could even set up an OpenID that just lets anybody in, if you so chose.

By: Daniel Benoy

Daniel Benoy — Tue, 19 May 2009 20:09:22 +0000

Also, Verisign offers a ‘two factor’ OpenID authentication, so even if you phish in exactly this way, you would only get their password, but not compromise their fancy keyfob (Unless the algorithm on that thing is bad)

By: Daniel Benoy

Daniel Benoy — Tue, 19 May 2009 18:32:42 +0000

I have a web server of my own, and I set it up to verify SSL client certificates when I’m browsing against a CA that I created, and I used a customized version of phpMyID to verify that I’m using a valid certificate and authorize me automatically.

My client certificate private key resides on a smart card, so it can not be copied even if my client computer is compromised.

Firefox supports smart cards out of the box using PKCS#11

Theoretically, this level of security can be provided by any OpenID provider. That solves the phishing problem.

By: Post It #6 [tail -f carlo.log]

Post It #6 [tail -f carlo.log] — Wed, 06 Aug 2008 15:58:03 +0000

[...] Post It #6 — Posted under de, en, Google, Humor, OpenID, Post-It, Software —BookmarkID? Ka-Ping Yee came up with a funny idea on how to battle phishing using browser bookmarks. [...]

By: Daniel Chien

Daniel Chien — Mon, 09 Jul 2007 06:08:53 +0000

I have a simple way to detect phishing website by checking the IP address of the phishing website. On the Internet, everyone has an IP address. You can not fake your IP address due to IP two-way routing. Phishing website must use an IP address and can not be same as legitimate financial institution IP address. By comparing the IP address, we can know this is a phishing website or not.

By: randomwalker

randomwalker — Thu, 03 May 2007 06:23:27 +0000

If I have to retry the transaction (comment posting or whatever) at the original site, then I’m simply not going to use it. Sorry.

Further, I might realize that I have to login only after I write my comment. There’s a chance that the data will be lost when I try to get back there. If this happens, the user will VERY QUICKLY learn not to use your service EVER AGAIN.

By: The Security Roundtable » Blog Archive » The Security Roundtable for February 2007 - OpenID

Thu, 15 Mar 2007 19:56:09 +0000

[...] Another idea (and MITM attack): http://usablesecurity.com/2007/01/20/phishing-and-openid/ [...]

By: Confluence: PlatformSecurity

Confluence: PlatformSecurity — Wed, 28 Feb 2007 22:22:15 +0000

OpenID…

OpenID This page has not been filled in yet. Notes from Sunil (email): And of course, UCAP can prevent it through it’s Defense is depth approach (Security Skin, EV SSL, Reputation Service, Stronger Username/password)…….

By: Richard M. Conlan

Richard M. Conlan — Wed, 28 Feb 2007 08:42:37 +0000

Some interesting blog entries on OpenID with comments on phishing and other issues:

ongoing

Should We Support OpenID?

By: Dubroy.com/blog » Warming up to OpenID

Dubroy.com/blog » Warming up to OpenID — Mon, 26 Feb 2007 18:20:35 +0000

[...] It’s not all rosy though. Many people have pointed out that the OpenID process is very susceptible to phishing attacks; but that’s a problem we’re going to have to solve somehow anyways, and I think the proposed solutions are pretty decent. Technorati Tags: authentication, openid, security, single sign on, usability [...]

By: Ping

Ping — Wed, 21 Feb 2007 04:45:02 +0000

If you always go directly to your OpenID provider to enter your password, then there’s no problem. The problem is the case where the relying party redirects you to your OpenID provider’s login form.

By: Mark Cross

Mark Cross — Tue, 13 Feb 2007 13:35:19 +0000

Dear Ping,

I don’t quite follow your walk through:

Go to my OpenID provider & “log in” with OpenID URL & Password.
Visit a site I’ve never seen before.
Enter my OpenID name and click “Log in”.
See the challenge page for my OpenID provider.
Return back to the newly added site.

If you were prompted for a password - something did go astray.

Yours puzzled,

Mark

By: Benlog » BeamAuth: Two-Factor Web Authentication with a Bookmark.

Benlog » BeamAuth: Two-Factor Web Authentication with a Bookmark. — Tue, 06 Feb 2007 19:47:48 +0000

[...] In recent days, Simon Willinson and then Ka-Ping Yee proposed having Alice use a bookmark to reach her OpenID server, rather than rely on the web site to redirect appropriately. This is interesting, and one of the OpenID implementors, JanRain, thinks so too. [...]

By: Kragen Sitaker

Kragen Sitaker — Mon, 29 Jan 2007 03:37:27 +0000

Looks like Simon went and implemented this as part of his idproxy service.

By: Andrew Cox

Andrew Cox — Tue, 23 Jan 2007 08:25:40 +0000

By: Don Park

Don Park — Mon, 22 Jan 2007 22:16:30 +0000

Ping, I like the way you think. Admitedly, this is one of the password-less ideas I had but it’s neat to find others thinking along the same line. Oh, I liked your Passpet idea also. :-)

By: Ping

Ping — Mon, 22 Jan 2007 06:25:01 +0000

I don’t think you’re misunderstanding it. The procedure I had in mind was to first use the bookmark to log in, and then retry the original transaction. With a little care in the UI, the provider might be able to make this less confusing.

By: Ping

Ping — Mon, 22 Jan 2007 06:23:32 +0000

Yes, you can embed the secret in the URL. Then you’re essentially using the URL like a capability. In general, this is a great idea, though it may take some catching up from software to properly treat URLs as capabilities (they need to be treated as secrets, and there’s the issue of logging in from a different computer than the one you normally use).

By: Ping

Ping — Mon, 22 Jan 2007 06:13:36 +0000

Providers could do that, if they wanted. But I don’t expect the personalized-image scheme to work, because it’s susceptible to a man-in-the-middle attack.

If I want to phish your password, I’ll go to the provider and attempt to log in as you. The provider will show me your image and title. Then I present that image and title to you when persuading you to give me your password.