Marsh Ray wrote:
You know that ATM cards are frauded all the time, right?
Indeed. However, what makes these - and many such attacks -
possible, is the fact that modern systems still rely on a
4-decade old scheme of authentication, based on shared
secrets - something I classified as Identity Protection
Factor (IPF) Level 2:
http://middleware.internet2.edu/idtrust/2008/papers/01-noor-ipf.pdf
Why wouldn't the phished customer be willing to authenticate with his
second factor as well as the first? Why couldn't the phisher be able to
forward that credential nearly as easily as a password?
With an authentication scheme based on SSL ClientAuth, that
relies on a digitally-signed nonce, while a MITM attack is
not infeasible, it is significantly more difficult to carry
out for credentials at IPF Level-6 (see IPF paper) or higher.
Dude, this is messed up.
You are entitled to your opinion, Marsh.
There are a couple of influential books you might consider reading:
http://en.wikipedia.org/wiki/Brave_New_World
http://en.wikipedia.org/wiki/Nineteen_Eighty-Four
However, I believe it is naive to bring up the "Orwellian
Society" as a "bugaboo" because of a concept that enables the
tracking of every legitimate, non-anonymous transaction through
strong authentication/digital-signatures. You are already
living in an Orwellian society whether you like it or not:
http://www.eff.org/issues/nsa-spying. Any assumption on your
part that you have any modicum of privacy on the internet, is
fallacious.
When a child goes to enroll at a preschool or kindergarten, proof of
residency and the date of birth can be provided to the school by
having the hospital of birth e-mail a digitally signed birth
certificate to the school admissions office (the guardian will
actually request it through an application on the hospital's site,
after authenticating him/herself with their own healthcare
credential, or their child's credential).
Is there really such a problem today with preschoolers being enrolled
with fake identities that it could possibly justify such an infrastructure?
The problem isn't about fake identities; it is about
improving archaic business processes through the use of
technology - and doing it securely, and across a sector,
in one fell swoop.
Most people – including security-conscious professionals – resort to
using similar passwords (or small set of passwords), or writing them
on a piece of paper for the multitude of credentials in their
possession. [...] access to sensitive information, which was
controlled in the past, is now a mere login-screen away to anyone in
the world with an Internet connection. This has given rise to new
forms of attacks – most notably, phishing and keystroke-loggers - to
siphon away credentials to valuable service accounts.
All this, to fix that?
When an entire system is breaking down, there are many
parts that need fixing; however, to stanch the problem, one
has to begin at the point where you can slow down the rate
of current compromises before you fix the problems inside.
The only solution is common sense and an adaptable, organic system which
recognizes the limitations of technology to address what are inherently
human problems. Maybe sometimes it is a little extra work to apply good
judgment rather than cranking the handle of some mechanistic rules
engine. But we certainly can do without creating a machine which
(literally) runs off the blood of newborn babies.
Notwithstanding the hyperbole (you do know that DNA can be
profiled based on spit), common sense is *always* necessary
at all times. However, events of the last decade have shown
that there is very little of it exercised everywhere.
The world's population is approaching 7 billion people, with
projections of 10-billion by 2050. The richest country in
the world (the USA) with a mere 300M people has a trillion-dollar
deficit, cannot fix roads, schools and is watching the
resurgence of polio, TB and lice (aside from antibiotic
resistant bacteria). Like it or not, solving problems for
the next century is going to require some very different kind
of thinking.
Arshad Noor
StrongAuth, Inc.
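As an added illustration of the point Arshad makes above about a signed nonce versus a shared secret (example code written for this page; it is not StrongAuth's code and not taken from the IPF paper), the program below models a challenge-response login where the server stores only public keys. Instead of the full TLS ClientAuth handshake, it assumes a simplified binding: the client signs the nonce together with a server identity string (a stand-in for the handshake transcript that TLS client authentication actually signs). It shows two properties a practitioner would want to check: a captured response cannot be replayed because the nonce is single-use, and a response signed while talking to a differently-named site does not verify at the genuine server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds registered client public keys and the nonces it has issued
// but not yet seen answered. Nothing in this table is a shared secret, so
// a dump of it does not let anyone log in.
type Server struct {
	ID      string // identity the client binds its signature to (assumed stand-in for the TLS transcript)
	clients map[string]*ecdsa.PublicKey
	pending map[string]bool // outstanding nonces, hex-encoded
}

func NewServer(id string) *Server {
	return &Server{ID: id, clients: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Register stores a user's public key at enrolment time.
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.clients[user] = pub }

// Challenge issues a fresh 256-bit nonce and remembers it as outstanding.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// digest is the value the client signs: SHA-256(nonce || serverID).
func digest(nonce []byte, serverID string) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write([]byte(serverID))
	return h.Sum(nil)
}

// Respond is the client side: sign the challenge, bound to the identity of
// the server the client believes it is talking to.
func Respond(priv *ecdsa.PrivateKey, nonce []byte, serverID string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(nonce, serverID))
}

// Verify consumes the nonce (single use) and checks the signature under the
// registered public key, using the server's own identity in the digest.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !s.pending[key] {
		return errors.New("unknown or already-used nonce")
	}
	delete(s.pending, key)
	pub, ok := s.clients[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ecdsa.VerifyASN1(pub, digest(nonce, s.ID), sig) {
		return errors.New("signature does not verify for this server")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := NewServer("bank.example") // constructed identity
	srv.Register("alice", &priv.PublicKey)

	nonce, _ := srv.Challenge()
	sig, _ := Respond(priv, nonce, srv.ID)
	fmt.Println("genuine login:", srv.Verify("alice", nonce, sig))   // <nil>
	fmt.Println("replayed login:", srv.Verify("alice", nonce, sig))  // nonce already used

	nonce2, _ := srv.Challenge()
	sig2, _ := Respond(priv, nonce2, "phish.example") // signed for a different identity
	fmt.Println("mis-bound login:", srv.Verify("alice", nonce2, sig2)) // does not verify
}
```

The replay check depends on the server forgetting a nonce the moment it is answered; the binding check depends on the client putting the identity it actually connected to into the signed digest, which is the part TLS client authentication gets from the handshake transcript rather than from an application-level string.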
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography