Re: Banks Test ID Device for Online Security

2005-01-06 Thread Anne Lynn Wheeler
Bill Stewart wrote:
> Yup.  It's the little keychain frob that gives you a string of numbers,
> updated every 30 seconds or so, which stays roughly in sync with a server,
> so you can use them as one-time passwords
> instead of storing a password that's good for a long term.
> So if the phisher cons you into handing over your information,
> they've got to rip you off in nearly-real-time with a MITM game
> instead of getting a password they can reuse, sell, etc.
> That's still a serious risk for a bank,
> since the scammer can use it to log in to the web site
> and then do a bunch of transactions quickly;
> it's less vulnerable if the bank insists on a new SecurID hit for
> every dangerous transaction, but that's too annoying for most customers.
in general, it is something you have authentication as opposed to the 
common shared-secret something you know authentication.

while a window of vulnerability does exist (supposedly something that 
proves you are in possession of something you have), it is orders of 
magnitude smaller than the shared-secret something you know 
authentication.

there are two scenarios for shared-secret something you know 
authentication

1) a single shared-secret used across all security domains ... a 
compromise of the shared-secret has a very wide window of vulnerability 
plus a potentially very large scope of vulnerability

2) a unique shared-secret for each security domain ... which helps limit 
the scope of a shared-secret compromise. this potentially worked with 
one or two security domains ... but with the proliferation of the 
electronic world ... it is possible to have scores of security domains, 
resulting in scores of unique shared-secrets. scores of unique 
shared-secrets typically exceed human memory capacity, with the 
result that all shared-secrets are recorded someplace; which in turn 
becomes a new exploit/vulnerability point.

various financial shared-secret exploits are attractive because with 
modest effort it may be possible to harvest tens of thousands of 
shared-secrets.

one-at-a-time, real-time social engineering may take comparable 
effort ... but only yields a single piece of authentication material 
with a very narrow time-window and the fraud ROI might be several orders 
of magnitude less. It may appear to still be a large risk to individuals 
... but for a financial institution, it may be a relatively small risk to 
cover the situation ... compared to a criminal being able to compromise 
50,000 accounts with comparable effort.

In some presentation there was the comment made that the only thing that 
they really needed to do is make it more attractive for the criminals to 
attack somebody else.

It would be preferable to have a something you have authentication 
resulting in a unique value ... every time the device was used. Then no 
amount of social engineering could result in getting the victim to give 
up information that results in compromise. However, even with a relatively 
narrow window of vulnerability ... it still could reduce risk/fraud to 
financial institutions by several orders of magnitude (compared to 
existing prevalent shared-secret something you know authentication 
paradigms).

old standby posting about security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
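An added illustration of the two points above (the time-synced keychain Bill describes, and Lynn's observation that the window of vulnerability is narrow and that a unique value per use would close it). This is not code from either poster, from the list, or from RSA's SecurID product; it uses the public HMAC-based one-time-password construction (RFC 4226 / RFC 6238 style) with a constructed seed and constructed timestamps, and the verifier's drift window and single-use high-water mark are design choices assumed here, not a description of any bank's server:

```python
import hashlib
import hmac
import struct

DIGITS = 6      # digits shown on the display
STEP = 30       # seconds per code, as in the description above


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over a 64-bit counter, dynamically truncated to decimal
    digits (the RFC 4226 construction; its published test vectors apply)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """The number on the keychain display at a given time."""
    return hotp(secret, unix_time // step)


class TokenVerifier:
    """Server side of a time-synced token.

    `drift` is how many steps of clock skew are tolerated in each direction;
    `last_counter` is a high-water mark that makes every code single-use, so
    a code that was already accepted cannot be replayed even while it is
    still inside the drift window."""

    def __init__(self, secret: bytes, step: int = STEP, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue  # already consumed, or older than something consumed
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def phishing_scenario() -> dict:
    """Walk through the thread's scenario with a constructed seed and clock:
    the customer is tricked into revealing the code currently displayed."""
    seed = b"constructed-demo-seed-not-a-real-token"   # constructed
    t0 = 1_000_020                       # constructed timestamp (start of a step)
    captured = totp(seed, t0)            # the code the phisher obtained

    results = {}
    # Case A: the victim logs in first; the same code is replayed seconds later.
    bank = TokenVerifier(seed)
    results["victim_login"] = bank.verify(captured, t0)
    results["replay_after_use"] = bank.verify(captured, t0 + 5)

    # Case B: the victim never uses it; the code is used inside the drift window...
    bank = TokenVerifier(seed)
    results["attacker_within_window"] = bank.verify(captured, t0 + 20)
    # ...versus the same code presented a couple of minutes later.
    bank = TokenVerifier(seed)
    results["attacker_after_window"] = bank.verify(captured, t0 + 120)
    return results


if __name__ == "__main__":
    for name, accepted in phishing_scenario().items():
        print(f"{name:>24}: {'accepted' if accepted else 'rejected'}")
```

Case B is the "nearly-real-time MITM game" from the quoted text: the only exposure is the minute or so around the capture, and only if the customer has not yet used that code. Widening `drift` for convenience widens that window proportionally, which is the trade-off a bank is actually choosing when it tunes a token server.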


Re: Banks Test ID Device for Online Security

2005-01-06 Thread Anne Lynn Wheeler
oh, and this is old discussion of a unit that has been in use in europe 
... it basically is very inexpensive calculator with 7816 contacts that 
you can slip a smartcard into. it is used in a challenge/response 
scenario, a numeric keypad is used to enter the challenge, which is
passed to the smartcard, which does something and the response is 
displayed. the person enters the displayed response.
http://www.garlic.com/~lynn/2001g.html#57 Q: Internet banking

works with anything that can present a challenge and has a numeric 
keypad for the response (even works over telephone with VRU).

note that in any online scenario ... the server-side can do security 
proportional to risk by making a decision to ask or not ask for 
additional inputs. possible scenario is bill pay in home banking, use
authentication for initial access and then if total transactions exceed 
some value ... ask for additional authentication input (trading off 
convenience and risk, in online scenario it doesn't need to be all just 
one way or another way, there is some amount of latitude for adaptive 
implementation).

Note that the additional authentication input can also be used for 
interpreting the (human specific) input as evidence of approval for the 
transaction(s) as opposed to simply authentication.

other pieces of the previous mentioned thread on security proportional 
to risk:
http://www.garlic.com/~lynn/aepay7.htm#netbank net banking, is it safe?? 
... power to the consumer
http://www.garlic.com/~lynn/aepay7.htm#netbank2 net banking, is it 
safe?? ... security proportional to risk
http://www.garlic.com/~lynn/2001g.html#57 Q: Internet banking
http://www.garlic.com/~lynn/2001h.html#53 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#58 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#61 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#62 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#64 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#68 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#70 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#75 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#9 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#10 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#16 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#25 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#35 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#36 Net banking, is it safe???

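An added example, not from Lynn's posts and not any actual bank's or card vendor's code, modelling the smartcard calculator above together with the server-side "ask for additional input only when the risk warrants it" policy. The card's computation is assumed to be a keyed MAC truncated to decimal digits (real cards use their own algorithms); the card key, the step-up threshold and the nonces are constructed. The payment challenge embeds the amount, so the typed response is also evidence that the customer approved that specific payment, as Lynn's last paragraph describes:

```python
import hashlib
import hmac
import secrets

CARD_KEY = b"constructed demo card key"  # constructed: per-card secret the bank also holds


def card_response(card_key: bytes, challenge: str, digits: int = 8) -> str:
    """What the card in the calculator computes: a keyed MAC over the typed
    challenge, reduced to a decimal number the customer can read and type."""
    mac = hmac.new(card_key, challenge.encode("ascii"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class BankServer:
    """Security proportional to risk: one challenge/response at login, and
    once the session's cumulative payments exceed STEP_UP_LIMIT each further
    payment needs another response over a challenge that embeds the amount."""

    STEP_UP_LIMIT = 1000  # constructed threshold, whole currency units

    def __init__(self, card_key: bytes, nonce_fn=lambda: secrets.randbelow(10 ** 8)):
        self.card_key = card_key
        self.nonce_fn = nonce_fn          # injectable so the demo is repeatable
        self.authenticated = False
        self.total_paid = 0
        self.outstanding = {}             # challenge -> amount it approves (None = login)

    def _issue(self, prefix: str, amount):
        challenge = f"{prefix}{self.nonce_fn():08d}"   # 16 digits: fits a numeric keypad
        self.outstanding[challenge] = amount
        return challenge

    def _check(self, challenge: str, response: str) -> bool:
        if challenge not in self.outstanding:
            return False                  # unknown or already consumed
        expected = card_response(self.card_key, challenge)
        if not hmac.compare_digest(expected, response):
            return False                  # a real server would also cap failed tries
        del self.outstanding[challenge]   # single use once accepted
        return True

    def login_challenge(self) -> str:
        return self._issue("00000000", None)

    def login(self, challenge: str, response: str) -> bool:
        ok = self._check(challenge, response)
        if ok:
            self.authenticated = True
        return ok

    def pay(self, amount: int):
        """Returns (status, challenge); challenge is set only when step-up is needed."""
        if not self.authenticated or amount <= 0:
            return ("denied", None)
        if self.total_paid + amount <= self.STEP_UP_LIMIT:
            self.total_paid += amount
            return ("accepted", None)
        return ("step_up", self._issue(f"{amount:08d}", amount))

    def approve(self, challenge: str, response: str) -> str:
        amount = self.outstanding.get(challenge)
        if amount is None or not self._check(challenge, response):
            return "denied"
        self.total_paid += amount
        return "accepted"


def demo() -> dict:
    """Constructed session; nonces come from a counter so the run is deterministic."""
    counter = iter(range(1, 10 ** 6))
    bank = BankServer(CARD_KEY, nonce_fn=lambda: next(counter))
    out = {}
    out["pay_before_login"] = bank.pay(100)[0]
    ch = bank.login_challenge()
    out["login"] = bank.login(ch, card_response(CARD_KEY, ch))
    out["login_replay"] = bank.login(ch, card_response(CARD_KEY, ch))
    out["pay_400"] = bank.pay(400)[0]
    out["pay_500"] = bank.pay(500)[0]
    status, ch2 = bank.pay(800)          # 900 + 800 crosses the limit
    out["pay_800"] = status
    # A response computed over a tampered amount (8 instead of 800) cannot approve this one.
    tampered = f"{8:08d}{ch2[8:]}"
    out["approve_tampered"] = bank.approve(ch2, card_response(CARD_KEY, tampered))
    out["approve_genuine"] = bank.approve(ch2, card_response(CARD_KEY, ch2))
    out["approve_replay"] = bank.approve(ch2, card_response(CARD_KEY, ch2))
    out["total_paid"] = bank.total_paid
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:>18}: {result}")
```

Because the challenge digits include the amount, a response obtained for one payment is useless for a different one, and because each challenge is consumed on acceptance, a captured response cannot be replayed; the threshold is the knob that trades convenience against risk, exactly the latitude for adaptive implementation mentioned above.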


RE: Banks Test ID Device for Online Security

2005-01-05 Thread Bill Stewart

R.A. Hettinga wrote:
> Okay. So AOL and Banks are *selling* RSA keys???
> Could someone explain this to me?
At 12:24 PM 1/4/2005, Trei, Peter wrote:
> The slashdot article title is really, really misleading.
> In both cases, this is SecurID.
Yup.  It's the little keychain frob that gives you a string of numbers,
updated every 30 seconds or so, which stays roughly in sync with a server,
so you can use them as one-time passwords
instead of storing a password that's good for a long term.
So if the phisher cons you into handing over your information,
they've got to rip you off in nearly-real-time with a MITM game
instead of getting a password they can reuse, sell, etc.
That's still a serious risk for a bank,
since the scammer can use it to log in to the web site
and then do a bunch of transactions quickly;
it's less vulnerable if the bank insists on a new SecurID hit for
every dangerous transaction, but that's too annoying for most customers.



Bill Stewart  [EMAIL PROTECTED] 



Re: Banks Test ID Device for Online Security

2005-01-05 Thread Janusz A. Urbanowicz
On Tue, Jan 04, 2005 at 03:24:56PM -0500, Trei, Peter wrote:
 R.A. Hettinga wrote:
 
  Okay. So AOL and Banks are *selling* RSA keys???
  Could someone explain this to me?
  No. Really. I'm serious...
  
  Cheers,
  RAH
  
 
 The slashdot article title is really, really misleading.
 In both cases, this is SecurID.

In some cases this also may be VASCO DigiPass, which is a system very similar
to SecurID, only cheaper. This technology seems to be quite popular in
Europe, as a couple of banks in Poland routinely issue tokens, both VASCO and
SecurID, to their customers for online authorization, and the tokens are used
both in password generation (as described in the article) and challenge-response
modes.

Alex
-- 
mors ab alto 
0x46399138



Re: Banks Test ID Device for Online Security

2005-01-05 Thread Mads Rasmussen
Bill Stewart wrote:
> That's still a serious risk for a bank,
> since the scammer can use it to log in to the web site
> and then do a bunch of transactions quickly;
> it's less vulnerable if the bank insists on a new SecurID hit for
> every dangerous transaction, but that's too annoying for most customers.
Here in Brazil it's common to ask for a new PIN for every transaction.
Mads


Banks Test ID Device for Online Security

2005-01-04 Thread R.A. Hettinga
Okay. So AOL and Banks are *selling* RSA keys???

Could someone explain this to me?

No. Really. I'm serious...

Cheers,
RAH



http://www.nytimes.com/2004/12/24/technology/24online.html?oref=loginpagewanted=printposition=

The New York Times

December 24, 2004

Banks Test ID Device for Online Security
 By JENNIFER A. KINGSON


For years, banks gave away toasters to people who opened checking accounts;
soon they may be distributing a more modern kind of appliance.

Responding to an increase in Internet fraud, some banks and brokerage firms
plan to begin issuing small devices that would help their customers prove
their identities when they log on to online banking, brokerage and
bill-payment programs.

 E*Trade Financial intends to introduce such a product in the first few
months of 2005. And  U.S. Bancorp says it will test a system, though it has
not given a timetable.

The devices, which are hand-held and small enough to attach to a keychain,
are expected to cost customers roughly $10. They display a six-digit number
that changes once a minute; people seeking access to their accounts would
type in that number as well as a user name and password. The devices are
freestanding; they do not plug into a computer.

Some banks, like  Wachovia of Charlotte, N.C., and  Commerce Bancshares of
Kansas City, Mo., already use these hardware tokens to identify employees
and corporate customers, and say they are evaluating the technology for
retail banking use. Others, like Fidelity Investments and  Bank of America,
are researching the matter.

"Every single major bank is considering it," said James Van Dyke, principal
and founder of Javelin Strategy and Research of Pleasanton, Calif., which
advises financial services companies on payments and technology issues.

 Although there are drawbacks in terms of cost and convenience - as well as
questions about what would happen if a customer lost the device or it were
stolen - there is growing pressure from bank regulators to add safeguards
of this type to online financial services. In a report last week, the
Federal Deposit Insurance Corporation, which insures bank deposits, said
that existing authentication systems were not secure enough and that an
extra layer of security should be added to the sign-in process.

"The financial services industry's current reliance on passwords for remote
access to banking applications offers an insufficient level of security,"
the F.D.I.C.'s report said. Two-factor authentication, which typically
includes a memorized password and a hardware security device, "has the
potential to eliminate, or significantly reduce, account hijacking," it
said.

To be sure, there are many ways to add the kind of security that the agency
is seeking, and any number of technology vendors eager to supply products.
The F.D.I.C. evaluated some possible alternatives, including smart cards,
which are plastic cards with embedded microprocessor chips; biometrics,
which identify people by their fingerprints, voice or physical
characteristics; and shared secrets, in which a customer is asked a
question that, in theory, only he or she could answer.

But the system that has so far taken root in the market is the one that
relies on number-changing hardware tokens, which have the shape and feel of
the plastic security devices that people click to unlock their cars.

Several large banks in Europe and Australia - including Credit Suisse,  ABN
Amro and Rabobank - already issue these tokens to customers, sometimes
making them bear the cost of the device. In the United States in September,
America Online introduced a program, AOL Passcode, that lets subscribers
buy the keychain device for $9.95 and use it for authentication purposes,
at a subscriber fee of $1.95 to $4.95 a month, depending on the number of
screen names linked to it.

Proponents of these devices are aware that they present other problems.
Financial companies are concerned about making online banking less
convenient and about adding fees for the hardware token. Customers with
accounts at several institutions may wind up with an unwieldy number of
tokens or swamp call centers with questions about the new systems.

Several foreign banks have made the tokens mandatory for online customers.
E*Trade, which is expected to be the first United States financial
institution to introduce the program for retail customers, will make it
optional and charge for the device.

Joshua S. Levine, chief technology officer at E*Trade, said the technology
"seemed to provide the comfort that most people want. And when you have
your money at stake," he said, "you really want to feel comfortable."

E*Trade has been testing its program for the last two months, giving the
devices free to 200 interested customers. So far, the tests have attracted
customers with high incomes who conduct many transactions and tend to be
knowledgeable about technology, Mr. Levine said. Based on the feedback
these customers have been giving us, he added, we feel

RE: Banks Test ID Device for Online Security

2005-01-04 Thread Trei, Peter
R.A. Hettinga wrote:

 Okay. So AOL and Banks are *selling* RSA keys???
 Could someone explain this to me?
 No. Really. I'm serious...
 
 Cheers,
 RAH
 

The slashdot article title is really, really misleading.
In both cases, this is SecurID.

Peter
