Friday, 30 November 2007
Federation as Anti-Phishing Technology
Chris Ceppi here at Ping writes a great blog post on how identity federation can directly combat phishing attacks on SaaS and other on-demand application providers.
"The success of the recent phishing attacks at Salesforce.com should trigger a fresh look at the risks of collecting authentication credentials (especially user names and passwords) on public web forms. The public web forms are the fundamental point of attack for phishers and until they are eliminated, successful phishing attacks will continue to occur and continue to cause significant business damage to companies like Salesforce.com and their customers.
The public web form used for authentication is at the center of most phishing attacks. Here is a common sequence:
- a phisher creates a copy of the real web form and puts it out on the public internet
- sends a disguised link to a larger group of users
- tricks a user into providing their real credentials to the fake form
- takes the real credentials to the real public web form and gets access to the application
Suggested remedies like training users and studying audit logs do not address the fundamental situation that makes phishing possible.
Removing the public web form from the process of accessing applications such as Salesforce.com would greatly lower the risk of getting phished. Adopting a federated SSO model for accessing Salesforce.com would allow for the elimination of public web forms."
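The federated SSO model the quoted post argues for, shown as an added example that is not code from Ping Identity or from Chris Ceppi's post. It is a deliberately small stand-in for SAML: a JSON assertion with an Ed25519 signature replaces the XML assertion and XML signature, and the names (`corp-idp`, `https://saas.example`, `alice`) are constructed. The point it demonstrates is the one the post makes: the service provider (the SaaS application) never hosts a password form, so there is nothing for a phisher to copy; it only checks that an assertion was signed by an identity provider whose key it pinned when the federation was set up, is addressed to it, answers a login it started, and has not expired. An assertion produced by a look-alike IdP under a phisher's control fails the pinned-key check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is a constructed stand-in for a SAML assertion: the IdP states who
// authenticated, for which service provider, answering which login request, and until when.
type Assertion struct {
	Issuer       string `json:"iss"`
	Subject      string `json:"sub"`
	Audience     string `json:"aud"`
	InResponseTo string `json:"irt"`
	ExpiresAt    int64  `json:"exp"`
}

// IdP is the only party that ever sees the password; its private key never leaves it.
type IdP struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdP(name string) (*IdP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdP{Name: name, Pub: pub, priv: priv}, nil
}

// Issue returns the JSON-encoded assertion and its signature, valid five minutes from now.
func (i *IdP) Issue(subject, audience, requestID string, now time.Time) (body, sig []byte, err error) {
	body, err = json.Marshal(Assertion{Issuer: i.Name, Subject: subject, Audience: audience,
		InResponseTo: requestID, ExpiresAt: now.Add(5 * time.Minute).Unix()})
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(i.priv, body), nil
}

// SP is the application (the SaaS provider in the post); it hosts no password form at all.
type SP struct {
	Audience string
	trusted  map[string]ed25519.PublicKey // issuer -> key, pinned from federation metadata
	pending  map[string]bool              // login request IDs this SP actually issued
}

// NewSP pins the IdP key out of band; it is never taken from a login response.
func NewSP(audience string, idp *IdP) *SP {
	return &SP{Audience: audience, trusted: map[string]ed25519.PublicKey{idp.Name: idp.Pub}, pending: map[string]bool{}}
}

// BeginLogin mints the request ID the SP expects echoed back in InResponseTo.
func (s *SP) BeginLogin() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := fmt.Sprintf("%x", b)
	s.pending[id] = true
	return id, nil
}

// Validate accepts an assertion only if a pinned IdP key signed it, it is addressed to this
// SP, it answers a request this SP issued, and it has not expired. A look-alike IdP fails here.
func (s *SP) Validate(body, sig []byte, now time.Time) (string, error) {
	var a Assertion
	if err := json.Unmarshal(body, &a); err != nil {
		return "", err
	}
	pub, ok := s.trusted[a.Issuer]
	if !ok || !ed25519.Verify(pub, body, sig) {
		return "", fmt.Errorf("assertion not signed by a pinned key for issuer %q", a.Issuer)
	}
	if a.Audience != s.Audience {
		return "", fmt.Errorf("assertion addressed to %q, not %q", a.Audience, s.Audience)
	}
	if now.Unix() >= a.ExpiresAt {
		return "", fmt.Errorf("assertion expired")
	}
	if !s.pending[a.InResponseTo] {
		return "", fmt.Errorf("unsolicited or replayed assertion")
	}
	delete(s.pending, a.InResponseTo) // each login request is satisfied once
	return a.Subject, nil
}

func main() {
	idp, _ := NewIdP("corp-idp")
	sp := NewSP("https://saas.example", idp)
	req, _ := sp.BeginLogin()
	body, sig, _ := idp.Issue("alice", sp.Audience, req, time.Now())
	fmt.Println(sp.Validate(body, sig, time.Now()))
}
```

The checks in `Validate` are the ones a real SAML service provider performs on a response (issuer and signature against pinned metadata, audience restriction, validity window, and `InResponseTo` against an outstanding request). Because the SP's own page only ever redirects to the IdP, a copy of it collects nothing useful, which is the post's argument.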