Comments on: False-Positive Trust http://securitymusings.com/article/421/false-positive-trust Rants and raves from information security professionals Fri, 03 Feb 2012 13:03:11 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Walt http://securitymusings.com/article/421/false-positive-trust/comment-page-1#comment-412 Walt Thu, 11 Sep 2008 14:38:26 +0000 http://securitymusings.com/?p=421#comment-412 A proxy-style phishing site could go to the real site and grab the picture as it was fooling the user. You would only need to know a few similar "something you know" factors, like the account number, and the answers to the flimsy security questions the user had set up. A phishing site could easily ask the user for this info, and then relay it to the real site to obtain the picture, which it would then display to the user, Alice-Eve-Bob "man in the middle"-style. I don't think the SiteKey was really touted as an extra authentication factor (although it may have been). It's a server authentication mechanism, not client. A proxy-style phishing site could go to the real site and grab the picture as it was fooling the user. You would only need to know a few similar “something you know” factors, like the account number, and the answers to the flimsy security questions the user had set up. A phishing site could easily ask the user for this info, and then relay it to the real site to obtain the picture, which it would then display to the user, Alice-Eve-Bob “man in the middle”-style.

I don’t think the SiteKey was really touted as an extra authentication factor (although it may have been). It’s a server authentication mechanism, not client.

]]> By: Peter Hesse http://securitymusings.com/article/421/false-positive-trust/comment-page-1#comment-411 Peter Hesse Thu, 11 Sep 2008 13:59:14 +0000 http://securitymusings.com/?p=421#comment-411 Reminds me of the article we had written some time ago, "Wish it was two factor":http://securitymusings.com/article/182/wish-it-was-two-factor based on a DailyWTF article. For example your bank's SiteKey. Is that really helping? No, it's the opposite. If I break into your account, I also now learn your secret picture, which I can share with you next time you think you're logging in to the bank. Reminds me of the article we had written some time ago, “Wish it was two factor”:http://securitymusings.com/article/182/wish-it-was-two-factor based on a DailyWTF article. For example your bank’s SiteKey. Is that really helping? No, it’s the opposite. If I break into your account, I also now learn your secret picture, which I can share with you next time you think you’re logging in to the bank.

]]>