<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Segoe UI";
        panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle21
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:1403719166;
        mso-list-type:hybrid;
        mso-list-template-ids:-77662252 403243023 403243033 403243035 403243023 403243033 403243035 403243023 403243033 403243035;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1
        {mso-list-id:1631865351;
        mso-list-type:hybrid;
        mso-list-template-ids:1987205564 403243023 403243033 403243035 403243023 403243033 403243035 403243023 403243033 403243035;}
@list l1:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-IE" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi Kosuke, Joseph<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Although the goal of the attack in the article is not token theft, some of the ideas on defending against attacks on cross-device flows might be helpful here (</span><a href="https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/00/">draft-ietf-oauth-cross-device-security-00
 - Cross-Device Flows: Security Best Current Practice</a>)<span style="mso-fareast-language:EN-US">.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">The attack shares some properties with the “illicit consent grant” attacks in
</span><a href="https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/00/">draft-ietf-oauth-cross-device-security-00 - Cross-Device Flows: Security Best Current Practice</a><span style="mso-fareast-language:EN-US">, most notably the lack of
 an authenticated channel between the initiating service and the authenticating device. From reading the article, this unauthenticated channel is exploited by the attacker, who changes the context of the authorization request. In this case, the change in context
 is achieved by calling the user and convincing them to trust the caller. The attack goes something like this.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo1"><span style="mso-fareast-language:EN-US">Call the user from a number similar to the fraud line number (one-digit difference).<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo1"><span style="mso-fareast-language:EN-US">Initiate fraudulent transactions.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo1"><span style="mso-fareast-language:EN-US">Ask the user to decline the fraudulent transaction (imagine someone telling the user to “review the transaction you're about to receive and
 decline it if you did not perform this transaction”), thereby earning the user's trust.<o:p></o:p></span></li><ol style="margin-top:0cm" start="1" type="a">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level2 lfo1"><span style="mso-fareast-language:EN-US">The user now considers the channel “authenticated” and will disclose sensitive information to the person who called them.<o:p></o:p></span></li></ol>
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo1"><span style="mso-fareast-language:EN-US">Initiate a fund transfer/request from the user's account (details are sketchy – presumably there is some business process that allows this).<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo1"><span style="mso-fareast-language:EN-US">The user receives an authorization code in the app.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo1"><span style="mso-fareast-language:EN-US">The user gives the code to the attacker (who earned the user's trust).<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo1"><span style="mso-fareast-language:EN-US">The attacker completes the fund transfer.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">In terms of mitigations, I would consider:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo2"><span style="mso-fareast-language:EN-US">Proximity: If the OTP is being delivered to an app that is running in a different location from the one where the transaction is being initiated,
 this may be an indicator of risk. There are several ways to do this, and it requires that the system issuing the OTP compares location information with the system where the transaction is initiated. Attackers may still be able to work their way around this, but
 it does raise the bar for a successful attack (see </span><a href="https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-00.html#name-establish-proximity">Cross-Device Flows: Security Best Current Practice (ietf.org)</a>)<span style="mso-fareast-language:EN-US">.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo2"><span style="mso-fareast-language:EN-US">Authenticated flow: Require that the user authenticates on the initiating device before initiating the flow. This prevents attackers from initiating
 the flow unless they can authenticate first. Not sure it would have helped in this case, but worth considering (see
</span><a href="https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-00.html#name-authenticated-flow">Cross-Device Flows: Security Best Current Practice (ietf.org)</a>)<span style="mso-fareast-language:EN-US">.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo2"><span style="mso-fareast-language:EN-US">Protocol selection: Choose cross-device protocols that are more resilient against exploits aimed at the unauthenticated channel (e.g. WebAuthn/FIDO
 passkeys, see </span><a href="https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-00.html#name-fido2-webauthn">Cross-Device Flows: Security Best Current Practice (ietf.org)</a><span style="mso-fareast-language:EN-US">).<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Defending against social engineering attacks is very hard, and at some point, technology cannot prevent a user who is convinced/intent on authorizing a transaction. At this point it is important
 to help the customer recover if they were tricked.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Pieter<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Openid-specs-fapi &lt;openid-specs-fapi-bounces@lists.openid.net&gt;
<b>On Behalf Of </b>Joseph Heenan via Openid-specs-fapi<br>
<b>Sent:</b> Thursday, February 9, 2023 5:29 PM<br>
<b>To:</b> Openid-specs-fapi &lt;openid-specs-fapi@lists.openid.net&gt;<br>
<b>Cc:</b> Joseph Heenan &lt;joseph@authlete.com&gt;<br>
<b>Subject:</b> Re: [Openid-specs-fapi] Bristol man loses £8,000 in banking app scam<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi Kosuke <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 9 Feb 2023, at 14:51, Kosuke Koiwai via Openid-specs-fapi &lt;<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>&gt; wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">FYI <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Is there anything we can do?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://www.bbc.com/news/uk-england-bristol-64559260">https://www.bbc.com/news/uk-england-bristol-64559260</a><o:p></o:p></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">As I understand it, the scam works something like this:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The user’s debit card details have been obtained by the scammer.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The scammers try to make payments online using these details, which triggers Mastercard 3D Secure ( <a href="https://www.starlingbank.com/blog/introducing-3D-secure/">https://www.starlingbank.com/blog/introducing-3D-secure/</a> ).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The user generates a code in their app, which has copious warnings not to share it (screenshots attached).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I don’t understand the details/limitations of 3D Secure, but this feels like the classic problem of OTPs not being context specific - i.e. it’s generally better to have a prompt like “Do you want to approve a transaction of £1523.43 to
 Amazon Gift Cards?”, although for some reason many of the 3D Secure prompts I’ve seen do have a fallback to an SMS-issued OTP (but again, at least they can include the context in the SMS).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Joseph<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><img border="0" width="296" height="640" style="width:3.0833in;height:6.6666in" id="Picture_x0020_1" src="cid:image001.jpg@01D93FC1.5D3B36A0"><img border="0" width="296" height="640" style="width:3.0833in;height:6.6666in" id="Picture_x0020_2" src="cid:image002.jpg@01D93FC1.5D3B36A0"><o:p></o:p></p>
</div>
</div>
</div>
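<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The two mitigations raised in this thread, Pieter's proximity check and Joseph's context-specific approval prompt, as one runnable toy in Python. This is an added example; it is not code from the thread, from 3D Secure, from Starling, or from the cross-device BCP draft. The ChallengeService class, the Transaction and Device records, the country fields standing in for whatever location signal an issuer really has, the 6-digit HMAC-derived code, and all sample values (the payees, the amounts, the country code "XX") are assumptions made for illustration. The typed code is an HMAC over the full transaction context, so it cannot be replayed against a different amount or payee; when the initiating location and the app's location differ, no typed code is minted at all and the only path is an explicit approval on the enrolled device, so there is nothing for the user to read out to a caller.</p>

```python
"""Added example (not from the thread): context-bound 3D-Secure-style
challenge with a proximity check. All names and values are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    amount_pence: int
    payee: str
    init_country: str  # assumed: coarse location of the device that initiated the payment


@dataclass(frozen=True)
class Device:
    device_id: str
    country: str  # assumed: coarse location reported by the enrolled banking app


class ChallengeService:
    """Toy issuer-side challenge service (a real ACS does far more than this)."""

    def __init__(self, key: bytes, ttl_s: int = 120) -> None:
        self._key = key
        self._ttl = ttl_s
        self._pending: dict = {}  # tx_id -> {"tx", "device_id", "nonce", "issued", "mode"}

    def _code_for(self, tx: Transaction, device_id: str, nonce: str) -> str:
        # The 6-digit code is derived from the whole context, so a code minted
        # for one (amount, payee, device) cannot validate for another.
        msg = f"{tx.tx_id}|{tx.amount_pence}|{tx.payee}|{device_id}|{nonce}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, tx: Transaction, device: Device) -> dict:
        """Decide how the user must authorise and return what the app should display."""
        nonce = secrets.token_hex(8)
        # The prompt always carries the context, not just "enter this code".
        prompt = f"Approve £{tx.amount_pence / 100:.2f} to {tx.payee}?"
        # Proximity check: if the payment was initiated somewhere other than where
        # the app is, do not mint a typed code at all; require an in-app approval.
        mode = "in_app_approval" if tx.init_country != device.country else "typed_code"
        self._pending[tx.tx_id] = {"tx": tx, "device_id": device.device_id,
                                   "nonce": nonce, "issued": time.time(), "mode": mode}
        code = self._code_for(tx, device.device_id, nonce) if mode == "typed_code" else None
        return {"prompt": prompt, "code": code, "mode": mode}

    def _live(self, tx_id: str) -> Optional[dict]:
        entry = self._pending.get(tx_id)
        if entry is None:
            return None
        if time.time() - entry["issued"] > self._ttl:
            del self._pending[tx_id]  # expired challenges are discarded
            return None
        return entry

    def verify_code(self, tx_id: str, amount_pence: int, payee: str, code: str) -> bool:
        """A typed code only authorises the exact transaction it was issued for, once."""
        entry = self._live(tx_id)
        if entry is None or entry["mode"] != "typed_code":
            return False
        tx = entry["tx"]
        if (amount_pence, payee) != (tx.amount_pence, tx.payee):
            return False  # context changed after the code was shown to the user
        expected = self._code_for(tx, entry["device_id"], entry["nonce"])
        if not hmac.compare_digest(expected, code):
            return False
        del self._pending[tx_id]  # single use
        return True

    def approve_in_app(self, tx_id: str, device_id: str) -> bool:
        """Only the enrolled device that displayed the prompt can approve; no code exists to relay."""
        entry = self._live(tx_id)
        if entry is None or entry["mode"] != "in_app_approval" or entry["device_id"] != device_id:
            return False
        del self._pending[tx_id]
        return True


if __name__ == "__main__":
    svc = ChallengeService(key=secrets.token_bytes(32))
    phone = Device("phone-1", "GB")
    # Same country on both sides: a typed code is issued, bound to this context.
    local = Transaction("tx-1", 152343, "Amazon Gift Cards", "GB")
    shown = svc.issue(local, phone)
    print(shown["prompt"], shown["code"])
    print("reused for a different amount:", svc.verify_code("tx-1", 800000, "Amazon Gift Cards", shown["code"]))
    print("correct context:", svc.verify_code("tx-1", 152343, "Amazon Gift Cards", shown["code"]))
    # Initiated from elsewhere (constructed country "XX"): no code to read out.
    remote = Transaction("tx-2", 800000, "Attacker Ltd", "XX")
    print(svc.issue(remote, phone))
    print("approval from a different device:", svc.approve_in_app("tx-2", "other-device"))
```

<p class="MsoNormal">Running the module shows both paths. The limit Pieter states still applies: a user persuaded to tap Approve on a correctly described transaction is not stopped by any of this. What the toy buys is that the prompt carries the amount and payee, that a code obtained over the phone authorises nothing outside the context it was minted for, and that in the higher-risk cross-location case there is no code at all for the caller to ask for.</p>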
</body>
</html>