[OWASP-Ireland] Phishing One-time passwords

Conall Lavery conall.lavery at entropy.ie
Mon Oct 17 07:01:31 EDT 2005


All,

I think there is the making of another event on authentication similar
to the one that was done on centralised logging. Is anyone interested in
looking at this?

Phishing attacks have really put username/password under pressure. The
banks and similar businesses are looking at increasing the level of
authentication strength. Technologies such as tokens, smartcards and
certificates certainly deliver strong authentication but the service
providers balk at the cost, the complexity of managing the registration
and distribution of tokens (or whatever it is that you have). A key
requirement of suppliers of consumer service is that they are easy to
use - it is no use putting in strong authentication if no one uses the
service.

There are new approaches available now, like the scratch card mechanism
referred to by Eoin, or Entrust's
http://www.entrust.com/identityguard/index.htm and technologies based on
mobile phones.

I don't want to speak for the banks but their problem is not from the
losses that they are suffering due to phishing but from the low growth
of users of their online service. Research has shown that the take up of
Internet banking has stagnated and there is evidence that this is due to
the lack of confidence that potential consumers have in the service. I
wouldn't like this event to be limited to banking; the issues apply to
any business that offers an online service that could be the target of
fraud.

I thought that an event similar to a debate where a number of people
take the position of one type of technology might be a good way of
getting to the issues. No one technology is going to fit every
application but this approach might be good at flushing out the pros and
cons.

I realise this email could constitute an offer to help organise this,
but I am sure that following the excellent job that Cormac did with the
logging event that he might take this one too? :-)

Conall

-----Original Message-----
From: owasp-ireland-admin at lists.sourceforge.net
[mailto:owasp-ireland-admin at lists.sourceforge.net] On Behalf Of Brian
Honan
Sent: 17 October 2005 11:25
To: Eoin.Keary at allianz.ie; owasp-ireland-admin at lists.sourceforge.net;
OWASP-Ireland at lists.sourceforge.net
Subject: Re: [OWASP-Ireland] Phishing One-time passwords

Interesting in this case was the fact that each customer was given a
card from which they could scratch off their OTP.  Users were duped into
entering their latest OTP into a fake site.  So another weak link here
is that the passwords were pregenerated and had no expiration. 

Brian
-----Original Message-----
From: Eoin.Keary at allianz.ie
Date: Mon, 17 Oct 2005 11:14:45
To: OWASP-Ireland at lists.sourceforge.net
Subject: [OWASP-Ireland] Phishing One-time passwords

http://www.theregister.co.uk/2005/10/12/outlaw_phishing/ 
 
One-Time passwords are meant to be more secure but the weak link is
people (Tell me something I don't know). 
 

 
 Eoin Keary
 Contractor
 Allianz Ireland
 IT Security (Tech Admin)
 Security Projects Division
 Dir: + 353-1-613-3490
 Mob: + 353-87-904-1922
 Mailto:eoin.keary at allianz.ie
 Ph  01 6133490
---
Brian Honan
BH Consulting
Helping You Piece IT Together
Tel:         +353-1-8243846
Mob:      +353-86-8114066
Email:      brian.honan at bhconsulting.ie
www:      http://www.bhconsulting.ie                
Support Global Security Week 5/11 - 9/11 www.globalsecurityweek.com

_______________________________________________
OWASP-Ireland mailing list
OWASP-Ireland at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-ireland
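The weakness Brian points out above, that the scratch-card codes were pregenerated and never expired, can be made concrete by putting the two designs side by side. The following is an added example written for this archive page, not code from any of the posters or from the article they link. It assumes a generic scratch-card list and a time-bound verifier built on RFC 4226 HOTP / RFC 6238 TOTP; the secret is the RFC 4226 test-vector key and the scratch codes are made-up values, so nothing here is a real credential.

```python
"""Why a pregenerated, never-expiring OTP list is weaker than a time-bound one.

Added example, not from the mailing-list thread. The scratch-card codes are
constructed values and the secret is the RFC 4226 test-vector key, chosen so
that the generated codes can be checked against the RFC's published tables.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class ScratchCardVerifier:
    """Pregenerated list with no expiry: a code stays valid until someone uses it,
    so a code captured by a fake site today is still good a month later."""

    def __init__(self, codes):
        self.unused = set(codes)

    def verify(self, code: str, now: float) -> bool:
        # 'now' is deliberately ignored: that is exactly the weakness.
        if code in self.unused:
            self.unused.remove(code)
            return True
        return False


class TimeBoundVerifier:
    """TOTP-style check (RFC 6238 on top of hotp): the code is derived from the
    current 30-second step, accepted only within +/- one step of the server
    clock, and a step that has already been consumed is never accepted again."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_step:
                continue  # replay of an already-used (or older) step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


def phishing_replay_demo() -> dict:
    """Simulate a code entered into a fake site at t=0 and presented to the real site later."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector key (constructed, not a real secret)

    scratch = ScratchCardVerifier(["4821", "9034", "1177"])  # constructed card
    scratch_result = scratch.verify("9034", now=30 * 86400)  # presented a month later

    totp = TimeBoundVerifier(secret)
    captured = hotp(secret, 0)                         # what the user typed at t=0 ("755224")
    first_use = totp.verify(captured, now=10)          # genuine login seconds later
    replay_same_step = totp.verify(captured, now=15)   # second use, still inside the window
    replay_later = totp.verify(captured, now=150)      # five minutes later, window has moved on
    fresh_code = totp.verify(hotp(secret, 5), now=153)  # a new code at its own step still works

    return {
        "scratch_code_valid_a_month_later": scratch_result,
        "totp_first_use": first_use,
        "totp_replay_same_step": replay_same_step,
        "totp_replay_five_minutes_later": replay_later,
        "totp_fresh_code": fresh_code,
    }


if __name__ == "__main__":
    for name, outcome in phishing_replay_demo().items():
        print(f"{name}: {outcome}")
```

Run it and the scratch code is still accepted a month after it was captured, while the time-bound code is accepted once and then rejected both in the same 30-second step and five minutes later. Expiry plus single use closes the "use it later" window that the scratch card leaves open; it does not stop a code that is relayed to the real site within the same step, so it narrows the exposure rather than removing it, which is why the scheme is usually paired with binding the code to the specific transaction or session.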