Simple security tokens needed
Posted by Jonas Elfström Tue, 27 Mar 2007 20:46:00 GMT
Now a couple of Swedish students have shown (also by using the problem I mentioned in this post) that a security token both needs to be used in a secure manner and needs to make it simple for the user to know what he is actually signing. According to the press, it seems they did this as a man-in-the-middle attack. This is just speculation, but it seems the reason this was possible was that the user did not have a clear view of what he was signing.
It could have been done something like this:
- Redirect the user to a fake site (and hope that he does not inspect the certificate).
- Ask for the username, challenge the user with the verification code, and then log in to the bank in the background.
- Try to add a new account for transfers, then tell the user he mistyped and has to log in again, while actually challenging him to verify the new account.
- Transfer money the same way.
The bank has solved the problem by adding a 9 before all login codes. I'm not convinced this is simple and obvious enough for the users. One way to make it simple could be a security device with buttons labelled "login", "sign account" and "sign amount" or similar.
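To show the difference between the two fixes, here is an added simulation (not code from the post or from any bank's token) of a challenge-response token. It contrasts a one-button token where the purpose is only conveyed by the leading 9 with a labelled-button token where the pressed purpose is mixed into the response; the secret, challenge digits and MAC construction are constructed assumptions.

```python
import hashlib
import hmac

# Constructed shared secret; a real token keeps this inside tamper-resistant hardware.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

# Purpose labels for the buttons proposed above; each one is mixed into the MAC.
PURPOSES = {"login": b"L", "sign account": b"A", "sign amount": b"M"}

def _mac(secret: bytes, msg: bytes) -> str:
    # Eight hex digits stand in for the short numeric code a real token displays.
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]

def is_login_challenge(challenge: str) -> bool:
    """The bank's fix: login challenges carry a leading 9, signing challenges do not.
    Only the user can act on this, by checking the digit before answering."""
    return challenge.startswith("9")

def respond_single_button(challenge: str, secret: bytes = SECRET) -> str:
    """One-button token: the response covers only the digits the user typed in."""
    return _mac(secret, challenge.encode())

def respond_purpose_button(purpose: str, challenge: str, secret: bytes = SECRET) -> str:
    """Labelled-button token: the purpose the user pressed is part of the MAC input,
    so a code produced under 'login' cannot verify as an account or amount signature."""
    return _mac(secret, PURPOSES[purpose] + challenge.encode())

def verify_single_button(challenge: str, response: str, secret: bytes = SECRET) -> bool:
    return hmac.compare_digest(respond_single_button(challenge, secret), response)

def verify_purpose_button(purpose: str, challenge: str, response: str, secret: bytes = SECRET) -> bool:
    return hmac.compare_digest(respond_purpose_button(purpose, challenge, secret), response)

def relay_outcome() -> dict:
    """The relay described in the post: the attacker obtains a signing challenge from
    the bank, shows those same digits to the user as if they were a login challenge,
    and forwards the user's answer as authorization for the new account."""
    signing_challenge = "48213907"  # constructed; no leading 9, as it is not a login code
    # With the one-button token the only defence is the user noticing the missing 9.
    code_single = respond_single_button(signing_challenge)
    # With labelled buttons the user presses "login", which is bound into the code.
    code_labelled = respond_purpose_button("login", signing_challenge)
    return {
        "missing_9_visible_to_user": not is_login_challenge(signing_challenge),
        "single_button_accepted_for_signing": verify_single_button(signing_challenge, code_single),
        "labelled_button_accepted_for_signing": verify_purpose_button("sign account", signing_challenge, code_labelled),
    }
```

The relayed code verifies for the one-button token, so everything rests on the user spotting the missing 9; with the purpose bound into the MAC the bank rejects it regardless of what the user was shown.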
EDIT: Phishing mails have now started to arrive that ask Swedbank customers to install ssl3.exe...