Re: security questions

2008-08-10 Thread John Levine
> IIRC, it used personal data already available to DEC -- so they
> didn't have to ask their employees for it

That works great so long as the personal data is accurate.

Banks these days are supposed to verify your identity when you open an
account.  Online banks pull your credit report anyway, so they make up
some verification questions from historical info in the report.  I'm
regularly asked which of four street addresses I've lived at.

Unfortunately, in my case the correct answer is invariably "none of
them".  I'm part owner of a relative's house in New Jersey, and the
credit bureaus all are sure that since my name is on the deed, that
must be where I live.  So that's the address that shows up.  Adding to
the excitement, they often ask what city, to which the answer would
still be none of them even if I lived in that house.  It's in
Lawrenceville, but I guess it gets mail delivered from the Trenton
P.O. so the allegedly correct answer is Trenton.

It's not too hard for me to figure these out, but given the amount of
plain wrong info in credit reports, this approach must lead to some
pretty frustrating failures.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Judge approves TRO to stop DEFCON presentation

2008-08-10 Thread Steven M. Bellovin
On Sat, 09 Aug 2008 19:38:45 -0400
Ivan Krstić <[EMAIL PROTECTED]> wrote:

> On Sat, 09 Aug 2008 17:11:11 -0400, "Perry E. Metzger"
> <[EMAIL PROTECTED]> wrote:
> > Las Vegas - Three students at the Massachusetts Institute of
> > Technology (MIT) were ordered this morning by a federal court
> > judge to cancel their scheduled presentation about
> > vulnerabilities in Boston's transit fare payment system, violating
> > their First Amendment right to discuss their important research.
> 
And the vulnerability assessment they prepared -- filed by the MBTA in
court, and hence a matter of public record -- is at
http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf


--Steve Bellovin, http://www.cs.columbia.edu/~smb



Re: Judge approves TRO to stop DEFCON presentation

2008-08-10 Thread Jim Youll

On Aug 9, 2008, at 8:46 PM, Jim Youll wrote:

these have been circulating for hours, but they are content-free title
slides...


[Moderator's note: I've read them and they're far from content
free. They give you a recipe for doing things like rewriting the mag
stripes on stored value cards to give you arbitrary balances, and
they even include actual examples.]


Apologies to all. It's a UI issue with the PDF reader I was using and
the layout of the PDF file.
Pages other than the title slides are obscured and it's not clear
they're even present.

(the pages are readily visible in Acrobat Reader)



Re: Judge approves TRO to stop DEFCON presentation

2008-08-10 Thread David G. Koontz
Jim Youll wrote:
> these have been circulating for hours, but they are content-free title
> slides...
> 
> On Aug 9, 2008, at 7:38 PM, Ivan Krstić wrote:
> 
>> On Sat, 09 Aug 2008 17:11:11 -0400, "Perry E. Metzger"
>> <[EMAIL PROTECTED]>
>> wrote:
>>>Las Vegas - Three students at the Massachusetts Institute of
>>>Technology (MIT) were ordered this morning by a federal court
>>>judge to cancel their scheduled presentation about vulnerabilities
>>>in Boston's transit fare payment system, violating their First
>>>Amendment right to discuss their important research.
>>

There's also the synopsis as an exhibit to the case found in the Wired
article.  Note the recommendations for corrective action are familiar from
the previously reported weaknesses in the MIFARE system.


http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html
DefCon: Boston Subway Officials Sue to Stop Talk on Fare Card Hacks --
Update: Restraining Order Issued; Talk Cancelled

http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
Vulnerability Assessment of the MTBA System (Exhibit 1 to Case
1:08-cv-11364-GAO).

A report on the Dutch Public Transit Card:
http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/report.pdf

Recently updated Dutch information by Andy Tanenbaum:
http://www.cs.vu.nl/~ast/ov-chip-card/

The fellows at Radboud University Nijmegen:
http://www.ru.nl/ds/research/rfid/

(Where we'll probably be able to find the ESORICS 2008 presentation,
'Dismantling MIFARE Classic', in October.)

I'd imagine there is sufficient information available to replicate the
attack; there's info on the MIFARE Classic cryptographic algorithm.

http://www.cs.virginia.edu/~kn5f/pdf/Mifare.Cryptanalysis.pdf
http://www.cs.virginia.edu/~kn5f/pdf/OV-card_security.pdf

Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic
http://eprint.iacr.org/2008/166.pdf

Security Evaluation of the disposable OV-chipkaart v1.7, updated 13 April 08
http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/Report.pdf
(which has a description of the memory structure found on the cards as well
as a lot of useful protocol information.)

And the Translink Netherlands report on why disclosure doesn't matter:
http://www.translink.nl/media/bijlagen/nieuws/TNO_ICT_-_Security_Analysis_OV-Chipkaart_-_public_report.pdf
(translation: security through obscurity? still obscure enough)

And of course we've seen the Radboud video link found on YouTube:
http://www.youtube.com/v/NW3RGbQTLhE&hl=en




Re: security questions

2008-08-10 Thread Thor Lancelot Simon
On Thu, Aug 07, 2008 at 08:53:58AM -0400, John Ioannidis wrote:
>
> Does anyone know how this "security questions" disease started, and why 
> it is spreading the way it is?  If your company does this, can you find 
> the people responsible and ask them what they were thinking?

When I worked at DEC, in 1991, at least one internal purchasing system
used this method of authentication.  As a summer hire, I couldn't use it,
but my boss had to authenticate this way whenever he made any major
equipment order or transfer for our group.  IIRC, it used personal data
already available to DEC -- so they didn't have to ask their employees
for it -- emergency contact phone numbers, names of other insured parties
on their health care, license plates of cars authorized to park in the work
lot, etc -- and asked a small number of random questions for each
transaction.

I thought it was pretty clever.  I still do, actually.

Thor
