It’s time again for our biweekly meeting. We’ll be meeting at Rudolphs Bar-B-Que again starting at 18:30 (6:30 p.m.).
This week we’re going to discuss how cryptography can help defend against phishing.
Phishing, the act of sending fraudulent e-mails that appear to be from legitimate people or organizations for the purpose of scamming the recipients, is a major problem on the Internet. Every day new phishing scams are created and every day people are suckered into them. Some people such as company executives and activists are specifically targeted and those specifically targeted phishing scams can be difficult to defend against.
Over the years advice about defending against phishing has evolved. Initially the advice was to be very careful with e-mails. With the sophisticated nature of many phishing scams this advice was basically worthless. Another attempt to defend against phishing scams, one that is still used by many bank websites, is requiring the user to verify their identity by asking “security” questions. But this mechanism is also of limited value, especially if the user answers the questions honestly since the answers to such questions are often available via publicly accessible data.
Cryptography offered more useful solutions against phishing. RSA SecurID, for example, is a fob that displays a one-time use password that changes frequently. Each fob has a unique key so you need a user’s specific fob in order to log into their SecurID accounts. A similar tool is second factor authentication apps, such as Google Authenticator, that use the Time-based One-time Password Algorithm (TOTP) and the HMAC-based One-time Password Algorithm (HOTP) to generate one-time use passwords that also change frequently. Both of these tools limit a phisher’s ability to gain access to your account since they require not only your user name and password, which are the values phishers have traditionally targeted, but also a one-time password that expires frequently (usually between 30 and 60 seconds).
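To make the one-time password mechanism concrete, here is an added example (not part of the original announcement) that implements HOTP and TOTP as specified in RFC 4226 and RFC 6238 and shows a server-side check rejecting a code once its window has passed or once it has been used. The key is the test secret published in those RFCs; `verify_totp`, `drift_steps` and `last_used_step` are illustrative names chosen for this sketch.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits)

def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30,
                drift_steps: int = 1, last_used_step: int = -1):
    """Return the time step the code matches, or None if it is rejected.

    Accepts +/- drift_steps of clock skew. Steps at or before
    last_used_step are refused, so an accepted code cannot be replayed.
    """
    current = unix_time // step
    for s in range(max(0, current - drift_steps), current + drift_steps + 1):
        # compare_digest avoids leaking how many digits matched via timing
        if s > last_used_step and hmac.compare_digest(hotp(key, s), code):
            return s
    return None

# Test secret from RFC 4226 / RFC 6238 (never use a published key for real).
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_KEY, 59)  # code displayed at t=59s (time step 1)
    print("code at t=59:", code)
    print("checked at t=59:", verify_totp(RFC_KEY, code, 59))
    print("checked at t=89 (inside drift window):",
          verify_totp(RFC_KEY, code, 89))
    print("checked at t=150 (expired):", verify_totp(RFC_KEY, code, 150))
    print("replayed after use:",
          verify_totp(RFC_KEY, code, 59, last_used_step=1))
```

The server should store the returned step as `last_used_step` for the account after each successful login; the size of `drift_steps` sets how long a displayed code stays acceptable.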
Yet another solution to this problem is Universal 2nd Factor (U2F). U2F relies on a hardware token that must be connected to your device in order to log into your account. The advantage of U2F is that it’s tied to a hardware token so it cannot be easily obtained by a phisher via a maliciously crafted website designed to steal your credentials.
Today’s meeting will consist of discussing these various tools as well as their strengths and weaknesses. We will also discuss whether teaching people how to use two-factor authentication tools such as TOTP, HOTP, and U2F is a more viable means of helping the average user defend against phishing than teaching them how to spot malicious e-mails.