Posted to user@struts.apache.org by Oscar <os...@gmail.com> on 2010/09/06 17:42:51 UTC

Avoid Phishing in Struts Applications plugin

Hi to all. I'm working on a project for a bank using Struts 2.1.8 and I have
to implement an anti-phishing mechanism in the application, but I don't
know where to start. I understand the basics of phishing but I have never applied
it to a project. Do you know if there exists in Struts something like a security
plugin to avoid phishing, or another plugin or library for J2EE applications
that achieves that?

Thanks in advance

-- 
Oscar Calderón
SCJP 6  <http://javahowto.net>

Re: Avoid Phishing in Struts Applications plugin

Posted by Dale Newfield <da...@newfield.org>.
On 9/6/10 11:42 AM, Oscar wrote:
> anti-phishing mechanism into the application

If I understand what people generally refer to as phishing, it's someone 
else making pages appear enough like yours to fool the customers, but 
with the submitted data going to a third party.  As such, there's not a 
whole lot you can do to prevent someone copying your site, but you can 
make some feature on your site different from customer to customer and 
try to train the customers to look for that personal feature before 
trusting that they are where the page claims they are.  For example, 
Bank of America has an image that they ask you to select when setting up 
your account.  They call this a "SiteKey". 
http://en.wikipedia.org/wiki/SiteKey There are obvious flaws with this 
technique, but it can help somewhat.  I don't know if there are any 
relevant patents/etc. but you should look into them before copying this 
idea in case there are requisite licenses/royalties due to EMC.  Of 
course using https with a known key is a technical way of doing the 
reverse side of mutual authentication, but it really does come down to 
user training, as if the bank's users don't notice a different URL in 
the address bar, they're also not going to notice http instead of https.

http://en.wikipedia.org/wiki/Mutual_authentication

Basically phishing involves mimicking your web application, and there's 
very little you can do within your application to prevent that.  I fear 
there are no good solutions that don't involve training the bank's 
customers to be more vigilant.  If you come up with a good, clean 
solution, please let us know.

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Avoid Phishing in Struts Applications plugin

Posted by Paweł Wielgus <po...@gmail.com>.
Hi all,
one of the banks I use uses a standard login and password to log on,
but after login, when one wants to transfer money or do any cash
related operation
one needs to provide a special token from your secret list or from a
hardware token.
That way stealing my login and password won't do much for a thief.
So any phishing that will collect my login and password
will not succeed in transferring money from my account.
Combine this with a personal picture uploaded by the bank to my profile
(like on credit cards)
and you have a pretty strong system that any user will understand.
Of course when someone will do "man in the middle"
no defense can be applied at all.

Best greetings,
Paweł Wielgus.


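As an added example (not from this thread or from Struts itself) of the step-up check Paweł describes: a Struts 2 interceptor that lets a password-only session browse, but refuses any money-moving action until a fresh one-time code from the customer's secret list is presented and consumed. The `CashOperation` marker interface, the `tan` request parameter and the `unusedTanHashes` session key are assumed names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/** Marker for actions that move money; assumed name, implemented by the bank's action classes. */
interface CashOperation {}

/**
 * Struts 2 interceptor: a password-only session may browse, but any CashOperation
 * action must carry a fresh one-time code from the customer's secret list.
 * Register it in struts.xml ahead of the action in the cash-operation stack.
 */
public class TransactionTokenInterceptor extends AbstractInterceptor {
    public static final String TAN_REQUIRED = "tanRequired"; // result mapped to the "enter code" page
    static final String PARAM = "tan";                       // assumed form field name
    static final String SESSION_TANS = "unusedTanHashes";    // assumed session key, filled at login

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        if (!(invocation.getAction() instanceof CashOperation)) {
            return invocation.invoke();                      // read-only pages need no second factor
        }
        ActionContext ctx = invocation.getInvocationContext();
        Object raw = ctx.getParameters().get(PARAM);         // Struts 2.1 hands parameters over as String[]
        String tan = raw instanceof String[] && ((String[]) raw).length > 0 ? ((String[]) raw)[0] : null;
        @SuppressWarnings("unchecked")
        Set<String> unused = (Set<String>) ctx.getSession().get(SESSION_TANS);
        if (tan == null || unused == null || !consume(unused, tan)) {
            return TAN_REQUIRED;                             // a stolen login+password alone gets no further
        }
        return invocation.invoke();
    }

    /** Each code is valid exactly once: remove its hash from the unused set, or fail. */
    static boolean consume(Set<String> unusedHashes, String tan) throws Exception {
        return unusedHashes.remove(sha256Hex(tan.trim()));
    }

    /** The session holds hashes of the list rather than the codes themselves. */
    static String sha256Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

As Paweł notes, this defeats replay of harvested credentials but not a live relay of the whole session by a man in the middle; short codes should also be rate-limited, which is outside this snippet.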



Re: Avoid Phishing in Struts Applications plugin

Posted by Oscar <os...@gmail.com>.
Ok, I got it. Thanks so much for the info.


-- 
Oscar Calderón
SCJP 6  <http://javahowto.net>

Re: Avoid Phishing in Struts Applications plugin

Posted by Dale Newfield <da...@newfield.org>.
Examples of why SiteKey really isn't sufficient:
http://antivirus.about.com/b/2010/03/23/bank-of-america-sitekey-scam.htm
http://www.aviransplace.com/2007/02/05/study-finds-bank-of-america-sitekey-is-flawed/
(As well as the fact that it's possible for a phishing site to use the 
same provided ID to ask the real site what sitekey should be shown to 
the end user, effectively a man-in-the-middle attack, illustrated at 
https://www.sestus.com/vt/sitekeyMITM.asp )

Some other company's solution that appears to involve users having to 
store a keyfile on their machine, but it seems that would make it 
impossible to log into the site from a random machine (or a mobile 
device like the iphone that doesn't have an available filestore), and I 
don't see what prevents those users from being duped into providing that 
keyfile to a phisher.
https://www.sestus.com/vt/comparesitekey.asp

It's a hard problem, and it mostly happens *outside* your app, so good 
luck solving it within your app. :-(

-Dale
