I wish to comment about the stupid/lacking security.This is not a one time pad. For one thing, it's not one time. This can be more correctly called "broken zero knowledge proof". You must admit that it does provide SOME protection from replay attacks.
First, a description.
3. To unlock the teller's terminal, you have to answer a
challange provided by the terminal. The teller aids you
by reading the challange to you and typing your vocal
reply into the terminal. The challange is derived from
a one-time-pad that you have filled out during your
Other than the name this analysis is, more or less, correct.
1. Replay attack - the "1 time pad" I filled upon signup isI'm not sure that part is correct. Did you take into account the chances that some of those 10 calls I listened on will not yeild me new questions?
5x8=40 characters. Authentication is done based on the first few letters of the one time pad (I was never asked
to provide a char farther than 5th) so it is 25 possible
characters. If someone has been listening to 10 random
calls they have a 33% chance of making it in the 1st try
and 56% on both attempts, without guessing.
That's where the implementation is broken beyond the chosen security level. This security is a constant tradeoff between needing the human to remember the passwords and securing the authentication. I don't really care about that level, because I'm not the one taking responsibility for it. Everything I do over the phone is insured against identity theft.2. The users are asked to choose hebrew names for the OTP. This increases the chance of success considerably. If the evesdropper can pick out enough characters they can guess at the responses, without resorting to social engineering notwithstanding. Some of the questions are damn right easy to guess - name of the city you were born? from a 26**8 = 2e11 possibilities this field is now only the number of cities in Israel (less than 1000, I think), with some large cities with a higher probability. Names are not much better. IMHO the strongest question is the name of the school attended, which is usualy not mentioned and doesn't follow any pattern, except the word "IRONI" (××××××)
A while back, however, I noticed that I get asked ONLY THE SAME 4 LETTERS THE WHOLE TIME!!!!!! This means that if I listen in to a single call, and then call you ONCE, I have a 50% chance of breaking the system. Like I wrote in the fax, I never got around to actually telling anyone about it. I even worked out a scheme where I can do this practically using only a cell-phone frequency scanner. I feel this problem has been fixed, since.
The problem I have today is not that bad, but still negligant. When I have to answer a question with one of the final letters, I have to specifically say whether it's a final form or not. This gives Eve more information about the word in question than intended.
Answering two questions is a nice idea! I'll suggest it if/when someone gets back to me. Increasing the size of the shared secret (that's what it is) is nice.3. Sometimes they call you back. When they do, THEY ask YOU to identify yourself to THEM. Hilarious! When I demanded that they first prove to me that they are indeed the Y1, they put me on hold SO I CAN LISTEN TO THE HOLD MUSIC!!! which is very vulnerable to a replay attack.
I think the system is not bad to begin with. If you are not paranoid enough to suspect a wiretap, you can disregard #1, although the size of the OTP is really small. I'd be happy with a longer one, from which you have to reply with 4-5 letters. Even replying with two letters reduces the chance of a random attack from 9% to below 0.5%. The chance of someone reaching that stage is low, because they have to guess the 6-digit password first.
Please remember that humans are notorious for not remembering important stuff.To counter point #2, you obviously have to disregard the stupid questions they ask you and invent your own scheme for filling up the OTP with random or pseudo-random data. My OTP does NOT have any hebrew words in it.
Maybe you can remember a random sequence of characters, but most can't.
I usually force out of them the general reason for their call, and then say "I'll call you back". It gets worse with their calling from a blocked ID number, and not having a direct line to call back to. Someone defenitely didn't get it on this one.And the 3rd point can be countered by refusing to supply the teller (or imposter) with any details that can aid in a MitM attack. Demand that they supply you with verifyable information. Put them on hold while you call and verify. I had them tell me the last two digits of my balance, which I could verify by calling back.
Shachar
-- Shachar Shemesh Open Source integration & consulting Home page & resume - http://www.shemesh.biz/
================================================================= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
