| Popular » |
 Can't Buy The Top
|
Copycat Spammers
|
Online Obstacles
|
Crimes On YouTube
|
eBay Fair Trade
|
eBay Feedback
|
Usernames and passwords stopped being the end-all to online security years ago. Yet it's the model touted by OpenID as a way to make one's browsing more convenient.
Big name Internet players have bought in to the promise of a system where one's OpenID just works across a variety of sites. But security pros know that their tasks require finding a balance between convenience and security, and Marco Slot demonstrated how OpenID could be too much convenience and too little security.
Slot presented three scenarios where phishing someone's OpenID credentials presents little more of a challenge than writing (or copying) some PHP code. Two of the methods can be guarded against by providers who prudently consider the consequences.
The third scenario, a basic OpenID login box set up on a malicious web page, cuts the OpenID provider out entirely. Someone enters their credentials, and the evil people end up with a login combo that probably works on more sensitive sites.
Feed the login combo to a script that checks it against common financial and retail sites, and if the person used that username and password to login to any such site that does not offer an additional security factor, it's game over.
As noted in a lengthy roundup of commentary on the Identity Corner blog from last August, the issues presented by OpenID don't end with phishing. Tracking visits to websites by OpenID users is one example.
This discussion comes about as Google's App Engine project debuted, and one coder created an application that turns a Google Account login into an OpenID credential. AdWords/AdSense clients in particular should be wary of using their Google Account this way. One bad phish could make finances very sick.
SEO Step Six of Ten: Social MediaSocial Media Marketing StrategiesResources for New Media and Social Media PRSES New York: Successful Tactics for Social Media OptimizationA Strategic Approach to Social Media MarketingWhat is Social Media Traffic Worth?New Rules for Social Media Optimization Social Media and PR 911 Social Media as a DistractionSocial Media Optimization 
Comments
OpenID does not tout passwords
The statement that "Usernames and passwords ... [are] the model touted by OpenID" is incorrect - OpenID says nothing whatsoever about how the user is to be authenticated. You can use passwords, secure tokens, out-of-band authentication, retinal scans, or no authentication at all. That's a provider policy decision that has nothing to do with OpenID.
The general point that phishing becomes more valuable in a world of OpenID shared credentials is fair enough. On the other hand, shared credentials are already widespread in practice anyway. I'd hope that as OpenID becomes more popular providers will take the lead in providing and encouraging more secure forms of authentication than simple passwords.
Paypal and Skype
I had a recent experience that is very similar... the issue of shared credentials being hacked.
My Skype account was hacked and stolen, and as we had been - until this happened - happy paying skype users, we had setup the autorecharge function to add skype credit from our paypal account as needed. i am sure you can guess where this is going.
The skype thief drained $150 from my paypal before reaching the transfer limit, using it to buy skype credit on the network for other people.
When I reported this to Skype and Paypal, neither company could give a damn that this happened. Skype out right refused to do anything. Paypal said, sorry, but the charges "look legitimate to us, so you will have to get Skype to reverse it". No big surprise that both companies are a part of the ebay mafia.
Eventually I was able to threaten Paypal enough times that they reversed the charges - but only because I use paypal in my business, and $150 is about a weeks fees. I am amazed it took as long as it did for them to get the business case. As for Skype, they prefer to keep their network for thieves and criminals, rather than having paying customers. No problem. We will never use it again.
So, will I share my credentials on social networking sites? Not on your life.
I might even go back to rotary phone.
Phishing Resistant OpenID provider
Interesting post, I would agree that OpenID by itself is not any kind of great leap forward in regards to security. It is up to the OpenID provider to add layers of security beyond a simple l/p.
I work for Vidoop and we run a password less OpenID provider which addresses many of the concerns you note about OpenID. Instead of a password, each user chooses from a number of “categories”, like airplanes, cars or keys. At time of login, myVidoop displays an array of images including an airplane, a car, or a key, along with several other unrelated images. Without knowledge of the secret, the display appears completely random to other observers. The user spots the secret categories known only to him and sees a series of digits that act as the one-time access code. Since other observers do not know the user’s categories, they do not know which of the displayed access codes to use as the key. Only the user can interpret the one-time access code from the display.
Its pretty neat technology, we also have a password manager to store your normal logins/passwords…
With regards to spam I believe once you add a reputation component to OpenID and only allow accounts with reputation threshold of X to comment then that will be a valuable tool to help reduce spam. In the mean time I dont see it being any worse or better for spammers than what is currently available.
Cheers,
Kevin
Problem with OpenID
I cannot send e-mails since I have OpenID. It presents a series of wiggly combinations of letters and numbers. When I enter the challange in the provided box, it offers another set of combinations to copy for entry. It will not allow me to proceed past this point. I was not aware that I joined OpenID but I noticed that I have it now.
Can you help me?
Power Spam
I'm personally thrilled at the opportunities OpenID would unlock for blog spam. I'd only have to defeat one CAPTCHA/Turing Test and I could use my spam account at multiple sites everywhere.
It should bring exponential increases in spam and click farm efficiency.
Password-less OpenID
Regarding credentials theft, it's possible to use a <a href="http://norman.rasmussen.co.za/107/xmpp-auth-for-openid/>password-less OpenID mechanism</a>.
Post new comment