

London Calling: Two-Factor Authentication Phishing from Iran - secfirstmd
https://citizenlab.org/2015/08/iran_two_factor_phishing/

======
nickik
Google already has a solution for this, why are they ignoring it?

Google already supports 2FA with the new U2F protocol. With this protocol the
app id (URI) is part of the process and it's provided by the browser. Thus
phishing attacks will fail.

Sadly Firefox and other browsers do not yet support this, only Chrome. I
really hope this replaces the old 2FA TOTP style and especially SMS.

For people who want to use both, there is a nice solution. You can use a YubiKey
as your U2F token, and for websites that don't support this you can use the
YubiKey as your 2FA with the help of an Android app called 'Yubico
Authenticator' and NFC. I prefer it to Google Authenticator because I can move
between Android devices (which just came in useful when my phone broke).

Google does not yet support NFC U2F on their mobile browsers as far as I know.
That's very sad; I really want to be able to disable the HOTP solution.

See the protocol here:
[https://image.slidesharecdn.com/fidou2fin10minutescis2015-15...](https://image.slidesharecdn.com/fidou2fin10minutescis2015-150622164512-lva1-app6891/95/fido-u2-f-in-10-minutes-cis-2015-17-638.jpg?cb=1434991550)

------
rlpb
The article says, in "One Quick Check to Spot the Fakes!", to look for https
instead of http. But this is no good: an attacker could use a domain-validated
SSL certificate for the fake domains used.

~~~
fredley
This. The only way to check is to verify the certificate, which on Chrome
means clicking the padlock, switching to the Connection tab, and then viewing
certificate information. Not exactly straightforward.

~~~
Flimm
If you already trust your CA authorities and you already know what domain to
expect, then that's not necessary; you only need to check for HTTPS and the
domain name.

~~~
rlpb
Checking the domain name isn't sufficient because some letters look similar to
each other and not all users are capable of doing precise string comparison
matching in the same way that programmers do. The article has an example -
qoogle.com instead of google.com. I bet that a significant number of users
would miss this when asked to check.

~~~
leni536
How does it differ from checking the domain name in the certificate? I don't
get it.

~~~
rlpb
It doesn't differ from checking the domain name in the certificate. It does
differ from checking the entity in the EV certificate, which is generally the
legal name of the company.

In theory, a phisher could register a company with a similar name to the
target website's legal name, obtain a valid EV certificate for that, and then
phish using a similar looking domain with a similar looking EV certificate
legal name. In practice, if that were to begin happening, I'd like to think
that the authorities in charge of legal entity registration (e.g. Companies
House in the UK) would start requiring identity checks for the legal entity
registrations, and then phishers would not have an easy path to exploit this
route.

~~~
leni536
The discussion started with only mentioning DV certificates.

> I'd like to think that the authorities in charge of legal entity
> registration (e.g. Companies House in the UK) would start requiring identity
> checks for the legal entity registrations

Wait, they don't require that now?

------
Flimm
The only real protection from this is to verify that the SSL icon is displayed
in the address bar, and that the domain is the domain you expected. It's a
shame more websites don't educate users to do this.

This gives me an idea for a JavaScript widget that guides users to verify the
address bar, with an appropriate demonstration screenshot based on the
expected domain, and the user's browser.

~~~
rlpb
Worse, websites will redirect you to a different domain as part of their
normal process.

For example, in the UK, the Lloyds Bank main website is lloydsbank.com, but
click (on their insecure page) for online banking logon and you're taken to
[https://online.lloydsbank.co.uk](https://online.lloydsbank.co.uk).

The main website for another UK bank, NatWest, is on natwest.com (it redirects
to [http://personal.natwest.com](http://personal.natwest.com)), but click for
online banking and you're taken to a page on
[https://www.nwolb.com](https://www.nwolb.com).

Telling users to check the domain is useless, since legitimate sites condition
users to ignore it.

EV certificates do fix this to some extent, but users are not conditioned to
check these, and domain-validated certificates just complicate matters for
them.

I would prefer to see legislation that mandates security standards for
entities that handle personal data. In the UK, secondary legislation against
an amended Data Protection Act that mandates EV certificates would work well
for this, IMHO. This won't help the Internet at large, but would at least help
condition UK users to know what to check.

~~~
deanclatworthy
I'd love to see EV certificates everywhere, and cheap enough to make them
practical for small business owners who collect minimal personal information.
Should you really need an EV certificate to have a newsletter sign-up form?
Probably not, but I wouldn't mind if it weren't for the fact that I'd pay over
200 pounds a year [0] for the privilege.

But absolutely, anyone storing _serious_ personal information (credit cards,
banking information, social security numbers) should be required by law to
have an EV cert.

[0] [https://www.geotrust.com/uk/ssl/](https://www.geotrust.com/uk/ssl/)

~~~
rlpb
My issue with that is the users no longer know what to check - having two
types of certificates is confusing.

I'd be happy if you used domain-validated SSL but browsers didn't make any
claims about the security of connections without the EV cert though. For me
this means no padlock icon whatsoever. After all - from the perspective of an
ordinary user who cannot verify your domain, it _is_ insecure.

Edit: how about "No claims about security to be presented to the user without
EV certificates"?

~~~
dublinben
The connection to a website with a DV certificate is certainly secure, it just
isn't _authenticated_. TLS is designed to provide both, and EV follows through
on that second promise.

~~~
rlpb
This is a question of semantics - one that everyday users don't care about. To
them, unauthenticated _is_ insecure.

~~~
dublinben
I guess it was impossible to have a secure session before the introduction of
EV in 2007 then. I guess all these https sites (this one included) have been
fooling me all along, with their fake secure connections.

~~~
nailer
Well yeah, you could register a domain validated cert for hotmaillogin.com, or
for `*.*.company.com` (and then register hotmail.com.company.com) at the time
just fine, and plenty of people did.

------
nickik
Is there some kind of addon that warns people about URLs that look similar?
That might be easy and useful.

Edit: With certificate pinning you could put out a msg to the user to verify
if he understands that this is the first time he visits the site.

The problem is when to put out such a warning; I don't want to do that every
time I go on a new site.

