Re: Citibank discloses private information to improve security

2005-06-02 Thread Anne Lynn Wheeler

Heyman, Michael wrote:

Defense in depth can help against spoofing - this includes valid
certificates, personalization (even if it is the less-than-optimal
Citibank-like solution), PetName, etc. Man-in-the-middle is harder given
that we have such a high false positive rate on our best weapon.


i would claim that an SSL-like protocol with countermeasures for both
MITM attacks and eavesdropping attacks should be adequate.


many of the current problems are that browsers and email clients have 
tended to add multiple layers of obfuscation around the URL process 
... so it may be difficult for even experienced users to realize what is 
happening


a semi-counter argument for defense-in-depth is KISS ... lots of complex 
layers tend to create all sorts of cracks for the attackers to get thru.


in theory, the KISS part of SSL's countermeasure for MITM-attack ... is: 
does the URL you entered match the URL in the provided certificate? An 
attack is inducing a fraudulent URL to be entered for which the 
attackers have a valid certificate.


so some of the recent internet phishing countermeasures are trying to 
rely on clear, un-obfuscated indications recognizable by even naive 
users. however, they tend to be add-ons, non-integrated with existing 
countermeasures (like SSL MITM-attack countermeasures) and leave 
existing systemic vulnerabilities in place. When purely static, 
un-obfuscated, recognizable indications are used independently of MITM 
countermeasures, a MITM can create active channels between 
themselves and the end-user and between themselves and the website and 
transparently pass information between the two end-points.


Rather than complex defense in depth ... all with cracks and 
vulnerabilities that attackers can wiggle around ... a better approach 
would be a KISS solution that had an integrated approach to existing systemic 
vulnerabilities. For instance, some sort of clear, un-obfuscated 
indications integrated with URL selection that can leverage the existing 
SSL MITM-attack countermeasures.


The downside of a KISS integrated solution that eliminates existing 
systemic problems (and avoids creating complex layers, each with their 
individual cracks that the attackers can wiggle thru) ... is that the 
only current special interest for such a solution seems to be the 
victims. Some sort of fix that allows naive users to relate and enter 
specific trusted URLs associated with specific tasks could fix many of 
the existing infrastructure vulnerabilities. The issue is what 
institutions have a financial interest in designing, implementing, and 
marketing such a likely free add-on to existing, mostly free-based 
infrastructure. It appears to be much easier to justify the design, 
implementation and marketing of a totally new feature that can be 
separately charged for.


some topic drift ... one person's history of priced software:
http://www.garlic.com/~lynn/2005g.html#51
http://www.garlic.com/~lynn/2005g.html#53
http://www.garlic.com/~lynn/2005g.html#54
http://www.garlic.com/~lynn/2005g.html#57

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: Citibank discloses private information to improve security

2005-06-02 Thread Peter Gutmann
Heyman, Michael [EMAIL PROTECTED] writes:

The false positive I was referring to is the "something is telling me
something unimportant" positive. I didn't mean to infer that the users
likely went through a thought process centered around the possible causes of
the certificate failure, specifically the likelihood of an active man-in-the-
middle vs. software bug, vs. setup error, vs. etc.

Oh, I see.  So we were actually in violent agreement :-).

I've probably seen hundreds of signature validation warnings from various
web-sites for certificates and Active-X and possibly other signed content. I
can't recall needing to heed even one of the warnings. We are trying to
detect man-in-the-middle or outright spoofing with signatures and our false
positive rate is through the roof. The false positive rate must be zero or
nearly zero to work as a useful detector in real world situations.

It's not just passive false-positive acceptance, users are actively encouraged
by software vendors to accept verification-failed content.  For example every
other hardware device you install, as part of its connect-the-dots sequence
of screen shots in the install guide, shows a shot of some sort of signature-
warning dialog, along with an arrow pointing to the "Ignore this warning"
button to click and text telling users to, well, do what the button says. Even
things like WHQL-certified drivers, which should have all the correct
credentials, end up being installed in non-certified ways because the vendors
submit a safe-but-slow configuration to get certified and then ship the
unsafe-but-fast one to be installed (this is standard practice for any
hardware where performance is the main selling point, i.e. video drivers, RAID
drivers, network drivers, etc etc).  Alternatively, the latest bugfix drivers
are several steps ahead of the certified WHQL'd ones, so you get the same
thing.

For non-Windows users who haven't seen this sort of user-conditioning in
documentation, here's the first half-dozen online examples of this (to save me
having to scan install guides to demonstrate it):

  http://www.msha.gov/TECHSUPP/ACC/shortcircuit/install.htm
  http://support.academic.com/knowbase/root/public/acdm9103.htm
  http://mail.regent-college.edu/wireless/printer/w98/
  http://home.cfl.rr.com/dogone/Download.htm
  http://129.171.91.6/firewall/InstallConfig/msie_instruction.cfm
  http://www.rochester.edu/its/wireless/win_IE_certificate.html

Note also that the warnings for valid and invalid signed content are extremely
similar, and both contain lots of text, jargon, and incomprehensible (to the
average user) information.  Both in effect state "Mumble mutter fnord fnord,
do you want to go ahead", with the fnord-level for the valid-signature dialog
being at least as high as the invalid-signature one.  It'd be interesting to
see if users can tell the difference between the two.

This one is particularly cool: "Don't get worried by the JPilot Security
Warning! Just click YES to install & run applet. If you don't, you can't
chat!":

  http://mc2.vicnet.net.au/help/chathelp.html

(Don't worry about those nasty warnings, just close your eyes and click your
heels tog^H^H^H^Hclick OK).

Just to show that it's not just ActiveX signing under Windows that's training
users in this manner, here's a Unix one too:

  http://apps.cybersource.com/library/documentation/dev_guides/Microsoft_Commerce_Server_2002/html/install.htm

Peter.





Re: Citibank discloses private information to improve security

2005-06-02 Thread Ian G
On Wednesday 01 June 2005 23:38, Anne & Lynn Wheeler wrote:
 in theory, the KISS part of SSL's countermeasure for MITM-attack ... is
 does the URL you entered match the URL in the provided certificate. An
 attack is inducing a fraudulent URL to be entered for which the
 attackers have a valid certificates.

Firefox have added a cert domain into the status bar
on the bottom of the browser.  This is part way to what
you suggest and a very welcome improvement to
browser security.

It falls short for (IMHO) 3 reasons:  1. the domain that
is shown isn't the certificate domain, but is something
amalgamated from the URL and the cert;  which then
breaks the independent check you are hoping for above.

2., the CA should be listed so as to complete the
security statement.  Something like "ThisCA signed the
This.Domain.Com cert".  This is done in the Mouseover,
but not displayed all the time, and it is possible to get a
Mouseover that shows a statement that is strictly false
because of 1. above.  (Bugs filed and all the rest...)

3. Another issue is that it is not big enough nor loud enough
in the Trustbar sense to break through the current user
teachings that they can ignore everything as it's all safe.

 Rather than complex defense in depth ... all with cracks and
 vulnerabilities that attackers can wiggle around ... a better approach
 would be KISS solution that had integrated approach to existing systemic
 vulnerabilities. For instance, some sort of clear, un-obfuscated
 indications integrated with URL selection that can leverage the existing
 SSL MITM-attack countermeasures.

Yes, this would be a much better way forward.  Now,
bear in mind that the people writing the plugins would
give their left legs to get the attention and respect of
the browser manufacturers so as to create this
integrated solution.  See various other rants...

 The downside of a KISS integrated solution that eliminates existing
 systemic problems (and avoids creating complex layers, each with their
 individual cracks that the attackers can wiggle thru) ... is that the
 only current special interest for such a solution seems to be the
 victims. Some sort of fix that allows naive users to relate and enter
 specific trusted URLs associated with specific tasks could fix many of
 the existing infrastructure vulnerabilities. The issue is what
 institutions have financial interest in designing, implementing, and
 marketing such a likely free add-on to existing mostly free based
 infrastructure. It appears to be much easier justify the design,
 implementation and marketing of a totally new feature that can be
 separately charge for.

This will change.  I predict that the banks will end up
with the liability for phishing, for good or for bad, and
they will then find it in their hearts to finance the add-ons,
which will battle it out, thus leading to the 'best practices'
which will be incorporated into the browsers.

(Seeing as this is prediction time, I'll stick my neck
out another several kms and say it will be in about 6
months that the banks are asked to take on the liability.)

iang
-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html


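The check Lynn calls the KISS part of SSL's MITM countermeasure (does the host you actually typed match the name in the certificate?) and the separate "this CA signed the cert for this domain" statement Ian wants displayed, as an added Python example; it is not code from either poster, from Firefox or from TrustBar. The certificates are constructed dictionaries standing in for parsed X.509 fields, and the SAN-before-CN and single-leftmost-label wildcard rules are assumptions taken from RFC 6125, not from the thread.

```python
from urllib.parse import urlsplit


def effective_host(url):
    """Return the host a browser will actually connect to for `url`.

    Userinfo ("user@"), the port and letter case are stripped, so a URL
    written as https://www.bank.example@evil.example/ yields evil.example,
    not the www.bank.example a reader skimming the text might expect.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("not a web URL: %r" % url)
    host = parts.hostname  # already lowercased, without userinfo or port
    if not host:
        raise ValueError("no host in URL: %r" % url)
    return host.rstrip(".")


def name_matches(pattern, host):
    """Compare one certificate name against a host (RFC 6125 style, an
    assumption): case-insensitive; a wildcard is honoured only as the whole
    leftmost label of a name that has at least two further labels."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate is valid for: SAN dNSNames when present,
    otherwise the subject CN as the legacy fallback."""
    if cert.get("san_dns"):
        return list(cert["san_dns"])
    return [cert["subject_cn"]] if cert.get("subject_cn") else []


def cert_covers_host(cert, host):
    return any(name_matches(name, host) for name in cert_names(cert))


def security_statement(url, cert):
    """The two facts a user needs, kept separate rather than amalgamated:
    which host the browser connected to, and which identity which CA signed."""
    host = effective_host(url)
    names = ", ".join(cert_names(cert))
    if cert_covers_host(cert, host):
        return "OK: %s signed the certificate for %s; you are connected to %s" % (
            cert["issuer_cn"], names, host)
    return "MISMATCH: connected to %s, but %s signed a certificate only for %s" % (
        host, cert["issuer_cn"], names)


# Constructed sample certificates: assumptions standing in for parsed X.509.
BANK_CERT = {"subject_cn": "www.bank.example",
             "san_dns": ["www.bank.example", "bank.example"],
             "issuer_cn": "Example Root CA"}
LOOKALIKE_CERT = {"subject_cn": "www.bank-example.example",
                  "san_dns": ["www.bank-example.example"],
                  "issuer_cn": "Example Root CA"}

if __name__ == "__main__":
    print(security_statement("https://www.bank.example/login", BANK_CERT))
    print(security_statement("https://www.bank.example@evil.example/login", LOOKALIKE_CERT))
    print(security_statement("https://www.bank-example.example/login", LOOKALIKE_CERT))
```

The statement keeps the connected host and the certified name as two separate facts, which is Ian's point 1. The third call shows the limit Lynn describes: a lookalike host that holds its own valid certificate passes the check, so the display can only tell the user what name was certified, not whether that is the name they meant.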

RE: Citibank discloses private information to improve security

2005-06-01 Thread Heyman, Michael
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann
 Sent: Tuesday, May 31, 2005 1:29 PM
 
 In this situation, I believe that the users, through hard won 
 experience with computers, _correctly_ assumed this was a 
 false positive.

 Probably not.
 [SNIP text on user's thoughts on warning dialogs]

The false positive I was referring to is the "something is telling me
something unimportant" positive. I didn't mean to infer that the users
likely went through a thought process centered around the possible
causes of the certificate failure, specifically the likelihood of an
active man-in-the-middle vs. software bug, vs. setup error, vs. etc.

So, when the box popped up, in the unimportant vs. important choice
that the users went through, they correctly chose unimportant. These
warning dialogs pop up regularly and usually they are crying wolf.

I've probably seen hundreds of signature validation warnings from
various web-sites for certificates and Active-X and possibly other
signed content. I can't recall needing to heed even one of the warnings.
We are trying to detect man-in-the-middle or outright spoofing with
signatures and our false positive rate is through the roof. The false
positive rate must be zero or nearly zero to work as a useful detector
in real world situations.

Defense in depth can help against spoofing - this includes valid
certificates, personalization (even if it is the less-than-optimal
Citibank-like solution), PetName, etc. Man-in-the-middle is harder given
that we have such a high false positive rate on our best weapon.

-Michael



Re: Citibank discloses private information to improve security

2005-05-31 Thread Adam Fields
On Sat, May 28, 2005 at 10:47:56AM -0700, James A. Donald wrote:
[..]
 With bank web sites, experience has shown that only 0.3% 
 of users are deterred by an invalid certificate, 
 probably because very few users have any idea what a 
 certificate authority is, what it does, or why they 
 should care.  (And if you have seen the experts debating 
 what a certificate authority is and what it certifies, 
 chances are that those few who think they know are 
 wrong)

Moreover, in my experience (as I've mentioned before on this list),
noticing an invalid certificate is absolutely useless if the banks
won't verify via another channel a) that it changed, b) what the new
value is or c) what the old value is.

I've tried. They won't/can't.

 Do we have any comparable experience on SSH logins? 
 Existing SSH uses tend to be geek oriented, and do not 
 secure stuff that is under heavy attack.  Does anyone 
 have any examples of SSH securing something that was 
 valuable to the user, under attack, and then the key 
 changed without warning?  How then did the users react? 

Every time this has happened to someone I know who uses SSH, it's been
immediate cause for alarm, causing a phone call to the person who
administers the box asking "what the? did you reinstall the OS
again?".

-- 
- Adam

** I can fix your database problems: http://www.everylastounce.com/mysql.html **

Blog... [ http://www.aquick.org/blog ]
Links.. [ http://del.icio.us/fields ]
Photos. [ http://www.aquick.org/photoblog ]
Experience. [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]




Re: Citibank discloses private information to improve security

2005-05-31 Thread Peter Gutmann
James A. Donald [EMAIL PROTECTED] writes:

With bank web sites, experience has shown that only 0.3% of users are
deterred by an invalid certificate, probably because very few users have any
idea what a certificate authority is, what it does, or why they should care.

James (and others): I really wouldn't cite the BankDirect figure as a hard
value, since it represents just a single user, who may in turn have clicked on
the wrong button (i.e. the real figure could have been 0%).  It'd be better to
say "statistically insignificant" or "negligible" or some other
close-to-or-equal-to-zero synonym.

Peter.




RE: Citibank discloses private information to improve security

2005-05-31 Thread Heyman, Michael
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of James A. Donald
 Sent: Saturday, May 28, 2005 1:48 PM
 
 With bank web sites, experience has shown that only 0.3% of 
 users are deterred by an invalid certificate, probably 
 because very few users have any idea what a certificate 
 authority is, what it does, or why they should care.

I assume you refer to the BankDirect case with the accidentally invalid
certificate.

In this situation, I believe that the users, through hard won experience
with computers, _correctly_ assumed this was a false positive. If an
attack had actually occurred, the users would have been wrong. Luckily
for them, they were correct and did not let the mistake interfere with
their commerce. The one in 300 users that did let the mistake interfere
wasted their time and, perhaps, money if they lost money due to the
delay in access.

As it stands, the system works reasonably well (of course it still has
its share of problems). If 300 out of 300 users wasted time and money
because of the mistake (say if the system were designed so users could
not bypass the possibly bad certificate warning), the security folks in
ivory towers may pat themselves on the back saying, "look, the system
works great!" - the actual users of the technology would be more than a
little ticked. A brittle system that cannot accept failures will always
have trouble dealing with us fallible types.

I'm not familiar with the BankDirect site, but if it is like banking sites
I am used to, it is fairly impersonal and easy to spoof. One way to
reduce the ease-of-spoof factor is to add many ways to identify the bank
web site. If one or two of them fail, the web site is probably still
valid. Ways to identify a site include certificates, personalized
greetings ("Hello Michael, Welcome back, you haven't been here in 4 days
and we've missed you"), code words, the PetName tool, green light by
anti-phishing software, even the URL and overall look-and-feel. So what
if a couple of them fail? That happens all the time and we have to
expect that and design our systems to work in spite of it.

-Michael Heyman




Re: Citibank discloses private information to improve security

2005-05-31 Thread Ian G
On Saturday 28 May 2005 18:47, James A. Donald wrote:

 Do we have any comparable experience on SSH logins?
 Existing SSH uses tend to be geek oriented, and do not
 secure stuff that is under heavy attack.  Does anyone
 have any examples of SSH securing something that was
 valuable to the user, under attack, and then the key
 changed without warning?  How then did the users react?

I've heard an anecdote on 2 out of 3 of those criteria:

In a bank that makes heavy use of SSH, the users have
to phone the help desk to get the key reset when the
warning pops up.  The users of course blame the tool.

I suspect in time the addition of certificate based
checking into SSH or the centralised management
of keys will overcome this.

iang
-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html


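The SSH key-change warning that Adam and Ian describe, as an added Python example that is not OpenSSH code and not anything from the posters: it parses a constructed known_hosts file (plain entries and the hashed `|1|salt|hmac` entries OpenSSH writes with HashKnownHosts), computes OpenSSH-style SHA256 fingerprints, and classifies a presented host key as known, new or changed. The key blobs are constructed byte strings rather than real public keys, and the fixed salt is there only to keep the file reproducible (OpenSSH draws it at random).

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

KNOWN, NEW, CHANGED = "known", "new", "changed"


@dataclass
class HostEntry:
    hosts: str       # "name1,name2", or "|1|<salt>|<hmac>" for a hashed entry
    key_type: str    # e.g. ssh-ed25519
    key_blob: bytes  # decoded public key blob


def fingerprint(key_blob):
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_host(hostname, salt):
    """The |1|salt|hmac form: HMAC-SHA1 of the hostname keyed with the salt."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(hosts_field, hostname):
    """Does a known_hosts host field (plain list or hashed) name this host?"""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts_field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in hosts_field.split(",")


def parse_known_hosts(text):
    """Parse 'hosts keytype base64key [comment]' lines; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        entries.append(HostEntry(fields[0], fields[1], base64.b64decode(fields[2])))
    return entries


def check_host_key(entries, hostname, key_type, presented_blob):
    """Classify a presented host key the way an SSH client must.

    KNOWN: proceed.  NEW: trust-on-first-use decision; show the fingerprint so
    it can be compared out of band.  CHANGED: refuse; only a check through
    another channel (Adam's phone call to the administrator) should clear it.
    """
    for entry in entries:
        if entry.key_type == key_type and host_matches(entry.hosts, hostname):
            if hmac.compare_digest(entry.key_blob, presented_blob):
                return KNOWN, fingerprint(presented_blob)
            return CHANGED, "stored %s, presented %s" % (
                fingerprint(entry.key_blob), fingerprint(presented_blob))
    return NEW, fingerprint(presented_blob)


# Constructed sample data (not real keys): a gateway known by name and address,
# a hashed entry for an LDAP host, and the key a reinstalled gateway would show.
BANK_KEY = b"constructed-ed25519-blob-gateway"
LDAP_KEY = b"constructed-ed25519-blob-ldap"
REINSTALL_KEY = b"constructed-ed25519-blob-after-reinstall"
SALT = bytes(range(20))  # fixed for reproducibility; OpenSSH uses a random salt
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "gateway.bank.example,10.0.0.5 ssh-ed25519 " + base64.b64encode(BANK_KEY).decode(),
    hash_host("ldap.bank.example", SALT) + " ssh-ed25519 " + base64.b64encode(LDAP_KEY).decode(),
])
ENTRIES = parse_known_hosts(SAMPLE_KNOWN_HOSTS)

if __name__ == "__main__":
    for host, blob in [("gateway.bank.example", BANK_KEY),
                       ("gateway.bank.example", REINSTALL_KEY),
                       ("ldap.bank.example", LDAP_KEY),
                       ("new.bank.example", LDAP_KEY)]:
        print(host, *check_host_key(ENTRIES, host, "ssh-ed25519", blob))
```

A changed key is refused rather than quietly reset; the two fingerprints in the verdict are what the user reads out over the phone, which is exactly the other-channel comparison Adam notes the banks will not perform for certificates.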

Re: Citibank discloses private information to improve security

2005-05-31 Thread Amir Herzberg


With bank web sites, experience has shown that only 0.3% 
of users are deterred by an invalid certificate, 
probably because very few users have any idea what a 
certificate authority is, what it does, or why they 
should care.  (And if you have seen the experts debating 
what a certificate authority is and what it certifies, 
chances are that those few who think they know are 
wrong)


Well, I have some usability tests that seem to prove your intuitive 
claim that most users don't know what a CA is. I don't know about 
arguments between experts on this. I think however that even naive users 
understand the TrustBar UI for SSL protected sites quite well. We display 
something like "name/logo of site, identified by name/logo of CA". I'll 
appreciate your thoughts/feedback; try it at http://TrustBar.MozDev.org.


--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame.html




Re: Citibank discloses private information to improve security

2005-05-31 Thread Victor Duchovni
On Tue, May 31, 2005 at 02:45:56PM +0100, Ian G wrote:

 On Saturday 28 May 2005 18:47, James A. Donald wrote:
 
  Do we have any comparable experience on SSH logins?
  Existing SSH uses tend to be geek oriented, and do not
  secure stuff that is under heavy attack.  Does anyone
  have any examples of SSH securing something that was
  valuable to the user, under attack, and then the key
  changed without warning?  How then did the users react?
 
 I've heard an anecdote on 2 out of 3 of those criteria:
 
 In a bank that makes heavy use of SSH, the users have
 to phone the help desk to get the key reset when the
 warning pops up.  The users of course blame the tool.
 
 I suspect in time the addition of certificate based
 checking into SSH or the centralised management
 of keys will overcome this.
 

The solution for intramural use of SSH is to use Kerberos for mutual
authentication; this obviates the need for per-user known hosts files.

Though it took some time for the code that correctly integrates Kerberos
into OpenSSH to be adopted, AFAIK this is now done. If it is not, please
apply suitable prods to the maintainers, as the code has been available for
some time.

The key obstacle was to allow Kerberos mutual auth to not only log the
user in, but to also authenticate the server despite any mismatch in the
(now ephemeral) RSA keys.

-- 

 /\  ASCII RIBBON   Victor Duchovni   NOTICE: If received in error,
 \ / CAMPAIGN       IT Security,      please destroy and notify
  X  AGAINST        Morgan Stanley    sender. Sender does not waive
 / \ HTML MAIL                        confidentiality or privilege,
                                      and use is prohibited.



RE: Citibank discloses private information to improve security

2005-05-31 Thread Peter Gutmann
Heyman, Michael [EMAIL PROTECTED] writes:

In this situation, I believe that the users, through hard won experience with
computers, _correctly_ assumed this was a false positive.

Probably not.  This issue was discussed at some length on the hcisec list
(security usability, http://groups.yahoo.com/group/hcisec/), e.g.:

-- Snip --

In my experience with helping out non-technical users, certificates are
treated as a purely boolean option, either they're valid or they're not.  In
fact usually the validity of certificates isn't even an option, either you get
a warning dialog or you don't, the actual text may as well be written in
Swahili.  People don't understand (or maybe don't want to understand) the
technical explanations that browsers throw up for them.  So an expired cert
would have the same status as one for the wrong site or a dozen other reasons
why the browser would throw up a warning.

I did some even less rigorous checking (i.e. asked a few users who were handy)
why they would have done something like this if they'd been one of the 300 and
their response was that since it was a known site that they'd dealt with
before, they'd assume it was some config error and continue anyway.  Several
of them had had similar problems with things like hotmail (that is, not SSL-
related but just general "it didn't work when I tried it" problems), where
clicking OK to get rid of warnings or waiting half an hour and trying again
had fixed things.  This was just another random site error that they would
have navigated around.

-- Snip --

For more discussion, see the list archives.

Peter.



Re: Citibank discloses private information to improve security

2005-05-31 Thread Lance James

Ed Gerck wrote:
Suppose you choose A4RT as your codeword. The codeword has no privacy concern
(it does not identify you) and is dynamic -- you can change it at will, if you
suspect someone else got it.

Compare with the other two identifiers that Citibank is using. Your full name
is private and static. The ATM's last-four is private and static too (unless
you want the burden to change your card often).



I agree on the privacy issue, your point is well taken there.


Lance James wrote:

But from your point, the codeword would be in the clear as well. 
Respectively speaking, I don't see how either solution would solve this.



Ed Gerck wrote:


List,

In an effort to stop phishing emails, Citibank is including in a plaintext
email the full name of the account holder and the last four digits of the
ATM card.







--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.com
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Have Phishers stolen your customers' logins? Find out with DIA
https://slam.securescience.com/signup.cgi - it's free!  




Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler

Adam Fields wrote:

Moreover, in my experience (as I've mentioned before on this list),
noticing an invalid certificate is absolutely useless if the banks
won't verify via another channel a) that it changed, b) what the new
value is or c) what the old value is.

I've tried. They won't/can't.


one might claim then that a solution is to go to a PGP-like repository 
of trusted public keys (in addition to and/or in conjunction with the typical 
browser repository of trusted certification authority public keys). the 
URL & public key are loaded into the repository and some out-of-band 
process is used to establish the trust level of the information ... 
and you are involving the end-user in the trust establishment process.


For convenience ... enable this from a bookmark and the end-user clicks on 
trusted URLs. then rather than the browser using the webserver supplied 
certificate as part of the SSL process, the browser uses the on-file trusted 
public key for that URL.

http://www.garlic.com/~lynn/subpubkey.html#certless

a threat is that social engineering can convince some number of naive users 
to do just about anything ... including things like updating a trusted 
public key repository ... and clicking on email-obfuscated URLs (what 
the email claims to be the URL ... is unrelated to what the URL actually 
is). a major problem is that a large percentage of the population seems 
to be extremely naive about trust.


some large amount of the skimming and harvesting related fraud is 
because of existing authentication paradigms that make extensive use of 
static data and shared-secrets

http://www.garlic.com/~lynn/subpubkey.html#secrets

a countermeasure could be public key and digital signature verification 
based authentication. extensive use of file-based private keys makes them 
vulnerable to harvesting by viruses ... but also vulnerable to social 
engineering attacks getting naive users to divulge the contents of private 
key files.


a countermeasure might be hardware tokens where the private key can't be 
divulged ... even by the token owner. however, social engineering 
attacks can still get naive users to perform fraudulent transactions on 
behalf of crooks (even in hardware token based infrastructures). 
however, the percentage of the population vulnerable to such attacks 
might go down as the complexity of the social engineering and/or the 
awareness of the user population goes up.



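Lynn's contrast between static shared secrets (skimmable, harvestable and replayable) and public-key digital-signature authentication, as an added Python example that is not code from the post or from AADS. The RSA here is a toy, textbook construction over two fixed Mersenne primes with no padding, an assumption made only so the file runs offline; the "harvested" transcripts are constructed in the code. It also shows the narrower point Lynn makes in a later post in this thread: verifying a signature establishes message integrity and possession of the private key, nothing more.

```python
import hashlib
import secrets

# Toy textbook RSA with fixed Mersenne primes (assumption: illustration only;
# a real deployment uses a vetted library with proper padding and key generation).
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _message_int(message):
    # SHA-256 truncated to 224 bits keeps the integer below N (about 2**234).
    return int.from_bytes(hashlib.sha256(message).digest()[:28], "big")


def sign(private_d, message):
    return pow(_message_int(message), private_d, N)


def verify(public_e, message, signature):
    """True only if `signature` was made over exactly `message` by the
    holder of the private key: integrity plus 'something you have'."""
    return pow(signature, public_e, N) == _message_int(message)


class PasswordServer:
    """Shared-secret login: the same static value crosses the wire every session,
    so one harvested copy is good forever."""

    def __init__(self, password):
        self._stored = hashlib.sha256(password).digest()

    def login(self, presented):
        return secrets.compare_digest(hashlib.sha256(presented).digest(), self._stored)


class SignatureServer:
    """Public-key login: the client signs a fresh server nonce, never a static value,
    and each nonce is accepted once."""

    def __init__(self, public_e):
        self._public_e = public_e
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce, signature):
        if nonce not in self._pending:
            return False  # unknown or already-used nonce: a replayed transcript lands here
        self._pending.discard(nonce)
        return verify(self._public_e, b"login:" + nonce, signature)


def demo():
    """Record one legitimate session of each scheme, then try to reuse it."""
    results = {}

    pw_server = PasswordServer(b"correct horse battery staple")
    harvested_password = b"correct horse battery staple"  # constructed: skimmed in transit
    results["password_replay_succeeds"] = pw_server.login(harvested_password)

    sig_server = SignatureServer(E)
    nonce = sig_server.challenge()
    harvested_session = (nonce, sign(D, b"login:" + nonce))  # constructed: captured transcript
    results["legitimate_signature_succeeds"] = sig_server.login(*harvested_session)
    results["signature_replay_succeeds"] = sig_server.login(*harvested_session)
    fresh = sig_server.challenge()
    results["fresh_signature_succeeds"] = sig_server.login(fresh, sign(D, b"login:" + fresh))
    # An old signature presented against a new challenge fails: the signed message differs.
    results["old_signature_on_new_challenge_succeeds"] = sig_server.login(
        sig_server.challenge(), harvested_session[1])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-40s %s" % (name, outcome))
```

The harvested password logs in again because the secret itself is what travels; the harvested signature does not, because it commits to a nonce the server will never issue twice. What the signature does not establish is anything about the user's intent, which is why Lynn separates it from a human signature.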

Re: Citibank discloses private information to improve security

2005-05-31 Thread Steven M. Bellovin
Bank of America is adopting some new schemes that might help.  First, 
they're asking users to select a picture the user selected at 
registration time.  The theory is presumably that a phishing site won't 
have the right image for you.  Second, you can register your 
computer; if your account is accessed from another computer, additional 
authentication is demanded, thus rendering a compromised password much 
less useful.

I think both schemes will help; I doubt that either will stop the 
problems.


http://www.bankofamerica.com/newsroom/press/press.cfm?PressID=press.20050526.03.htm

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler

Steven M. Bellovin wrote:
Bank of America is adopting some new schemes that might help.  First, 
they're asking users to select a picture the user selected at 
registration time.  The theory is presumably that a phishing site won't 
have the right image for you.  Second, you can register your 
computer; if your account is accessed from another computer, additional 
authentication is demanded, thus rendering a compromised password much 
less useful.


I think both schemes will help; I doubt that either will stop the 
problems.



http://www.bankofamerica.com/newsroom/press/press.cfm?PressID=press.20050526.03.htm


but they appear to be vulnerable to MITM-attacks

a recent thread
http://seclists.org/lists/fulldisclosure/2005/May/0629.html
http://seclists.org/lists/fulldisclosure/2005/May/0637.html
http://seclists.org/lists/fulldisclosure/2005/May/0639.html
http://seclists.org/lists/fulldisclosure/2005/May/0644.html



Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler

Steven M. Bellovin wrote:
Bank of America is adopting some new schemes that might help.  First, 
they're asking users to select a picture the user selected at 
registration time.  The theory is presumably that a phishing site won't 
have the right image for you.  Second, you can register your 
computer; if your account is accessed from another computer, additional 
authentication is demanded, thus rendering a compromised password much 
less useful.


I think both schemes will help; I doubt that either will stop the 
problems.


a couple more

BofA rolls out authentication tools after data breach incident
http://eyeonit.itmanagersjournal.com/article.pl?sid=05/05/27/1816200
Bank of America looks to protect Online users with SiteKey
http://tech.monstersandcritics.com/news/article_1002765.php/Bank_of_America_looks_to_protect_Online_users_with_SiteKey
Payments News: Bank of America Launches SiteKey
http://www.paymentsnews.com/2005/05/bank_of_america.html
Bank of America | Sign up for the SiteKey Service
http://www.bankofamerica.com/privacy/passmark/
Bank of America takes on cyberscams
http://news.com.com/Bank+of+America+takes+on+cyberscams/2100-1029_3-5722035.html
Bank Of America Fights Phishing With New Authentication
http://informationweek.smallbizpipeline.com/news/163701500
Bank of America Announces Industry-Leading Security Feature ...
http://money.cnn.com/services/tickerheadlines/prn/200505261000PR_NEWS_USPR_CLTH009.htm
Bank of America's SiteKey scrutinized
http://news.com.com/2061-10789_3-5723556.html?part=rss&tag=5723556&subj=news



Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler

just for the heck of it ... something today more from the physical world

ATM scams added to GASA's fraud library
http://www.atmmarketplace.com/news_story_23307.htm

CAPE TOWN, South Africa and BROOKINGS, S.D. -- The ATM Industry 
Association's Global ATM Security Alliance launched its online library 
of ATM fraud, according to a news release. The library is part of 
Cognito, GASA's global ATM crime data management system.


... snip ...

... and
http://www.globalasa.com/



Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler

oops, sorry, forgot to include this one

Hong Kong banks to introduce two-factor authentication for online 
transactions

http://www.finextra.com/fullstory.asp?id=13744

Banks in Hong Kong are set to introduce two-factor authentication 
services to the country's 2.7 million Internet banking customers next month.


... snip ...

and lots of collected posts on 3-factor authentication paradigm
http://www.garlic.com/~lynn/subpubkey.html#3factor

* something you have
* something you know
* something you are



Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler

Ed Gerck wrote:
Also, in an effort to make their certs more valuable, CAs have made 
digitally
signed messages imply too much -- much more than they warrant or can 
even represent.
There are now all sorts of legal implications tied to PKI signatures, in 
my opinion

largely exaggerated and casuistic.


as discussed in numerous non-repudiation posts, dual-use threat posts, 
and posts about human signatures ... where the human signature implies 
that the person has read, understood, authorizes, approves, and/or 
agrees with what is read and understood ...


the validation of a digital signature with a public key implies that the 
message hasn't been altered since transmission and there is something 
you have authentication (the originator has access and use of the 
corresponding private key). the simple validation of a digital signature 
doesn't carry with it any of the sense of a human signature and/or 
non-repudiation.


in most business scenarios ... the relying party has previous knowledge 
and contact with the entity that they are dealing with (making the 
introduction of PKI digital certificates redundant and superfluous). 
Furthermore, x.509 identity certificates possibly horribly overloaded 
with personal information would represent significant privacy issues.


i've claimed that in the aads effort
http://www.garlic.com/~lynn/index.html#aads

not having to be pre-occupied with trying to interest relying parties in 
digital certificates containing information they already had ... we 
were more free to concentrate on general threat, risk and vulnerability 
analysis. for instance, one of the things that a relying party might be 
really interested in is the integrity of the environment housing a 
subject's private key (is it in a software file or a hardware token, if 
a hardware token, what are the characteristics of the hardware token, 
etc) and the integrity of the environment in which a digital signature 
was generated.


one possible scenario is that CAs wanted to convince relying parties in 
the value of the certificates and not distract them with fundamental 
business integrity issues ... which might have resulted in businesses 
diverting money to fundamental business integrity items ... rather than 
spending on redundant and superfluous digital certificates likely 
containing information that they already had (i.e. having digital 
certificates would result in magical fu-fu dust being sprinkled over the 
rest of the infrastructure automagically precluding any such integrity 
problems?). furthermore they could spread semantic confusion ... somehow 
implying that because the term digital signature contained the word 
signature ... it was somehow related to a human signature.


lots of collected past postings related to fraud, exploits, 
vulnerabilities, etc

http://www.garlic.com/~lynn/subpubkey.html#fraud

some number of posts on account number harvesting
http://www.garlic.com/~lynn/subpubkey.html#harvest



Re: Citibank discloses private information to improve security

2005-05-30 Thread Lance James
But from your point, the codeword would be in the clear as well. 
Respectively speaking, I don't see how either solution would solve this.



Ed Gerck wrote:

List,

In an effort to stop phishing emails, Citibank is including in a plaintext
email the full name of the account holder and the last four digits of the
ATM card.

Not only are these personal identifiers sent in an insecure communication,
such use is not authorized by the person they identify. Therefore, I 
believe

that some points need to be made in regard to right to privacy and security
expectations.

It's the usual tactic of pushing the liability to the user. The account
holder gets the full liability for the security procedure used by
the bank.

A better solution, along the same lines, would have been for Citibank to
ask from their account holders when they login for Internet banking,
whether they would like to set up a three- or four-character combination
to be used in all emails from the bank to the account holder. This
combination would not be static, because it could be changed by the user
at will, and would not identify the user in any other way.

Private, identifying information of customers has been used before
by banks for customer login. The account holder's name, the ATM card
number, the account number, and the SSN have all been used, and abandoned,
for Internet banking login. Why? Because of the increased exposure
creating additional risks.

Now, with the unilateral disclosure by Citibank of the account holder's
name as used in the account and the last four digits of the ATM number,
Citibank is backtracking its own advances in user login (when they
abandoned those identifiers).

Of course, banks consider the ATM card their property, as well as the
number they contain. However, the ATM card number is a unique personal
identifier and should not be disclosed in a plaintext email without
authorization.

A much better solution (see above) exists, even using plaintext email --
use a codeword that is agreed beforehand with the user. This would be
a win-win solution, with no additional privacy and security risk.

Or is email becoming even more insecure, with our private information
being more and more disclosed by those who should actually guard it,
in the name of security?

Cheers,
Ed Gerck





--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.com
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Have Phishers stolen your customers' logins? Find out with DIA
https://slam.securescience.com/signup.cgi - it's free!  




Re: Citibank discloses private information to improve security

2005-05-30 Thread Ed Gerck

Suppose you choose A4RT as your codeword. The codeword has no privacy concern
(it does not identify you) and is dynamic -- you can change it at will, if you
suspect someone else got it.

Compare with the other two identifiers that Citibank is using. Your full name
is private and static. The ATM's last-four is private and static too (unless
you want the burden to change your card often).

Lance James wrote:
But from your point, the codeword would be in the clear as well. 
Respectively speaking, I don't see how either solution would solve this.



Ed Gerck wrote:


List,

In an effort to stop phishing emails, Citibank is including in a plaintext
email the full name of the account holder and the last four digits of the
ATM card.





Re: Citibank discloses private information to improve security

2005-05-30 Thread Matt Crawford

On May 26, 2005, at 13:24, Ed Gerck wrote:
A better solution, along the same lines, would have been for Citibank to
ask from their account holders when they login for Internet banking,
whether they would like to set up a three- or four-character combination
to be used in all emails from the bank to the account holder.


Why couldn't they just use digitally signed S/MIME email?  I'm sure 
that works just as well as signed SSL handshakes.



Oh.  Answered my own question, didn't I?




Re: Citibank discloses private information to improve security

2005-05-30 Thread Ed Gerck

Wells Fargo reported to me some time ago that they tried using digitally
signed S/MIME email messages and it did not work even for their _own employees_.

Also, in an effort to make their certs more valuable, CAs have made digitally
signed messages imply too much -- much more than they warrant or can even 
represent.
There are now all sorts of legal implications tied to PKI signatures, in my 
opinion
largely exaggerated and casuistic.

If someone forges a digitally signed Citibank message, or convincingly spoofs
it, the liability might be too large to even think of it.

Using a non-signed codeword that the user has defined beforehand allows the
user to have a first proof that the message is legitimate. Since the user
chooses it, there is no privacy concern or liability for the bank. Of course,
here trust decreases with time -- a fresh codeword is more valuable. But if
the user can refresh it at will, each user will have the security that he wants.


Matt Crawford wrote:

On May 26, 2005, at 13:24, Ed Gerck wrote:


A better solution, along the same lines, would have been for Citibank to
ask from their account holders when they login for Internet banking,
whether they would like to set up a three- or four-character combination
to be used in all emails from the bank to the account holder.



Why couldn't they just use digitally signed S/MIME email?  I'm sure that 
works just as well as signed SSL handshakes.



Oh.  Answered my own question, didn't I?




Re: Citibank discloses private information to improve security

2005-05-30 Thread James A. Donald
--
On 26 May 2005 at 11:24, Ed Gerck wrote:
 A better solution, along the same lines, would have 
 been for Citibank to ask from their account holders 
 when they login for Internet banking, whether they 
 would like to set up a three- or four-character 
 combination to be used in all emails from the bank to 
 the account holder. This combination would not be 
 static, because it could be changed by the user at 
 will, and would not identify the user in any other 
 way.

An even better solution would be if email clients 
silently did key continuity checking on a signature 
hidden in the email headers, if such a header is 
present, and then popped up an SSH style dialog if an 
accustomed key is absent or changed.

With bank web sites, experience has shown that only 0.3% 
of users are deterred by an invalid certificate, 
probably because very few users have any idea what a 
certificate authority is, what it does, or why they 
should care.  (And if you have seen the experts debating 
what a certificate authority is and what it certifies, 
chances are that those few who think they know are 
wrong)

Do we have any comparable experience on SSH logins? 
Existing SSH uses tend to be geek oriented, and do not 
secure stuff that is under heavy attack.  Does anyone 
have any examples of SSH securing something that was 
valuable to the user, under attack, and then the key 
changed without warning?  How then did the users react? 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 9xkPv5IiSbkDSyL+VmtW44PAr2ChEHEncpVVVLUp
 4PtEJ+TutEYw9poqnX74X8nSltnDV22OJDPqsG1cS



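Added illustration, not code from any post in this thread: a Go sketch of the SSH-style key continuity checking James A. Donald proposes above, which also makes Anne Lynn Wheeler's earlier point concrete, namely that verifying a digital signature establishes only that the body was not altered and that the signer holds the matching private key (something-you-have), nothing about intent or identity. The client stays silent when no signature header is present or when the key matches the accustomed one, records the key on first contact, and raises a warning only when a message claiming the same sender arrives under a different key. The header names X-Sender-Key and X-Sender-Sig, the addresses and the message bodies are assumptions constructed for the example; there is no standard behind them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Hypothetical header names carrying the sender's public key and a signature
// over the message; assumed for this example, not an existing standard.
const (
	hdrKey = "X-Sender-Key"
	hdrSig = "X-Sender-Sig"
)

// Outcome of the check a mail client would perform on an incoming message.
type Outcome int

const (
	Unsigned     Outcome = iota // no signature header: nothing to check, stay silent
	BadSignature                // signature fails under the presented key: reject
	FirstSeen                   // sender never seen before: record the key (trust on first use)
	KnownKey                    // key matches the accustomed key: stay silent
	KeyChanged                  // key differs from the accustomed key: raise the SSH-style warning
)

func (o Outcome) String() string {
	return [...]string{"unsigned", "bad-signature", "first-seen", "known-key", "KEY CHANGED"}[o]
}

// Message is a simplified mail: sender address, body and headers.
type Message struct {
	From    string
	Body    string
	Headers map[string]string
}

// KeyStore maps a sender address to the key first seen for it, like known_hosts.
type KeyStore map[string]ed25519.PublicKey

// signedBytes is the data the signature covers: the sender address and the body.
func signedBytes(m *Message) []byte {
	return []byte(m.From + "\n" + m.Body)
}

// Sign attaches the sender's public key and an Ed25519 signature as headers.
func Sign(m *Message, priv ed25519.PrivateKey) {
	pub := priv.Public().(ed25519.PublicKey)
	m.Headers[hdrKey] = base64.StdEncoding.EncodeToString(pub)
	m.Headers[hdrSig] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedBytes(m)))
}

// Check verifies the signature, which proves only that the body is unaltered
// and that the signer holds the private key for the presented public key,
// then compares that key against the one accustomed for the sender address.
func Check(store KeyStore, m *Message) Outcome {
	keyB64, haveKey := m.Headers[hdrKey]
	sigB64, haveSig := m.Headers[hdrSig]
	if !haveKey || !haveSig {
		return Unsigned
	}
	pub, errK := base64.StdEncoding.DecodeString(keyB64)
	sig, errS := base64.StdEncoding.DecodeString(sigB64)
	// ed25519.Verify panics on a wrong-length key, so check the size first.
	if errK != nil || errS != nil || len(pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(pub), signedBytes(m), sig) {
		return BadSignature
	}
	known, seen := store[m.From]
	switch {
	case !seen:
		store[m.From] = ed25519.PublicKey(pub)
		return FirstSeen
	case bytes.Equal(known, pub):
		return KnownKey
	default:
		return KeyChanged
	}
}

// Demo runs constructed messages through Check and returns the outcomes in order:
// first contact, repeat contact, spoofed sender under a different key,
// body altered after signing, and an unsigned message.
func Demo() []Outcome {
	store := KeyStore{}
	_, bankPriv, _ := ed25519.GenerateKey(rand.Reader)  // the bank's key
	_, spoofPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the client has never seen
	newMsg := func(body string) *Message { // constructed sender address
		return &Message{From: "alerts@bank.example", Body: body, Headers: map[string]string{}}
	}
	var out []Outcome
	m1 := newMsg("Your statement is ready.")
	Sign(m1, bankPriv)
	out = append(out, Check(store, m1)) // first-seen
	m2 := newMsg("A new payee was added.")
	Sign(m2, bankPriv)
	out = append(out, Check(store, m2)) // known-key
	m3 := newMsg("Please confirm your details.")
	Sign(m3, spoofPriv) // same From address, different key
	out = append(out, Check(store, m3)) // KEY CHANGED
	m4 := newMsg("Transfer of 10.00 completed.")
	Sign(m4, bankPriv)
	m4.Body = "Transfer of 10000.00 completed." // altered after signing
	out = append(out, Check(store, m4)) // bad-signature
	out = append(out, Check(store, newMsg("No headers at all."))) // unsigned
	return out
}

func main() {
	for i, o := range Demo() {
		fmt.Printf("message %d: %s\n", i+1, o)
	}
}
```

The store is keyed by sender address only, so the first message from a new address is accepted without any warning; that is the trust-on-first-use trade-off James raises, and the same open question about how users react to a KEY CHANGED prompt applies here as to SSH.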