[Owasp-cincinnati] Separating username and password
Marco M. Morana
marco.m.morana at gmail.com
Fri Oct 2 22:13:22 EDT 2009
Seems what you are describing is a kind of PassMark RSA control used by BofA
(they call it SiteKey) as well as other banks. This control provides for site-to-user
validation: usually, upon validation of the username, the user is
presented with an image and a text that he has preregistered. If the user
visually validates the image and the text, then he would know that the password
would be given to a trusted site. For this control to work, the first time
you access the site you are asked to answer challenge questions so that a
cookie will be dropped on your browser. For a fraudster to enumerate other
usernames, he also has to copy someone else's cookie to his browser; otherwise
he has to supply the C/Qs. This kind of attack (Finding 2) is possible and
described by the paper herein.
The other attack is obviously MiTM, by which all MFA controls are affected.
I actually think there is value in this control since it provides a trust
indicator to the user that he visited an authentic site. It is not a control
to validate the user to the site; that still happens via validation of the
password, the challenge questions to register the cookie, and fingerprinting
of the machine that is validated by the RSA engine in the back end via Risk
These kinds of MFA controls can be improved for resistance to MiTM in several
ways, such as by 1) tying the cookie to the user (right now RSA cookies are
just tied to the machine), 2) fingerprinting the machine with IDs stronger
than IP (such as by using USH Chip ID * ), and 3) improved risk-based
rule analytics on the back end.
Hope I did not digress too much; there is no absolute security, only relative
to the attack you want to mitigate against.
From: owasp-cincinnati-bounces at lists.owasp.org
[mailto:owasp-cincinnati-bounces at lists.owasp.org] On Behalf Of Edward
Sent: Thursday, October 01, 2009 8:55 AM
To: OWASP Cincinnati
Subject: [Owasp-cincinnati] Separating username and password
Thanks for the evening meeting, very interesting.
One point we discussed was the separation of username and password
fields onto two separate web pages and how this could be bad, because the
failure to recognize a username was bad feedback to give to a hacker.
Anyway, it appears my bank has a slight change on this, offering
username and password on separate pages with a user-chosen image on
the second page, but an invalid username on the first page still takes
you to the second page to enter a password.
So, in this case the only indication that the username is correct is
the existence of an image on the password page. Presumably, not all
users have selected an image so this may limit the exposure of the
Interestingly, unlike the Yahoo image identification, the bank's
doesn't appear to be tied to a browser, so any hacker from anywhere
would receive the image if they used my username.
The use of identification images protects against spoof servers
while reducing security against brute-force attacks. I guess the fake
email attacks are more prevalent.
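As an added example that is not code from either post or from any bank's implementation, the following toy Python model contrasts the two-page login Edward describes (the personal image is returned to anyone who enters an enrolled username) with a variant along the lines Marco's reply sketches, where the image is shown only to a device that has registered a cookie via challenge questions. The usernames, image names and the HMAC-based cookie scheme are constructed for the example.

```python
"""Toy model of the two-page login from the thread. Added example, not code from
either post or from any bank: usernames, image names and the cookie scheme are
constructed. It contrasts the flow Edward describes (image returned to anyone
who types an enrolled username) with one where the image is shown only to a
device that registered a cookie via challenge questions, so an unenrolled
username and an unregistered device receive the identical response."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data; real values would live in the bank's back end.
USERS = {"alice": {"image": "sailboat.png", "phrase": "blue harbour"}}
DEVICE_KEY = secrets.token_bytes(32)  # server-side secret for device cookies


def issue_device_cookie(username: str) -> str:
    """Issued only after the user has answered the challenge questions.
    The cookie is a MAC over the username, so it is tied to the user and not
    merely to the machine (the improvement Marco's reply suggests)."""
    tag = hmac.new(DEVICE_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{tag}"


def cookie_matches(cookie: Optional[str], username: str) -> bool:
    """Check that the cookie was issued for this username (tag compared in
    constant time)."""
    if not cookie or ":" not in cookie:
        return False
    name, tag = cookie.split(":", 1)
    expected = hmac.new(DEVICE_KEY, username.encode(), hashlib.sha256).hexdigest()
    return name == username and hmac.compare_digest(tag, expected)


def password_page_leaky(username: str) -> dict:
    """Flow as Edward describes it: every username reaches the password page,
    but only enrolled ones carry an image, so image presence confirms the
    username to anyone, from any browser."""
    user = USERS.get(username)
    return {"step": "password", "image": user["image"] if user else None}


def password_page_hardened(username: str, cookie: Optional[str]) -> dict:
    """Image and phrase are shown only when a registered device cookie is
    bound to this username; unknown user and unregistered device both get the
    same challenge-question step, so the response no longer confirms the name."""
    user = USERS.get(username)
    if user and cookie_matches(cookie, username):
        return {"step": "password", "image": user["image"], "phrase": user["phrase"]}
    return {"step": "challenge_questions", "image": None}
```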