Perry,
You may well think that "You're completely wrong here," as you wrote.
However, a first evidence that I'm correct is that the online banking
system has /not/ collapsed under this attack (Dan's point) in many
years... even though bad guys do have access to large blocks of
different IP numbers, etc.
In any case, there are a large number of reasons US banks don't
(generally) require or even allow anyone to enter PINs for
authentication over the internet.
Wells Fargo allows PINs for user authentication. Passwords are
optional and PINs are used for password setting. This is just to name
one key US bank.
Further, when you wrote:
> I suspect that currently invalid accounts are probably even cheaper
> than valid ones
we all know that invalid accounts are of no use to attack, so this
issue is not relevant here.
But let me address your other points.
> I'm sure you will now go on about some other way to evade Dan's
> crucial point, but it should be obvious to almost anyone that you're
> not thinking like the bad guys. If you really want to go on about
> this, though, I'll let you have as much rope as you like, though
> only for a post or two as I don't want to bore people.
(don't worry, you never bore people)
Dan's question has to do with how to protect online access from
multiple tries on the account number for a given PIN. Of course, the
reverse (repeated use of the same account for different wrong PINs)
can easily trigger a block.
As I replied to Dan, a counter-measure is for the server to
selectively block IP numbers for the /same/ browser and /same/ PIN
after 4 or 3 wrong attempts.
You present a valid objection in that there are people hijacking huge
IP blocks for brief periods for spamming. People also hijack vast
numbers of zombie machines. Either technology is easily used to
prevent block-by-IP from doing squat for you, you wrote.
Not so fast. Block-by-IP is not that useless. Many anti-spam
blacklists use block-by-IP and it works. Further, if the PIN is held
constant (eg, a common PIN such as 1111) and the IP as well as the
browser identification are changed while different account numbers are
targeted, this pattern can trigger a block by that PIN that repeatedly
(3 or more times) causes an access error, for any IP number and
browser. Excessive errors/minute can also trigger inspection and blocks.
You can find many other ways to try to trick the system. For example,
you can space out the attacks and rotate the trivial PINs to reduce
suspicion -- but you will also reduce the number of tries per hour
that you can perform for each account.
What makes a good difference in preventing an attack as mentioned by
Dan is to /not/ allow weak passwords in the first place! But, because
this is not really possible with PIN systems (even with 6 digits), the
security designer can detect attack patterns and use them to trigger a
block even for an a priori unknown IP.
Cheers,
Ed Gerck
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]