Hacked Bank of India Site Labeled Trustworthy
SkiifGeek writes "When the team at Sunbelt Software picked up on a sneaky hack present on the Bank of India website, it became a unique opportunity to see how anti-phishing and website trust verification tools were handling a legitimate site that had been attacked. Unfortunately, not one of the sites or tools identified that the Bank of India website was compromised and serving malware to all visitors. The refresh time on a trust-brokering site is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or greater."
Re:iframes... (Score:4, Informative)
They're useful for doing in-place file uploads without refreshing the page (e.g., in a web app like Gmail where you'd want to add an attachment to a message), because that's the only way to do that.
Re:now if it were me... (Score:4, Informative)
PayPal, eBay, and Verisign offer a rebranded Vasco keyfob that one can use. Enter your username, tab to the password field, enter your password, then append the six-digit number from the Digipass Go 3 (the OEM name), and you are in. Though this is not as well engineered as a SecurID system, it still forces a would-be thief to have physical custody of the keyfob and the password to the account.
Some European banks use a system similar to the age-old one time password system found in BSD (S/Key or OPIE). You obtain a list of one time passwords on a piece of paper that you scratch off in the mail, and every time you log in, you scratch off the next one on the list. This can be attacked (there are some targeted phishing attacks to try to get users to type in multiple lines off the OTP paper), but it keeps a compromised user PC from becoming an entry point for an attacker.
Lastly, there are always Aladdin eTokens that store a private client certificate. This is one of the more secure ways, because there are zero passwords used. The server asks the client (any web browser, pretty much) for a certificate, similar to how an SSL-enabled web browser asks the web server for its cert; the web browser passes the signing request to the eToken, the eToken signs it on the physical card (the private key never leaves the eToken), and the server checks the validated cert against the user list and lets the user in. For academic places (universities), this is one of the absolute best ways to do things.
All in all, probably the best solution would be a hybrid system, similar to an eToken NG-OTP keyfob, that allows a user to plug the token in and use it online with client certificates, or offline, typing the six-digit number off the LCD screen.
Disclaimer: I don't work for Aladdin, RSA, or Vasco, but like their products.
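The paper one-time-password list described in the comment above works like the BSD S/Key hash chain it names. As an added example (not the commenter's code), this sketch shows why a password captured on a compromised PC can neither be replayed nor used to derive the next entry on the list; the seed, chain length and class names are constructed for the illustration.

```python
import hashlib


def hash_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)] with H = SHA-256.
    Entry n is handed to the server at enrolment; entries n-1 down to 1
    are the user's printed one-time passwords, used in that order."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class OtpServer:
    """Server side of the scheme: stores only the current chain anchor,
    never the seed, so a server compromise leaks no usable passwords."""

    def __init__(self, anchor: bytes, remaining: int):
        self.anchor = anchor
        self.remaining = remaining

    def login(self, otp: bytes) -> bool:
        # Valid only if hashing the presented value yields the stored anchor.
        if self.remaining == 0 or hashlib.sha256(otp).digest() != self.anchor:
            return False
        self.anchor = otp          # step one link down the chain
        self.remaining -= 1
        return True


def demo() -> dict:
    seed = b"constructed-demo-seed-not-a-real-secret"   # constructed value
    n = 5
    chain = hash_chain(seed, n)
    server = OtpServer(anchor=chain[n], remaining=n - 1)
    paper = chain[n - 1:0:-1]    # the printed list: chain[4], chain[3], ...

    first = server.login(paper[0])     # genuine login with the top entry
    replay = server.login(paper[0])    # same value harvested and replayed
    # Holding paper[0] does not reveal paper[1]: that would mean inverting
    # SHA-256. A guessed value is rejected just like the replay.
    forged = server.login(b"\x00" * 32)
    second = server.login(paper[1])    # next entry scratched off the list
    return {"first": first, "replay": replay, "forged": forged,
            "second": second, "remaining": server.remaining}
```

The scheme only protects the chain direction; an entry phished out of the user before it is used (the multi-line attack the comment mentions) still works once, which is why each printed entry must be used exactly in order.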
Re:Anti-phishing tools shouldn't be used to determ (Score:2, Informative)