using SMS challenge/response to secure web sites

2003-10-03 Thread Ian Grigg
Merchants who *really* rely on their web site being
secure are those that take instructions for the
delivery of value over them.  It's a given that they
have to work very hard to secure their websites, and
it is instructive to watch their efforts.

The cutting edge in making web sites secure is occurring
in the gold community and presumably the PayPal community (I
don't really follow the latter).  AFAIK, this has been
the case since the late '90s; before that, some of the
European banks were doing heavy duty stuff with expensive
tokens.

e-gold have a sort of graphical number that displays
and has to be entered in by hand [1].  This works against
bots, but of course, the bot writers have conquered
it somehow.  e-gold are of course the recurrent victim
of the spoofers, and it is not clear why they have not
taken serious steps to protect themselves against
attacks on their system.

eBullion sell an expensive hardware token that I have
heard stops attacks cold, but suffers from poor take
up because of its cost [2].

Goldmoney relies on client certs, which also seems
to be poor in takeup.  Probably more to do with the
clumsiness of them, due to the early uncertain support
in the browser and in the protocol.  Also, goldmoney
has structured themselves to be an unattractive target
for attackers, using governance and marketing techniques,
so I expect them to be the last to experience real tests
of their security.

Another small player called Pecunix allows you to integrate
your PGP key into your account, and confirm your nymity
using PGP signatures.  At least one other player had
decided to try smart cards.

Now a company called NetPay.TV - I have no idea about
them, really - have started a service that sends out
a 6 digit pin over the SMS messaging features of the
GSM network for the user to type in to the website [4].

It's highly innovative and great security to use a
completely different network to communicate with the
user and confirm their nymity.  On the face of it,
it would seem to pretty much knock a hole into the
incessant, boring and mind-bogglingly simple attacks
against the recommended SSL web site approach.

What remains to be seen is if users are prepared to
pay 15c each time for the SMS message.  In Europe,
SMS messaging is the rage, so there won't be much
of a problem there, I suspect.

What's interesting here is that we are seeing the
market for security evolve and bypass the rather
broken model that was invented by Netscape back in
'94 or so.  In the absence of structured, institutional,
or mandated approaches, we now have half a dozen distinct
approaches to web site application security [3].

As each of the programmes are voluntary, we have a
fair and honest market test of the security results [5].

iang



[1]  here's one if it can be seen:
https://www.e-gold.com/acct/gen3.asp?x=3061y=62744C0EB1324BD58D24CA4389877672
Hopefully that doesn't let you into my account!
It's curious, if you change the numbers in the above
URL, you get a similar drawing, but it is wrong...

[2] All companies are .com, unless otherwise noted.

[3] As well as the activity on the gold side, there
are the adventures of PayPal with its pairs of tiny
payments made to users' conventional bank accounts.


[4]  Below is their announcement, for the record.

[5]  I just thought of an attack against NetPay.TV,
but I'll keep quiet so as not to enjoy anyone else's
fun :-)

==
N E T P A Y . T V   N E W S L E T T E R
October 3rd, 2003
Sent to NetPay members only, removal instructions at the
end of the message
==
1. SMS entry - Unique Patent pending entry system -
World first!
==

http://www.netpay.tv/news.htm

What is this new form of entry?

Do you own a mobile phone? Can you receive SMS
messages? Would you like to have your own personal
NetPay security officer contact you when entry to your
account is required? Netpay would like to introduce a world
first in account security. This new feature is so simple, yet
so effective - we believe every member will utilize it.

If you answered yes to the above, then your SMS capable
mobile is a powerful security device, which will stop any
unforced attempts of entry into your Netpay account. No
need to purchase expensive security token hardware, no
need to be utterly confused on how to use the security
device. If you know how to use your mobile, then you know
how to totally protect your Netpay account from any
possible unlawful entry.

This new system sends you an automated 6 digit secure
random PIN direct to your phone whenever you try to
access your account. Without this PIN, it is impossible to
login. The PIN arrives direct to your mobile within seconds!
It is as good as having your own personal security officer
calling you whenever someone is trying to access your
account!

SMS AUTHENTICATED

Re: using SMS challenge/response to secure web sites

2003-10-03 Thread Rich Salz
> Now a company called NetPay.TV - I have no idea about
> them, really - have started a service that sends out
> a 6 digit pin over the SMS messaging features of the
> GSM network for the user to type in to the website [4].

Authentify (http://www.authentify.com) does the same kind of thing.
They put a number on a web page, and then they call you and you key in
the number.  They were founded in 1999; not sure if they're still active.
	/r$
--
Rich Salz, Chief Security Architect
DataPower Technology   http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
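The server-side half of both schemes in this thread (NetPay.TV pushing a 6-digit PIN to the phone, Authentify showing a number on the page and taking it back over a call) is the same check: mint an unpredictable short code, remember it briefly, accept it once. The block below is an added example written for this page, not NetPay's or Authentify's code, and nothing in the thread says how either vendor really did it. The two-minute validity window, the three-attempt cap, the salted hash at rest and the in-memory `FakeSmsGateway` standing in for the carrier are all assumptions chosen to show the properties a practitioner would check for: a CSPRNG for the PIN, constant-time comparison, expiry, an attempt limit, and single use so a replayed PIN fails.

```python
"""Out-of-band one-time PIN, in the NetPay.TV direction (server sends the
PIN to the phone) and the Authentify direction (server shows the PIN on the
page, user keys it back over a call).  Added example; not vendor code.
TTL, attempt cap and the fake SMS gateway are assumptions."""
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6
PIN_TTL_SECONDS = 120      # assumption: the thread gives no validity window
MAX_ATTEMPTS = 3           # assumption: stops online guessing of a 6-digit space


class FakeSmsGateway:
    """Constructed stand-in for the GSM carrier: records what would be sent."""

    def __init__(self):
        self.outbox = []   # list of (phone_number, text)

    def send(self, phone_number, text):
        self.outbox.append((phone_number, text))


class OutOfBandPin:
    """Issues one PIN per user and verifies it once, within its lifetime."""

    def __init__(self, gateway, clock=time.monotonic):
        self.gateway = gateway
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # username -> challenge record

    @staticmethod
    def _new_pin():
        # secrets, not random: the PIN is the whole second factor
        return f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"

    @staticmethod
    def _digest(salt, pin):
        return hashlib.sha256(salt + pin.encode()).digest()

    def _remember(self, username, pin):
        # only a salted hash is stored; a database read does not leak live PINs
        salt = secrets.token_bytes(16)
        self.pending[username] = {
            "salt": salt,
            "digest": self._digest(salt, pin),
            "expires": self.clock() + PIN_TTL_SECONDS,
            "attempts": 0,
        }

    def challenge_via_sms(self, username, phone_number):
        """NetPay direction: push the PIN to the handset, keep only its hash."""
        pin = self._new_pin()
        self._remember(username, pin)
        self.gateway.send(phone_number, f"Your login PIN is {pin}")

    def challenge_via_page(self, username):
        """Authentify direction: the page displays the PIN, the phone call
        returns it.  Same record, same verification."""
        pin = self._new_pin()
        self._remember(username, pin)
        return pin

    def verify(self, username, submitted):
        """True exactly once per challenge, only before expiry and only while
        the attempt cap has not been exhausted."""
        rec = self.pending.get(username)
        if rec is None:
            return False                     # nothing outstanding or already used
        if self.clock() > rec["expires"]:
            del self.pending[username]       # stale challenge is discarded
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self.pending[username]       # too many guesses: force a new challenge
            return False
        ok = hmac.compare_digest(rec["digest"], self._digest(rec["salt"], submitted))
        if ok:
            del self.pending[username]       # single use: a replayed PIN fails
        return ok


if __name__ == "__main__":
    gw = FakeSmsGateway()
    svc = OutOfBandPin(gw)
    svc.challenge_via_sms("alice", "+440000000000")   # constructed number
    pin = gw.outbox[-1][1].split()[-1]
    print("first use:", svc.verify("alice", pin))      # True
    print("replay:   ", svc.verify("alice", pin))      # False
```

The check makes the PIN short-lived, single-use and guess-limited, which is what turns a 6-digit number into a usable factor. What it cannot do is vouch for the channel: the whole value of the scheme rests on the PIN reaching the phone the account holder actually holds, and that is the assumption the thread leaves open.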

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]