💡This is a reader's perspective on the paper written by Enis Ulqinaku (from the Department of Computer Science, ETH Zürich) and published at the USENIX Security Symposium 2021.
Brief Description
The authors propose a different attack perspective on the FIDO authentication mechanism. Since most websites offer other account verification techniques besides FIDO, the authors' idea is to fake the FIDO verification dialog, prompting the user for an OTP number instead, and to fake the FIDO authentication on the benign websites. Unfortunately, it is only a preliminary study on the topic: they were unable to provide any information on whether users really fell for the attack, because most of them had already identified the websites as phishing from the email message or from the website's characteristics (URL/content).
Observations
One very strange thing is that they claim FIDO is the solution to MITM phishing attacks, but I don't see how that is. I see it as just another OTP-like verification system.
All in all, I think that a user study on this topic is still a very large research gap, since it was hard to really evaluate the attack's effectiveness.
I also don't like that they did not implement any crawler to interact with the benign page, even as a PoC. From my point of view, correctly interacting with the benign webpage is as important as making the user believe in the full process.
Initial Questions
The first question I had about the paper was about the crawler they used on the benign pages to correctly interact with them. But they didn't use any, since they claimed it was only a "user study", so meh...
Where do the experiment ideas come from?
They might have come from an insight gained from the studies. While the methodology in the paper is nice, they could have focused on other important things, such as building a full PoC.
What are the interesting ideas/results?
Nice methodology for the user study. Very detailed.