Re: Hi-tech no panacea for ID theft woes
From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 09/09/05
- Next message: Moe Trin: "Re: A Little Help With Disk Cleaning/security"
- Previous message: Imhotep: "International Call for Open Standards"
- In reply to: Brett Michaels From Poison: "Re: Hi-tech no panacea for ID theft woes"
- Next in thread: Unruh: "Re: Hi-tech no panacea for ID theft woes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 09 Sep 2005 13:31:17 -0600
"Brett Michaels From Poison" <jms504@gmail.com> writes:
> I'm talking along the lines of end users, which I believe are the
> number one weakness in any security structure. Most end users don't
> know a hammer from a nail when it comes to computer security. I'm
> not speaking common sense on a specific user, but rather a general
> base of common sense.
>
> If these end users were more educated and used more common sense
> measures, eg. not opening unknown attachments, not writing your pin
> on your mac card, this would allow IT Admins to concentrate their
> efforts on more difficult security measures. Some end users
> actually do "dumb things" more than anyone realizes. As a security
> auditor, the place we find the largest pool of weaknesses is end
> user behavior/lack of policy adherence.
ref:
http://www.garlic.com/~lynn/2005p.html#24 Hi-tech no panacea for ID theft woes
nominally multi-factor authentication requires that the different
factors be subject to different vulnerabilities ... i.e. from
3-factor authentication model
http://www.garlic.com/~lynn/subpubkey.html#3factor
* something you have
* something you know
* something you are
... a "something you know" PIN is nominally a countermeasure to
lost/stolen "something you have" physical card.
an institutional-centric view has been that shared-secret pin/password
based "something you know" implementations require that the person
have a unique pin/password for every unique security environment (as
countermeasure to somebody in one environment attacking another
environment ... say, part-time employee in garage ISP accessing
people's online web financial services ... assuming common password
for both environments).
http://www.garlic.com/~lynn/subpubkey.html#secrets
from a person-centric view, as the number of electronic proliferated,
people may now be faced with memorizing scores of unique & different
pin/passwords. one of the consequences is that you find people making
lists and storing them in their wallet. also some study claimed that
something like 30 percent of the people write their PINs on their
debit cards.
so a common lost/stolen scenario is the wallet is lost ... which
includes any lists of pin/passwords and all cards (including cards
that have pins separately written on the cards). as a result, there is
a common vulnerability (failure mode) for lost/stolen wallet that
affects all cards and some number of recorded pins/passwords
... defeating the objective of having multi-factor authentication.
another threat/exploit for account fraud is getting people to divulge
the information on their cards and related information (phishing
attacks).
so there is a requirement for two countermeasures
1) making valid account transactions based on a "something you have"
physical object ... which uses some paradigm where the owner of the
physical object isn't able to verbally disclose the information
2) eliminate the enormous proliferation of the shared-secret paradigm
... resulting in the impossible requirement for people to memorize scores
of different pieces of information.
so one implementation uses asymmetric cryptography where keys are
generated inside a chip/token and the private key is never divulged.
proof of possessing the chip/token ("something you have"
authentication) is done with digital signatures ... which doesn't
expose the private key. It is possible for the person possessing the
token to prove that they have the token ... but they aren't able to
divulge the information required for the proof (i.e. the private key
contained in the token). The digital signature methodology generates a
new value on every use ... so the operation is resistant to replay
attacks (somebody having recorded a previous use).
That still leaves shared-secret vulnerabilities associated with
memorizing human factors (and countermeasure against lost/stolen
token). Using a chip/token would allow a PIN to be used for correct
operation of the chip/token ... w/o requiring the PIN to be recorded.
That makes the PIN a *secret* (as opposed to shared-secret) and
eliminates the shared-secret based security requirement for having a
unique PIN for every environment (if person has a single PIN for
everything they do ... it is less of a problem to memorize ... and
also opens the possibility of making it more complex than four numeric
digits).
Such an approach makes phishing attacks for account fraud much more
difficult ... since the person can't even divulge information in the
token that they don't know (crooks can't simply ask tens of thousands
of people to type in their account numbers and PINs and then go off
and extract money, they now actually require the exact physical
token).
it also makes crooks work harder for physical stealing tokens and also
obtaining the associated PIN (much higher effort in order to perform a
fraudulent transaction).
note also that a countermeasure associated with online transaction
environment and lost/stolen (physical) tokens ... is the owner is
likely to notice that it is missing and report it, resulting in the
associated account access being deactivated. In the phishing (also
record/replay, key logger, etc) scenarios, the victim might not
realize that there is money leaking out of their account until weeks
later.
so much of the current electronic based account fraud could be
eliminated ... forcing it purely to stealing physical object (where a
crook actually has to physically take them one or two at a time, can't
program a computer to lift millions)... which also will nominally have
a much shorter window of (crime) opportunity (until it is reported
lost/stolen).
The other way of looking at it is that the fraud *ROI* (return on
investment) is significantly reduced (enormous increase in physical
effort, limited window of opportunity).
You still have some number of social engineering attacks (other than
the phishing kind) ... where the crook convinces the victim to
perform the actual transaction (as opposed to the crook obtaining
sufficient information to perform the transactions themselves). Some
of these are currently getting widespread coverage under the heading
of some sort of scam.
misc. past person-centric related postings:
http://www.garlic.com/~lynn/aadsm12.htm#0 maximize best case, worst case, or average case? (TCPA)
http://www.garlic.com/~lynn/2003e.html#22 MP cost effectiveness
http://www.garlic.com/~lynn/2003e.html#31 MP cost effectiveness
http://www.garlic.com/~lynn/2004e.html#8 were dumb terminals actually so dumb???
http://www.garlic.com/~lynn/2005g.html#47 Maximum RAM and ROM for smartcards
http://www.garlic.com/~lynn/2005g.html#57 Security via hardware?
http://www.garlic.com/~lynn/aadsm19.htm#14 To live in interesting times - open Identity systems
http://www.garlic.com/~lynn/aadsm19.htm#41 massive data theft at MasterCard processor
http://www.garlic.com/~lynn/aadsm19.htm#47 the limits of crypto and authentication
http://www.garlic.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/2005m.html#37 public key authentication
http://www.garlic.com/~lynn/2005p.html#6 Innovative password security
-- Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
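The chip/token scheme the post describes (keys generated inside the token, possession proven by a digital signature, a fresh value on every use so a recorded response can't be replayed, and a PIN that stays inside the token), as an added model that is not code from the post or from the garlic.com pages it links. It assumes Ed25519 as the signature scheme, a 16-byte random challenge from the institution, and a transaction string bound into what is signed so the signature can't be reused for a different amount.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Token models the chip/token: the private key never leaves it, and a PIN held only inside it gates signing.
type Token struct {
	priv ed25519.PrivateKey
	pin  string
}

// NewToken generates the key pair inside the token and hands out only the public key.
func NewToken(pin string) (*Token, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Token{priv: priv, pin: pin}, pub
}

// Sign returns a signature over challenge||txn, or nil if the PIN is wrong.
func (t *Token) Sign(pin string, challenge []byte, txn string) []byte {
	if pin != t.pin {
		return nil
	}
	return ed25519.Sign(t.priv, append(append([]byte{}, challenge...), txn...))
}

// Verifier (the institution) holds the registered public key plus the challenges it has issued and not yet consumed.
type Verifier struct {
	pub  ed25519.PublicKey
	open map[string]bool
}

// Challenge issues 16 fresh random bytes; a new value per use is what defeats replay.
func (v *Verifier) Challenge() []byte {
	c := make([]byte, 16)
	rand.Read(c)
	v.open[string(c)] = true
	return c
}

// Accept succeeds only for a valid signature over a still-open challenge,
// which is then consumed, so a recorded response cannot be presented twice.
func (v *Verifier) Accept(challenge []byte, txn string, sig []byte) bool {
	if !v.open[string(challenge)] {
		return false
	}
	delete(v.open, string(challenge))
	return ed25519.Verify(v.pub, append(append([]byte{}, challenge...), txn...), sig)
}
```

Nothing the holder can type into a phishing form (PIN included) lets a third party produce a signature, because the PIN only unlocks a token the crook does not hold.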