Any creative solution to make it harder for hackers to copy your IdP login page?

Richard Frovarp richard.frovarp at ndsu.edu
Mon Mar 26 17:22:27 EDT 2018


It's perfectly possible for the attackers to show that image and phrase.

The user inputs their username into the attacker system
Attacker system inputs the username into the real system
Attacker system reads image and phrase from real system
Attacker system displays image and phrase to user


On 03/26/2018 04:20 PM, Shweta Kautia wrote:
> Hello,
>
> Not sure how you would implement this.. but some banks I've seen, have 
> a user pick out their "image and phrase", that only they would know 
> when setting up account profile. When a user revisits the login page, 
> they first enter their username- then the page loads with their image 
> and phrase.. which they need to verify is what they had selected when 
> setting up the account.
>
> The phishers wouldn't be able to generate that image and phrase, hence 
> securing the IdP login page.
>
> Thanks,
>
> Shweta
>
>
> On Mar 26, 2018, at 5:07 PM, Liam Hoekenga <liamr at umich.edu 
> <mailto:liamr at umich.edu>> wrote:
>
>> > I had considered this, too, Liam. Not only is referrer not terribly 
>> reliable, but there’s nothing stopping the
>> > hacker from grabbing the images and CSS when they grab the page 
>> course and hosting it, too.
>>
>> Right.
>>
>> We also have a problem with phishers copying our login page for 
>> nefarious purposes. I know that our security group would be very 
>> interested in potential solutions.
>>
>> Liam
>>
>> On Mon, Mar 26, 2018 at 3:05 PM, Wessel, Keith <kwessel at illinois.edu 
>> <mailto:kwessel at illinois.edu>> wrote:
>>
>>     I had considered this, too, Liam. Not only is referrer not
>>     terribly reliable, but there’s nothing stopping the hacker from
>>     grabbing the images and CSS when they grab the page course and
>>     hosting it, too.
>>
>>     Keith
>>
>>     *From:*users <users-bounces at shibboleth.net
>>     <mailto:users-bounces at shibboleth.net>> *On Behalf Of *Liam Hoekenga
>>     *Sent:* Monday, March 26, 2018 2:52 PM
>>     *To:* Shib Users <users at shibboleth.net <mailto:users at shibboleth.net>>
>>     *Subject:* Re: Any creative solution to make it harder for
>>     hackers to copy your IdP login page?
>>
>>     We had played with the idea of replacing all of the images or css
>>     files for the login page if the referrer wasn't the login page..
>>     but referrer isn't the most reliable data.
>>
>>     On Mon, Mar 26, 2018 at 2:47 PM, Wessel, Keith
>>     <kwessel at illinois.edu <mailto:kwessel at illinois.edu>> wrote:
>>
>>         Hi, all,
>>
>>         We've had a couple recent phishing attempts where hackers
>>         have hosted their own stolen copy of our IdP login page in
>>         order to trick users into giving them their usernames and
>>         passwords. Our move toward MFA is going to make this much
>>         more difficult (I'm not naive enough to say impossible), but
>>         we're hoping to make it harder for this trick to work in the
>>         meantime. Our security folks asked if we could add some
>>         javascript that would bring up an impossible-to-close pop-up
>>         if the hostname didn't match what it should be. This is, of
>>         course, possible but also easy for a hacker to remove.
>>
>>         We already have text at the bottom of our IdP login page
>>         stating what the hostname should be in the address bar, but
>>         nobody reads that part. Amusingly, the hackers didn't even
>>         change that part in their login page knock-offs. But our
>>         security folks didn't even notice that text until I pointed
>>         it out to them.
>>
>>         I'm wondering if anyone has come up with creative solutions
>>         to slow down hackers from doing this kind of thing.
>>
>>         Thanks for any thoughts,
>>         Keith
>>
>>         --
>>         For Consortium Member technical support, see
>>         https://wiki.shibboleth.net/confluence/x/coFAAg
>>         <https://wiki.shibboleth.net/confluence/x/coFAAg>
>>         To unsubscribe from this list send an email to
>>         users-unsubscribe at shibboleth.net
>>         <mailto:users-unsubscribe at shibboleth.net>
>>
>>
>
>
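
A detection idea that follows from the relay described above (an added example, not code from the thread or from Shibboleth): because the attacker's system has to ask the real IdP for each victim's image and phrase, the real IdP sees one client fetching the image/phrase for many distinct usernames in a short window. The log format, endpoint name `/idp/sitekey`, and sample lines below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical IdP access-log format:
# "<ISO timestamp> <client IP> GET /idp/sitekey?user=<username>"
SAMPLE_LOG = """\
2018-03-26T16:01:02 203.0.113.10 GET /idp/sitekey?user=alice
2018-03-26T16:01:05 198.51.100.7 GET /idp/sitekey?user=bob
2018-03-26T16:01:09 203.0.113.10 GET /idp/sitekey?user=carol
2018-03-26T16:01:14 203.0.113.10 GET /idp/sitekey?user=dave
2018-03-26T16:01:20 203.0.113.10 GET /idp/sitekey?user=erin
2018-03-26T16:01:25 203.0.113.10 GET /idp/sitekey?user=frank
2018-03-26T16:05:40 198.51.100.7 GET /idp/sitekey?user=bob
2018-03-26T17:30:00 203.0.113.10 GET /idp/sitekey?user=gina
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /idp/sitekey\?user=(\S+)$")


def parse(log_text):
    """Yield (timestamp, client_ip, username) for each image/phrase lookup."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def flag_relays(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {ip: set(usernames)} for clients that fetched the image/phrase
    for at least `threshold` distinct usernames within any `window`.
    A single user retrying (same username repeated) is not counted."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(parse(log_text)):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, hits in by_ip.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window so hits[start:end+1] spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= threshold:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged
```

In the constructed sample, 203.0.113.10 looks up five different users within 23 seconds and is flagged, while 198.51.100.7 (one user retrying) is not; the later lookup for gina falls outside the window and is not added.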
