Middle phishing

Chris Soghoian, a graduate student in informatics at Indiana University (Bloomington, IN, US), has demonstrated how phishing schemes can be implemented using man-in-the-middle methods that circumvent the image-based defenses banks are touting as a means of avoiding them: the SiteKey image, the PassMark image, or the Yahoo personalized sign-in seal. He has a video demonstrating how it works, and it’s getting some press coverage.

We present this demonstration of a “deceit-augmented man in the middle attack” against the SiteKey® service used by Bank of America (the underlying technology is also used by other companies). This, or a similar attack, could be used by a phisher to deceive users into entering their login details to a fraudulent website.

On his blog, Mr. Soghoian describes steps that users can take to ensure that they are making a trustworthy connection to their banks and other financial institutions. Mac users, don’t feel smug; this problem has nothing to do with a computer’s operating system, but with what happens to the data transmitted over the Internet.
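The reason a sign-in image offers no protection against a relay is easiest to see in a toy model. The following is an added illustration, not code from this post or from Mr. Soghoian’s demonstration: the hostnames, usernames and image names are constructed, and the origin check it contrasts with the image check is my own assumption about what a trustworthy-connection check looks like (verifying the TLS origin the browser actually reached), not a summary of the steps on his blog.

```python
"""Toy model of a SiteKey-style login and a relay sitting between user and bank.

Added illustration; all data below is constructed for the example.
"""
from dataclasses import dataclass

# Constructed sample data: the bank's hostname and each customer's chosen image.
BANK_HOST = "bank.example"                 # constructed, not a real bank
SITEKEY_IMAGES = {"alice": "blue-sailboat.png", "bob": "red-kite.png"}


@dataclass
class Response:
    origin: str   # hostname the user's TLS connection actually terminated at
    image: str    # image shown before the password prompt


def bank_sitekey(username: str) -> Response:
    """The bank's first step: look up the image for this username and show it.

    Anyone who can send the bank a username receives that username's image,
    which is what makes the image useless as proof of who the user is talking to.
    """
    return Response(origin=BANK_HOST, image=SITEKEY_IMAGES.get(username, "unknown.png"))


def relay_sitekey(relay_host: str, username: str) -> Response:
    """A relay between user and bank (hypothetical host): it forwards the username
    to the real bank and hands back the bank's image from its own origin."""
    upstream = bank_sitekey(username)
    return Response(origin=relay_host, image=upstream.image)


def user_checks(username: str, resp: Response, expected_host: str = BANK_HOST):
    """What a user can verify at the image step.

    Returns (image_matches, origin_matches). The first is the check SiteKey asks
    the user to perform; the second (assumed here) is the one that distinguishes
    the bank from a relay, because a relay cannot present a valid certificate
    for the bank's own hostname.
    """
    image_matches = resp.image == SITEKEY_IMAGES[username]
    origin_matches = resp.origin == expected_host
    return image_matches, origin_matches


def compare(username: str, relay_host: str = "login-bank.example.net"):
    """Run the same user through a direct connection and through a relay.

    Returns {"direct": (image_ok, origin_ok), "relayed": (image_ok, origin_ok)}.
    The image check passes in both cases; only the origin check tells them apart.
    """
    direct = user_checks(username, bank_sitekey(username))
    relayed = user_checks(username, relay_sitekey(relay_host, username))
    return {"direct": direct, "relayed": relayed}


if __name__ == "__main__":
    for who in SITEKEY_IMAGES:
        print(who, compare(who))
```

The model makes the defender’s point without any network code: the image is a secret shared between the bank and the customer, but the bank releases it to whoever supplies the username, so a relay that forwards the username sees the correct image too. What the relay cannot forge is the origin the browser connected to, which is why the checks worth teaching users concern the connection itself rather than the picture.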

Link to Mr. Soghoian’s blog entry on the topic and to the video documenting it. His work’s been covered by three sources that I often read: the Washington (DC, US) Post, the University of Virginia Cavalier Daily, and the Chronicle of Higher Education.


2 responses to “Middle phishing”

  1. Right, indeed. I’m wondering if he’s kin to Sal, who plays music sometimes around our neighborhood. At Mr. Soghoian’s blog you can see an image of the letter he got demanding that he take the boarding pass forger down. (Nice fish eye, by the way. I meant to comment on it when I was at your site.)
