Attacker Motivations and Capabilities

Jump to: navigation, search


Attack Vectors

Phishing Link

Attacker deceives the user into thinking they are clicking on link in client to a site they have an account with while in fact the attacker controls that destination and it is an active proxy for the site they thought they were going to.

Man On The Side

Attacker can listen in on communications between client and server but does not interfere. For example on open WiFi with non-secure HTTP or if weak security implemented on communications or if attacker can listen in behind a servers SSL boundary device.

Man In The Middle

Attacker can listen in on communications between client and server and may or may not interfere. Required to proxy SSL connections that are end-to-end secure.

Attacker Gain

Session Hijack

Able to impersonate user for a single session

Replay Attack

Able to take previously captured credentials and impersonate user but for a limited time.

Identity Hijack

Able to authenticate as the user at any time in the future.

Denial Of Access

Able to prevent user from gaining access to server on a temporary basis.

Identity Switch

Able to authenticate the user to the attackers credentials.

Attacker Motivation

Account Destruction

Wants to vandalise users account.

Account Ownership

Wants to own account for its status alone, or to leverage that status so make other social gains.

Identity Theft

Wants to steal users information for identity impersonation or to sell information onwards.

Monetary Gain

Wants to directly gain from funds accessible via account.

Best Practice Integration

This section represents the best practice integration or SQRL authentication into traditional HTML authentication.