Wednesday, June 01, 2005

Making Phishers Solve the Captcha Problem

Excel web sharing - spreadsheet collaboration over the Internet made easy with BadBlueThe more I read about Bank of America's solution to the phishing problem, the more I believe it susceptible to man-in-the-middle (MIM) attacks. The Wall Street Journal today described their new system, called SiteKey, in a bit more detail. The BofA site describes it as well.

As I understand it, if you haven't signed into SiteKey before, you will get a randomly selected challenge question. Once you've answered the challenge successfully, a secure cookie is deposited on your PC. Subsequent authentications from that PC will force you to view a pre-selected image that will confirm you're signing into Bank of America, rather than a spammer's zombie machine in Chung Li, Taiwan.

Sidebar: isn't it odd that when you go the Bank of America site, you immediately note that the page is presented in cleartext ("http://"), not SSL ("https://). The first step to combat phishers is to provide an SSL connection... first time, every time. Customers need to get used to expecting a secure connection on every BofA page.

Yes, their sign-in operation itself is secure. I just think it a tad bizarre that every page isn't secure as well. Just for the customer's peace of mind.

As far as I can tell, there's no way for SiteKey to distinguish a malicious, zombie PC from a user's virgin computer. The zombie PC could present a false BofA store-front to the victim and proxy login information from the user to the bank and any resulting pages and images from the bank to the victim.

Step 4 of the BofA SiteKey page even states the following:

If we don't recognize your computer:
We will ask you one of your secret SiteKey Confirmation Questions.

After you answer your question correctly, we will show you your SiteKey.

Sounds like it's completely susceptible to a man-in-the-middle: the classic phisher's false store-front.

I believe you've got to make phishers solve the captcha problem.

A Blogger Captcha

You know captchas: they're the odd-looking images representing stretched or melted alphanumeric text that can (presumably) be read by humans, but not malicious bots.

The example at right is the kind of captcha that Google's Gmail service employs. Mail services require strong captchas to prevent spambots from signing up for their free email services for mass-spam campaigns. We need more spam like GM needs more healthcare costs.

The challenge for systems like SiteKey is to create a captcha-like problem for phishers. I think I have the seeds of just such a solution. The idea is to make a man-in-the-middle attack bloody difficult.

Educating the users to expect an "anti-fraud" checklist on the sign-in page is obviously the first order of business. This can be achieved through a snail-mail campaign or equivalent PR effort. Once customers expect the anti-fraud checklist, the next action in the campaign is to:

Squeeze the man-in-the-middle

Force the man-in-the-middle (MIM) to present information specific to both the client and the server. After the user has entered a sign-in name, the anti-fraud checklist page depicted above, should appear.

The key element of the page is a GIF or JPEG image, dynamically created like a captcha, consisting of the three checklist items depicted at the top of this article.

The MIM gets squeezed by changing fonts

Why is this checklist so difficult for a MIM to present?

Checklist item 2: In a normal situation (with no MIM involved), the bank's server should be able to deduce the client's general location through IP-address geo-mapping.

For the MIM to present the correct location data, it will have to use an IP-address-to-geographic-location mapping algorithm and deduce it on its own.

Checklist item 3: The server has non-sensitive information about the customer (e.g., a check number that recently cleared) that can be presented on the page. This is called a "shared secret" that only the customer and the bank should know.

And for the MIM to retrieve a valid shared secret, it will have to screen-scrape the third line of the checklist from the image the bank has presented.

Captcha problem: Once the MIM has accomplished numbers two and three, it now has to somehow merge the images in a way that looks consistent. But the fonts are changing, the font sizes are changing, and the colors are changing. They're selected randomly.

Without some serious artificial intelligence, the MIM is trapped having to solve a classic captcha-style problem. And I, for one, thinks that's a hard road to hoe for the phishers.


Anonymous said...

Can anyone recommend the top RMM program for a small IT service company like mine? Does anyone use or How do they compare to these guys I found recently: N-able N-central performance management
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Ramesh said...

Online Access Control
How does a portal / website secure online access for its registered users?
How does a portal / website eliminate the risk of phishing completely?
By integrating Blue ID 2
Blue ID 2 provides a portal a mechanism to allow the customers to use the Phone as an Authentication device. With the risk of phishing and identity theft removed, access is made safe, easy and a mass market phenomenon.

Verity Technologies, a mobile applications company with focus on Authentication and Identity Management Services, today announced a launch of its path breaking Blue ID 2 technology. This new generation technology can secure financial transactions, manage access, control confidential data and generally eliminate phishing in this era of increasing online adoption. We will be happy to demonstrate the technology should you be interested. We look forward to a sustained fruitful relationship.
Ramesh A
Verity Technologies Pvt. Ltd.,
#791, 12th Main, 1st Cross,
HAL 2nd Stage, Indiranagar,
BANGALORE – 560008
E mail :ramesh[at]veritytech[dot]com