panis


Doesn't this open up the possibility that a malicious site, or a hacker who gains access to a Windows Live ID-enabled site, can forward the user to a fake Windows Live ID login site and collect their username and password?

Other than creating user awareness against this, is there anything built into the Windows Live site to prevent such a thing?



Re: Preventing Phishing Windows Live Login ID

Alex Media


The Windows Live ID server sends an encrypted token to a website, which is decrypted and verified. Unless you know the site's application ID and secret key, it's impossible to fake such a token.
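To make the token mechanism Alex describes concrete, here is an added stand-in (not the real Windows Live ID format and not Microsoft's code): the identity provider signs a small set of claims with a per-application secret, and the relying party ("www.mysite.com" from the thread) verifies the signature, the application ID and the expiry. The application ID, secret and user name are constructed values. Note what this does and does not cover: a captured token cannot be altered or reused for another site without the secret, but, as panis points out in the next post, a fake login page never needs a token at all, so this check does nothing against phishing of the credentials themselves.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the "encrypted token" described in the thread:
# HMAC-SHA256 over JSON claims, keyed with the application's secret.
# Illustration only; not the real Windows Live ID token format.

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(app_id: str, secret: bytes, user_id: str,
                now: Optional[int] = None, ttl: int = 300) -> str:
    """Identity-provider side: bind the claims to one application and sign them."""
    now = int(time.time()) if now is None else now
    claims = {"appid": app_id, "uid": user_id, "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(mac)

def verify_token(token: str, app_id: str, secret: bytes,
                 now: Optional[int] = None):
    """Relying-party side: return the claims if the token is authentic, else None."""
    now = int(time.time()) if now is None else now
    try:
        body_s, mac_s = token.split(".", 1)
        body, mac = _b64d(body_s), _b64d(mac_s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    # Constant-time comparison; without `secret` nobody can produce a valid MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    # A token issued for a different application, or an expired one, is rejected.
    if claims.get("appid") != app_id or claims.get("exp", 0) < now:
        return None
    return claims

def tampered_copy(token: str, new_uid: str) -> str:
    """Edit the claims of a captured token while keeping the old MAC.
    Used below to show that verify_token() rejects the altered token."""
    body_s, mac_s = token.split(".", 1)
    claims = json.loads(_b64d(body_s))
    claims["uid"] = new_uid
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64e(body) + "." + mac_s

if __name__ == "__main__":
    # Constructed secret and identifiers for the demonstration.
    secret = b"constructed-site-secret"
    tok = issue_token("mysite-app", secret, "user@example.com", now=1000)
    print("genuine:", verify_token(tok, "mysite-app", secret, now=1100))
    print("tampered:", verify_token(tampered_copy(tok, "admin@example.com"),
                                    "mysite-app", secret, now=1100))
    print("wrong app:", verify_token(tok, "other-app", secret, now=1100))
    print("expired:", verify_token(tok, "mysite-app", secret, now=2000))
```

The relying party's secret is what makes the token unforgeable; rotating it invalidates every token issued under the old key, and binding the application ID into the signed claims stops a token meant for one site being replayed at another.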


Re: Preventing Phishing Windows Live Login ID

panis

It doesn't matter whether the token can be decrypted or not. Let me use a couple of examples:

Example a)
1. www.mysite.com implements Windows Live ID and provides a link to log in using Windows Live ID.
2. A hacker hacks into www.mysite.com and replaces the Windows Live ID link with a link to his/her own phishing site.
3. Unaware users of www.mysite.com unknowingly click on the Windows Live ID login link and get taken to the phishing site, which looks the same as Windows Live ID.
4. They enter their login details and bam, the hacker has access to their Live user ID and password.

It wouldn't matter whether the original site was able to log in or not. At this point the original site could just be redirected to with invalid data and be made to believe that the user was not able to log in using Live ID, or a sophisticated hack could "forward" to the real Live ID site, making the user believe that they entered their password incorrectly.

Example b)
1. www.mysite.com is set up by bad elements and claims to have Windows Live ID support.
2. A link on www.mysite.com takes users to a fake Live ID login site.
3. The user enters their Live ID username and password and has no idea they are not being validated by Windows Live.
4. www.mysite.com pretends validation went through and logs them into their "protected area", and in a few days has a list of Windows Live user IDs and passwords.


Re: Preventing Phishing Windows Live Login ID

Alex Media

Those are problems that Microsoft has already had with Windows Live ID. I've seen a lot of fake Hotmail logon pages, so I don't expect opening up WL ID will cause the number of WL ID phishing sites to increase.

Also, a lot of users use the Sign-In Assistant, which presents users with another way of logging on to WL ID. I hope users will notice this assistant missing on phishing sites, but I'm afraid only time will tell...





Re: Preventing Phishing Windows Live Login ID

Aaron Small

As Alex said, these are existing issues, and issues that all identity providers must deal with. I do not see how a growing number of sites accepting Windows Live ID will affect this.

When all is said and done, the responsibility lies on the user to ensure that his location bar reads "login.live.com" before entering his credentials.

-Aaron





Re: Preventing Phishing Windows Live Login ID

Alex Media

And to look at the green address bar if he uses IE 7 or Firefox 3 (or other browsers that support EV-SSL). For a few days now I've been noticing the address bar flickering between white and green when I visit a site that authenticates me via Live ID.

If I notice it, other users should notice it too. Maybe MS should redirect users to the secure logon page by default (instead of after form submission), so the user sees the green bar.
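Aaron's advice (the location bar must read "login.live.com") and Alex's (the page must be served over TLS so the browser can show the EV indicator) amount to two checks a person or a tool can apply to a URL. The following is an added example, not code from the thread or from Microsoft, that applies exactly those two checks to a list of constructed URLs: the host must be exactly login.live.com (not a subdomain of a lookalike, not the text before an "@", not a similar-looking name) and the scheme must be https. The sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# The only host the thread says Live ID credentials should be typed into.
GENUINE_LOGIN_HOST = "login.live.com"

def check_login_url(url: str):
    """Return (ok, reason). ok is True only for an https URL whose host is
    exactly GENUINE_LOGIN_HOST. Constructed example, not Microsoft's code."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased; userinfo ("user@") and port removed
    except ValueError:
        return (False, "unparseable")
    if not host:
        return (False, "no host")
    host = host.rstrip(".")  # "login.live.com." is the same host in DNS terms
    if host != GENUINE_LOGIN_HOST:
        # Rejects lookalikes (login.live.com.example.net, login-live.com) and
        # the user@host form, where the text before '@' is not the host at all.
        return (False, "host is %r, not %r" % (host, GENUINE_LOGIN_HOST))
    if parts.scheme != "https":
        # Without TLS there is no certificate, so no green (EV) address bar.
        return (False, "not https")
    return (True, "ok")

def is_genuine_login_url(url: str) -> bool:
    return check_login_url(url)[0]

def audit(urls):
    """Map each URL to the reason it was accepted or rejected."""
    return {u: check_login_url(u)[1] for u in urls}

# Constructed sample URLs: one genuine form, several shapes a user might be shown.
SAMPLE_URLS = [
    "https://login.live.com/signin",
    "https://LOGIN.LIVE.COM:443/signin",
    "http://login.live.com/signin",
    "https://login.live.com.example.net/signin",
    "https://login.live.com@example.net/signin",
    "https://login-live.com/signin",
    "not a url",
]

if __name__ == "__main__":
    for url, reason in audit(SAMPLE_URLS).items():
        print("%-45s %s" % (url, reason))
```

The host comparison is deliberately an exact match rather than a substring or "ends with" test; both of those would accept the lookalike hosts in the sample list.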