Hi Shachar
> >3. To unlock the teller's terminal, you have to answer a
> > challange provided by the terminal. The teller aids you
> > by reading the challange to you and typing your vocal
> > reply into the terminal. The challange is derived from
> > a one-time-pad that you have filled out during your
> This is not a one time pad. For one thing, it's not one time. This can
> be more correctly called "broken zero knowledge proof". You must admit
> that it does provide SOME protection from replay attacks.
You are correct and I appologize - it's a shared secret.
> >1. Replay attack - the "1 time pad" I filled upon signup is
> > 5x8=40 characters. Authentication is done based on the
> > first few letters of the one time pad (I was never asked
> > to provide a char farther than 5th) so it is 25 possible
> > characters. If someone has been listening to 10 random
> > calls they have a 33% chance of making it in the 1st try
> > and 56% on both attempts, without guessing.
> I'm not sure that part is correct. Did you take into account the chances
> that some of those 10 calls I listened on will not yeild me new questions?
No, I didn't specify my assumption that they choose questions
in a pattern that repeats only after the pool is exhausted, but
you are correct. In reality they don't, which only improves on
the chances.
> >2. The users are asked to choose hebrew names for the OTP.
> > This increases the chance of success considerably. If the
> > evesdropper can pick out enough characters they can guess
> > at the responses, without resorting to social engineering
> > notwithstanding. Some of the questions are damn right easy
> > to guess - name of the city you were born? from a 26**8 =
> > 2e11 possibilities this field is now only the number of
> > cities in Israel (less than 1000, I think), with some
> > large cities with a higher probability. Names are not
> > much better. IMHO the strongest question is the name of
> > the school attended, which is usualy not mentioned and
> > doesn't follow any pattern, except the word "IRONI" (××××××)
> That's where the implementation is broken beyond the chosen security
> level. This security is a constant tradeoff between needing the human to
> remember the passwords and securing the authentication. I don't really
> care about that level, because I'm not the one taking responsibility for
> it. Everything I do over the phone is insured against identity theft.
Are you sure? What if John Doe does something to your account
which costs you a bundle. You call the bank to complain, and
they reply that YOU have committed those changes. You're
screwed, because they have the bank records to show you did,
and the phone conversation was conviniently erased.
> A while back, however, I noticed that I get asked ONLY THE SAME 4
> LETTERS THE WHOLE TIME!!!!!! This means that if I listen in to a single
> call, and then call you ONCE, I have a 50% chance of breaking the
> system. Like I wrote in the fax, I never got around to actually telling
> anyone about it. I even worked out a scheme where I can do this
> practically using only a cell-phone frequency scanner. I feel this
> problem has been fixed, since.
I will follow up on this. I rarely call today because I do
most stuff over the internet.
> The problem I have today is not that bad, but still negligant. When I
> have to answer a question with one of the final letters, I have to
> specifically say whether it's a final form or not. This gives Eve more
> information about the word in question than intended.
I wasn't aware of that, thanks.
> Answering two questions is a nice idea! I'll suggest it if/when someone
> gets back to me. Increasing the size of the shared secret (that's what
> it is) is nice.
And necessary, I'm afraid.
> Please remember that humans are notorious for not remembering important
> stuff.
>
> Maybe you can remember a random sequence of characters, but most can't.
It's not random, it's pseudo random in an associative way.
Let's say their question is "×× ×× ××× ×××× ××××××". I take the
identifying theme - ×××-×××× - and I invent a phrase which
associated with it: ××××"× ××××× ×××××× ××××××× ×× ××
×××× ×××
(which associates with another story of me contradicting my 6th
grade "nature" teacher regarding this issue)
Now take the first letter of each word, and fill as the 8 chars
in the shared secret: ×× ××× ×××× ×××××× = × × × × × × × ×. It's
easy to remember (I have to remember a sentence associatively)
and when asked the question I have to go over the phrase and
give the 1st letter of the word.
It's less strong than random, but it's not so weak. That's how
I choose passwords too, BTW.
And no, please don't try to hack my bank account, this is not
the sentence I used.
> >And the 3rd point can be countered by refusing to supply
> >the teller (or imposter) with any details that can aid in
> >a MitM attack. Demand that they supply you with verifyable
> >information. Put them on hold while you call and verify.
> >I had them tell me the last two digits of my balance, which
> >I could verify by calling back.
> I usually force out of them the general reason for their call, and then
> say "I'll call you back". It gets worse with their calling from a
> blocked ID number, and not having a direct line to call back to. Someone
> defenitely didn't get it on this one.
Yup, that hole is pretty large, but your and my defences against
it are effective. True, clueless people will get their identity
stolen, but what else is new?
-- Arik
**********************************************************************
This email and attachments have been scanned for
potential proprietary or sensitive information leakage.
PortAuthority(TM) Server
Keeping Information Inside
Vidius, Inc.
www.vidius.com
**********************************************************************N‹§²æìr¸›zÇvf¢–Ú%Š{±ŠZÞçX§»�+‚)pŠØm…ì(Û²æìr¸›z)í…éÆyº�Éè+º{ayÊ&™©ÝyÈhº{.nÇ+‰·¦j)eŠ{±ŠZÞçX§»�+‚)
