OpenID phishing risks - BE CAREFUL!

It is a great shame that things like these do happen, but it is VITAL that you know about the risks you face whenever you adopt or use a new technology.

OpenID is great. It makes your life simpler and a lot easy in that you don’t have to remember thousands of username and password combinations. Unfortunately, its great for malicious phishers too!

So what is phishing? Here is what Wikipedia says about it:

“In computing, phishing is a criminal activity using social engineering techniques.^[1] Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.”

So how do you run at risk falling prey to phishers using OpenID? Here is how:

Mr Phisher sets up a beautiful, intriguing web site that uses OpenID for registeration and authentication. You unsuspectingly likes the site and log in using your OpenID to see all the wonderful pics and videos that is only available to members…

So Mr Phisher takes your OpenID URL you’ve entered, lets say http://claimid.com/koos, and writes some scripts that checks what OpenID server your use. In this case he sees that you are using ClaimID. He then redirects you to his FAKE ClaimID server that sports a log in page that looks like the ClaimID server’s log in page. He might even go through LOTS of trouble and register a domain like http://claimid.net to make it even more difficult for you to spot that this is a phishing attempt.

You land on his fake ClaimID login page and you don’t look at the URL or the page too closely and you enter your username and password. BOOM! You’ve been caught, hook, line and sinker! Mr Phisher now has your login details for your real ClaimID account. He can now get ALL your personal details. He can see which sites you use your ClaimID on. He can access those sites and others as you. Lord knows what he want to do with your identity, but he has got it and he can misuse it to his liking… (and we’ve seen what a Dark Web this web can be!).

So let this be a warning. Be careful! Don’t trust anybody. Look carefully before you use your OpenID. Look at the login page and make SURE that it is your OpenID server you are logging into and not a rogue one.

I’m sure Dominique White can shed a lot more light on this for us and make you crap your best set of underpants. BE CAREFUL!

technorati tags:openid, openid-phishing, openid-security, phishing, security-risk

Blogged with Flock

4 Comments to "OpenID phishing risks - BE CAREFUL!"

• Tara said: On 03/29/2007 at 10:41 am

  Phishing is a *major* problem for OpenID users. Right now a bunch of services are popping up around OpenID, which is great, but as users mature into this technology they’ll start to learn how to shop around.

  The real winners will be the services that will manage to build security layers on top of OpenID. Maybe we’ll see some new anti-phishing patterns being born as a result.

• Dominic White said: On 03/29/2007 at 6:08 pm

  To be honest I know very little about Open ID. I imagine one possible solution could be some sort of browser extension where you could hardcode your open ID provider. The extension would essentially proxy the authentication (or at least the requests) and ensure the correct open ID server was used.

  Who wants to write a firefox extension?

• Dmitry Shechtman said: On 03/29/2007 at 6:16 pm

  OpenID Phishing Primer

• Paul Jacobson said: On 03/30/2007 at 6:03 am

  The prospect of someone spoofing my claimID page is a scary one!

Spit it out!

Filed in: Semantic Web by: Stii