The virtualization approach is interesting, certainly, but even it is subject to MITM problems, albeit more sophisticated ones. It's certainly possible to MITM a guest VM from a host, or terminal server session from a host, etc.

Hardware-based two-factor solutions can make a major dent in traditional phishing attacks, but none can fix "active" MITM phishing attacks, where the user's credentials (two-factor and all) are silently gatewayed through to the bank's website, along with a hidden transaction or two in realtime.

Bank websites could, in principle, do a lot about active phishing attacks, just by adding some sort of obfuscation to their sites such that they are easy for a human to parse but impossible to code to for a phishing attack. Think CAPTCHA here - not perfect, but dramatically better than nothing.

My company just launched a hardware-based two-factor product in the US market that uses mobile phones as the second factor, in an attempt to address passive phishing. Hopefully it will be available for EMEA soon.

Interesting article.

-Steve Dispensa (MVP - Windows DDK)

How about this technology that I found on you tube

Mutual Authentication with the bank server... Apparently no software to download etc...

See http://www.youtube.com/watch?v=cA8QZ7DvIts

Found a bit more info at www.gemalto.com/nim

I sent an email to the address there and someone contacted me.. Looke like this may do the job for our bank!

I see your point, but I think a hardware-based two-factor solution can still be effective even against browser toolbars and the like.

Think about our PhoneFactor product: no matter what information is stolen from the end user, *including* username and password, the thief still can't log into the user's bank account later, because the user's phone (not the thief's) would ring the instant the login was attempted.

Now, there is indeed a second class of "active" phishing attacks, where the thief manipulates the bank account in real-time after the user answers the confirmation call and presses # to allow the log-in. These attacks require a much higher level of sophistication, and there aren't really any solutions on the table that don't involve major changes to the browser access paradigm.

In the end, I'm obviously a strong believer in two-factor as a mitigation against a lot of phishing, including exactly the kind of toolbar phishing you point out. But, like any security technology, there are always some contexts into which a particular solution doesn't fit.

More about PhoneFactor: blog.phonefactor.net.

-Steve Dispensa (MVP - Windows DDK)

There's a chicken-and-egg problem here that's very hard to avoid.

Imagine a Virtual PC image that has known-good software for accessing online banking. You could even restrict the client software so that it would strongly authenticate the server (and *only* the real server) using some form of public key crypto.

Then, the bad guy starts distributing his own VPC image that looks *just like* the image that comes from the bank. Except, it's slightly modified... bang, you're dead.

You could have the user get a DVD with the VPC image directly from the bank, of course, which makes the problem much harder for thieves. Eventually, though, you have to rely on people's common sense and intelligence.