[Assurance] can two-factor be hacked ?


  • From: Steven Carmody <>
  • To:
  • Subject: [Assurance] can two-factor be hacked ?
  • Date: Fri, 07 Mar 2014 14:39:49 -0500

Hi,

I'll summarize the long back story. A student recently brought us a new app that they had recently built. It's 120 lines of JavaScript, and leverages both node.js and the meteor platform. This app sits in front of our Banner student system and acts as a proxy. It presents its own login page, and immediately navigates through Banner and retrieves how many dining hall points that user currently has. The good news is that while the student actually deployed this in the cloud (bearbucks.meteor.com), he also brought it to our attention. It didn't take much effort to develop this app. We've also determined that a slightly modified version of this app works just fine with our IDP login page.

Up until now, we had been thinking that 2-factor would provide a defense against phished and stolen passwords.

But, this is a little different. This proxy sits in front of our apps; it isn't a dead end that's just trying to trick people into entering their passwords.

Most worrisome, though, is that we think that if we implemented some forms of two-factor in the authN process of our apps, this proxy could quickly evolve to handle the extra step. If we texted a code to the person's mobile phone and presented a web form, the proxy could easily handle that. We also expect that the proxy could evolve to deal with CAPTCHA-style approaches.

So, beyond user education, what might people suggest as a way to detect, block, or prevent this sort of potentially password-stealing approach, which could even handle some forms of two-factor?


