RE: Proposal to anti-phishing

["Lyal Collins" <lyal.collins () key2it com au>]

USB and indeed all plugin tokens are susceptable to keystroke monitoring IF
the device doesn't have a keypad and display on the device. 
If the password/PIN is ever sniffed, then any malware of the host PC can
simulate the human to whom the device is registered, and enact transactions
to the benefit of the attacker without the genuine user ever being able to
repudiate the false transactions under this security/authentication model
(to the bank, device = genuine transaction, period).


Putting keypads and displays can makes the the devices more or less
customised to the issuing bank. If there is downloadable updates or content
of any form, there is the real risk of breaking the device's security model.
Certainly, PSCS isn't any good where keypads or displays are used, while
STIP may help a bit.

Even with displays/keypads on devices, the user still can't be sure that the
transaciton their device 'signs' is actually the transaciton they want to
do.
If you think about it, 'secure devices' only work when they can do the
entire transaction, from conneciton to the Bank, selection and input of
transaction, and commitment for completion. 

The devices used today are called PCs and workstations - they just aren't
secure.  Secure PCs would answer all these problems - but we are never
likely to get them 

Even so, the user education cycle is long (how long did it take for ATMs to
be widely accepted?) and there are still no guarantees. 

In short, so called security devices merely delay the inevitable
sophistication of attacks, by a few days in the worst case, weeks or maybe
months if we are real lucky. 

In the meantime, live with risk.

Lyal

> -----Original Message-----
> From: Jimi Thompson [mailto:jimi.thompson () gmail com] 
> Sent: Friday, 21 January 2005 5:24 PM
> To: webappsec () securityfocus com
> Cc: Florian Weimer; Rafael San Miguel; Enrique.Diez () dvc es
> Subject: Re: Proposal to anti-phishing
>
>
> <SNIP>
> > Zero-setup online banking will be possible again (with SSL 
> client certs,
> > hear me beat the drum once more) once enough clients have smart card
> > readers as standard equipment, properly integrated with the 
> operating
> > system and the browsers.
> >
> > For an example, I look to the Dell Latitude D600, which 
> comes with an
> > integrated smart card reader. Maybe a good feature addition 
> for the new
> > LCD monitors would be a smart card reader slot, connected 
> via USB. The
> > more people use them, the more ubiquitous they will be, and the less
> > "setup" will be required by new users/clients.
> </SNIP>
>
> Why not use something like the Rainbow Ikey that uses a USB connection
> which virtually every computer has nowdays?  It too is an EPROM with a
> PKI public/private key pair.  That way there's not extra hw to install
> and you don't have to wait for the item to percolate through the
> market place.  Remember betamax?  Consumer are used to carrying around
> bar code tabs for their shopping/store club/discount/credit cards and
> such on their key chains, why not that too?
>
> The caveat is this - all authentication is based on one of 2 things -
> something you have (token, thumb print, etc.)  or something you know
> (PIN, password, etc.).  The "something you have" can be stolen.  Right
> now, we have people going after the "something you know" by placing
> devices on ATM machines to record information, identity theft on line,
> phishing for id10ts, etc.  Now instead of realatively non-violent
> (although highly annoying) crimes like phishing, we'll see an
> escalation in muggings, purse snatchings, and the general category of
> beating people up and taking their stuff.
>
> As an aside, my big fear with biometrics is that some criminal groups
> will start cutting off pertinent pieces of people in order to gain
> access to accounts.  Before someone pipes up and says that it'll never
> happen, I can tell you from personal eye-witness experience that there
> are more than a few people on this planet who are perfectly willing to
> cut off another person's hand or fingers to get their rings, watch,
> bracelet, etc.  If they'll do it for some jewelry, which will hock at
> the pawn shop for about $20, they'll definitely do it get into your
> checking account.
>
> One thing that I've not seen discussed here is non-repudiation.  
> Non-repudiation was a major portion of the last PKI wg.  It's very
> important in dealing with legal and money matters.  What do you when
> my on line identity gets used and I say it wasn't me?  Just how good
> is your system?  Will it stop me from buying a Lexus or transferring
> all my money to the Cayman Islands and saying that I didn't?
>
> While I agree with the "zero setup" stuff, it's probably not legal in
> the USA.  We have laws that require you physically show identification
> and few other things when opening a checking account.  There are more
> laws that require the reporting of large sums of money.  This is to
> prevent the laundering of drug money (for example) as well as other
> illegal activites.    The federal laws are pretty minimal, but some
> states have stricter laws about this.  Any bank that isn't doing
> something to physically look at ID's is probably in voilation of
> something.  I admit that these aren't well inforced but they should
> be.
>
>
> 2 cents (as usual) 
>
> -- 
> Thanks,
>
> Jimi