Re: The wisdom of the ill informed
On Jul 1, 2008, at 12:46 PM, Perry E. Metzger wrote:

> My experience with European banks is quite limited -- my consulting practice is pretty much US centric. My general understanding, however, is that they are doing better, not worse, with login security.

As a data point, the largest bank in Croatia used to mail customers pre-printed TAN lists. Some number of years ago, they switched to (non-SecurID) tokens which require a 4-digit PIN to turn on, and then provide two functions: a login OTP and a challenge/response system for authorizing individual transactions. Your username is simply the token's serial number, though it's not clear if these are in fact serial.

--
Ivan Krstić [EMAIL PROTECTED] | http://radian.org

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: The wisdom of the ill informed
Ivan Krstić [EMAIL PROTECTED] writes:

> On Jul 1, 2008, at 12:46 PM, Perry E. Metzger wrote:
>> My experience with European banks is quite limited -- my consulting practice is pretty much US centric. My general understanding, however, is that they are doing better, not worse, with login security.
>
> As a data point, the largest bank in Croatia used to mail customers pre-printed TAN lists. Some number of years ago, they switched to (non-SecurID) tokens which require a 4-digit PIN to turn on, and then provide two functions: a login OTP and a challenge/response system for authorizing individual transactions. Your username is simply the token's serial number, though it's not clear if these are in fact serial.

That is far, far better than the average US bank.

Perry
Re: The wisdom of the ill informed
On Jun 30, 2008, at 7:22 PM, Perry E. Metzger wrote:

> One of the most interesting things I find about most fields is the fact that people who are incompetent very often fancy themselves experts. There's a great study on this subject -- usually the least competent people are the ones that feel highly confident in their skills, while the people who aren't have more doubts. One sees this very phenomenon on this very list, and not infrequently.

Indeed:

http://en.wikipedia.org/wiki/Lake_Wobegon_effect
http://en.wikipedia.org/wiki/Dunning-Kruger_effect

How security non-experts screwed up security in systems like WEP and PPTP is no mystery to me. How, on the other hand, a real expert at _anything_ feels comfortable entering another hard technical field without screaming for assistance is something I don't get at all.

That a roomful of network experts designing 802.11 didn't hold hands and all together chant bring us a good cryptographer with such maniacal monophony as to rival any Gregorian choir makes me highly suspicious about their supposed expertise with _networks_.

--
Ivan Krstić [EMAIL PROTECTED] | http://radian.org
Re: The wisdom of the ill informed
On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:

> Ed, there is a reason no one in the US, not even Wells Fargo which you falsely cited, does what you suggest. None of them use 4 digit PINs, none of them use customer account numbers as account names. (It is possible SOMEONE out there does this, but I'm not aware of it.)

Many German savings banks use account numbers as account names (see, e.g., https://bankingportal.stadtsparkasse-kaiserslautern.de/banking/) http://www.stadtsparkasse-kaiserslautern.de ), as does, for example, the Saarländische Landesbank (https://banking.saarlb.de/cgi/anfang.cgi ). Most will not use 4-digit PINs, though.

> I understand some European banks even do stuff like mailing people cards with one time passwords.

Do you mean TANs (TransAction Numbers)? TANs are used to authorize transactions that could affect your account balance. So stealing the PIN will let you look at the balance, but will not let you steal money (through this channel). (Or maybe you knew all this already and I just missed the irony.)

Fun,

Stephan
Re: The wisdom of the ill informed
Stephan Neuhaus [EMAIL PROTECTED] writes:

> On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
>> Ed, there is a reason no one in the US, not even Wells Fargo which you falsely cited, does what you suggest. None of them use 4 digit PINs, none of them use customer account numbers as account names. (It is possible SOMEONE out there does this, but I'm not aware of it.)
>
> Many German savings banks use account numbers as account names (see, e.g., https://bankingportal.stadtsparkasse-kaiserslautern.de/banking/) http://www.stadtsparkasse-kaiserslautern.de ), as does, for example, the Saarländische Landesbank (https://banking.saarlb.de/cgi/anfang.cgi ). Most will not use 4-digit PINs, though.

And, Wells Fargo will let you use your PIN as part of a lost password procedure, although I believe they require a lot of other pieces of information at the same time like account number, online account name and SSN.

My experience with European banks is quite limited -- my consulting practice is pretty much US centric. My general understanding, however, is that they are doing better, not worse, with login security.

>> I understand some European banks even do stuff like mailing people cards with one time passwords.
>
> Do you mean TANs (TransAction Numbers)? TANs are used to authorize transactions that could affect your account balance. So stealing the PIN will let you look at the balance, but will not let you steal money (through this channel). (Or maybe you knew all this already and I just missed the irony.)

I knew part of it, but your additional information was worthwhile.

Perry
Re: The wisdom of the ill informed
[Moderator's note: I'll let Ed have the last word. I'm sure everyone knows what I'd say anyway. --Perry]

Perry E. Metzger wrote:

> Ed Gerck [EMAIL PROTECTED] writes:
>>> In any case, there are a large number of reasons US banks don't (generally) require or even allow anyone to enter PINs for authentication over the internet.
>>
>> Wells Fargo allows PINs for user authentication.
>
> No they don't.

Since you are not fully aware how Wells Fargo operates, let me clarify. What you say below is true for users entering the system /today/:

> The new users of their online system get a temporary password by phone or in the mail, and Wells Fargo requires that they change it on first log in. The temporaries expire after 30 days, too. They don't use their bank account numbers as account names, either. Where did you get the idea that they'd use 4-digit PINS from? It is totally false.

No. Any Wells Fargo user today that has an /older/ account (eg, opened in 2001), can login with their numeric PINs if that is how their online access was done then and they did not change it. So, even though WF /today/ does not accept /new/ users to use only numbers for their password, WF is happy to continue to accept /older/ rules, including accepting the PIN for online account login.

> (Anyone who doesn't believe me can just go through their web site -- it explains all of this to their customers.)

Their website today is what they use today. Older account users that have not changed their login can still use their PINs for login. I know one company that used way back when their numeric PIN for login, because that's what WF told them to do, and that just very recently changed to a safer password.

While it is good that WF has improved its rules, it would be better if they had made it compulsory for all users (not just newer) to renew their passwords when the rules started prohibiting using only numbers and /not/ requiring the PIN for first login.

I imagine that there are lots of sites out there that have likewise improved their front-end password acceptance rules but have not bothered to ask all their users to renew their passwords, and thus force compliance with newer, safer rules.

> The system you propose as safe isn't used by anyone that I'm aware of, and for good reason, too -- people who've done things like that have been successfully attacked.
>
> BTW, if anyone was this foolish, the fun you could have would be amazing. You could rent a botnet for a few bucks and lock out half the customer accounts on the site in a matter of hours. You could ruin banks at will. It would be great fun -- only it isn't possible. No one is stupid enough to set themselves up for that.

WF does that, still today, for their most valued customers -- their older customers. May our words be a good warning for them!

>>> I suspect that currently invalid accounts are probably even cheaper than valid ones
>>
>> we all know that invalid accounts are of no use to attack, so this issue is not relevant here.
>
> You would use the invalid accounts to reverse engineer the account number format so you don't have to do exhaustive search. Any practitioner in this field can tell you how useful intelligence like that would be. I suggest you consult one.

When you do the math, you will see that knowing a few hundred invalid accounts will not considerably reduce your search space for the comparison we are talking about. Remember, we are talking about 4-digit PINs that have a search space of 9,000 choices (before you complain about the count, note that all 0xxx combinations are usually not accepted as a valid PIN for registration) versus an account number that is a sparse space with 12-digits and that (by the sheer number of valid users) must have at least /millions/ of valid accounts.

> It is easy enough to blacklist all of the cable modems in the world for SMTP service. ISPs voluntarily list their cable modem and DSL blocks. It is a lot harder to explain to people that they can't do their at-home banking from home, though. With half the windows boxes in the world as part of botnets, and with dynamic address assignment, it is hard to know whose computer *wouldn't* be on the blacklists anyway...

Please check with actual banks. Bank users logging in from a static IP account are treated differently by the servers than users from a dynamic IP account. As they should.

The dialogue disconnect here is classical in cryptography, as we all have probably seen in practice. In the extreme, but not too uncommon position, a crypto guy cries for a better solution (which, more often than not, is either not usable or too expensive) while dismissing a number of perfectly valid but incomplete solutions that, when used together, could mount a good-enough (and affordable) defense. Many people have frequently made this point here, including yourself with EV certs.

Yes, blocking by IP is not a panacea, and may fail to block, but when it works it is mostly correct
Re: The wisdom of the ill informed
Allen wrote:

> Very. The (I hate to use this term for something so pathetic) password for the file is 6 (yes, six) numeric characters!
>
> My 6 year old K6-II can crack this in less than one minute as there are only 1.11*10^6 possible.

Not so fast. Bank PINs are usually just 4 numeric characters long and yet they are considered /safe/ even for web access to the account (where a physical card is not required).

Why? Because after 4 tries the access is blocked for your IP number (in some cases after 3 tries). The question is not only how many combinations you have but also how much time you need to try enough combinations so that you can succeed.

I'm not defending the designers of that email system, as I do not know any specifics -- I'm just pointing out that what you mention is not necessarily a problem and may be even safer than secure online banking today.

Cheers,
Ed Gerck
Re: The wisdom of the ill informed
Arshad Noor wrote:

> While programmers or business-people could be ill-informed, Allen, I think the greater danger is that IT auditors do not know enough about cryptography, and consequently pass unsafe business processes and/or software as being secure.

Committees of experts regularly get cryptography wrong - consider, for example the Wifi debacle. Each wifi release contains classic and infamous errors - for example WPA-Personal is subject to offline dictionary attack.

One would have thought that after the first disaster they would have hired someone who could do it right, but as Ian long ago pointed out, in the market for silver bullets, they are unable to tell who can do it right. The only people who know who the real experts are, are the real experts. If you knew who to hire, you could do it yourself, and probably should do it yourself. So they hire expert salesmen, not cryptography experts.
Re: The wisdom of the ill informed
Arshad Noor wrote:

> While programmers or business-people could be ill-informed, Allen, I think the greater danger is that IT auditors do not know enough about cryptography, and consequently pass unsafe business processes and/or software as being secure.
>
> This is the reason why we in the OASIS Enterprise Key Management Infrastructure Technical Committee have made educating IT Auditors and providing them guidelines on how to audit symmetric key-management infrastructures, one of the four (4) primary goals of the TC.
>
> While the technology is well understood by most people on this forum, until we educate the gate-keepers, we have failed in our jobs to secure IT infrastructure.

Yep. It seems like we've had a bit of this conversation recently, haven't we? ;-)

And it is not just the gatekeepers, but also the users who need education. We know that we will not have enough gatekeepers to watch all users and uses.

Given this, the real question is, /Quis custodiet ipsos custodes?/ (Given as either Who will watch the watchers themselves? or Who will guard the guardians? from Juvenal.)

Here we have the perfect examples of the conundrum in No Such Agency or the Company, who evade oversight or it is so obfuscated that the watchers at the political level either don't know what is really going on or they are complicit. Funny how something as off the main track of society as cryptography still reflects the identical problems of the greater whole, isn't it?

I also argue that badly structured protocol requirements that potentially obfuscate what is going on is a serious issue as well. Then too, there is documentation that does not get down to the bare metal, so to speak, so that those who are not skilled at reading code, and its implications, can understand what is going on. The Romans knew that and made it law: /Quod non est in actis, non est in mundo./ (What is not in the documents does not exist)

All of this requires team thinking so that everyone who is looking at the issues involved, no matter from what direction, creator, auditor or end user, gets it.

Allen

> Arshad Noor
> StrongAuth, Inc.
>
> Allen wrote:
>> Hi gang,
>>
>> All quiet on the cryptography front lately, I see. However, that does not prevent practices that *appear* like protection but are not even as strong as wet toilet paper.
>>
>> I had to order a medical device today and they need a signed authorization for payment by my insurance carrier. No biggie. So they ask how I want it sent to me and I said via e-mail. Okay. /Then/ they said it was an encrypted file and I thought, cool. How wrong could I be?
>>
>> Very. The (I hate to use this term for something so pathetic) password for the file is 6 (yes, six) numeric characters!
>>
>> My 6 year old K6-II can crack this in less than one minute as there are only 1.11*10^6 possible.
Re: The wisdom of the ill informed
James A. Donald wrote:

> Committees of experts regularly get cryptography wrong - consider, for example the Wifi debacle. Each wifi release contains classic and infamous errors - for example WPA-Personal is subject to offline dictionary attack.
>
> One would have thought that after the first disaster they would have hired someone who could do it right, but as Ian long ago pointed out, in the market for silver bullets, they are unable to tell who can do it right. The only people who know who the real experts are, are the real experts. If you knew who to hire, you could do it yourself, and probably should do it yourself. So they hire expert salesmen, not cryptography experts.

the other scenario was that the cryptography part was done from such a myopic standpoint ... that they failed to consider the end-to-end infrastructure.

I've repeatedly heard excuses that the cryptographers in the wifi debacle believed that they could only design a solution based on significant hardware restrictions/constraints.

part of what i observed ... by the time any of them shipped ... the hardware restrictions/constraints no longer existed.

the other thing that i observed was that with relatively trivial knowledge about chips ... it was possible to come up with an integrated solution that incorporated both the necessary hardware and the necessary cryptography ...

there has got to be some analogy here someplace about the blind trying to describe an elephant; in addition to the point solution analogy, failing to take in the overall infrastructure.

i've repeatedly claimed that we did that in the AADS chip strawman solution
http://www.garlic.com/~lynn/x959.html#aads

that including addressing all the issues that showed up in scenarios like with the yes cards
http://www.garlic.com/~lynn/subintegrity.html#yescards
Re: The wisdom of the ill informed
On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:

> Given this, the real question is, /Quis custodiet ipsos custodes?/

Putting aside the fact that cryptographers aren't custodians of anything, it's all about social institutions.

There are well-attended conferences, papers published online and in many journals, etcetera. So it's not so difficult for people who don't know anything about security and crypto to eventually figure out who does, in the process also learning who else knows who the experts are.

For example, in the IETF there's an institutional structure that makes finding out who to ask relatively simple. Large corporations tend to have some experts in house, even if they are only expert in finding the real experts.

We (society) have new experts joining the field, with very low barriers to entry (financial and political barriers to entry are minimal -- it's all about brain power), and diversity amongst the existing experts. There's no major personal gain to be had, besides fame, and too much diversity and openness for anyone to have a prayer of manipulating the field undetected for too long.

When it comes to expertise in crypto, Quis custodiet ipsos custodes seems like a relatively simple problem. I'm sure it's much, much more difficult a problem for, say, police departments, financial organizations, intelligence organizations, etc...

Nico
--
Re: The wisdom of the ill informed
Ed Gerck writes:
-+--
 | ...
 | Not so fast. Bank PINs are usually just 4 numeric characters long and
 | yet they are considered /safe/ even for web access to the account
 | (where a physical card is not required).
 |
 | Why? Because after 4 tries the access is blocked for your IP number
 | (in some cases after 3 tries).
 | ...

So I hold the PIN constant and vary the bank account number.

--dan
Re: The wisdom of the ill informed
[EMAIL PROTECTED] wrote:

> Ed Gerck writes:
> -+--
>  | ...
>  | Not so fast. Bank PINs are usually just 4 numeric characters long and
>  | yet they are considered /safe/ even for web access to the account
>  | (where a physical card is not required).
>  |
>  | Why? Because after 4 tries the access is blocked for your IP number
>  | (in some cases after 3 tries).
>  | ...
>
> So I hold the PIN constant and vary the bank account number.

Dan,

This is, indeed, a possible attack considering that the same IP may be legitimately used by different users behind NAT firewalls and/or with dynamic IPs. However, there are a number of reasons, and evidence, why this attack can be (and has been) prevented even for a short PIN:

1. there is a much higher number of combinations in a 12-digit account number;

2. banks are able to selectively block IP numbers for the /same/ browser and /same/ PIN after 4 or 3 wrong attempts, with a small false detection probability for other users of the same IP (who are not blocked). I know one online system that has been using such method for protecting webmail accounts, with several attacks logged but no compromise and no false detection complaints in 4 years.

3. some banks reported that in order to satisfy FFIEC requirements for two-factor authentication, but without requiring the customer to use anything else (eg, a dongle or a battle ship map), they were detecting the IP, browser information and use patterns as part of the authentication procedure. This directly enables #2 above.

I also note that the security problem with short PINs is not much different than that with passwords, as users notoriously choose passwords that are easy to guess. However, an online system that is not controlled by the attacker is able to likewise prevent multiple password tries, or multiple account tries for the same password.

Cheers,
Ed Gerck
Re: The wisdom of the ill informed
Nicolas Williams wrote:

> On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
>> Given this, the real question is, /Quis custodiet ipsos custodes?/
>
> Putting aside the fact that cryptographers aren't custodians of anything, it's all about social institutions.

Well, I wouldn't say they aren't custodians. Perhaps not in the sense that the word is commonly used, but most certainly in the sense custodians of the wisdom used to make the choices. This is exemplified by Bruce Schneier, an acknowledged expert, changing his mind about the way to do security from encrypt everything to monitor everything. Yes, I have simplified his stance, but just to make the point that even experts learn and change over time.

> There are well-attended conferences, papers published online and in many journals, etcetera. So it's not so difficult for people who don't know anything about security and crypto to eventually figure out who does, in the process also learning who else knows who the experts are.

Actually I think it is just about as difficult to tell who is a trustworthy expert in the field of cryptography as it is in any field of science or medicine. Just look at the junk science and medical studies. One retrospective study of 90+ clinical trials found that over 600 potentially important reactions to the drugs occurred but only 39 were reported in the papers. I suspect if we did the same sort of retrospective study for cryptography we would find some similar issues, just, perhaps, not as large because there is not as much money to be made with junk cryptography as junk pharmaceuticals.

> For example, in the IETF there's an institutional structure that makes finding out who to ask relatively simple. Large corporations tend to have some experts in house, even if they are only expert in finding the real experts.
>
> We (society) have new experts joining the field, with very low barriers to entry (financial and political barriers to entry are minimal -- it's all about brain power), and diversity amongst the existing experts. There's no major personal gain to be had, besides fame, and too much diversity and openness for anyone to have a prayer of manipulating the field undetected for too long.

I'm curious, how does software get sold for so long that is clearly weak or broken? Detected, yes, but still sold like Windows LANMAN backward compatibility.

> When it comes to expertise in crypto, Quis custodiet ipsos custodes seems like a relatively simple problem. I'm sure it's much, much more difficult a problem for, say, police departments, financial organizations, intelligence organizations, etc...

Well, Nico, this is where I diverge from your view. It is the police departments, financial organizations, intelligence organizations, etc... who deploy the cryptography. Why should they be able to do that any better than they do anything else? I suspect that a weakness in oversight in one area is likely to reflect a weakness in others as well. Not total failure, just not done the best possible.

Best,

Allen
Re: The wisdom of the ill informed
On Mon, Jun 30, 2008 at 11:47:54AM -0700, Allen wrote:

> Nicolas Williams wrote:
>> On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
>>> Given this, the real question is, /Quis custodiet ipsos custodes?/
>>
>> Putting aside the fact that cryptographers aren't custodians of anything, it's all about social institutions.
>
> Well, I wouldn't say they aren't custodians. Perhaps not in the sense that the word is commonly used, but most certainly in the sense custodians of the wisdom used to make the choices. This is exemplified by Bruce Schneier, an acknowledged expert, changing his mind about the way to do security from encrypt everything to monitor everything. Yes, I have simplified his stance, but just to make the point that even experts learn and change over time.

What does that have to do with anything? Expert != knowledge cast in stone.

>> There are well-attended conferences, papers published online and in many journals, etcetera. So it's not so difficult for people who don't know anything about security and crypto to eventually figure out who does, in the process also learning who else knows who the experts are.
>
> Actually I think it is just about as difficult to tell who is a trustworthy expert in the field of cryptography as it is in any field of science or medicine. Just look at the junk science and medical studies. One retrospective study of 90+ clinical trials found that over 600 potentially important reactions to the drugs occurred but only 39 were reported in the papers. I suspect if we did the same sort of retrospective study for cryptography we would find some similar issues, just, perhaps, not as large because there is not as much money to be made with junk cryptography as junk pharmaceuticals.

The above does not really refute what I wrote. It takes effort to figure out who's an expert. But I believe that the situation w.r.t. crypto is similar to that in science (cold fusion frauds were identified rather quickly, were they not?) and better than in medicine (precisely because there is not much commercial incentive to fraud here; there is incentive for intelligence organizations to interfere, I suppose, but here the risk of getting caught is high and the potential cost of getting caught high as well).

> I'm curious, how does software get sold for so long that is clearly weak or broken? Detected, yes, but still sold like Windows LANMAN backward compatibility.

I thought we were talking about cryptographers, not marketing departments, market dynamics, ... If you want to include the latter in custodes then there is a clear custody hierarchy: the community of experts in the field is above individual implementors. Thus we have reports of snake oil on this list, on various blogs, etc...

So we're back to quis custodiet ipsos custodes? Excluding marketing here is the right thing to do (see above). Which brings us back to my answer.

>> When it comes to expertise in crypto, Quis custodiet ipsos custodes seems like a relatively simple problem. I'm sure it's much, much more difficult a problem for, say, police departments, financial organizations, intelligence organizations, etc...
>
> Well, Nico, this is where I diverge from your view. It is the police departments, financial organizations, intelligence organizations, etc... who deploy the cryptography. Why should they

In my experience market realities have much more to do with what gets deployed than the current state of the art does; never mind who the experts are. We'd love to deploy technology X, but in our heterogeneous network only one quarter of the vendors support X, and only if we upgrade large number systems, which requires QA testing, which... -- surely you've run into that sort of situation, amongst others.

Legacy, broken code dwarfs snake oil in terms of deployment; legacy != snake oil -- we're allowed to learn, as you yourself point out.

Nico
--
Re: The wisdom of the ill informed
Allen wrote:

> During the transmission from an ATM machine 4 numeric characters are probably safe because the machines use dedicated dry pair phone lines for the most part, as I understand the system. This, combined with triple DES, makes it very difficult to compromise or do a MIM attack because one can not just tap into the lines remotely.

We are in agreement. Even short PINs could be safe in a bank-side authenticated (no MITM) SSL connection with 128-bit encryption. What's also needed is to block multiple attempts after 3 or 4 tries, in both the ATM and the SSL online scenarios.

Cheers,
Ed Gerck
Re: The wisdom of the ill informed
James A. Donald [EMAIL PROTECTED] writes:

> Arshad Noor wrote:
>> While programmers or business-people could be ill-informed, Allen, I think the greater danger is that IT auditors do not know enough about cryptography, and consequently pass unsafe business processes and/or software as being secure.
>
> Committees of experts regularly get cryptography wrong - consider, for example the Wifi debacle. Each wifi release contains classic and infamous errors - for example WPA-Personal is subject to offline dictionary attack.

The initial WEP design was done without cryptography experts. The design of subsequent generations of WiFi security was designed in the face of backward compatibility constraints that severely limited the space of possible designs.

I would claim that this is not an example of crypto experts getting it wrong at all -- it is, in fact, an example of what can go wrong when people who don't know what they're doing design cryptography into something that's very widely deployed.

Perry
Re: The wisdom of the ill informed
Ed Gerck [EMAIL PROTECTED] writes: [EMAIL PROTECTED] wrote: So I hold the PIN constant and vary the bank account number. This is, indeed, a possible attack considering that the same IP may be legitimately used by different users behind NAT firewalls and/or with dynamic IPs. However, there are a number of reasons, and evidence, why this attack can be (and has been) prevented even for a short PIN: You're completely wrong here. Lets go through just two of the ways. 1. there is a much higher number of combinations in a 12-digit account number; There is a lot of structure in most bank account numbers. The space is pretty easy to narrow down if you do a nickel's worth of homework. For example, a typical bank bank might have the first three digits code for the branch (and a list of branches is easy to find), and several of the additional numbers code for account type, plus the space of remaining numbers is not exactly randomly assigned. If you need typical account numbers to examine to learn such secrets, you can buy them in bulk online these days. I suspect that currently invalid accounts are probably even cheaper than valid ones, though they're not a stock item -- you would have to ask to get them. 2. banks are able to selectively block IP numbers for the /same/ browser and /same/ PIN after 4 or 3 wrong attempts, Not really. These days, there are people hijacking huge IP blocks for brief periods for spamming. People also hijack vast numbers of zombie machines. Either technology is easily used to prevent block-by-IP from doing squat for you. I'm sure you will now go on about some other way to evade Dan's crucial point, but it should be obvious to almost anyone that you're not thinking like the bad guys. If you really want to go on about this, though, I'll let you have as much rope as you like, though only for a post or two as I don't want to bore people. 
In any case, there are a large number of reasons US banks don't (generally) require or even allow anyone to enter PINs for authentication over the internet. I don't know much about the practices of foreign banks, as for the most part I consult in the US.

Perry
--
Perry E. Metzger [EMAIL PROTECTED]
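The point made in the message above, that per-IP blocking never sees one PIN tried once against many accounts from many addresses, shown as detection logic over a constructed log. This is an added example, not part of the original message; the log layout, the key, the thresholds and the function names are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: server-side secret used to tag guesses
PER_IP_LIMIT = 3               # "4 or 3 wrong attempts" per IP, as in the thread
SPRAY_LIMIT = 5                # assumption: distinct accounts failing with one guess

def tag(pin):
    """Keyed digest of a submitted PIN, so the log never holds the PIN itself."""
    return hmac.new(KEY, pin.encode(), hashlib.sha256).hexdigest()[:16]

def constructed_log():
    """Constructed sample: (minute, source IP, account, submitted PIN, success)."""
    events = []
    # One guess tried once against 8 accounts, each from a different address.
    for i in range(8):
        events.append((i, f"198.51.100.{i + 1}", f"0421000{i:05d}", "4821", False))
    # A legitimate customer mistyping twice, then succeeding, from one address.
    events += [(3, "203.0.113.7", "042100099999", "1111", False),
               (4, "203.0.113.7", "042100099999", "1112", False),
               (5, "203.0.113.7", "042100099999", "7390", True)]
    return events

def per_ip_blocks(events):
    """The control discussed in the thread: count failures per source IP."""
    fails = defaultdict(int)
    for _, ip, _, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= PER_IP_LIMIT}

def spray_alerts(events, window=60):
    """Flag any guess that failed against many distinct accounts within the window."""
    seen = defaultdict(list)  # tag -> [(minute, account)]
    alerts = {}
    for minute, _, account, pin, ok in sorted(events):
        if ok:
            continue
        t = tag(pin)
        # Drop entries older than the window, then record this failure.
        seen[t] = [(m, a) for m, a in seen[t] if minute - m < window] + [(minute, account)]
        accounts = {a for _, a in seen[t]}
        if len(accounts) >= SPRAY_LIMIT:
            alerts[t] = accounts
    return alerts
```

With only 10^4 four-digit PINs, popular values will also fail across unrelated customers, so the threshold needs a baseline from normal traffic. The tag log is as sensitive as the PINs themselves to anyone holding the key.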
Re: The wisdom of the ill informed
Allen [EMAIL PROTECTED] writes:
>> There are well-attended conferences, papers published online and in many journals, etcetera. So it's not so difficult for people who don't know anything about security and crypto to eventually figure out who does, in the process also learning who else knows who the experts are.
>
> Actually I think it is just about as difficult to tell who is a trustworthy expert in the field of cryptography as it is in any field of science or medicine.

Indeed. In fact, one even finds many people who post to public mailing lists who know less than they should.

However, it is reasonably straightforward to figure out who knows what in a given field. Things like citation indexes, journal impact factors and such make a number of these things reasonably easy even for the outsider, provided that outsider knows what they're doing. One can also go through the expedient of finding what a substantial number of practitioners think. If most have one opinion, and one or two who don't seem terribly sane have a very different one, you know who's who.

One of the most interesting things I find about most fields is the fact that people who are incompetent very often fancy themselves experts. There's a great study on this subject -- usually the least competent people are the ones that feel highly confident in their skills, while the people who aren't have more doubts. One sees this very phenomenon on this very list, and not infrequently.

Perry
Re: The wisdom of the ill informed
[Moderator's note: Top posting considered uncool. --Perry]

While programmers or business-people could be ill-informed, Allen, I think the greater danger is that IT auditors do not know enough about cryptography, and consequently pass unsafe business processes and/or software as being secure.

This is the reason why we in the OASIS Enterprise Key Management Infrastructure Technical Committee have made educating IT Auditors and providing them guidelines on how to audit symmetric key-management infrastructures, one of the four (4) primary goals of the TC.

While the technology is well understood by most people on this forum, until we educate the gate-keepers, we have failed in our jobs to secure IT infrastructure.

Arshad Noor
StrongAuth, Inc.

Allen wrote:
> Hi gang,
>
> All quiet on the cryptography front lately, I see. However, that does not prevent practices that *appear* like protection but are not even as strong as wet toilet paper.
>
> I had to order a medical device today and they need a signed authorization for payment by my insurance carrier. No biggie. So they ask how I want it sent to me and I said via e-mail. Okay. /Then/ they said it was an encrypted file and I thought, cool. How wrong could I be? Very.
>
> The (I hate to use this term for something so pathetic) password for the file is 6 (yes, six) numeric characters! My 6 year old K6-II can crack this in less than one minute as there are only 1.11*10^6 possible.