Domain: passwindow.com
Stories and comments across the archive that link to passwindow.com.
Comments · 12
-
Re:How about not?
Forget about needing expensive hardware. Just use a system like PassWindow
http://www.passwindow.com/Would work on any device from a mobile phone through to that shiny new 100" plasma TV you bought (the one with the inbuilt web browser)
No I dont have any connection to these guys, I just think their product is a brilliant idea and it could eliminate phishing almost entirely with far less cost to the banks than any of the electronic devices (SecurID, little calculators to generate special hashes etc) currently being used by some institutions.
-
Re:Those key fob things should be universal
Even better than RSA keyfobs (and cheaper too) would be something like
http://www.passwindow.com/
Employers could put the PassWindow on the front of employee ID cards.
Banks could put the PassWindow on the front of the ATM card.
etcAnd unlike the RSA keyfobs it hasn't been cracked yet.
No I dont work for them, I just LOVE their product and want to see it gain traction.
-
Re:PassWindow could have prevented this
My Passwindow method could have prevented this and cost practically nothing to implement too,
I suppose you mean http://www.passwindow.com/index.html ?
As far as I can tell, there are two problems with this:
- A Trojan could intercept enough data to reconstruct the mask. The whitepaper claims that you need to capture between 30 and 1000 transactions. That doesn't account for the fact that the trojan does not need to be 100% sucessful (probably the user can try 3 times).
- Unlike an embedded EMV chip, the mask is trivial to copy; the owner will not notice that his passwindow card is missing. With a telephoto lens, an attacker could photograph you from a distance while you use an ATM. This means that you still need a password or cryptographic authentication.
-
Re:Electronic OTP card is highly vulnerable
Ah cheers, thanks mate, its hard pushing an entirely new method in such a conservative industry but ive finally got some banks implementing it and some online service networks in Asia where security was important. (Not in Australia yet however) Actually since the show ive improved it enormously, the main discovery was that I can do transaction authentication which prevents any type of trojan attack at a fundamental level and give it a security edge over the electronic OTP devices many banks currently use. The other difference is that you would have seen the static challenges on the show with static digits however I figured out that by animating single digits in an animated gif any deduction analysis on the challenge becomes exponentially more difficult and usability seems to have improved. You can see a demo at http://www.passwindow.com/ I wanted to show it on the grand final episode but the producers of the show had rules about introducing new material. Thanks again for the support.
-
Electronic OTP card is highly vulnerable
Like all OTP devices including the RSA OTP tokens the modern trojans simply MITB Man-In-The-Browser their way past these devices including the electronic card pictured in the article. Most of the new trojans (Zeus etc) have this feature or module and they simply hijack the browser dll and then create a second connection in the background. Often the banks require a second OTP value to authenticate the outgoing transaction and so the trojans usually just bounce the user to a "session expired, please login again" page and use the new OTP to validate the outgoing transaction. My own method http://www.passwindow.com/ does OTP without electronics and at zero cost of implementation, but more importantly it can do transaction authentication (including transaction details into the challenge itself) without any extra requirement from the user (ie no requirements to enter in long transaction account details into a separate device). The trojans are unable to bypass transaction authentication and I know of no other online 2 factor authentication method which is as cheap or usable.
-
Why are banks wasting effort on things like this?
There are solutions out there for this, all of which will be secure even if someone deliberatly set up a system with the goal of capturing bank account info (such as hacker messing with machines at an internet cafe):
Little calculator type devices where you enter transaction details and it gives you a 1-time-use code that goes into the online bank form
One-time-use codes sent by SMS or snail mail (or by picking them up directly from the bank)
Keyfobs that display codes you enter into your online bank form
USB keypads where you enter your ATM PIN (possibly inserting your chip enabled card into it also), the data encrypted by the keypad and sent to your PC via USB that then sends it on to the bank.One of the best systems I have seen is PassWindow which doesn't require extra hardware.
http://www.passwindow.com/ (no I have no connection to these guys, I just really like their product and think its far more secure than the methods most banks are trying like challenge questions, pictorial passwords/challenges whilst not having the extra costs of PIN pads, keyfobs or calculator devices. Its more reliable than the one-time use codes (SMSs may not always make it through, people may accidentally erase the SMS and loose the codes, people may misplace the physical letter with the codes on it, whatever)And it can work on essentially any device with a full web browser that can display images including mobile phones, games consoles, internet kiosk terminals, locked down corporate PCs
All of these solutions (with the exception of the USB pin pad) do not require any installation or use of software which mean they can be used for internet cafes/kiosks, locked down corporate PCs or anywhere else where internet access is available but using "unauthorized" software or hardware is not permitted.
This "live CD" solution will only work in situations where the end user is able to run whatever software they like (and where the PC has an optical drive). And it assumes that the "live CD" has drivers for all the hardware in the PC its being used on (given the state of linux wireless, I doubt its even possible, especially if you need support for WEP, WPA etc)
-
A simple solution might be on the horizon...
The key to solving this problem is secure and cheap transaction authentication, which is what IBM has been trying to achieve with their ztic, but even that I fear is vulnerable. The solution I think that will ultimately put something of a stop to the mitb/trojan is this: http://passwindow.com/ It seems at first glance too good to be true, but I read parts of the whitepaper and it seems legit. I heard it mentioned that a few banks might be rolling it out some time this year....
-
Re:Chaum-like
According to the demo, the only other factor is the username (which is generally so available or derivable that it might as well not count as a factor). Furthermore, the website says you don't have to memorize anything. If they're going to be using this to secure a bank card, then security boils down to two things you have, the bank card and the PassWindow card.
-
Re:One major problem: monitor resolution
Fixed link (the trailing slash after
.html breaks the page): -
Re:One major problem: monitor resolution
In the demo on their site there's a blue arrow you can drag to resize the graphic. It's awkward but it does solve the problem. http://www.passwindow.com/demo/index.html/
-
Re:Easily Rectified
I swear to god every poster on this thread so far has not gone to the website: http://www.passwindow.com/
This is actually a very novel idea that has been thought out thoroughly.
If it is thought out so thoroughly, why is there no mention on cryptoanalytic reasons why this will not fall apart if an attacker tries to play chosen ciphertext with you? (My guess: Because there is no such reason and it WILL fall apart)
-
Easily Rectified
This is easily rectified in any software by compensating for the DPI by scaling up or down the image.
Heck you can do this in CSS:
IMG.passwordWindow { width: 2in, height: 1in }
This image is going to be scaled to be the exact same size on the screen in any web browser.
Also, this has nothing to do with color filters.
I swear to god every poster on this thread so far has not gone to the website: http://www.passwindow.com/
This is actually a very novel idea that has been thought out thoroughly.