OK, you've all heard of phishing. New, and probably growing, is pharming, which seeks to use other means to send users to bogus websites. Quoting from the Register article's advice on how to mitigate the problem, this stands out: "Banking sites could adopt two-factor authentication as a comprehensive defence." And it's not just el reg saying this either: Microsoft is saying it along with pundits at RSA.
Here's the straight dope: identification of the user is not the problem. It's identification of the institution that is at issue. I won't go into the numerous ways that phishing is still possible even in a world of two-factor authentication - it would take too long to cover them all; suffice it to say that it is not only possible, but likely that phishing would still occur even in a world of ubiquitous two-factor user auth. In other words, phishing is about fooling the user into thinking that the rogue site is the real bank when it isn't, not about fooling the bank into thinking that the hacker is the real user when he isn't.
What we need, instead of more user authentication, is some authentication of the institution. And guess what? The current protocols in place for HTTPS support this already; it's already there, just not being used! Really, in order to support SSL, Bank of America has to get a cert from a (semi) reputable party that is stamped "BANK OF AMERICA" all over it. The problem isn't that the information isn't there, it's that today's browsers do not expose any of that information to the browser user - all the user sees is a lock icon. Divorced from all of the other associated data, the lock icon is binary - it's "secure" or it isn't. The question is: secure from what? If the lock icon is there, the session is secure from eavesdroppers but not necessarily secure from anything else (like impersonation). If the words "BANK OF AMERICA" appeared next to the lock icon (or even at the top of the browser window) for the legit BOA site and came up as "shady h4xx0r" (or whatever the bogus site's address/owner information is) for bogus sites, do you think people would be as susceptible to this crap? I don't.
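To show that the identity really is sitting in the certificate, here is an added example (my own code, not from the original post or any browser vendor) that builds a constructed, self-signed server cert with Go's standard library, then pulls out the Subject organisation and the hostname to produce the label the post argues should appear beside the lock icon. The organisation strings and the `.example` hostnames are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeCert builds a self-signed certificate (a constructed sample, not a real
// bank's cert) with the organisation in Subject and the hostname in the SAN,
// the same fields a CA-issued server certificate carries.
func makeCert(org, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// LockLabel is the text the post says should sit beside the lock icon: who the
// certificate says the site is, and which hostname it was issued for.
func LockLabel(cert *x509.Certificate) string {
	org := strings.Join(cert.Subject.Organization, ", ")
	if org == "" {
		org = "(no organisation named in certificate)"
	}
	return fmt.Sprintf("%s [%s]", org, strings.Join(cert.DNSNames, ", "))
}

func main() {
	bank, _ := makeCert("BANK OF AMERICA", "bank.example")    // constructed
	bogus, _ := makeCert("shady h4xx0r", "bank-login.example") // constructed
	fmt.Println(LockLabel(bank), "|", LockLabel(bogus))
}
```

The lock icon only tells you the channel is encrypted; `cert.VerifyHostname(host)` on the parsed certificate is the check that ties it to the address the user actually typed, and a cert issued for `bank-login.example` fails it for `bank.example`.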
So, to wrap up this rant: more user auth vs. more site auth? I see it like protecting a house. If your house has a front door which you keep locked and a back door that you keep unlocked, and robbers keep coming in through the back door, is the answer to put another lock on the front door? Of course not. But that's analogous to what's being proposed here and what's being proposed by the industry. It won't solve the problem.
Posted by Ed at June 15, 2005 12:52 PM