Monday, March 17, 2008

SecureAuth™ Secures Reported "Phishing" Weakness in Safari Browser

"Phishing" Inspection Automated by SecureAuth™ in Safari and other browsers, by Garret Grajek CISSP

In February 2008, PayPal released a list of recommended browsers for interaction with their e-commerce sites. (Source: Michael Barrett, PayPal’s Chief Information Security Officer).

PayPal notes that Safari lacks a "built-in" anti-phishing filter and does not support Extended Validation (EV) certificates. These anti-phishing mechanisms are supported in browsers such as Microsoft's IE7 and IE8 and Firefox 2.0 and 3.0. The Extended Validation (EV) certificate mechanism is a web browser technology that turns the address bar green when the browser is connected to a legitimate Web site.

It is important to note that both of these browser-based features are designed to further educate and inform the user that a malicious hacker site may be "posing" as the legitimate SSL-protected "target" site. PayPal accurately states that the Safari browser does not include these features.

It should be noted that neither the newer versions of IE (7.0 and 8.0) nor Firefox (2.0 and 3.0) stop the user from proceeding with the transaction. The user is simply given more information that the site appears to have technical inconsistencies that could indicate a hacker site. That is, the user is informed, but can still proceed. (And often does; see the Microsoft/Stanford study cited below.)

MultiFactor’s SecureAuth™ product, a webserver-based software product that e-commerce sites can install and use on their own webservers, is designed to AUTOMATE this inspection. In an authentication validated by SecureAuth™, the burden of user education and the risk of improper user judgment are removed by an automated process. SecureAuth™ by MultiFactor includes a browser extension for Safari that automates the inspection of the endpoint. SecureAuth conducts a bi-lateral key exchange between the legitimate web server and the end user. If a hacker site attempts to "phish" the user via a man-in-the-middle attack or some other replay mechanism, the authentication is automatically flagged by SecureAuth™ and the session is dropped. (See Diagram #1.)

Diagram #1: SecureAuth™ Server and Web Components identify and automatically mitigate Man-In-the-Middle and other identity theft attacks.

It is important to note that the SecureAuth™ plug-in, available to Safari users, provides more secure internet e-commerce authentication than other browsers offer, regardless of their support for the "Anti-Phishing" bar or EV certificates. SecureAuth™ conducts the e-commerce authentication automatically and validates the bi-lateral session, without requiring user knowledge or training.

SecureAuth™ also supports IE and Firefox browsers; thus users on all platforms can achieve this level of site validation, provided the enterprise is wise enough to deploy MultiFactor SecureAuth™ for authentication.


It is important to note that studies have shown that most browser "user education" mechanisms provide little to no value in the fight against on-line fraud. A study conducted by Stanford University and Microsoft revealed that users, even after browser education, were still likely to judge all sites legitimate, regardless of whether the sites were fraudulent.

Garret Grajek is the president and founder of MultiFactor Corporation. He is a certified security engineer who has deployed hundreds of security solutions while working for RSA, IBM, Cisco and others.


Copyright 2008. MultiFactor Corporation. All Rights Reserved.