Wed, 2007-05-09 15:23
A typical online banking website prompts you for a username and password combination to prove that you are indeed who you claim to be.  The rise of phishing over the past few years has raised the question “How does your bank prove who it is?”  Many technologies and procedures have been developed in an attempt to make this authentication a two-way process.  The most common method is the display of a personalized image.  In this case the login process looks something like this:

  1. When you first create your online banking account the valid server allows you to choose a picture from a group of pictures.
  2. You then type in a phrase to describe that picture in a way that only you would.  The server then uses this picture and phrase to verify that it remembers this account creation.
  3. When you later arrive at the login page you are prompted for a username.
  4. A check is done for a secure cookie which was left on your machine the last time you visited.
  5. If the machine is not recognized (i.e. the cookie doesn’t exist) then you are prompted with a security question to answer.  Upon answering it the cookie is set on your machine.
  6. You are then shown that picture and phrase you set at account creation.  At this point you are prompted for your password.
  7. You type in your password and are now granted access to the site.

There is a flaw in this process.  It has to do with the secure cookie and security question.  The secure cookie piece is supposed to be a flag to the user.  You should only see the security question if you are on a new machine that you haven’t used to access the site before.  Do users understand this?  What if I delete my cookies often?  Then this security question will always be a part of my login process.  This is where the attacker has wiggle room to take advantage of the system.

Using this process, a phishing site can act as a man in the middle, replicating the user experience for the unsuspecting victim while stealing their credentials.  The process would look something like this:

  1. The user is prompted by the phishing site for their username.
  2. The phishing site sends this along to the bank and waits for the security question page.
  3. The phishing site then displays the same question to the user which the user answers.
  4. The phishing site sends the answer to the bank and retrieves the customized picture and phrase.
  5. The phishing site displays the picture and phrase to the user and prompts for the password.  Now the attacker has all the information he or she needs, including a newly set secure cookie on the phishing site’s machine.

Note: One weakness in this attack is that the phishing site will be unable to display a valid certificate for the banking website.  Studies have shown, however, that most users do not check for the lock icon which is displayed for sites using certificates for authentication.

The crux of this attack, of course, is getting the user to the phishing site.  This means users need to be educated on ways to avoid finding themselves in these situations.  So how does a user avoid being taken by a phishing site?

  • First and foremost, do not click on links in emails or IM windows.  Always type the URL in yourself.  Once you’ve done that you can set a bookmark to use in the future.
  • Look for the SSL Lock on the right hand side of the address bar.  This will tell you that you are at a site with a valid certificate.
  • Use one of the anti-phishing toolbars created by Microsoft, Google or Netcraft which can help warn you of dangerous sites.
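The certificate check behind the note above and the “look for the SSL lock” advice, as an added example that is not part of the original post: a relay site can forward every page, question and picture, but it cannot present a certificate issued for the hostname the user actually typed. The certificate contents and hostnames below are constructed for illustration.

```python
# Added example (not from the original post): the hostname check that the
# browser's lock icon reflects.  A phishing site relaying the bank's pages
# holds a certificate for its own domain, so a check bound to the hostname
# the user typed fails.  Certificate dicts and hostnames are constructed.
import socket
import ssl

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `cert` (the dict layout ssl.getpeercert() returns)
    was issued for `hostname`.  Uses subjectAltName DNS entries, falling
    back to the subject commonName; a wildcard covers exactly one label."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificate with no SAN extension
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in names):
        if name.startswith("*."):
            # "*.bank.example" matches "online.bank.example" but neither
            # "bank.example" nor "a.b.bank.example"
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False

def verify_live(hostname: str, port: int = 443) -> bool:
    """Connect with the stdlib default context, which validates the chain
    and the hostname during the handshake (a mismatch raises
    ssl.SSLCertVerificationError), then re-check the presented names."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return hostname_matches(tls.getpeercert(), hostname)

# Constructed certificate dicts in ssl.getpeercert() layout.
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.bank.example"),),),
    "subjectAltName": (("DNS", "*.bank.example"),),
}
# A relay site on its own domain can only obtain a certificate for that domain.
RELAY_CERT = {
    "subject": ((("commonName", "login-bank.example.test"),),),
    "subjectAltName": (("DNS", "login-bank.example.test"),),
}
```

`verify_live` needs network access; the constants let `hostname_matches` be exercised offline.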

User vigilance is the only real protection.  Banks can continue to roll out new security features, but until users are willing and able to actively participate in the process they will continue to be vulnerable.  Recent studies show that users don’t check for valid certificates and will often continue to log in even when the wrong security picture is shown to them.  Will we ever be able to depend on the average user to practice online self-defense?

- John Carmichael
