Re: Circle Bank plays with two-factor authentication
Have you seen the technique used at http://www.griddatasecurity.com ? Sounds a lot like your original idea.

Screen shot here: http://blogs.zdnet.com/threatchaos/?p=374

-Richard Stiennon

At 02:40 PM 9/28/2006, Leichter, Jerry wrote:

| Circle Bank is using a coordinate matrix to let
| users pick three letters according to a grid, to be
| entered together with their username and password.
|
| The matrix is sent by email, with the user's account
| sign on ID in plaintext.
|
| Worse, the matrix is pretty useless for the majority of users,
| with less usability than anything else I saw in a long time.
| This is what the email says:
|
| The following is your Two Factor code for Online Banking for
| username (sign on ID changed here for privacy reasons). You will be
| required to enter the grid values associated with the three
| Two Factor boxes presented with each sign-on to Online Banking.
| Please save and store this Matrix in a safe yet accessible place.
| The required entries will be different each time you sign-on.
|
|
| Two Factor Matrix
|
|   ABCDEFGH
|   ________
| 1 08421175
| 2 74992420
| 3 36069906
| 4 64514684
| 5 17686592
| ...

Wow. A variation of an idea I suggested back in the '70s. The problem then was with telephone calling cards. As those of us old enough will remember, at one time you didn't have a cell phone with you at all times (or at any times). You had to use these things called pay phones. Long distance calls were expensive, and you had to dump a whole bunch of change in to make them work. Very annoying. So you got a calling card, which often charged to your home phone number.

Calling cards had a fixed PIN on them. Shoulder surfers would hang around heavily used phones - commuter train stations were a good spot - watch as you entered your account number/PIN, memorize it on the spot and then sell it. These could move remarkably quickly - my wife's PIN was stolen this way, and in use within seconds after she hung up. Over the next hour or so, until the fraud people picked it up, it was used to make several hundred dollars worth of calls from several locations in New York.

Anyhow ... my suggestion was that a similar table be printed on the back of the card. (I would have put a multi-digit number at each intersection point and only ask for one value. All told, I'm not sure which approach is better - but with good printing technology you can use much smaller fonts than when you rely on people printing things out themselves.) I also suggested that the numbers be printed in a color - light blue, red against a grey background - that would make it hard to photocopy.

No one ever did anything like this with phone cards. Interesting to see the idea re-invented for a different purpose. (Hmm, if I'd patented it, the patent would be running out soon, even assuming I went for the renewal.)

Now if only they hadn't done the actual implementation so stupidly
-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Richard Stiennon
The blog: http://www.threatchaos.com
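The thread describes the scheme only from the customer's side. The sketch below is an added example, not code from Circle Bank, Grid Data Security or anyone on the list, showing what the server half of a coordinate-matrix login has to do: hold the user's grid as a shared secret, pick three fresh random coordinates per sign-on, and accept a response only once. The grid values are the five rows quoted in Jerry's message; the usernames, challenge ids and function names are assumptions for illustration. Reading it makes the two problems in the thread concrete: the grid is a long-lived secret, so mailing it with the sign-on ID hands an eavesdropper the second factor, and the "different each time" property only holds if the server never re-issues or re-accepts a challenge.

```python
import hmac
import secrets

# Grid rows as quoted in the thread (only the five rows shown there;
# a real card would have more). Columns are A..H, rows 1..5.
COLUMNS = "ABCDEFGH"
SAMPLE_GRID = {
    1: "08421175",
    2: "74992420",
    3: "36069906",
    4: "64514684",
    5: "17686592",
}


def cell(grid, coord):
    """Return the digit at one coordinate, e.g. 'C3' -> row 3, column C."""
    col, row = coord[0], int(coord[1:])
    return grid[row][COLUMNS.index(col)]


def new_challenge(grid, k=3, rng=secrets):
    """Pick k distinct coordinates at random for one sign-on attempt."""
    coords = [f"{c}{r}" for r in grid for c in COLUMNS]
    chosen = []
    while len(chosen) < k:
        pick = rng.choice(coords)
        if pick not in chosen:
            chosen.append(pick)
    return chosen


def expected_response(grid, challenge):
    """The digits the user is expected to read off the card, in order."""
    return "".join(cell(grid, c) for c in challenge)


def verify(grid, challenge, response):
    """Constant-time comparison so a wrong digit leaks no timing signal."""
    expected = expected_response(grid, challenge)
    return hmac.compare_digest(expected.encode(), response.encode())


class GridAuthenticator:
    """Server side: per-user grids (shared secrets) plus outstanding challenges."""

    def __init__(self, grids):
        self._grids = grids      # username -> grid; treat like a password hash store
        self._pending = {}       # challenge id -> (username, coords)

    def issue(self, username, rng=secrets):
        coords = new_challenge(self._grids[username], rng=rng)
        cid = secrets.token_hex(8)   # opaque handle tying the answer to this challenge
        self._pending[cid] = (username, coords)
        return cid, coords

    def check(self, cid, response):
        # pop() makes every challenge single-use: a captured answer cannot be replayed
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        username, coords = entry
        return verify(self._grids[username], coords, response)


if __name__ == "__main__":
    auth = GridAuthenticator({"alice": SAMPLE_GRID})   # "alice" is a made-up user
    cid, coords = auth.issue("alice")
    print("boxes to fill in:", coords)
    answer = expected_response(SAMPLE_GRID, coords)    # what the card holder would type
    print("first attempt accepted:", auth.check(cid, answer))
    print("replay accepted:", auth.check(cid, answer))
```

Note that the grid itself is never sent anywhere by this code; it is only read on the server. Whatever channel delivers the card to the customer is the weak point Jerry is complaining about, and nothing in the verification logic can compensate for it.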
Re: encrypted tapes
I spent several years as such a security auditor for PwC. While yes, they do hire a bunch of kids out of MBA school, they also have extremely experienced senior managers supervising them. We always delved into business processes as well as using off the shelf tools. Invariably I would find major flaws in the way security was implemented at utilities, railroads, major banks, and computer manufacturers.

At Gartner I always advised my clients that if the purpose of the audit was to find a bunch of stuff and fix it then you should select a local boutique firm who will do a faster, more in-depth assessment and give you actionable items to address at a very reasonable cost. If your purpose in doing a security audit is to convince the board of directors that you need to invest more in security then go with a big audit firm because their opinion holds much more weight.

Stiennon
blog: www.threatchaos.com

At 10:14 AM 6/8/2005, Perry E. Metzger wrote:

[EMAIL PROTECTED] writes:
> One thing that irritates me is that most security audits (that verify
> compliance with regulations) are done by accountants. No disrespect for
> accountants here, they are smart people, but most of them lack the
> security knowledge needed to really help with the security posture of a
> company, and often they don't work with a security expert. I saw a lot
> of requirements by security auditors that looked pretty silly. I believe
> a mix of accountants with security experts should be used for security
> audits.

It is worse than that. At least one large accounting company sends new recruits to a boot camp where they learn how to conduct security audits by rote. They then send these brand new 23 year old security auditors out to conduct security audits, with minimal supervision from a partner or two. The audits are inevitably of the lowest possible quality -- they run automated security scanners no better than open source ones you could download on your own, and they run through checklists. If an automated tool doesn't say there is a problem, or if you obey the mindless checklist items, you pass.

Of course, for all the good such an audit does, you would as well roll dice and claim that the output was somehow correlated with the quality of your security infrastructure. Such an audit is totally worthless except as a bureaucratic dodge. "We hired a world class accounting company to check our security!" the executives can cry, "so these security problems aren't our fault!" (Would that fiduciary responsibility was not so often equated with "make sure there is enough window dressing that we can't be blamed".)

By the way, selling such audits is extremely profitable, given the discrepancy between the pay for the kids doing the audits and the price the customer is charged. What is pathetic is not that companies would try to foist such worthless services upon their customers, but that their customers would willingly buy.

Incidentally, my understanding is that at least some accounting companies use similar techniques for doing audits of the bookkeeping practices at their customers, which makes them at least somewhat consistent, if nearly useless to relying parties. When you hear things to the effect that accounting audits can only detect unintended bad process and not deliberate malfeasance, that's part of the reason why.

Perry

Richard Stiennon
The blog: http://www.threatchaos.com
Re: Opinion on Israeli espionage plot
While I completely agree that the TH case in Israel must represent the tip of the iceberg, and for sure there will be similar cases in Europe and the US (have already been), it is pretty useless to blow this particular horn. I am sure many Israeli firms are scanning their machines to look for the presence of Trojans, but apparently the impact in the US has been close to zero. Not until security incidents actually occur do most companies respond. So just wait.

-Stiennon
www.threatchaos.com

At 03:58 AM 6/4/2005, Hagai Bar-El wrote:

List,

In the following link is an opinion about the espionage act discovered in Israel a week ago. In short: This case is probably one of dozens, but the only one that was discovered, probably due to three non-typical mistakes that were done.

http://www.hbarel.com/Blog/entry0004.html

Hagai.

---
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152
Web: www.hbarel.com

Richard Stiennon
The blog: http://www.threatchaos.com