I wish to comment about the stupid/lacking security.
First, a description.
The Y1 authentication mechanism relies on the following two
methods:
1. Upon calling, you have to type in your account number and
a 6-digit password. You can only try the password 3 times
before you are locked out. The system forces the user to
replace the password every few months. The password is
sent using touch-tone dialing, which makes it vulnerable
to a replay attack on the audio signal and to a replay
attack where the attacker can decode and re-encode the
signal. New passwords are sent in-band. Chance of a
brute-force attack: << 1% (due to the lockout).
After the password is supplied you have read-only access
to a lot of information that can be either read to you
over the phone or faxed to you. It is rumored that there
are some operations that you may perform on your account
from some obscured menu, but I was never successful
(although I tried) and the actions are limited and
non-destructive.
2. When you request it, you can ask to talk to a teller. The
system then puts you on a queue and connects you to a
human. The human has very limited read-only access to your
account information, and cannot be social-engineered to
give it to you - it is unavailable.
3. To unlock the teller's terminal, you have to answer a
challenge provided by the terminal. The teller aids you
by reading the challenge to you and typing your vocal
reply into the terminal. The challenge is derived from
a one-time pad that you have filled out during your
account set-up. The size of the challenge is a position
on the OTP, and the response size is one Hebrew character
from that position on the OTP. You are locked out after
two attempts. The OTP has 5x8=40 positions. Each row
has a name, and each column has an ordinal number.
The chance of a successful brute-force attack is 9%, in
theory, due to the small length of the response.
3a. A relatively new system has been installed which
replaces step 3 and identifies the user's voice to the
terminal. If the voice identification is successful
the terminal is unlocked, while if it is unsuccessful
the terminal reverts to method 3. I have no data
regarding the accuracy of that system. This provides
the bank with a true 2F authentication... with a
fallback to a 1F method. Go figure.
Although the system sounds good on paper, it is lacking in
these respects:
1. Replay attack - the "1 time pad" I filled upon signup is
5x8=40 characters. Authentication is done based on the
first few letters of the one time pad (I was never asked
to provide a char farther than 5th) so it is 25 possible
characters. If someone has been listening to 10 random
calls they have a 33% chance of making it in the 1st try
and 56% on both attempts, without guessing.
2. The users are asked to choose Hebrew names for the OTP.
This increases the chance of success considerably. If the
eavesdropper can pick out enough characters they can guess
at the responses, without resorting to social engineering
notwithstanding. Some of the questions are downright easy
to guess - the name of the city you were born in? From 26**8 =
2e11 possibilities this field is now only the number of
cities in Israel (less than 1000, I think), with some
large cities with a higher probability. Names are not
much better. IMHO the strongest question is the name of
the school attended, which is usually not mentioned and
doesn't follow any pattern, except the word "IRONI" (עירוני).
3. Sometimes they call you back. When they do, THEY ask YOU
to identify yourself to THEM. Hilarious! When I demanded
that they first prove to me that they are indeed the Y1,
they put me on hold SO I CAN LISTEN TO THE HOLD MUSIC!!!
which is very vulnerable to a replay attack.
I think the system is not bad to begin with. If you are not
paranoid enough to suspect a wiretap, you can disregard #1,
although the size of the OTP is really small. I'd be happy
with a longer one, from which you have to reply with 4-5
letters. Even replying with two letters reduces the chance
of a random attack from 9% to below 0.5%. The chance of
someone reaching that stage is low, because they have to
guess the 6-digit password first.
To counter point #2, you obviously have to disregard the
stupid questions they ask you and invent your own scheme
for filling up the OTP with random or pseudo-random data.
My OTP does NOT have any Hebrew words in it.
And the 3rd point can be countered by refusing to supply
the teller (or imposter) with any details that can aid in
a MitM attack. Demand that they supply you with verifiable
information. Put them on hold while you call and verify.
I had them tell me the last two digits of my balance, which
I could verify by calling back.
It's not foolproof, but if you are security conscious you are
safer than most people. Regretfully the bank thinks that it
is safer to have less authentication for the price of easily
remembered authentication tokens, but that's a compromise I
am not in a position to argue.
-- Arik
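The probabilities quoted in the post (9% for a random guess with two attempts, 33% / 56% for an eavesdropper who has overheard 10 calls, and "below 0.5%" for a two-letter response) can be checked with a short calculation. The block below is an added example, not part of the original post or of the bank's system; it assumes a 22-letter Hebrew alphabet (which is what reproduces the 9% figure), that only the first 5 columns of the 5x8 pad (25 positions) are ever used, and that each of the two attempts draws a fresh, independent challenge position. It also runs a small Monte Carlo simulation of the eavesdropping case as a cross-check on the closed-form numbers.

```python
"""Success probabilities for the one-character challenge-response scheme.

Added, constructed example; it is not the poster's code or the bank's.
Assumptions (not stated on the page): 22-letter alphabet, 25 usable OTP
positions, independent challenge positions on each of the two attempts.
"""
import random

ALPHABET = 22    # assumption: Hebrew letters without final forms
POSITIONS = 25   # assumption: only columns 1-5 of the 5x8 pad are used
ATTEMPTS = 2     # the post: locked out after two attempts


def guess_success(alphabet=ALPHABET, response_len=1, attempts=ATTEMPTS):
    """P(at least one correct blind guess) when the response is
    `response_len` characters and the attacker gets `attempts` tries."""
    p_wrong_once = 1 - 1 / alphabet ** response_len
    return 1 - p_wrong_once ** attempts


def eavesdrop_first_try(calls, positions=POSITIONS):
    """P(the very first challenge lands on a position the attacker has
    already overheard) after recording `calls` random challenges.
    Each call reveals one uniformly chosen position and its answer."""
    return 1 - (1 - 1 / positions) ** calls


def eavesdrop_success(calls, positions=POSITIONS, attempts=ATTEMPTS):
    """P(success within `attempts` tries) without guessing at all: the
    attacker answers only when the challenged position is known."""
    p_known = eavesdrop_first_try(calls, positions)
    return 1 - (1 - p_known) ** attempts


def simulate_eavesdrop(calls, trials=20000, positions=POSITIONS,
                       attempts=ATTEMPTS, seed=1):
    """Monte Carlo cross-check of eavesdrop_success (seeded for
    reproducibility)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        known = {rng.randrange(positions) for _ in range(calls)}
        for _ in range(attempts):
            if rng.randrange(positions) in known:
                wins += 1
                break
    return wins / trials


if __name__ == "__main__":
    print(f"blind guess, 1 char, 2 tries: {guess_success():.3%}")
    print(f"blind guess, 2 chars, 2 tries: {guess_success(response_len=2):.3%}")
    for calls in (1, 5, 10, 20):
        print(f"{calls:2d} overheard calls: first try {eavesdrop_first_try(calls):.1%}, "
              f"two tries {eavesdrop_success(calls):.1%}, "
              f"simulated {simulate_eavesdrop(calls):.1%}")
```

The eavesdropping model deliberately matches the post's "without guessing" wording: an attacker who also guesses blindly on unknown positions does slightly better still. The comparison across response lengths is the practical point: lengthening the spoken response from one character to two shrinks the blind-guess chance by a factor of the alphabet size, while the lockout count stays the same.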