Any creative solution to make it harder for hackers to copy your IdP login page?
Shweta Kautia
skautia at northcarolina.edu
Mon Mar 26 17:20:00 EDT 2018
Hello,
Not sure how you would implement this, but some banks I've seen have a user pick out their "image and phrase" that only they would know when setting up their account profile. When a user revisits the login page, they first enter their username; then the page loads with their image and phrase, which they need to verify is what they had selected when setting up the account.
The phishers wouldn't be able to generate that image and phrase, hence securing the IdP login page.
Thanks,
Shweta
On Mar 26, 2018, at 5:07 PM, Liam Hoekenga <liamr at umich.edu> wrote:
> I had considered this, too, Liam. Not only is referrer not terribly reliable, but there's nothing stopping the
> hacker from grabbing the images and CSS when they grab the page source and hosting it, too.
Right.
We also have a problem with phishers copying our login page for nefarious purposes. I know that our security group would be very interested in potential solutions.
Liam
On Mon, Mar 26, 2018 at 3:05 PM, Wessel, Keith <kwessel at illinois.edu> wrote:
I had considered this, too, Liam. Not only is referrer not terribly reliable, but there's nothing stopping the hacker from grabbing the images and CSS when they grab the page source and hosting it, too.
Keith
From: users <users-bounces at shibboleth.net> On Behalf Of Liam Hoekenga
Sent: Monday, March 26, 2018 2:52 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Any creative solution to make it harder for hackers to copy your IdP login page?
We had played with the idea of replacing all of the images or CSS files for the login page if the referrer wasn't the login page, but referrer isn't the most reliable data.
On Mon, Mar 26, 2018 at 2:47 PM, Wessel, Keith <kwessel at illinois.edu> wrote:
Hi, all,
We've had a couple of recent phishing attempts where hackers have hosted their own stolen copy of our IdP login page in order to trick users into giving them their usernames and passwords. Our move toward MFA is going to make this much more difficult (I'm not naive enough to say impossible), but we're hoping to make it harder for this trick to work in the meantime. Our security folks asked if we could add some JavaScript that would bring up an impossible-to-close pop-up if the hostname didn't match what it should be. This is, of course, possible but also easy for a hacker to remove.
We already have text at the bottom of our IdP login page stating what the hostname should be in the address bar, but nobody reads that part. Amusingly, the hackers didn't even change that part in their login page knock-offs. But our security folks didn't even notice that text until I pointed it out to them.
I'm wondering if anyone has come up with creative solutions to slow down hackers from doing this kind of thing.
Thanks for any thoughts,
Keith
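The referrer idea raised earlier in the thread works better as a detection signal than as a control: a cloned page that is hosted elsewhere but still loads images or CSS from the real IdP leaves asset requests in the IdP's web-server log whose Referer names the clone's host. The following is an added example, not code from anyone on this list or from Shibboleth, that scans combined-format access log lines for exactly that; the IdP hostname, the asset path prefixes and the log lines are assumed or constructed.

```python
import re
from typing import Iterable, Iterator, Optional

# Assumed values: the IdP's own hostname and the URL prefixes of login-page assets.
IDP_HOST = "idp.example.edu"
LOGIN_ASSET_PREFIXES = ("/idp/images/", "/idp/css/")

# Apache/nginx combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_host(referer: str) -> Optional[str]:
    """Lower-cased host from a Referer value, or None when it is absent ("-") or unparseable."""
    if not referer or referer == "-":
        return None
    m = re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/?#:]+)", referer)
    return m.group(1).lower() if m else None

def suspicious_asset_requests(lines: Iterable[str]) -> Iterator[tuple]:
    """Yield (client_ip, path, referer_host) for login-asset hits whose Referer is a foreign host.
    A missing Referer is skipped on purpose: browsers and privacy tools strip it routinely,
    so its absence is not evidence of a clone, and its presence is only a lead, not proof."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(LOGIN_ASSET_PREFIXES):
            continue
        host = referer_host(m["referer"])
        if host is None or host == IDP_HOST:
            continue
        yield m["ip"], m["path"], host

def foreign_referer_hosts(lines: Iterable[str]) -> dict:
    """Count asset hits per foreign Referer host; the result is a triage list for the security team."""
    counts: dict = {}
    for _ip, _path, host in suspicious_asset_requests(lines):
        counts[host] = counts.get(host, 0) + 1
    return counts

# Constructed sample log lines (not real traffic); the clone host uses a reserved .invalid name.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Mar/2018:14:47:00 -0400] "GET /idp/images/logo.png HTTP/1.1" 200 5120 "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Mar/2018:14:48:10 -0400] "GET /idp/images/logo.png HTTP/1.1" 200 5120 "http://login-clone.invalid/index.html" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Mar/2018:14:48:11 -0400] "GET /idp/css/login.css HTTP/1.1" 200 800 "http://login-clone.invalid/index.html" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Mar/2018:14:49:00 -0400] "GET /idp/images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [26/Mar/2018:14:50:00 -0400] "GET /idp/Authn/UserPassword HTTP/1.1" 200 300 "http://login-clone.invalid/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, n in foreign_referer_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} login-asset request(s) with a foreign Referer")
```

Because a copied page can just as easily host its own copies of the assets (as Keith notes), an empty result says nothing; a non-empty one is worth a look.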
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net