Re: Banks Test ID Device for Online Security
Bill Stewart wrote:
> Yup. It's the little keychain frob that gives you a string of numbers, updated every 30 seconds or so, which stays roughly in sync with a server, so you can use them as one-time passwords instead of storing a password that's good for a long term. So if the phisher cons you into handing over your information, they've got to rip you off in nearly-real-time with a MITM game instead of getting a password they can reuse, sell, etc. That's still a serious risk for a bank, since the scammer can use it to log in to the web site and then do a bunch of transactions quickly; it's less vulnerable if the bank insists on a new SecurID hit for every dangerous transaction, but that's too annoying for most customers.

in general, it is something you have authentication as opposed to the common shared-secret something you know authentication. while a window of vulnerability does exist (supposedly something that proves you are in possession of something you have), it is orders of magnitude smaller than the shared-secret something you know authentication.

there are two scenarios for shared-secret something you know authentication

1) a single shared-secret used across all security domains ... a compromise of the shared-secret has a very wide window of vulnerability plus a potentially very large scope of vulnerability

2) a unique shared-secret for each security domain ... which helps limit the scope of a shared-secret compromise. this potentially worked with one or two security domains ... but with the proliferation of the electronic world ... it is possible to have scores of security domains, resulting in scores of unique shared-secrets. scores of unique shared-secrets typically exceed human memory capacity, with the result that all shared-secrets are recorded someplace; which in turn becomes a new exploit/vulnerability point.

various financial shared-secret exploits are attractive because with modest effort it may be possible to harvest tens of thousands of shared-secrets. One-at-a-time, real-time social engineering may take comparable effort ... but only yields a single piece of authentication material with a very narrow time-window, and the fraud ROI might be several orders of magnitude less. It may appear to still be a large risk to individuals ... but for a financial institution, it may be a relatively small risk to cover the situation ... compared to a criminal being able to compromise 50,000 accounts with comparable effort. In some presentation there was the comment made that the only thing that they really needed to do is make it more attractive for the criminals to attack somebody else.

It would be preferable to have a something you have authentication resulting in a unique value ... every time the device was used. Then no amount of social engineering could result in getting the victim to give up information that results in compromise. However, even with a relatively narrow window of vulnerability ... it still could reduce risk/fraud to financial institutions by several orders of magnitude (compared to existing prevalent shared-secret something you know authentication paradigms).

old standby posting about security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Banks Test ID Device for Online Security
oh, and this is old discussion of a unit that has been in use in europe ... it basically is a very inexpensive calculator with 7816 contacts that you can slip a smartcard into. it is used in a challenge/response scenario: a numeric keypad is used to enter the challenge, which is passed to the smartcard, which does something, and the response is displayed. the person enters the displayed response.
http://www.garlic.com/~lynn/2001g.html#57 Q: Internet banking

works with anything that can present a challenge and has a numeric keypad for the response (even works over telephone with VRU).

note that in any online scenario ... the server-side can do security proportional to risk by making a decision to ask or not ask for additional inputs. possible scenario is bill pay in home banking: use authentication for initial access and then, if total transactions exceed some value ... ask for additional authentication input (trading off convenience and risk; in an online scenario it doesn't need to be all just one way or another way, there is some amount of latitude for adaptive implementation). Note that the additional authentication input can also be used for interpreting the (human specific) input as evidence of approval for the transaction(s) as opposed to simply authentication.

other pieces of the previously mentioned thread on security proportional to risk:
http://www.garlic.com/~lynn/aepay7.htm#netbank net banking, is it safe?? ... power to the consumer
http://www.garlic.com/~lynn/aepay7.htm#netbank2 net banking, is it safe?? ... security proportional to risk
http://www.garlic.com/~lynn/2001g.html#57 Q: Internet banking
http://www.garlic.com/~lynn/2001h.html#53 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#58 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#61 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#62 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#64 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#68 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#70 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#75 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#9 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#10 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#16 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#25 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#35 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#36 Net banking, is it safe???
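As an added example (not code from anyone on this thread), here is a toy Python model of the two mechanisms the two posts above describe: a time-synced keychain code that the server accepts only inside a short window and never twice, and a keypad challenge/response whose challenge is bound to the transaction, so the response doubles as approval, requested only once the session's running total crosses a limit. The HMAC-based code construction, the shared secret, the limit and all names are assumptions; SecurID's own algorithm is proprietary and is not reproduced here.

```python
import hashlib
import hmac
import struct
# Constructed demo secret shared by token and server (not a real device key).
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
STEP = 30             # seconds each displayed code lives, as in the thread
STEP_UP_LIMIT = 1000  # assumed: cumulative amount above which the server asks again

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # HMAC-SHA1 with dynamic truncation in the RFC 4226 style (assumed, not SecurID's).
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def token_code(secret: bytes, now: int) -> str:
    """The six digits the keychain token shows at time `now` (seconds)."""
    return hotp(secret, now // STEP)

def challenge_for(payee: str, amount: int) -> str:
    """Transaction-bound challenge: the digits typed on the keypad encode what is approved."""
    h = hashlib.sha256(f"{payee}:{amount}".encode()).digest()
    return str(int.from_bytes(h[:4], "big") % 10 ** 8).zfill(8)

def card_response(secret: bytes, challenge: str) -> str:
    """What the smartcard-in-calculator displays for a typed challenge."""
    return hotp(secret, int(challenge))

class BankServer:
    def __init__(self, secret: bytes, skew: int = 1):
        self.secret, self.skew = secret, skew
        self.used = set()   # accepted time steps: one-time means no replay inside the window
        self.total = 0      # running total of this session's transactions
    def login(self, code: str, now: int) -> bool:
        base = now // STEP
        for c in range(base - self.skew, base + self.skew + 1):  # tolerate slight clock drift
            if c not in self.used and hmac.compare_digest(hotp(self.secret, c), code):
                self.used.add(c)
                return True
        return False

    def pay(self, payee: str, amount: int, response: str = "") -> str:
        """Security proportional to risk: small payments ride on the login, large ones need a fresh response."""
        if self.total + amount > STEP_UP_LIMIT:
            expected = card_response(self.secret, challenge_for(payee, amount))
            if not response or not hmac.compare_digest(expected, response):
                return "step-up required"
        self.total += amount
        return "accepted"
```

A response computed for one payee/amount pair is rejected for any other, which is what turns the extra input into evidence of approval rather than mere authentication.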
RE: Banks Test ID Device for Online Security
R.A. Hettinga wrote:
> Okay. So AOL and Banks are *selling* RSA keys??? Could someone explain this to me?

At 12:24 PM 1/4/2005, Trei, Peter wrote:
> The slashdot article title is really, really misleading. In both cases, this is SecurID.

Yup. It's the little keychain frob that gives you a string of numbers, updated every 30 seconds or so, which stays roughly in sync with a server, so you can use them as one-time passwords instead of storing a password that's good for a long term. So if the phisher cons you into handing over your information, they've got to rip you off in nearly-real-time with a MITM game instead of getting a password they can reuse, sell, etc. That's still a serious risk for a bank, since the scammer can use it to log in to the web site and then do a bunch of transactions quickly; it's less vulnerable if the bank insists on a new SecurID hit for every dangerous transaction, but that's too annoying for most customers.

Bill Stewart [EMAIL PROTECTED]
Re: Banks Test ID Device for Online Security
On Tue, Jan 04, 2005 at 03:24:56PM -0500, Trei, Peter wrote:
> R.A. Hettinga wrote:
>> Okay. So AOL and Banks are *selling* RSA keys??? Could someone explain this to me?
>> No. Really. I'm serious...
>> Cheers, RAH
> The slashdot article title is really, really misleading. In both cases, this is SecurID.

In some cases this also may be VASCO DigiPass, which is a system very similar to SecurID, only cheaper. This technology seems to be quite popular in Europe, as a couple of banks in Poland routinely issue tokens, both VASCO and SecurID, to their customers for online authorization, and the tokens are used both in password generation (as described in the article) and challenge-response modes.

Alex
--
mors ab alto 0x46399138
Re: Banks Test ID Device for Online Security
Bill Stewart wrote:
> That's still a serious risk for a bank, since the scammer can use it to log in to the web site and then do a bunch of transactions quickly; it's less vulnerable if the bank insists on a new SecurID hit for every dangerous transaction, but that's too annoying for most customers.

Here in Brazil it's common to ask for a new PIN for every transaction.

Mads
RE: Banks Test ID Device for Online Security
R.A. Hettinga wrote:
> Okay. So AOL and Banks are *selling* RSA keys??? Could someone explain this to me?
> No. Really. I'm serious...
> Cheers, RAH

The slashdot article title is really, really misleading. In both cases, this is SecurID.

Peter