November 2008
Phishers exploit weaknesses in certificate process

The Washington Post Security Fix points out how phishers are exploiting weaknesses in the certificate-granting process to fool users.

It is interesting for two reasons:

1. The attacker gets a real GeoTrust certificate with a name similar to the financial institution's.
2. The offer to sign up for Verified by Visa includes the first 5 digits of the credit card number, which are the same for every card issued by that financial institution.

What it makes me think is: what is the value of a cert from GeoTrust compared with a home-rolled cert combined with mutual authentication and two-factor authentication from WiKID?

The trust in a signed certificate rests on the assumption that the signer has verified the site owner, which is clearly dubious. The trust in WiKID mutual authentication comes from the triangle between the WiKID server, the token client and the website. The token client checks that the site the user intends to visit presents the same SSL certificate that the WiKID server has stored for that site. It doesn't matter whether the cert is signed by a trusted CA; the only thing that matters is that the cryptography works.
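To make the "triangle" concrete, here is an added example (not WiKID's code) of the check the token client performs: it compares the SHA-256 fingerprint of the certificate a site presents against the fingerprint the authentication server recorded for that exact hostname, and ignores who signed it. The hostnames, the stand-in DER bytes and the `PIN_STORE` contents are all constructed for the demo; the function and variable names are assumptions, not WiKID's API.

```python
"""Added example: certificate pinning check modelled on the mutual
authentication triangle described in the post. Not WiKID's code."""
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates. Real DER bytes come
# from SSLSocket.getpeercert(binary_form=True); any bytes work for hashing.
REAL_BANK_CERT = b"constructed-der:examplebank.com:serial-0001"
REISSUED_CERT = b"constructed-der:examplebank.com:serial-0002"
LOOKALIKE_CERT = b"constructed-der:examplebank-secure.com:serial-0001"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


# What the authentication server (the WiKID server in the post) has stored
# out of band for each protected site: hostname -> expected fingerprint.
PIN_STORE = {
    "examplebank.com": fingerprint(REAL_BANK_CERT),
}


def validate_site(hostname: str, presented_der: bytes, pins: dict) -> tuple:
    """Decide whether the token client should launch the browser to hostname.

    Returns (ok, reason). Whether a public CA signed the certificate is
    deliberately not consulted: the only question is whether the presented
    certificate is the one stored for this exact hostname.
    """
    expected = pins.get(hostname)
    if expected is None:
        # A lookalike domain with a perfectly valid CA-signed cert lands here:
        # the server never stored anything for it, so the browser is not launched.
        return False, "no pinned certificate for host"
    if fingerprint(presented_der) != expected:
        # Same hostname, different certificate: rotated, mis-issued or intercepted.
        return False, "certificate fingerprint mismatch"
    return True, "certificate matches pinned fingerprint"


def live_fingerprint(hostname: str, port: int = 443) -> str:
    """How a real client would obtain the presented certificate (not run here).

    The default context still does normal CA validation; the pin check in
    validate_site is applied on top of it, not instead of it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    for host, der in [
        ("examplebank.com", REAL_BANK_CERT),          # genuine site
        ("examplebank-secure.com", LOOKALIKE_CERT),   # phisher's similar name
        ("examplebank.com", REISSUED_CERT),           # right name, wrong cert
    ]:
        ok, reason = validate_site(host, der, PIN_STORE)
        print(f"{host:28s} {'LAUNCH' if ok else 'BLOCK ':6s} {reason}")
```

The second case is the one from the Security Fix story: the phisher's certificate is genuine and CA-signed, but the server has no pin for that hostname, so the client refuses to launch the browser to it. The third case shows why the fingerprint, not the hostname alone, is what is compared.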

Moreover, because the WiKID client launches the default browser directly to the site whose certificate it validated, it is much easier for the user: there is no URL to inspect and no lookalike name to be fooled by.
