Anti-phishing system can make phishing worse

December 10th, 2006 by mb

I am constantly frustrated by the poor security implementations I see all around the web. Often these mistakes could be avoided by never breaking a few simple security rules. One of the rules I wrote about in my book Hacking the Code is that you should always ask for the username and password at the same time. This prevents others from harvesting usernames from your login process. Usernames normally are not secrets, but if someone had a collection of usernames from, say, banks, they could launch more effective and targeted phishing attacks.

This time it was a banking site I use that broke this rule, ironically in an effort to stop phishing attacks. They have employed a new system that presents you with a picture and caption–the key–that you yourself pre-selected. The idea is that the site proves its identity to you: if it can’t present your pre-selected key, you know you are logging in to a fake web site.

The concept is good, but I was shocked to see how poorly they implemented it.

Of course, to present your key the site first needs to know who you are, so it prompts you for your Online ID–your username. You enter it, and the site shows your pre-selected photo and phrase and says it is now safe to enter your passcode if you recognize your key.

But here’s the problem: by asking for a username by itself, the site is open to username harvesting attacks. Because the site responds differently to a valid Online ID than to an invalid one, anyone can test candidate usernames without ever supplying a password. It turns out that usernames are pretty easy to guess; a few quick guesses already turned up two valid ones. But it’s even worse than that. The very first step in the process is to tell the system what state you live in. So with very little effort, someone would know your bank name, your username, and what state you live in.

It appears that, in an attempt to make the system a bit more secure, they use cookies to identify the system you are logging in from. If you log in from a system they don’t recognize, they prompt you to answer one of the secret questions you selected when you signed up. They do this before showing your key, apparently to prevent others from harvesting the keys as well. However, at this point someone would know your bank name, your username, what state you live in, and which question you selected as your secret question.
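The flaw described above is that the first step answers a question about the Online ID alone. The following is an added illustration, not code from the post or from any bank: a toy model of the two-step flow next to the single-step form the post recommends. The account records, questions, keys and passwords are constructed sample data, and the function and field names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample accounts (not real data): Online ID -> record.
# Passwords are stored as PBKDF2-HMAC-SHA256 hashes with a per-user salt.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT_A = b"salt-for-alice00"
_SALT_B = b"salt-for-bob0000"
ACCOUNTS = {
    "alice": {"state": "CA", "salt": _SALT_A, "pw": _hash_pw("correct horse", _SALT_A),
              "question": "What was your first pet's name?",
              "key": ("sailboat.jpg", "calm seas")},
    "bob":   {"state": "TX", "salt": _SALT_B, "pw": _hash_pw("battery staple", _SALT_B),
              "question": "What city were you born in?",
              "key": ("oak_tree.jpg", "deep roots")},
}
# Dummy credentials used so that an unknown ID costs the same work as a known one.
_DUMMY_SALT = b"dummy-salt-00000"
_DUMMY_HASH = _hash_pw("not-a-real-password", _DUMMY_SALT)


# --- Flawed flow, as described in the post: the Online ID is checked on its own. ---
def flawed_identify(state: str, online_id: str, known_device: bool) -> dict:
    """Step 1 of the two-step flow. The response differs for valid and invalid
    IDs, so the response itself acts as a username oracle."""
    acct = ACCOUNTS.get(online_id)
    if acct is None or acct["state"] != state:
        return {"status": "unknown_id"}
    if not known_device:
        # Unrecognised device: the secret question is shown before the key.
        return {"status": "challenge", "question": acct["question"]}
    image, phrase = acct["key"]
    return {"status": "show_key", "image": image, "phrase": phrase}


def step1_reveals_validity(state: str, candidate: str) -> bool:
    """What an unauthenticated visitor learns from step 1: whether the ID exists
    in that state. Any response other than 'unknown_id' confirms it."""
    return flawed_identify(state, candidate, known_device=False)["status"] != "unknown_id"


# --- Hardened flow: username and password are submitted together. ---
def hardened_login(online_id: str, password: str) -> dict:
    """Single-step login. An unknown ID and a wrong password produce the identical
    response, a dummy hash is computed for unknown IDs so timing does not leak
    which case occurred, and user-specific data (the key) is returned only after
    the password verifies."""
    acct = ACCOUNTS.get(online_id)
    salt = acct["salt"] if acct else _DUMMY_SALT
    expected = acct["pw"] if acct else _DUMMY_HASH
    # compare_digest always runs, even when the account does not exist.
    matched = hmac.compare_digest(_hash_pw(password, salt), expected)
    if acct is None or not matched:
        return {"status": "failed", "message": "Invalid Online ID or passcode."}
    image, phrase = acct["key"]
    return {"status": "ok", "image": image, "phrase": phrase}
```

The point of the hardened version is that nothing the server returns before a successful login depends on whether the username exists: the message, the fields and (as far as practical) the response time are the same for an unknown ID and a wrong password. The check for an unrecognised device, if one is wanted, belongs after that successful login, not before it.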

It wouldn’t be hard for a clever attacker to produce a very convincing phishing attack from that information. In fact, information gathered from Bank of America’s own anti-phishing device could be much more effective than a standard phishing e-mail. If you think about how many people fall for the horribly crafted phishing e-mails we see nowadays, how much more effective would an e-mail be if it stated the correct bank, your state, your actual username, and your own pre-selected secret question? In itself this is significant, but combine it with a few other well-known attack methods (e.g., cross-site scripting, session fixation) and you have a serious problem for these bank customers.

But it gets even worse. An attacker could simply run a two-phase phishing attack: first use the harvested state/username/secret question information to phish for the key, and then, armed with the key, run a second phishing attack for the password. In other words, this whole implementation actually gives attackers the information they need to pull off a very effective and convincing phishing attack, perhaps more effective than if the system had never been implemented in the first place.

Although the concept is interesting, there are just too many problems with implementing something like this on the server side. One alternative might be a browser add-in that shows a picture derived from the SSL certificate of the server. That builds on a system already in place, yet a wrong or missing picture would be much easier to spot than a missing lock icon in the status bar.
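As an added sketch of that alternative (not the post’s code, and not an existing add-in), the snippet below derives a small picture, a colour and a two-word caption purely from a certificate’s SHA-256 fingerprint. The two DER byte strings are constructed stand-ins for real certificates, and the word lists and grid layout are choices made for this example. Because the picture depends only on the certificate the browser actually validated, the site never has to ask who you are before showing it.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
BANK_CERT_DER = b"\x30\x82\x01\x0a" + b"example-bank-cert-body" * 4
LOOKALIKE_CERT_DER = b"\x30\x82\x01\x0a" + b"lookalike-site-cert-body" * 4

ADJECTIVES = ["calm", "red", "quiet", "bright", "deep", "golden", "cold", "swift"]
NOUNS = ["harbor", "oak", "river", "falcon", "lantern", "meadow", "anvil", "comet"]


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate, the value browsers display."""
    return hashlib.sha256(der).hexdigest()


def visual_key(der: bytes) -> dict:
    """Derive a 5x5 mirrored grid, a colour and a two-word caption from the
    certificate alone: the same certificate always yields the same picture,
    and no account data is needed to render it."""
    digest = hashlib.sha256(der).digest()
    # 15 bits choose the left three cells of each of five rows; rows are
    # mirrored so the result looks like a symmetric icon.
    bits = int.from_bytes(digest[:2], "big")
    rows = []
    for r in range(5):
        left = [(bits >> (r * 3 + c)) & 1 for c in range(3)]
        rows.append(left + left[1::-1])          # [l0, l1, l2, l1, l0]
    colour = "#%02x%02x%02x" % (digest[2], digest[3], digest[4])
    caption = f"{ADJECTIVES[digest[5] % 8]} {NOUNS[digest[6] % 8]}"
    return {"grid": rows, "colour": colour, "caption": caption}


def render(key: dict) -> str:
    """Text rendering of the grid, for a terminal demo."""
    return "\n".join("".join("#" if cell else "." for cell in row) for row in key["grid"])


if __name__ == "__main__":
    for name, der in (("bank", BANK_CERT_DER), ("lookalike", LOOKALIKE_CERT_DER)):
        key = visual_key(der)
        print(f"{name}: {cert_fingerprint(der)[:16]}... {key['colour']} '{key['caption']}'")
        print(render(key))
```

The add-in would bind the picture to the certificate chain it validated, so a look-alike site with its own (even valid) certificate produces a different picture than the bank’s. The user still has to remember what the bank’s picture looks like, which is the same trust-on-first-use assumption the server-side scheme makes, but here the server learns nothing about the user in order to show it.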
