Re: Circle Bank plays with two-factor authentication

2006-10-02 Thread Jason Axley


The question is what the threat model is.  We all know that email can be
intercepted over the wire.  We also know that that's not very common or
very easy, except for wireless hotspots.  I assert that *most* email does
not flow over such links, and that the probability of a successful
interception by someone who's staked out a hotspot is quite low.
Residential wireless?  Sure, there's a lot of it, mostly unencrypted.  If
you're a bad guy, is there any reason you should be watching for that
particular piece of email?  You don't even know who the customers of that
bank are.  (Sure, there can be targeted attacks aimed at a given
individual.  Unless you're a member of the HP board of directors or a
prominent technology journalist, that risk is low, too)

Again -- the scheme isn't foolproof, but it's probably *good enough*.

What is their threat?  There are two obvious answers: phishing and
keystroke loggers.

The threat model that does not get enough attention (especially by
purported anti-phishing security mechanisms) is that if a phisher can
obtain your password, and most people use the same password all over the
place, then the adversary can simply log into your email and read any
sensitive information directly.  They don't need to eavesdrop.  They don't
need to put spyware on your box to busy-poll your email inbox.
Traditional phishing attacks _still work_, just with a level of
indirection.

Ultimately, these kinds of anti-phishing schemes that require sending
secret information to your email inbox are no more secure than your email
password.  Presumably, the reason that these schemes are required is to
combat password theft (phishing) and password guessing so at the end of
the day, how much do they really buy you?  One level of indirection?  One
minor change in tactics?

-Jason

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: [spam]::Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-09 Thread Jason Axley
> I would never use online banking, and I advise all my friends and
> colleagues (particularly those who _aren't_ computer-security-geeks) to
> avoid it.

I have to say that I am puzzled by the way that this thread has unfolded.

It started off with Dan Geer:

"You know, I'd wonder how many people on this list use or have used online
banking.

To start the ball rolling, I have not and won't."

John Gilmore also agreed that he doesn't and won't.

And the thread has continued with other people either saying similar
things or admitting that they do use it or may use it in limited ways, as
if it was somehow shameful to manage risk rather than avoid it.  I think
there was just one posting that actually explicitly talked about a risk
evaluation and decision to use OLB.  I'm surprised to see how much "risk
avoidance" is practiced by members of the list.

I personally think that the "why" is the more interesting question, not
the original binary question.  Why do you not use OLB?  What would need to
be fixed for you to use OLB in the future?  What is your threat model
(WIYTM)?  What risks are present in OLB that are not present in the
offline world?
What about the risks of the offline financial world?  For example, all of
the information that someone needs to put money in, or take it out, of
your checking account via ACH is nicely printed in magnetic ink on your
checks in the US.  And you give it out to anyone when you write them a
check.

This reminded me of how I laughed when I saw an interview with a local
security person where he said that he didn't even connect a computer to
the Internet at home due to the risk.  To me, this seems akin to deciding
to not leave your house because you "can't be sure" someone won't shoot
you dead.

-Jason
