
raghava | 4 years ago

Possible mitigation measure:

1. If identity providers start offering a dynamic, trusted element within the critical pages (login, password prompt, 2FA/OTP verification, etc.)

2. If such a dynamic element is from a known range/set of customer/trusted-party supplied identity elements.

Ex. During my account creation, say I am prompted to select some "secret identity themes", and I choose { batman, bike, carrots }

At the login/password/OTP prompt, I am shown a 3x3 grid of pics / words / hints, which have at least 3 (or whatever configurable number, in my account preferences) that are somehow connected to my "secret identity theme". This way, I know I can trust this page. The grid also has many unrelated ones acting as decoy elements, so that any malicious spoofing party cannot really figure them out.

I believe you get the general idea.

Do y'all feel this can possibly help, in mitigating this very serious & very harmful threat?

I intend to write a short post on this soon.
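As an added illustration (not code from the thread or from any identity provider), here is a minimal server-side sketch of the grid the post describes: the catalogue of themes and items is constructed for the example, the chosen theme names are the ones from the post, and the grid is filled with a configurable number of theme-related items plus decoys drawn from themes the user did not pick.

```python
import secrets

# Constructed catalogue for this example: each "secret identity theme" maps
# to the pictures / words an identity provider could render for it.
THEME_ITEMS = {
    "batman":  ["bat-signal", "gotham", "cape"],
    "bike":    ["helmet", "pedal", "chain"],
    "carrots": ["rabbit", "garden", "orange"],
    "ocean":   ["wave", "shell", "anchor"],
    "space":   ["rocket", "planet", "comet"],
    "music":   ["guitar", "drum", "note"],
}


def related_items(user_themes):
    """All catalogue items tied to the themes the user picked at sign-up."""
    return {item for theme in user_themes for item in THEME_ITEMS[theme]}


def build_grid(user_themes, min_related=3, size=9):
    """Return a shuffled grid (list of `size` items) containing exactly
    `min_related` items from the user's themes; the rest are decoys taken
    from themes the user did not choose, so the user alone can tell which
    items are the "real" ones. Selection uses the OS CSPRNG so a spoofing
    page cannot predict the layout from earlier observations."""
    rng = secrets.SystemRandom()
    related_pool = sorted(related_items(user_themes))
    decoy_pool = sorted(
        item for theme, items in THEME_ITEMS.items()
        if theme not in user_themes for item in items
    )
    if not 0 < min_related <= min(size, len(related_pool)):
        raise ValueError("min_related must fit both the grid and the user's themes")
    if size - min_related > len(decoy_pool):
        raise ValueError("not enough decoy items in the catalogue for this grid size")
    grid = rng.sample(related_pool, min_related) + rng.sample(decoy_pool, size - min_related)
    rng.shuffle(grid)
    return grid


def page_looks_trusted(grid, user_themes, min_related=3):
    """The check the user performs mentally: does the grid carry at least
    `min_related` items from my themes? Note (as raised later in the thread)
    that a reverse proxy relaying the genuine page also relays the genuine
    grid, so this only helps against pages that were rebuilt from scratch."""
    hits = sum(1 for item in grid if item in related_items(user_themes))
    return hits >= min_related
```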


mnw21cam | 4 years ago

The Barclays Android banking app gets you to choose a few words that you make up, and displays those words on the login screen as a way of authenticating to you that it actually is the Barclays app login screen.

noodlesUK | 4 years ago

I remember some big service many years ago (maybe yahoo?) had a “memorable image” or something that was associated with your username as some kind of anti phish metric. Of course nowadays that would be trivial to bypass with something like Modlishka or a different reverse proxy passing through the website content.

https://github.com/drk1wi/Modlishka

raghava | 4 years ago

Yes. That's why a cluster of elements for a "secret identity theme", instead of just one image. (After all, infosec/security is finally just a game of making the reward-to-effort ratio too impractical for most threat-actors & thus achieving a reasonable 'sense of security', in a world where exploits exist for almost every ring in the stack - including ring 0)

I feel BITB mostly gets used by those who may not really have access to lob a proxy attack at the intended target as well, which filters a good set, among potential victims.