Login Pages - The Flaw In Challenge/Response

By Pat McKenna, published on March 21, 2006
Source: Tom's Guide US

6. Login Pages - The Flaw In Challenge/Response

Virtually every username-and-password weakness rests on the fact that the vast majority of user-to-site communication follows one distinct pattern:

On requesting entry to a site, the user is challenged once for a username and password. Once the site has verified the user, the two engage in a sequence of navigation and transactions with no further challenge.

Most online financial institutions use a combination of username, password and a partial PIN (selected digits of a longer PIN), all entered into a standard HTML form. This is a very simple arrangement, and it is central to the success of online thieves: every one of those secrets is a static value typed into a form, so it offers no practical resistance to phishing or to spyware and trojans on the user's machine.

Once the user has logged in, the site assumes that the user is who they say they are for the duration of the session. This is where the man-in-the-middle (MITM) attack gains its advantage. The MITM has no need to read or break the username and password; the user is allowed to log in successfully, and the authenticated session is then piggybacked or hijacked, typically by capturing and replaying the session identifier the site issued.
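The following simulation is an added example and is not code from the article or from any bank: a toy site that challenges once at login and then trusts a bearer session id, plus an intercepting proxy that forwards the login untouched and keeps the session id the site hands back. The class names, the "alice" account and the transfer amounts are constructed for illustration; the point it shows is that the site's own log cannot tell the replayed request from the victim's.

```python
import hashlib
import hmac
import os
import secrets


class BankSite:
    """Toy site following the pattern in the text: one challenge at login,
    then a bearer session id that is trusted for the rest of the session.
    (Constructed for this example; not any real site's code.)"""

    def __init__(self):
        self.users = {}      # username -> (salt, pbkdf2 hash)
        self.sessions = {}   # session id -> username
        self.log = []        # what the site records; shows it cannot tell victim from attacker

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """The one and only challenge/response: returns a session id on success, None otherwise."""
        if username not in self.users:
            return None
        salt, stored = self.users[username]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def transfer(self, sid, amount, payee):
        """Any request carrying a known session id is treated as that user; nothing else is checked."""
        user = self.sessions.get(sid)
        if user is None:
            return "401 not logged in"
        self.log.append((user, amount, payee))
        return f"200 {user} sent {amount} to {payee}"


class InterceptingProxy:
    """MITM between the victim's browser and the site. It forwards the login
    unchanged (no need to break the password) and keeps the session id the
    site returns. Hypothetical attacker component, constructed for this example."""

    def __init__(self, site):
        self.site = site
        self.captured_sid = None

    def login(self, username, password):
        sid = self.site.login(username, password)
        self.captured_sid = sid   # the only thing the attacker needs
        return sid                # the victim's browser sees a normal, successful login

    def transfer(self, sid, amount, payee):
        return self.site.transfer(sid, amount, payee)   # victim's traffic passes through untouched


def run_scenario():
    """Victim logs in through the MITM; attacker replays the captured session id."""
    site = BankSite()
    site.register("alice", "correct horse battery staple")   # constructed sample account
    proxy = InterceptingProxy(site)

    # Victim logs in through the MITM and makes a legitimate transfer.
    sid = proxy.login("alice", "correct horse battery staple")
    victim_result = proxy.transfer(sid, 50, "electric company")

    # Attacker replays the captured session id directly against the site.
    attacker_result = site.transfer(proxy.captured_sid, 5000, "mule account")

    # A random session id is still rejected: the site does check *something*,
    # just nothing the MITM lacks.
    stranger_result = site.transfer(secrets.token_hex(16), 1, "nobody")

    return {
        "victim": victim_result,
        "attacker": attacker_result,
        "stranger": stranger_result,
        "site_log": list(site.log),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Both transfers land in the site's log under "alice", and the attacker never touched the password hash or the PBKDF2 check: the session id is a bearer credential, so any control that only runs at the login challenge has already been passed by the time the session is abused.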

SSL: Utterly Useless

"But SSL will save us, every place I use to purchase stuff says that I'm using 128-bit encrypted SSL, and that I'm completely safe."

SSL is an acronym for Secure Sockets Layer, a technology created to encrypt data traveling between two points on a network, such as two computers on the Internet. You can see SSL at work when you connect to your bank; a small padlock symbol typically appears in the bottom status line of your browser to show that SSL is in use. You may also see "https:" at the start of the Web address instead of the usual "http:".

SSL does improve security between two network points, but here is the catch: one of those points could be a computer controlled by a MITM, which holds one SSL session with you and a separate one with the real site and reads everything passing between them. Another route around SSL is pharming, in which a poisoned DNS entry or hosts file redirects you somewhere you don't expect. The false site can still present a certificate, and the padlock appears as soon as the browser accepts it (or the user clicks through the warning); you feel protected, but you are still at risk.

Desktop attacks happen on the user's own computer, where SSL offers no practical protection at all, because SSL only covers the path between your browser and the site you are connected to. A trojan or spyware running on the desktop captures the username, password and PIN as they are typed, before the browser ever encrypts them.

And as if this weren't bad enough, all the SSL in the world won't defend against rogue employees who already have inside access to personal and sensitive data. SSL does protect against phishing, but only if the user knows what to do when the browser warns that a site's certificate is untrusted or doesn't match the address: stop, rather than click through. How many ordinary users do, however?
