The security of Microsoft's Hotmail service was recently called into question when the login details of at least 10,000 users were posted to the code-sharing website Pastebin. Microsoft wasn't alone: Yahoo and Gmail accounts were also compromised. The attackers used a technique known as 'phishing', masquerading as a trusted party to dupe people into handing over their credentials.
You would expect Microsoft to be able to protect its users from such scams, especially since, if security firm Acunetix is right, the mechanics of this attack were rudimentary: off-the-shelf phishing toolkits.
Microsoft has assured us that its systems weren't to blame, and for a phishing attack that is literally true, since the credentials are harvested from the user rather than from the provider. But the obvious question remains: shouldn't Internet Explorer's anti-phishing features have prevented users from falling prey to a Hotmail scam? Those features work largely from reputation lists of reported URLs, so a freshly minted phishing page enjoys a window before it is flagged.
What's interesting about the attack is that it bucks the trend. As Symantec's monthly phishing report notes, the use of phishing toolkits (automated kits that let crooks with little or no technical knowledge stand up a fake login page) is declining: down 21 percent last month.
Phishers seem to be dropping the scatter-gun approach in favour of niche attacks that are more targeted and more profitable. They have shifted their focus from the mob to the individual.
The FBI (whose director almost had his own bank details phished) is, together with Facebook, warning users about an increase in a variant of the 419 scam in which compromised Facebook accounts are used to ask the victim's friends and family for money.
Twitter is under attack for similar reasons. As spotted by Mashable, phishers are harvesting users' passwords with a self-propagating worm: each compromised account sends its followers a message linking to a replica login page, and every follower who types a password there becomes the next sender.
Targeted attacks of this kind are clearly going to become more popular, but volume-based attacks won't vanish completely while there are still users who fall for them.
Phishers are also exploiting big news events, such as Patrick Swayze's death or the recent tsunamis, using search engine optimisation (SEO) to push pages into the top results that con visitors into paying for fake anti-virus software to remove fictitious infections, a practice now known as SEO poisoning.
These attacks take advantage of two things. The first is user ignorance: with passwords such as '123456' and 'iloveyou', those duped by the recent Hotmail scam weren't exactly security conscious (although a strong password would not have saved them either, since a phishing victim hands the password over no matter how good it is). The second is a lack of security innovation when it comes to web browsers.
Web browser developers are lagging behind when it comes to practical security. It's plain that, as an authentication method, passwords have had their day. Browsers should be redesigned to support simplified public key authentication through SSL/TLS, the channel that already authenticates the server to the user.
Client certificates are hard to deploy because of driver and certificate-management problems. But browsers could support a standardised, low-cost authentication method using a driverless USB token holding a raw, self-generated key pair with no issued certificate behind it.
Sites would register users by the token's thumbprint, a hash of its public key; no certificate authority would be required. For a few dollars you could buy a credential that works anywhere and, unlike a password, cannot be typed into the wrong site.
For such a system to work, native browser support would be mandatory: the classic route, PKCS#11 (the Cryptographic Token Interface Standard), needs a vendor-supplied driver library for each device, so it cannot accommodate such a simple, low-cost token without new drivers. From the user's perspective the login process would also need to be simple:
- insert your USB key, no driver or configuration required;
- enter a URL;
- type your PIN.
With such a system in place, users might still fall for a fake site, but any credentials they supplied would be useless to the phishers: the PIN only unlocks the token in the user's hand, the private key never leaves that token, and because the login runs inside the SSL/TLS connection, a signature obtained by a fake site is tied to that connection and cannot be relayed to the genuine one. Mass credential-harvesting phishing would lose its payoff, and we'd be creating smarter users in the process.
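To make the registration and login flow above concrete, here is an added simulation written for this edit; it is not code from the original article or from any product, and it models the token, the browser and the site in one Go program. The user name alice, the origins mail.example and mail-example.login.test, and the PIN 4321 are constructed values for the demonstration. The browser, not the web page, assembles the bytes the token signs and binds the origin it is actually connected to into them; in the proposal that binding comes from the SSL/TLS connection, and here it is modelled explicitly as a string. A look-alike site that relays a genuine nonce and collects both the PIN and the resulting signature still has nothing it can present to the real site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Token stands in for the driverless USB key: a raw P-256 key pair that is never certified by anyone and signs only after a PIN check.
type Token struct {
	Pub  *ecdsa.PublicKey // the only key material that ever leaves the device
	priv *ecdsa.PrivateKey
	pin  string
}
func NewToken(pin string) (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{Pub: &priv.PublicKey, priv: priv, pin: pin}, nil
}

// Sign returns an ECDSA signature over SHA-256(msg), or nothing on a wrong PIN.
func (t *Token) Sign(pin string, msg []byte) ([]byte, error) {
	if pin != t.pin {
		return nil, fmt.Errorf("token: wrong PIN")
	}
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
}

// challengeMessage is assembled by the browser, not by the page: the origin the
// browser is actually connected to is bound into the bytes the token signs.
func challengeMessage(origin string, nonce []byte) []byte {
	return append([]byte("login:"+origin+":"), nonce...)
}

// Site is the relying party: per user, the registered key and the outstanding nonce.
type Site struct {
	Origin string
	keys   map[string]*ecdsa.PublicKey
	nonces map[string][]byte
}
func NewSite(origin string) *Site {
	return &Site{Origin: origin, keys: map[string]*ecdsa.PublicKey{}, nonces: map[string][]byte{}}
}

// Register files the raw public key and returns its thumbprint (hex SHA-256 of the SPKI DER), all the site ever identifies the user by.
func (s *Site) Register(user string, pub *ecdsa.PublicKey) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	s.keys[user] = pub
	return fmt.Sprintf("%x", sha256.Sum256(spki)), nil
}

// Challenge issues a fresh 32-byte nonce for one login attempt.
func (s *Site) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand never returns a short read in current Go; it aborts instead
	s.nonces[user] = nonce
	return nonce
}

// Verify rebuilds the message with the site's OWN origin and the nonce it issued,
// checks the signature, and burns the nonce so it cannot be replayed.
func (s *Site) Verify(user string, sig []byte) bool {
	pub, known := s.keys[user]
	nonce, issued := s.nonces[user]
	delete(s.nonces, user)
	if !known || !issued {
		return false
	}
	digest := sha256.Sum256(challengeMessage(s.Origin, nonce))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login plays the victim's browser. connectedOrigin is the origin it is really talking
// to: site.Origin for an honest login, or a look-alike that relays the genuine nonce.
func Login(site *Site, connectedOrigin, user string, tok *Token, pin string) (bool, error) {
	sig, err := tok.Sign(pin, challengeMessage(connectedOrigin, site.Challenge(user)))
	if err != nil {
		return false, err
	}
	return site.Verify(user, sig), nil
}

func main() {
	tok, _ := NewToken("4321")
	site := NewSite("mail.example")
	fmt.Println(site.Register("alice", tok.Pub))
	fmt.Println(Login(site, "mail.example", "alice", tok, "4321"))
	fmt.Println(Login(site, "mail-example.login.test", "alice", tok, "4321"))
}
```

Running it prints the registered thumbprint, then true for the login at the real origin and false for the one relayed through the look-alike, even though the victim typed the correct PIN and the phisher forwarded a genuine signature over a genuine nonce. Removing the origin from challengeMessage is the one-line change that would make the relayed login succeed, which is why the signed message has to be built by the browser rather than by page script a phisher controls, and why native browser support is the crux of the proposal. The same shape, a raw key pair on a token signing an origin-bound challenge with no certificate authority involved, is what FIDO U2F later standardised.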
Steven Willoughby is a security specialist dealing in key management. He is the technical director of ICT Networks.