At 11:26 PM -0500 8/14/04, Bruce Schneier wrote:
> Websites, Passwords, and Consumers
>
> Criminals follow the money. Today, more and more money is on the Internet. Millions of people manage their bank accounts, PayPal accounts, stock portfolios, or other payment accounts online. It's a tempting target: if a criminal can gain access to one of these accounts, he can steal money.
>
> And almost all these accounts are protected only by passwords.
>
> If you're reading this essay, you probably already know that passwords are insecure. In my book "Secrets and Lies" (way back in 2000), I wrote: "Over the past several decades, Moore's Law has made it possible to brute-force larger and larger entropy keys. At the same time, there is a maximum to the entropy that the average computer user (or even the above-average computer user) is willing to remember.... These two numbers have crossed; password crackers can now break anything that you can reasonably expect a user to memorize."
>
> On the Internet, password security is actually much better than that, because dictionary attacks work best offline. It's one thing to test every possible key on your own computer when you have the actual ciphertext, but it's a much slower process when you have to do it remotely across the Internet. And if the website is halfway clever, it'll shut down an account if there are too many -- 5?, 10? -- incorrect password attempts in a row. If you shut accounts down soon enough, you can even make four-digit PINs work on websites.
>
> This is why the criminals have taken to stealing passwords instead.
>
> Phishing is now a very popular attack, and it's amazingly effective. Think about how the attack works. You get an e-mail from your bank. It has a plausible message body, and contains a URL that looks like it's from your bank. You click on it and up pops your bank website. When asked for your username and password, you type it in. Okay, maybe you or I are aware enough not to type it in. But the average home banking customer doesn't stand a chance against this kind of social engineering attack.
>
> And in June 2004, a Trojan horse appeared that captured passwords. It looked like an image file, but it was actually an executable that installed an add-on to Internet Explorer. That add-on monitored and recorded outbound connections to the websites of several dozen major financial institutions and then sent usernames and passwords to a computer in Russia. Using SSL didn't help; the Trojan monitored keystrokes before they were encrypted.
>
> The computer security industry has several solutions that are better than passwords: secure tokens that provide one-time passwords, biometric readers, etc. But issuing hardware to millions of electronic banking customers is prohibitively expensive, both in initial cost and in customer support. And customers hate these systems. If you're a bank, the last thing you want to do is to annoy your customers.
>
> But having money stolen out of your account is even more annoying, and banks are increasingly fielding calls from customer victims. Even though the security problem has nothing to do with the bank, even though the customer is the one who made the security mistake, banks are having to make good on the customers' losses. It's one of the most important lessons of Internet security: sometimes your biggest security problems are ones that you have no control over.
>
> The problem is serious. In a May survey report, Gartner estimated that about 3 million Americans have fallen victim to phishing attacks. "Direct losses from identity theft fraud against phishing attack victims -- including new-account, checking account and credit card account fraud -- cost U.S. banks and credit card issuers about $1.2 billion last year" (in 2003). Keyboard sniffers and Trojans will help make this number even greater in 2004.
>
> Even if financial institutions reimburse customers, the inevitable result is that people will begin to distrust the Internet. The average Internet user doesn't understand security; he thinks that a gold lock icon in the lower-right-hand corner of his browser means that he's secure. If it doesn't -- and we all know that it doesn't -- he'll stop using Internet financial websites and applications.
>
> The solutions are not easy. The never-ending stream of Windows vulnerabilities limits the effectiveness of any customer-based software solution -- digital certificates, plug-ins, and so on -- and the ease with which malicious software can run on Windows limits the effectiveness of other solutions. Point solutions might force attackers to change tactics, but won't solve the underlying insecurities. Computer security is an arms race, and money creates very motivated attackers. Unsolved, this type of security problem can change the way people interact with the Internet. It'll prove that the naysayers were right all along, that the Internet isn't safe for electronic commerce.
>
> Phishing:
> <http://www.msnbc.msn.com/id/5184077/>
> <http://www.internetweek.com/e-business/showArticle.jhtml?articleID=22100149> or <http://tinyurl.com/54b4g>
>
> The Trojan:
> <http://news.com.com/Pop-up+program+reads+keystrokes%2C+steals+passwords/2100-7349_3-5251981.html> or <http://tinyurl.com/yqeoe>
> <http://www.pcworld.com/news/article/0%2Caid%2C116761%2C00.asp>
>
> A shorter version of this essay originally appeared in IEEE Security and Privacy:
> <http://csdl.computer.org/comp/mags/sp/2004/04/j4088abs.htm>
-- 
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
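The quoted essay argues that online guessing is far weaker than offline cracking because a site can lock an account after a handful of wrong attempts, enough to make even a four-digit PIN workable. The following is an added example, not code from Schneier's essay or from Hettinga's post, that makes that argument concrete: a server-side check with a consecutive-failure lockout, an online attacker who gets cut off, and an offline attacker who holds a stolen PIN digest and is never cut off. The sample PIN, the lockout threshold, the use of SHA-256 as the stored verifier and the attacker's guess order are all assumptions chosen for illustration.

```python
"""Per-account lockout versus online and offline PIN guessing.

Added example; not code from the quoted essay or the list post. It models
the essay's point that an online guesser who is cut off after a few wrong
tries cannot exhaust even a four-digit PIN space, while an offline
attacker holding the verifier can. The PIN, the lockout threshold, the
SHA-256 verifier and the attacker's guess order are assumptions.
"""
import hashlib
import hmac
import random

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]  # every four-digit PIN


class LockoutLogin:
    """Server-side PIN check that locks the account after N consecutive failures."""

    def __init__(self, pin: str, max_failures: int = 5) -> None:
        self._pin = pin.encode()
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.attempts = 0

    def try_login(self, guess: str) -> bool:
        self.attempts += 1
        if self.locked:
            # A locked account rejects everything, including the correct PIN,
            # so the attacker learns nothing further from continued guessing.
            return False
        if hmac.compare_digest(self._pin, guess.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def online_attack(pin: str, max_failures: int, seed: int = 0) -> tuple[bool, int]:
    """Guess PINs remotely in random order; stop on success or lockout.

    Returns (succeeded, number of attempts the server accepted).
    """
    order = PIN_SPACE[:]
    random.Random(seed).shuffle(order)
    account = LockoutLogin(pin, max_failures)
    for guess in order:
        if account.try_login(guess):
            return True, account.attempts
        if account.locked:
            return False, account.attempts
    return False, account.attempts


def pin_digest(pin: str) -> str:
    """The verifier an attacker might steal from a server storing hashed PINs (assumed SHA-256)."""
    return hashlib.sha256(pin.encode()).hexdigest()


def offline_attack(stolen_digest: str) -> tuple[bool, int]:
    """Brute-force a stolen PIN digest locally; no lockout applies.

    Returns (succeeded, number of guesses needed).
    """
    for n, guess in enumerate(PIN_SPACE, start=1):
        if pin_digest(guess) == stolen_digest:
            return True, n
    return False, len(PIN_SPACE)


def online_success_probability(max_failures: int, space_size: int = len(PIN_SPACE)) -> float:
    """Chance a single online campaign against one account succeeds before lockout."""
    return max_failures / space_size


if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN
    print("online :", online_attack(pin, max_failures=5))
    print("offline:", offline_attack(pin_digest(pin)))
    print("P(online success) =", online_success_probability(5))
```

With a five-failure lockout the online attacker gets at most five guesses against the 10,000-PIN space, a 0.05% chance per account, while the offline attacker walks the whole space and finds the PIN on guess 4,822. Two caveats a practitioner would add: a lockout policy also lets anyone who knows a username lock the legitimate owner out, and per-account lockout does nothing against an attacker who tries one common PIN across many accounts instead of many PINs against one. Neither changes the essay's conclusion that the cheaper path for criminals is to steal the credential rather than guess it.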