Slashdot Mirror


Phishers Defeat Citibank's 2-Factor Authentication

An anonymous reader writes "Crypto experts and U.S. Government regulations (FFIEC) have been pushing the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" — the second factor being something the user has in their physical possession like a token — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data. According to a Washington Post Blog, 'SecurityFix,' phishers have now started phishing for the two-factor token ID from the user as well. The most interesting part is that these tokens only give you one minute to log in to the bank until that key will expire. The phishers employ a man-in-the-middle attack against the victim and Citibank to log in via php and conduct money transfers immediately when logged in." (An update to the blog entry notes that the phishing site mentioned has since been shut down.)

233 comments

  1. not new by Anonymous Coward · · Score: 0
    it's a phishing site that submits your username/password to the real site to validate it. I know for a fact that was being done as early as 2003.

    (Posting anonymously because *I* did that in 2003).

    1. Re:not new by Anonymous Coward · · Score: 0

      hehe
      u just incriminated yourself
      there is no such thing as anonymous on slashdot. look in your message box and you will find all your anonymous posts

      -posting anonymous coz i want to

    2. Re:not new by Anonymous Coward · · Score: 0

      Posting anonymously to test this assertion.

    3. Re:not new by Anonymous Coward · · Score: 0
      fuck! A couple days ago, I interviewed for a gov't job.... they asked if I enjoyed stretching my ass out, natalie portman, and hot grits!!!!

      I was surprised, but they explained afterwards that they used the Patriot Act to subpoena my anonymous slashdot posts. Holy Fuck!!!!

    4. Re:not new by Anonymous Coward · · Score: 0

      testing anonymous post

  2. Good. by bytesex · · Score: 5, Interesting

    My bank has had this for ages. How's about protecting you from the man in the middle attack by a little extra procedure, though ? Immediately after you've done the transactions through the web and you log out, the bank sends you an encrypted email with all your transactions in it. Those emails can be parseable for your own financial package as well. And it should give you some time to cancel all the transactions that are bogus. There can be no forgery involved, since the bank _always_ sends those mails. Just an idea, I know there's no cure for utter stupidity.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:Good. by InsaneLampshade · · Score: 1

      Wouldn't the phishers then just change the email address once they've logged on?

    2. Re:Good. by porlw · · Score: 3, Interesting

      My bank sends me an SMS with a one-time password every time I do a transaction online. You have to type in the password on the web page to confirm the transaction.

    3. Re:Good. by bytesex · · Score: 1

      What makes you think that you can change any personal data online ? This is an online transaction enabling system - no bank would allow you to change your address, physical or otherwise without seeing authentication presented in vivo, right ?

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    4. Re:Good. by stunt_penguin · · Score: 4, Interesting

      You're right about there being no cure for stupidity- however a transaction receipt after every transaction might lead to people being phished using 'ZOMG SOMEONE JUST WITHDREW $1000 FROM YOUR ACCOUNT, CLICK HERE TO ENTER LOGIN AND CANCEL!!1one1!eleventy' tactics.

      There is, it seems, no winning.

      --
      When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    5. Re:Good. by stunt_penguin · · Score: 2, Insightful

      ^ sorry, your method of sending all (or all recent) transaction info as a mark of authenticity in the email would probably help to eliminate that type of attack since the phishers would have no way of providing this info.

      Having said that, with current methods, maybe a 'someone just transferred $1000 [such an arbitrary number, don't you think?], please login in the next 24 hours to cancel this transaction' might be an effective phishing technique, rather than the old 'we lost your details, oops!' tactic; has anyone seen the like of this yet?

      --
      When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    6. Re:Good. by zlogic · · Score: 1

      How about this: buy some stuff, then (after receiving it or knowing it can't be returned) cancel the payments. Should work great on paid downloads & online stores, as well as services (e.g. taxi, car wash etc.).

    7. Re:Good. by Captain+Zep · · Score: 1
      But surely if you tried to change email address, the bank would send an email to your existing one with a magic link to confirm that 1. you have access to the original account, and 2. you actually want to make this change.

      Z.

    8. Re:Good. by Lumpy · · Score: 1

      Giving you, a customer, high security to your accounts is not in the interest of the bank. They do not make money off that, therefore it will not even be addressed. Most banks still use a really cheesy login system (some, like 5th 3rd, used to send your password in the open when you went to the account settings page. It displayed your password openly on the screen.)

      --
      Do not look at laser with remaining good eye.
    9. Re:Good. by Anonymous Coward · · Score: 0

      Sort of sucks if you don't use a mobile phone, though.

    10. Re:Good. by everett · · Score: 1

      My bank allows me to change my email address online, but not my street address, perhaps the solution then is mailing the user a letter saying "Here's the confirmation of the transactions you completed online last week"

      --
      Sig withheld to protect the innocent.
    11. Re:Good. by supersnail · · Score: 1

      So you just pass the password through to the "Man In The Middle"!

      The MiM is the hardest security problem by far there are no easy answers.

      It would make more sense for your bank to do it the other way around --
      display a password on the screen which you send them via SMS, this provides
      two checks -- the password and your mobile number.

      Tough if you lose your mobile though -- you lose access to your account as well!

      --
      Old COBOL programmers never die. They just code in C.
    12. Re:Good. by AlecLyons · · Score: 1

      I think if you really want to make forgeries difficult you have to drop some of the convenience of online banking. At the moment, once I'm logged in I can make most any transaction I like. How about if, before I'm allowed to transfer money to anyone who I never have before, I'm required to add them in as an authorised payee. If the process for doing this involved me receiving an SMS message where I'm required to actively make an effort and reply direct to the Bank to authorise the new payee from my own phone, it would be a significant blow to the phishers I'd have thought.

    13. Re:Good. by bytesex · · Score: 2

      Obviously your bank allows you to change you email address online, because they only think of email as a vehicle for their marketing efforts. If it were to be drawn in with the whole security setup, which is what we were talking about here, then I'm sure you'd not be able to change it online. Obviously.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    14. Re:Good. by porlw · · Score: 2, Insightful

      Not quite.

      1. The SMS only happens if you actually try to do a transaction.
      2. The SMS also supplies destination account and amount.

      So MIM would only work iff they intercepted an attempt by me to make a payment, and I didn't check the details in the SMS. If I get a transfer SMS out of the blue then I know something's up.

      If I lose my mobile then I do what our stone-age ancestors did, and actually go to the physical bank building and fill out a transfer request.

      If I make regular payments to a particular account I can also preset the details and avoid the SMS procedure. Requires some paperwork at the bank, though, so they can verify my identity then.

    15. Re:Good. by Nevynxxx · · Score: 1

      > Tough if you lose your mobile though -- you lose access to your account as well!

      Your mobile companies must be horrid. I have had the same mobile number since I got my first phone in '98. I have been through two companies, and 5 or 6 phones, I have lost the SIM once, and had the replacement out in an old phone in around 3 days.

    16. Re:Good. by Anonymous Coward · · Score: 0

      Good idea. Another (or additional) possibility could be to require a phone call for transfers above a certain size/percentage. If the default phone number is ticked (to your landline), you get an automated message and press 1 to confirm. If you choose a different phone number (e.g. you're out on holidays) you could get a human operator to ask security questions. Would provide an additional way to catch scammers, and a different channel of security.

      Of course, there must be some way through your internet bank of changing both your phone number and email address....

      How about by post only, and the next time you log in you get the option of changing?

      It seems to me that the best way of preventing/catching phishers early would be to use several channels of communication.

    17. Re:Good. by Rob+Kaper · · Score: 1

      My bank uses a two-way security system as well. The second code is required when entering a transaction and is sent as a text message to a mobile phone each time a transaction (or set of) is required (the SMS notes transaction ID and amount). The phone number can be changed on-line, but in order to activate a new number one needs to enter a security code which is only sent by registered snail mail.

      What I like about this system is that sending out SMS messages actually has a cost attached, so it's much less likely to be used by phishers. Furthermore, the usability of the system is way better than any code which has to be generated from a special device issued by the bank. I would most likely not carry around such a device wherever I go, while I do with my phone and therefore can do Internet banking anywhere I'd like to.

    18. Re:Good. by jdbartlett · · Score: 1

      I've seen another tactic at a UK bank to protect login: online customers are given a security password generated by the bank in addition to a regular password and "secret information" entry. The generated security password is never requested in full. Instead, several random characters from the password are requested at login; i.e., "What is the 3rd character of your security password? What is the 1st character of your security password? What is the 5th character of your security password?"

      If the user falls prey to a phishing attack only once, the odds are against that phisher being able to collect a combination of password characters he can expect to see repeated on the real bank login page.

      The bank has used this login system for several years now.

    19. Re:Good. by thePowerOfGrayskull · · Score: 1

      Immediately after you've done the transactions through the web and you log out, the bank sends you an encrypted email with all your transactions in it. Because though it's unfortunate, the majority of the world wouldn't know what to do with an encrypted email.

    20. Re:Good. by SilverJets · · Score: 2, Insightful

      How's about protecting you from the man in the middle attack by a little extra procedure, though ?

      How about not clicking on every bloody URL in every e-mail you receive?

      No matter how good the security, it will always be defeated by the stupid users it is there to protect.

    21. Re:Good. by avirrey · · Score: 1, Insightful

      If I had to wait a week for a listing of my transactions.... I'd blow a fuse. I want to see it online, I want instant convenience, that's the world we live in. You can't 'make' a transaction, and then cancel it 1 week later!! After the fraud you are just plain and simply screwed, seeing a fraud transaction in the first place did nothing to prevent the fraud to begin with! Get a clue guys, we want prevention not a 'catch' 1 week later.

    22. Re:Good. by Anonymous Coward · · Score: 0

      Great idea, except you forgot one huge flaw. These phishing jerks also would then login to your account, change your registered email, and then proceed to do the money transactions.

    23. Re:Good. by The+Spoonman · · Score: 1

      Just an idea, I know there's no cure for utter stupidity.

      Are you apologizing because your idea was stupid or because you think the people who use online banking are stupid?

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    24. Re:Good. by ajs · · Score: 1
      Winning is easy. Don't deal with your bank online unless you type in the name directly or use a bookmark, and always double-check the spelling.

      The other way to go would be to have some very short domain name that everyone comes to recognize as a gateway (sort of a tinyurl for financial institutions), and have every bank interaction start with something like this:
      To continue, please visit, http://bankurl.com/citibank
      or the like. That way, the user knows that any site NOT asking them to do this is phishing, and any site that gives them a URL to any other domain name is bogus.

      It would have to be universal though. Citibank asking you to type in their own domain, Bank of America doing the same, etc. would not lead to enough consumer awareness to the protocol. Everyone needs to go through the same redirecting site, so that they all recognize the URL. Of course, this leads to very high availability concerns and the need to protect the hell out of that domain, but we already rely on DNS to be secure for finance on the Web, and if a consortium of banks can't keep a server farm up 24/7, they have bigger problems.
    25. Re:Good. by Talchas · · Score: 1

      The problem with this is what if you lose access to your old account before you get access to the new one? Yeah, you shouldn't let this happen, but they have to keep this in mind. You could of course then switch to snail mail to confirm somehow.

      --
      As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against...
    26. Re:Good. by wik · · Score: 1

      If the phishers can login and access your bank account to withdraw money, why can't they also read the last few transactions from the webpage as well?

      --
      / \
      \ / ASCII ribbon campaign for peace
      x
      / \
    27. Re:Good. by jrockway · · Score: 1

      > The MiM is the hardest security problem by far there are no easy answers.

      Umm, SSL was designed to solve this problem. When you visit your online bank, make sure the cert is valid and that the URL matches the one on your printed bankbook or credit card.

      Pretty simple.

      (People being too dumb/lazy to check, though, is the hard problem. Fortunately this is evolution at work.)

      --
      My other car is first.
    28. Re:Good. by Captain+Zep · · Score: 1
      In such cases requiring some other form of verification seems entirely reasonable.

      If people complain about that, then essentially they are saying they don't want their bank to take security seriously.

      Personally, I'd much rather my bank erred on the side of caution if there seems to be anything in the least suspicious going on.

      Z.

    29. Re:Good. by stunt_penguin · · Score: 1

      Humm..... I wasn't so much on about winning a personal battle against these scams as keeping people in general from getting caught; getting people to do anything to protect themselves en-masse is difficult to say the least :(

      --
      When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    30. Re:Good. by stunt_penguin · · Score: 1

      Sorry, I was on about the initial phishing email, where they usually ask you to confirm some details that they've supposedly lost.

      If a bank included your recent transaction details in all electronic correspondence as standard then that would be a very good sign of authenticity for banking emails. The absence of those details and the difficulty in obtaining them would make a user suspicious and make a phisher's task in creating a convincing email that included recent transaction information impossible.

      --
      When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    31. Re:Good. by gutnor · · Score: 1

      I guess that in the parent idea, the bank will send the confirmation of payment or move the money only when you have approved, cancel the operation.

      Anyway, if you want to trick shops like this, this is already possible with a good old Credit Card. Call the credit card company, say that you do not recognise some operation or that the vendor didn't do his part of the contract, and you will be refunded immediately.

      Disclaimer, don't try this at home, you could have some trouble with Justice after that.

    32. Re:Good. by Viceice · · Score: 1

      My bank does the same thing as the GP's, and in the event that I don't own a mobile, I can still get the Transaction Authorisation Code from the bank's phone banking facility or by getting a one time use code from the 24 hr ATM. After all, the reason this works when stopping phishing is because there is a hurdle not related to the internet that needs to be overcome, so phone or walking to an ATM works just as well.

      Anyway, what are the odds that you are of the demographic that uses phone banking, but doesn't own a mobile? Even if you are anti-mobile for whatever reason and internet banking is important to you, you can still subscribe for SMS over landlines.

      --
      Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
    33. Re:Good. by Viceice · · Score: 1

      Very out of form to reply to myself, but the "phone banking" in the 2nd last line ought to read "internet banking" ...

      --
      Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
    34. Re:Good. by mattpalmer1086 · · Score: 1

      Yes, I've seen that too, but it doesn't protect you against a man-in-the-middle attack, which is what the original post is on about. It does help to prevent using the login information collected in one phishing session later though.

    35. Re:Good. by jdbartlett · · Score: 1

      Yes, it simply provides a good additional protection for user login information.

    36. Re:Good. by Anonymous Coward · · Score: 0

      "This is a special alert from yourbank. We are sending this to the primary email address we have for you because of suspicious activity on your account. Because of the possibility this email address may have been compromised, we are foregoing the usual listing of recent transactions, in order to avoid possibly giving the hacker additional information about you. Also, we are requesting more than the normal amount of information from you to verify you are the registered account holder. Please click the link below, and fill in ALL of the requested info...."

    37. Re:Good. by bytesex · · Score: 1

      You can't 'make' a transaction, and then cancel it 1 week later!!

      I'm not talking about a week. I'm talking about getting an email right away, but anyway:

      Yes you can. This is a phenomenon with a tradition within banking. It simply means that someone or something will have to stand for the risk involved, which is quite low, actually. A kind of insurance. Credit cards do it, online divisions of banks do it. But the risk involved is so low, that it's practically without a price - especially if the transaction is booked back within a short period of time.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    38. Re:Good. by avirrey · · Score: 1

      I think I caused confusion with my comment. I was merely stating an absurdity about an actual transaction being 'confirmed' after a week. The transaction has long been processed, and was in reference to someone's comment about a week long summary. Yes, your money can be returned, but the crime has already been committed. As I stated, we are looking for prevention not catching an incident. We can catch all the issues we want, but in the end no prevention is my point.

    39. Re:Good. by LunaticTippy · · Score: 1

      The very first phishing email I saw was "from" ebay, about a $600 laptop I had bought. I thought "oh shit, someone hacked my account!" and clicked on the link. Fortunately I saw that it was www.ebay.bfdsahu9.com and didn't enter my password.

      --
      Man, you really need that seminar!
    40. Re:Good. by nasch · · Score: 1
      > (People being too dumb/lazy to check, though, is the hard problem. Fortunately this is evolution at work.)

      If by evolution you mean survival of the fittest, that works only if being susceptible to this attack makes it harder to reproduce. I can't see how that would be the case.

    41. Re:Good. by jrockway · · Score: 1

      > If by evolution you mean survival of the fittest, that works only if being susceptible to this attack makes it harder to reproduce. I can't see how that would be the case.

      I don't notice homeless people having a lot of kids.

      --
      My other car is first.
    42. Re:Good. by bit01 · · Score: 1

      This could be extended. The bank could release an entire page of random letters, different for every customer. Then the bank could verify the customer ("What are the 4th, 5th and 9th letters on the 12th line?") and the customer could verify the bank as well (entry form where the customer selects row and column to get verification for). Still doesn't help with man-in-the-middle though.

      ---

      Keep your options open!

    43. Re:Good. by jdbartlett · · Score: 1

      Your idea reminds me of old adventure game manuals!

    44. Re:Good. by nasch · · Score: 1

      You're suggesting that people who fall prey to a phishing scam generally end up homeless? Firstly, do you have anything other than wild speculation to back that up? Secondly, do you have any logical or empirical reason to think that phishing scams tend to affect people before they've had children rather than after? Once you have kids, if you're later deselected then it doesn't matter - you've already been fit enough to pass on your genes.

  3. Rabobank security by mwvdlee · · Score: 3, Interesting

    My bank (Rabobank, Netherlands) uses a key-generating hardware device, based on account, PIN number, optional numbers generated by the site (which are to be entered into the keygen) and an internal clock. With sending any transfer, the site requires a new key to be generated. If the amount to be transferred is sufficiently large, one of the numbers used to generate the key is the exact amount, thus requiring the user to validate the amount as well.

    Phishers may be able to coordinate up to the point of this validation, but if one suddenly had to enter an additional verification number of, e.g. "2000.00" (minus the decimal point), it'd be very hard to use phishing for large amounts of money.

    Then again, I also have other accounts at two other banks, both of which require only a one-time, 5/6-digit, non-changing, numeric password.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Rabobank security by jawtheshark · · Score: 1, Redundant

      both of which require only a one-time, 5/6-digit, non-changing, numeric password.

      I'm surprised. I live in Luxembourg and all banks I know of don't do simple password systems. For the ING, it's the same system as you describe: electronic device that spits out numbers.

      The other banks that I know of have the following system: Username, Password (usually, easy passwords are not allowed) and finally they give you a 16-digit (actually, often alphanumeric) code separated in 4 blocks of 4 chars. At login 2, 3 or 4 chars of this code are asked (usually only one in each block). They do not ask different digits at each trial. After three failed logins, your account is blocked. You know this. So, even if a phisher would perform a man-in-the-middle attack, he would in the worst case obtain 4 digits of the 16-digit code. The probability that the phisher gets exactly those 4 digits to login is 0.25^4. Not exactly high.

      Sure, there is still a risk and it's still not foolproof. Especially, if the phisher decides to ask all codes, but most clients would become wary of that, I hope.

      Of course, the system with an electronic device seems the best to me. No ebanking system should use a simple username/password authentication.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    2. Re:Rabobank security by jawtheshark · · Score: 1

      Next time I'll first RTFA, because it seems that's the system that Citibank uses.

      Damn...

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    3. Re:Rabobank security by strider44 · · Score: 2, Interesting

      I'd think the numbers would be pretty much hack-proof if one of the factors that you needed to put in the token or hardware device was the target bank account. This would obviously make banking slightly less convenient as you'd have to enter a new number in every time you transfer but it would save a lot of trouble and be impervious to this type of attack mentioned in TFA.

    4. Re:Rabobank security by sirf · · Score: 1

      My Swedish bank uses a credit card sized device which does some (unique for each user) magic crunching on numbers entered. When you log in you are presented with random numbers which must be entered into the device, and the result is used to login within three minutes. When you transfer money you must enter both the account number, and the amount, into the device and submit the results. To me this seems secure enough to use public terminals for banking. I do. Even if you forget to log out from the bank, very little harm can be done. You need to enter numbers to do just about anything except log out.

    5. Re:Rabobank security by dr_d_19 · · Score: 3, Interesting

      Phishers may be able to coordinate up to the point of this validation, but if one suddenly had to enter an additional verification number of, e.g. "2000.00" (minus the decimal point), it'd be very hard to use phishing for large amounts of money.

      No it will not.

      This is an example of how the man in the middle attack would occur on any Swedish bank:

      Hello, welcome to CitiBank, please insert your account number and the response to the following challenge: 8022 8429
      - "Uhm, ok" (login via man in the middle)

      There was a problem, please try again with the following challenge: 2842 2020
      - "Oh, my bad" (add phishing account to user's account allow list)

      You will need one more challenge/response pair however, which you can get using:

        - A third login problem
        - Any action performed by the user that would require the response/challenge usually
        - Information about "heightened security" and the need to re-verify the identity.
        - Information about an e-visa/new savings account/free stocks or anything that would potentially require a challenge

      So this is very possible.

      This can be solved using client side certificates tho'.

    6. Re:Rabobank security by Anonymous Coward · · Score: 0

      I'm surprised. I live in Luxembourg and all banks I know of don't do simple password systems.

      Yes, but Luxembourg has strict bank secrecy laws. Most of us don't live in a country like that.

    7. Re:Rabobank security by Hast · · Score: 1

      This is an example of how the man in the middle attack would occur on any Swedish bank ...

      This can be solved using client side certificates tho'.

      Not quite all. E.g. Handelsbanken uses certificates instead and is thus safe from MITM attacks.
    8. Re:Rabobank security by maris382 · · Score: 1

      Another solution could be to add an extra digit representing the type of information you are signing.

      Say,
          1 for login,
          2 for an account number, and
          3 for an amount.

      Then, making sure that the personal token tells the user what kind of information he is signing (flashing 'login', for instance), you could avoid most phishing attacks like you described (unless, of course, if the phisher has access to an account that you've already signed, which seems rather difficult to get)

    9. Re:Rabobank security by Homology · · Score: 1

      > Not quite all. Eg Handelsbanken uses certificates instead and is thus safe from MITM attacks.

      But the certificate can be stolen, though. One bank used to use a certificate and a 4 digit PIN code for access, and only Windows was supported. Sure certificates are better than nothing, but they need to be augmented with something else to make them safer.

    10. Re:Rabobank security by takev · · Score: 1

      For the ABN AMRO, also in the Netherlands, they have a generic calculator like device where you can slide in your bankpas (which has a chip). You will have to log on to your bankpas using your 4 digit code, then your bankpas is unlocked to handle the challenge/response of the website.

      With large transactions they ask you to sign the destination bank account number, by doing the same challenge/response, but the challenge is part of the destination bank account number.

    11. Re:Rabobank security by mwvdlee · · Score: 1

      That problem would be easily solved by simply linking the site-generated validation codes to the action they are supposed to validate; you couldn't log in using the "allow" challenge. At best, a phisher could piggy-back on the actions of the user. If the target account numbers are used as validation codes (along with action validation codes of course), the best a phisher could possibly do is change the amount... unless of course, that amount is also used as a validation code.

      Now *surprise*, this is exactly what's happening at a lot of banks.

      Obviously, no amount of security measures will stop a phisher from scamming an utter idiot. But then again, the type of person who'd still fall for it should arguably not be allowed to manage their own finances anyway.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
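The transaction-bound challenge/response that mwvdlee (amount mixed into the code), maris382 (a different tag per kind of signature) and the reply above (codes linked to the action they validate) describe, as an added Python simulation that is not code from the thread or from any bank's real token: the HMAC construction, the 8-digit truncation, the secret, PIN and account numbers are all assumptions made here.

```python
import hashlib
import hmac
import secrets

# Action tags in the spirit of maris382's suggestion: a different tag per kind
# of signature, mixed into the code so that a code produced for one action
# never verifies as another. The numbering is illustrative (assumption).
ACTION_LOGIN = "1"
ACTION_TRANSFER = "3"


def response_code(secret: bytes, action: str, *fields: str) -> str:
    """8-digit code over the action tag, the challenge and the transaction
    fields. Truncating HMAC-SHA256 to a decimal code is an assumption made for
    this simulation; a real token may compute something quite different."""
    msg = "|".join((action,) + fields).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Token:
    """Simulated customer device: holds the shared secret, requires the PIN."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin

    def sign(self, pin: str, action: str, *fields: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return response_code(self._secret, action, *fields)


class Bank:
    """Bank side: hands out one-time challenges and recomputes the code over
    the transaction exactly as the bank is about to execute it."""

    def __init__(self) -> None:
        self._secrets: dict = {}
        self._open_challenges: set = set()

    def enrol(self, customer: str, secret: bytes) -> None:
        self._secrets[customer] = secret

    def challenge(self) -> str:
        c = f"{secrets.randbelow(10**8):08d}"
        self._open_challenges.add(c)
        return c

    def _verify(self, customer: str, challenge: str, code: str,
                action: str, *fields: str) -> bool:
        if challenge not in self._open_challenges:
            return False                               # unknown or already used
        self._open_challenges.discard(challenge)       # one use, success or not
        expected = response_code(self._secrets[customer], action, challenge, *fields)
        return hmac.compare_digest(expected, code)

    def login(self, customer: str, challenge: str, code: str) -> bool:
        return self._verify(customer, challenge, code, ACTION_LOGIN)

    def transfer(self, customer: str, challenge: str, dest: str,
                 amount_cents: int, code: str) -> bool:
        # Destination and amount are the bank's own view of the transfer, so a
        # relayed session that alters either produces a different expected code.
        return self._verify(customer, challenge, code, ACTION_TRANSFER,
                            dest, str(amount_cents))


def scenario() -> dict:
    """Run the cases discussed in the thread; every value is constructed."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")
    bank = Bank()
    bank.enrol("alice", secret)
    token = Token(secret, pin="4821")
    dest, amount = "NL00BANK0123456789", 200000       # "2000.00" minus the point

    # Honest transfer: what the customer signed is what the bank executes.
    c1 = bank.challenge()
    honest = bank.transfer("alice", c1, dest, amount,
                           token.sign("4821", ACTION_TRANSFER, c1, dest, str(amount)))

    # Relayed session in which the bank is handed a different destination
    # than the one shown to and signed by the customer.
    c2 = bank.challenge()
    code2 = token.sign("4821", ACTION_TRANSFER, c2, dest, str(amount))
    tampered = bank.transfer("alice", c2, "NL99OTHR9876543210", amount, code2)

    # A login code presented as a transfer authorisation: the action tag differs.
    c3 = bank.challenge()
    login_as_transfer = bank.transfer("alice", c3, dest, amount,
                                      token.sign("4821", ACTION_LOGIN, c3))

    # A genuine login, then the same code replayed against its used challenge.
    c4 = bank.challenge()
    code4 = token.sign("4821", ACTION_LOGIN, c4)
    login = bank.login("alice", c4, code4)
    replayed = bank.login("alice", c4, code4)

    return {"honest_transfer": honest, "tampered_transfer": tampered,
            "login_code_as_transfer": login_as_transfer,
            "login": login, "replayed_login": replayed}


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case:24s} accepted={accepted}")
```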
    12. Re:Rabobank security by Zemran · · Score: 2, Insightful

      That all sounds too complicated for me, I think I will just stay poor instead...

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    13. Re:Rabobank security by Anonymous Coward · · Score: 0

      It makes me feel all warm inside to read this comment... I used to maintain that system until November last year when we outsourced it.

    14. Re:Rabobank security by SillyNickName4me · · Score: 1

      The 'calculator' used by my bank already accomplishes this by generating login and approval keys in different ways and requires different steps from the user for each.

    15. Re:Rabobank security by accessdeniednsp · · Score: 1

      My bank (Rabobank, netherlands) ...

      You actually use a bank with a name like that? They're just asking to be robbed :)

    16. Re:Rabobank security by Hast · · Score: 1

      Yes they can be stolen. But given a reasonably secure passkey they won't be deciphered. (Not before the Earth goes Woosh anyways.) If you use a 4 digit key you may as well store them in clear text.

      Computers which are compromised are a much bigger problem for certificates. (I.e. computers with keyloggers or www trojans.) Those are not really "Man in the middle" attacks though.

  4. Are you surprised? by Manip · · Score: 2, Insightful

    This isn't at all a shocker. The authentication problem is only one piece of a very complex puzzle. But in this case simple and common SSL certificate verification would work to stop such a man-in-the-middle attack.

    Further down the road though, this is why technology leaders need to standardise authentication tokens to include some kind of two way verification ... So when you enter your token into the browser, first the browser checks the web-site is the "owner" of that token and if it is not then it warns the user, after verification the browser then sends the token and the user is verified to the site.

    Something like this:
      mybankcom - 9 -

    The browser implements a "token box," when a post is attempted with said box the domain gets stripped of all special characters (up to the path) and then compared to the first part of the token. If they are case insensitively identical then the browser will submit the rest of the token (the pseudo random number) to the web-site.

    The token box would have to look unique and be very difficult to clone... Which might require it to jump out from the main content window, but that is a problem for browser UI developers and beyond the scope of the problem.
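The "token box" check proposed above, as an added Python sketch that is not part of the original comment: the host name is stripped of non-alphanumerics, compared case-insensitively with the label in front of the token, and only then is the secret part released. The URLs and tokens are constructed examples.

```python
import re
from urllib.parse import urlsplit


def origin_label(url):
    """Reduce the page origin to the comment's form: the host name (nothing
    past the path start) with every special character removed, lower-cased."""
    host = urlsplit(url).hostname or ""
    return re.sub(r"[^a-z0-9]", "", host.lower())


def token_box_submit(page_url, token):
    """Browser-side gate: return the secret part of a token such as
    "mybankcom - 9 -" only if its label matches the page being posted to,
    otherwise None (the browser would warn instead of submitting)."""
    label, _, rest = token.partition("-")
    label = label.strip().lower()
    secret = rest.strip(" -")
    if not label or not secret:
        return None
    if origin_label(page_url) != label:
        return None
    return secret


# Constructed cases: the genuine site, a look-alike subdomain trick and a
# typo-squat. Only the first releases the secret.
CASES = {
    "genuine":   token_box_submit("https://mybank.com/login", "mybankcom - 9 -"),
    "subdomain": token_box_submit("https://mybank.com.evil.example/login", "mybankcom - 9 -"),
    "typosquat": token_box_submit("https://myb4nk.com/login", "mybankcom - 9 -"),
}

# Caveat of the scheme as proposed: stripping punctuation makes "my-bank.com"
# and "mybank.com" produce the same label, so a real design would compare the
# registrable domain rather than a squashed string.
```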

    1. Re:Are you surprised? by FireFury03 · · Score: 3, Interesting

      But in this case simple and common SSL certificate verification would work to stop such a man-in-the-middle attack.

      SSL (and other such certification systems) present a trust problem:

      When I connect to Alice, she presents a certificate which is signed by Bob. This tells me that Bob has verified that Alice is who she says she is. All very good you might think... except why the hell should I trust Bob? Maybe "Alice" is really Charlie pretending to be Alice and Bob signed the certificate because Charlie paid him a whole heap of cash. Or maybe Bob just didn't actually bother to check before signing the certificate. Either way, I don't know Bob and so he hasn't earnt my trust.

      In this case, Bob is someone like Verisign - a large corporation who has been paid a reasonably large amount of money by Alice. If there's one thing I've learnt it's that most large corporations are fundamentally untrustworthy, especially when they're receiving bundles of cash from someone.

      This kind of trust problem is not easily solvable (if it's actually solvable at all). One potential way to do things is have a social network - each person signs the certificates of each of their friends and assigns a "trust score" showing how strong their trust relationship is. When I want to see how trustworthy Alice is, I traverse the network of signatures between me and Alice and can calculate the end "trustworthiness" from the scores of all the interconnections in the network. The problem here is that there usually aren't that many hops between any 2 people in the network - I might trust Bob and Bob might trust Alice, even though *I* don't trust Alice.

    2. Re:Are you surprised? by nneonneo · · Score: 1

      What you are suggesting sounds a lot like a standard cookie, beefed up a bit by extra security. In usual practice, a cookie cannot be read by a member of another domain (unless Cross-Site-Scripting is used, which is a real possibility with [some] phishing emails). I would suppose that a browser could have its cookie function even more secure, but that probably won't stop the phishers (who will inevitably find ways around this). There's really nothing that people can do to completely kill phishing aside from either personally going to the bank, giving them ID and performing a transaction or being so incredibly paranoid of any e-mail sent to you. That said, I'm sure there's a lot of things we can do to protect ourselves.

    3. Re:Are you surprised? by jrumney · · Score: 2, Insightful

      The trust problem you describe goes away if the bank issues its own client certificates to customers. The bank does trust itself, doesn't it?

    4. Re:Are you surprised? by bhaberman · · Score: 1

      A (physical) bank could give the users a CD-ROM with the public key on it. This solves the trust problem to the point where you have to trust the people at the bank. If you can't trust the people at the bank then there is no point of worrying about security.

    5. Re:Are you surprised? by Anonymous Coward · · Score: 0

      With trust networks, you introduce a whole new category of privacy problems. I'm sure the NSA would love to traverse those networks and see who you trust.

    6. Re:Are you surprised? by roscivs · · Score: 1
      The trust problem you describe goes away if bank issues its own client certificates to customers.
      Via what secure channel?
      --
      ~ roscivs
    7. Re:Are you surprised? by WaffleMonster · · Score: 1

      You know what gets me more than anything about online banking is the number of institutions that provide input boxes for login/password directly from their insecure (http) home pages. What's even scarier than that is I told my bank about the dangers of such nonsense and their staff couldn't understand why it wasn't a good idea or what my problem was with it. They told me that the data is being submitted to a 'secure' site. Tell that to your customers when someone decides to operate a rogue hotspot downtown redirecting your 'secure' login from a spoofed home page to their own bank account without any way for you to know what has happened until it's too late, or does the same using DNS or BGP attacks. IMHO it's much more a cultural issue than a technological one and it pisses me off that institutions who should know better don't get it or don't care. I think token cards have a history of being more noise (MITM and duplication vectors) than useful and zero knowledge authentication systems such as SRP rock and IMHO would provide more meaningful and useful security. An SRP http authentication mechanism that was also cryptographically bound to the SSL session itself would do so much more for security than silly little cards, which mean very little when someone operates a free hotspot downtown.

    8. Re:Are you surprised? by jrumney · · Score: 1

      Via going into a branch of the bank and presenting the same level of ID that they required when you opened your account.

  5. phishing preys on ignorance by grrowl · · Score: 5, Insightful

    The target authorities and security developers should be aiming for, in my opinion, is not the people who do the wrong-doing, but the users themselves. The major difference that phishing has from hacking or physical robbery is that the attack is forceful against either the bank's online front or the customer whereas phishing preys on not physical or technological weakness but on intellectual weakness: ignorant users are conned into giving up personal details, going to a particular site or running a program because they are unaware of the risks. In phishing cases there really should be a bigger push for educating customers through more than just 20-pixel-high signatures on electronic correspondence. There should be in-bank brochures, tv spots/advertisements (or at least addendums to current tv spots) and users should clearly know never to click a link in an email from anyone, especially if it's pertaining to a bank or paypal-like site or in a personal mail from someone unfamiliar. There's a reason many geeks have clean-as-a-whistle computers (I virus and spyware scan every now-and-then -- about every 6 months -- and they both always come up clean) whereas the "common user" has problems with viruses and scumware seemingly constantly, and that reason is education and not-so-common sense. The answer then is obviously to educate, and make that sense common.

    1. Re:phishing preys on ignorance by Sawopox · · Score: 2, Interesting

      The solution to 99.99% of the problems we face today is education. But, as they say, "Ignorance is bliss." Some people today simply DO NOT CARE to put forth the effort to make any kind of change in their life. So long as the welfare check comes every month, and American Gladiators is on 24/7 re-runs, they're happy. What is worse, is this "So, what?" attitude we see in adults is being passed onto their kids. I teach middle-school, and sometimes I just want to scream, "WAKE THE FUCK UP AND OPEN YOUR GODDAMN EYES!" at the top of my lungs.

      --
      [http://it-tastes-so-good.blogspot.com] Are you hungry?
    2. Re:phishing preys on ignorance by OP_Boot · · Score: 1

      I wish I had mod points.
      I don't so I'll restrict myself to saying:
      AOL

    3. Re:phishing preys on ignorance by cerberusss · · Score: 1

      Some people today simply DO NOT CARE to put forth the effort

      Lots of broad, generalizing statements. Those same people might care a lot about their family and visit their brothers and sisters regularly. They may also have a big savings account for an early retirement. Things you may not care about. I'd like to scream to you: "WAKE THE FUCK UP AND STOP MAKING STUPID GENERALIZING STATEMENTS!" at the top of my lungs.

      --
      8 of 13 people found this answer helpful. Did you?
    4. Re:phishing preys on ignorance by Professor_UNIX · · Score: 2, Funny
      American Gladiators is on 24/7 re-runs
      American Gladiators is back on the air!?!? SWEEEEET. What channel?
    5. Re:phishing preys on ignorance by Sawopox · · Score: 1

      Uhm, except those people that CARE about their family and HAVE big savings accounts for an early retirement are NOT the ones to which I was referring. I was referring to the people that sit on their fat lazy ass all day and expect government hand-outs and the welfare of others to get them through the day.

      --
      [http://it-tastes-so-good.blogspot.com] Are you hungry?
    6. Re:phishing preys on ignorance by cerberusss · · Score: 1

      OK so you've narrowed down the group. If you repeat this a few times, you'll probably lose some of that frustration and either a) correctly identify the group you're referring to -- or more likely b) realize you're spouting nonsense.

      --
      8 of 13 people found this answer helpful. Did you?
    7. Re:phishing preys on ignorance by grrowl · · Score: 1

      Ignorance is bliss, and I'd agree with your statement, and even extend that all people (yes, everyone) won't learn (or put effort into anything for that matter) unless they see a way to profit in some way themselves from it, monetarily or otherwise. That said, who's going to ignore "If you click on links in e-mail, you could have large amounts of money stolen from you"? Accompany it with horror stories and the general person will ease into a mindset of what those familiar with internet and e-mail would call 'common sense', which helps everybody. I'm also looking forward to seeing if OpenDNS (http://www.opendns.com/) will take off, and if it could actually have an effect on phishing schemes like this.

    8. Re:phishing preys on ignorance by budgenator · · Score: 1

      Look, people do stupid shit, always have, always will; any "security measure", any "consumer education" that fails 0.001% of the time is failing enough to entice phishers with "get-rich-quick" dreams. There are ways to stop them, and that is to give them what they want: they want data sent to phishing pages, we can do that.

      First we can send masses of pseudo-random data to their site, we can bury them in data that they can try to process at 30 cents a transaction, or

      A name and address and a CC number that triggers a tracker that locks an account, that slows the bank branch's credit card deposits to a crawl due to fraud investigation, that slows the bank's transactions again due to fraud and possible terrorist links. After that you have to look at the ISP that's hosting the site, maybe they're involved, so you start working your way up from there too.

      Eventually the phishers aren't going to be able to find hosting; end of problem.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    9. Re:phishing preys on ignorance by Beryllium+Sphere(tm) · · Score: 1

      >intellectual weakness:

      In other words, "pilot error".

      Part of the answer (I didn't say "solution") is browser UI changes to show people more of what's actually going on. Why can I connect to https://www.c1tibank.com/ get a padlock icon telling me I've connected to the correct site, and NOT get the warning ssh would supply that I'd never talked to that site before?

  6. Man in the middle will always work by WebHostingGuy · · Score: 2, Insightful

    A man in the middle attack will breach just about any security you have. Unless you can recognize it, or teach others to, this sort of attack will always work. The trick is that it is sophisticated and you have to educate people to know when they are connecting to the correct site or not; that is, check the URL and the SSL certificate when connected. And, never use self-signed SSL certificates.

    --
    Quality Hosting e3 Servers
    1. Re:Man in the middle will always work by Tatarize · · Score: 1

      Remind me again... why can't they catch the money? Why is there no way to tag cash and find where it ends up and lock that account up? My banking knowledge is limited, but it seems like if you can follow the cash you can get pretty good results.

      --

      It is no longer uncommon to be uncommon.
    2. Re:Man in the middle will always work by maxwell+demon · · Score: 2, Informative

      Well, probably they open bank accounts under false identities, and close them again immediately after they got the money. For the next phishing attack they can just open another account under another false identity at another bank. All they need to be good at is faking (or maybe stealing) identities (and of course actual phishing). If that bank account is emptied and closed quickly enough (i.e. before you notice that someone took money from your account), there's no way to lock it, and probably hardly a chance to find the person who had opened it.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:Man in the middle will always work by Tatarize · · Score: 1

      Nah, I'm talking fish the phishers. Have preset bank accounts which are set to have any outward transfers lock the account that gets the outward transfer. Find a phisher, give them the fake account. They fall for it and it flags the offending account.

      --

      It is no longer uncommon to be uncommon.
    4. Re:Man in the middle will always work by Bozdune · · Score: 1

      I like this idea a lot. Pursuant to someone who posted earlier about how dumb people seem to be, and how phishers prey on that dumbness, hey, there's a lot of smart people as well. I get phishing attempts multiple times per day. If I had a way to screw the phishers by sending them to a honeypot bank account, I would do it as a community service, and so would about a zillion other people who play here.

    5. Re:Man in the middle will always work by v1 · · Score: 1, Informative

      SSH is specifically designed to prevent MITMA. If I try to ssh to a system that I have recently swapped hardware on and still have the same hard drive, ssh flips out and warns me of a possible MITMA due to the MAC address of the destination having changed. (it displays a short warning saying "someone may be doing something nasty!") In fact, it won't even let me ignore the error, I have to go into the known_hosts file and remove the previous fingerprint before it will let me ssh into that system again. This problem never occurs unless I have changed the machine I am ssh'ing into, so there are no false positives to get accustomed to.

      Although this prevents MITMA, it does not necessarily prevent phishing by default because the phisher could somehow trick me into ssh'ing to the wrong address, by hacking a DNS for example. However there is one further security feature of SSH. When you are ssh'ing into a system that you have never connected to before, it displays a warning and asks if you want to add the new host to your list of known hosts. Since you should never get this except the very first time you connect, if you see this warning when connecting to someplace you visit regularly, you know something is wrong.

      I suppose the best defense to phishing instead of 2 part authentication, would be to send the users the program to access their content. Imagine the bank writing an ssh-enabled client with the fingerprint of their server hard coded into it, where it remembers your account information as well so you don't get used to typing in your bank password whenever asked for it. No link to click, just "run the bank program" to access your account. Even a dns compromise would not impact this. The only issue I can see with this method is storing the account information in a way that cannot be extracted by spyware AND not in a way that can be used in its encrypted form. (such as hashed)

      The big problem with phishing here is simply that the user is too used to being asked for their account information, and as long as the phisher doesn't deviate too much from the norm the user will just go zombie and type it in. This information needs to be something you enter once, and if it ever asks you again there is a problem.

      But in the end, profound user stupidity trumps all. That will never change.

      --
      I work for the Department of Redundancy Department.
    6. Re:Man in the middle will always work by hughk · · Score: 1
      If you are in the US or UK, the identification procedures for new clients (KYC) are supposed to be quite painful. To establish a strawman identity for opening an account is possible but it definitely isn't easy. Most of the western world has similar information collection obligations, even traditional banking secrecy countries. So, for example, if I fished some details from your account and wired your money to Switzerland, a complaint of wire fraud via the FBI to the Swiss Cantonale authorities will allow the bank to release account beneficiary data.

      As far as the rest of the world, well if they aren't tracking who the account beneficiaries are, well your US bank is not supposed to wire money to them.

      --
      See my journal, I write things there
    7. Re:Man in the middle will always work by Anonymous Coward · · Score: 2, Informative

      SSH is specifically designed to prevent MITMA. If I try to ssh to a system that I have recently swapped hardware on and still have the same hard drive, ssh flips out and warns me of a possible MITMA due to the MAC address of the destination having changed.

      WRONG.

      SSH does NOT care about the MAC address. The MAC address is only valid on a LAN. Every time a packet passes a router, the MAC address gets replaced, so it would be completely useless for any kind of authentication. Plus, changing the MAC address can be done in software easily. As I tend to tell people who do wireless networks: Forget about MAC filtering, cracking it takes less time (seconds) than activating it.

      What SSH is complaining about is the host key. It has nothing to do with the hardware, but is located in a file in /etc. And moving the hard drive to a different machine does NOT change the host key. Re-installing does, however.

    8. Re:Man in the middle will always work by Leebert · · Score: 2, Informative
      ssh flips out and warns me of a possible MITMA due to the MAC address of the destination having changed.

      No, it doesn't. You can change hardware (and even platforms) all day to your heart's content. What you CAN'T do is change the public key. If you, for example, uninstall ssh, and the uninstall removes the keys, and then you re-install ssh and regenerate the keys, you will get this message.

      Although this prevents MITMA, it does not necessarily prevent phishing by default because the phisher could somehow trick me into ssh'ing to the wrong address, by hacking a DNS for example.

      No, that wouldn't work. ssh stores a fingerprint for the server's public key. The fingerprint is associated with both the host's DNS name and its IP. If you were to poison DNS and cause me to connect to a different hostile machine with the "same" forged hostname, the public key of that hostile machine would differ. ssh would completely wig out and say that a man in the middle attack may be occurring.

      There's plenty of ways around 2-factor authentication within ssh, but this isn't it.
    9. Re:Man in the middle will always work by patches · · Score: 1

      How about this idea. You have your security token or what ever. You log into the bank website. Before any action on your account can take place, you have to call from a telephone into the banks 800 number, enter your account number there, and the bank computer tells you what action is trying to be performed, and you acknowledge it.

      Making sure of course that users know the 800 number prior to using the online banking, and don't put the 800 number on the website where the MITM will be able to change it to his own 800 number.

      I see this as a pretty large pain in the ass, however most good security is a pain in the ass.

      Just a thought...

      --
      The worst part of being atheist.... You don't have anyone to talk to during orgasm!
    10. Re:Man in the middle will always work by locofungus · · Score: 1

      And, never use self-signed SSL certificates.

      Depends on what you are trying to protect against.

      My home server uses a self signed certificate. This means that it always presents a popup if I access it via an internet cafe - no popup means that probably someone has installed a root certificate and is now staging a man in the middle attack.

      Eventually we will see phishing attacks that involve installing a new root certificate so that the phishers can generate "good" certificates on the fly and stage man in the middle attacks.
      (I'm surprised this hasn't already happened - once you've got the root certificate installed you can stage a MitM attack against any site)

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    11. Re:Man in the middle will always work by budgenator · · Score: 1

      You know if you watch television for a while, you can collect quite a few Visa, Mastercard and Amexco credit card numbers and names that are not associated with a real person; there are also numbers that always check good, some that are always bad, some that are always over limit, for testing. I'm sure if we all dug into it, there are also bank routing numbers and account numbers that are defined for testing only; it's not that hard to get the address to the local FBI Office, so the possibilities for hilarious hijinks abound! There are people who are disappointed if they don't get at least one 419'er a month to screw with!

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    12. Re:Man in the middle will always work by maxwell+demon · · Score: 1

      As it turns out, I've just now heard on TV how it really works (OK, in this case it was about trojans, not phishing, but there the only thing different is how to get the passwords/PIN/TAN of the victim, not how to get at the money afterwards):

      Have you ever got a spam mail with a "business opportunity" where you get involved in financial transactions, and get a share of the money transferred? You get money to your account, which you then send as cash somewhere else, while you keep your share. Well, it turns out that you can really make money this way, at least until the police comes to get you: In that case it's not a trick to get at your money, but a trick to get you unsuspectingly involved in money laundering. The way that cash went cannot easily be followed. Yes, usually the account owner will be punished. But that doesn't really hurt the phishers. Just send out new spam to find new "laundry personnel".

      --
      The Tao of math: The numbers you can count are not the real numbers.
  7. carding by joe+155 · · Score: 1

    could the banks not create a usb card reader which you could put your debit/credit card into as part of the authentication? Or even better, an "authentication" card: it could have, say, 5 billion numbers on it and the system could ask for 5 digits randomly out of all of them; if the box was set to never send more than 5 digits then even if you fell for a phishing attack or got hacked those numbers would almost never be asked for again. This seems like such a good idea... I feel I must be missing something.

    --
    *''I can't believe it's not a hyperlink.''
    1. Re:carding by BrynM · · Score: 1
      could the banks not create a usb card reader which you could put your debit/credit card into as part of the authentication
      They could not create it, but darn it they already have. It's not without its problems as well.
      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    2. Re:carding by Anonymous Coward · · Score: 1, Informative

      What you are referring to is called a "one time pad", which this token effectively provides; this is still vulnerable to man in the middle attacks, though.

    3. Re:carding by WedgeTalon · · Score: 2, Interesting

      A lot of people, like you, are suggesting sophisticated technological solutions (which won't really work IRL). The REAL problem isn't the bank's security - it's the user's gullibility. My bank simply uses a username/password style login. It works fine. The only ones with problems are those who believe everything they get in their inbox.

    4. Re:carding by Alfred,+Lord+Tennyso · · Score: 1

      For the technology you're describing a "smart card", and there are various implementations of that, but none have caught on.

      For the crypto you're describing a one-time pad, and it has serious limitations, but there are better ways. The problem with a one-time pad is that they have to be generated and distributed securely. And you and your bank have to have identical copies of large files, which presents new security risks: anything that's duplicated doubles the possibility of compromise.

      Public-key cryptography is a better solution. Rather than having identical copies of a very large number, you generate two smaller numbers (say, 200 digits long) which are mathematically related by a hard-to-apply formula. When you encrypt with one, you can decrypt with the other, and vice versa, but you can't decrypt with the same number you used to encrypt it. (Well, it is theoretically possible, but incredibly difficult.)

      The math is rather too complicated to describe in a Slashdot article (it involves prime numbers, exponentiation, and modulo arithmetic) but the upshot is: yes on smart cards which encrypt every transaction securely, and they need to get that accepted. "No" on the encryption you describe, but there are workable alternatives in place.

      So if it's such a good idea, why haven't they done it? I'm not 100% sure. Part of it is that the credit card banks shove a lot of the costs of identity theft off onto the merchants and the card-holders, and the rest is cost-of-doing-business.

      And that cost is presumably lower than implementing a complex new card system, especially if they're not convinced that it's the perfect card system such that they might have to do it again in a few years. This article shows that even really good techniques are vulnerable when a con man takes advantage of the card-holder.

      Still, existing variants on the techniques you describe would cut identity theft massively, and I'm very disappointed in the banks for not using them. It would benefit them, their customers, and the merchants.

    5. Re:carding by gpaliot · · Score: 1

      In Germany we have a system to digitally sign transactions on your PC before sending them to your bank. It's called HBCI http://en.wikipedia.org/wiki/HBCI.

      --
      ceci n'est pas une sig
  8. No Good by giafly · · Score: 1
    Immediately after you've done the transactions through the web and you log out, the bank sends you an encrypted email with all your transactions in it.
    I regularly receive "encrypted emails", all apparently malware. Unfortunately your idea will lead to more people clicking on "encrypted emails" and getting infected, rather than immediately binning them, thus replacing one problem by another.
    --
    Reduce, reuse, cycle
    1. Re:No Good by maxwell+demon · · Score: 4, Informative

      I don't think he meant "encrypted" to be "cryptic looking". Instead I think he was thinking of actual encryption, where the email appears to you in plaintext if your email program supports encryption (and you have the proper key, of course). Especially if you have to get a physical token anyway, it should be no problem to store a personal key on it as well.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:No Good by Tony+Hoyle · · Score: 2, Interesting

      Users know nothing about encryption... it's too easy to spoof.

      eg. There's a virus going around that reads "This is an encrypted email from AOL.. click on the attachment to read it".

      Telling users that encryption is somehow better is just going to leave them open to that kind of attack.

    3. Re:No Good by Anonymous Coward · · Score: 0

      Oh my fscking head...

      Yeah, let's just throw out any idea of strong crypto because there are ignorant people in the world.

      Good idea.

  9. They will Phish for every required parameter by tezza · · Score: 1
    Given that a wget command to retrieve any session authentication key only takes a couple of seconds, a full minute window is easily enough.

    The phishers can also mimic the error path if the token is disallowed or mis-typed.

    This is not an easy problem to solve!

    1. Re:They will Phish for every required parameter by Lumpy · · Score: 1

      This is not an easy problem to solve!

      yes it is, after submitting transactions you must verify from your email account by responding to the email the bank sent you; if you don't do this in 2 minutes the transactions are cancelled.

      so unless the phishers also hijacked your email account you effectively defeated them as you will see the mystery transfers you did not do before they are submitted.

      --
      Do not look at laser with remaining good eye.
    2. Re:They will Phish for every required parameter by Anonymous Coward · · Score: 0

      You're usually allowed to enter the code before and after as well so you've got more than a 1 minute window. This is to allow for slight clock skew between the token and the system.
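The acceptance window the comment above describes (the one-minute codes from the story plus one step of tolerance either side for clock skew), as an added Python illustration that is not Citibank's or any vendor's code: an HMAC-based time-step code, a verifier that accepts ±1 step, a replay set so the same code cannot be accepted twice, and the resulting worst-case lifetime of a code. The secret and timestamps are constructed.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 60   # one-minute codes, as in the story
SKEW_STEPS = 1      # accept one step before and after for clock drift

SECRET = b"12345678901234567890"   # constructed token seed, not a real one


def otp_at(secret, counter, digits=6):
    """Code for a given time-step counter (HOTP-style dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def verify(secret, code, now, seen=None, step=STEP_SECONDS, skew=SKEW_STEPS):
    """Server side: return the step counter the code matches within
    [current-skew, current+skew], or None. If `seen` (a set of already
    accepted counters) is given, a code for a counter already used is
    rejected, so a relayed code cannot be accepted a second time."""
    current = now // step
    for counter in range(current - skew, current + skew + 1):
        if hmac.compare_digest(otp_at(secret, counter), code):
            if seen is not None:
                if counter in seen:
                    return None
                seen.add(counter)
            return counter
    return None


def acceptance_window(step=STEP_SECONDS, skew=SKEW_STEPS):
    """(total span in which a code is acceptable, worst-case lifetime after
    it first appears on the display). With 60 s steps and skew 1 that is
    (180, 120): the "more than a 1 minute window" of the comment."""
    return (2 * skew + 1) * step, (skew + 1) * step


def demo():
    """Walk one code through its window; returns the four verifier results."""
    now = 1_000_000                     # constructed epoch time, 40 s into step 16666
    code = otp_at(SECRET, now // STEP_SECONDS)
    seen = set()
    in_step = verify(SECRET, code, now, seen)           # accepted: 16666
    replayed = verify(SECRET, code, now + 5, seen)      # same counter: rejected
    late = verify(SECRET, code, now + 79)               # still inside step+1
    too_late = verify(SECRET, code, now + 80)           # step+2: outside window
    return in_step, replayed, late, too_late


if __name__ == "__main__":
    print(acceptance_window())  # (180, 120)
    print(demo())               # (16666, None, 16666, None)
```

The replay set only closes the second use of a code; a man in the middle who relays the first use within the window is still accepted, which is why the other comments argue for binding the code to the transaction rather than to time alone.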

    3. Re:They will Phish for every required parameter by topham · · Score: 1

      Do you realize how often valid transactions would get cancelled?

      Email can take seconds, or it can take days; and it is supposed to work this way.

  10. Perhaps if banks signed their emails by Colin+Smith · · Score: 5, Insightful

    People might just be able to determine if they were valid or phishing attempts.

    Almost all email clients support s/mime these days, all you and the banks have to do is sign up to a certificate authority and install a certificate. They can be acquired for free.

    --
    Deleted
    1. Re:Perhaps if banks signed their emails by MonsoonDawn · · Score: 2, Insightful

      1. Certs are entirely too easy to obtain.
      2. Because of #1 the only thing a cert proves is that the hostname matches what's in the cert.
      3. Phishers have been using faked yet secure websites for years now they'll just switch to emails.

      Certs are worse than useless, they're misleading.

    2. Re:Perhaps if banks signed their emails by karot · · Score: 1

      Sadly, some mail clients support signed and encrypted emails really badly (or not at-all). I have seen more than one installation of Outlook Express where, if a signed message is sent to them, you have to click extra buttons before it can be read, and you cannot reply-to or forward a message for some strange reason - I never did work out why.

      Sadly Outlook Express still has a huge end-user following as it is familiar, and comes-with "that" operating system. Using POP3 mailboxes means that migrating between mailers is often painful, so we are stuck with incapable clients and Phishers are free to play. :-(

      --
      Enjoy Y2K? Roll-on Year 2037!
    3. Re:Perhaps if banks signed their emails by Colin+Smith · · Score: 1

      right... of course... so nothing should be done...

      Get a certificate, install it and use it.

      --
      Deleted
    4. Re:Perhaps if banks signed their emails by Henry+Stern · · Score: 2, Insightful

      You're underestimating the problem here. Banks can sign their e-mails using S/MIME until the cows come home and it won't do a thing to combat phishing. Phishing victims are naive and would not relate to the importance of checking for a valid S/MIME signature. They already have similar functionality in their web browsers with SSL and the "lock" icon and it's not working.

      As an aside, many banks are now using DKIM to sign their messages at SMTP time. It's up to the recipient to verify the signatures.

  11. Anonymity - the other side of authentication by UR30 · · Score: 2

    How about the other side of authentication - anonymity. There are cases when the service provider doesn't need to know personal or professional details about the customers, but nevertheless this kind of data is collected widely. The Shibboleth technology developed in the Internet 2 project in principle makes it possible for a customer to limit the access to personal data by service providers. This kind of solution should be made widely available. Now there are all too many authentication systems collecting data which may be used (at some point) for nefarious purposes.

  12. Bank Security by nighty5 · · Score: 2, Insightful
    As a security consultant I use lots of ways to defeat all types of security controls, and in true Slashdot way I didn't read the article. There is no silver bullet to security; it requires successive layers of controls (defence in depth) to adequately protect against attacks. It is no surprise to see two-factor auth defeated in this situation, but there are other controls a web application can use to safeguard against these attack types:

    Website Controls

    Additional "next PIN" for each transaction

    Challenge response

    Enter a PIN challenge based on dollar amounts to transfer

    The usual web security stuff - see OWASP for more

    Signing transactions with certificates and tokens

    Security Awareness

    Workstation security is paramount, firewalls, anti-spam, anti-malware, running as non-admin all assist in this process

    Some trojans embedded into IE and pop-up boxes that sift the credentials upon the user typing in their banking website

    As you can see, there is so much you can do.
    Have fun!

    1. Re:Bank Security by OP_Boot · · Score: 2, Informative

      Out of all of your suggestions, only one - Signing transactions - will defeat a man-in-the-middle attack such as is described by the article.

    2. Re:Bank Security by TA · · Score: 1

      A very good way to block man-in-the-middle attacks is one that has been
      described by another poster already, and which is in actual use by some
      banks: Introduce a second channel to verify the actual transactions. In
      the case described the bank simply sends a one-time pwd as an SMS to your
      cellphone, you have to enter the pwd to confirm the transaction. The
      attack used on Citibank customers (and my bank is using something similar)
      wouldn't work. With this method you won't need those very tedious
      systems where you have to enter all the accounts and amounts into
      your OTP device, which is simply painful.

      A slightly different SMS-based system (used by some, but it needs a
      special SIM card) will have you to reply through SMS as well, with
      a separate personal phone code.

    3. Re:Bank Security by nighty5 · · Score: 1

      This method was briefly covered in point #2 - challenge response.

      Unfortunately slashdot is not the avenue to discuss such matters as security, as it tends to be complex and depending on lots of factors.

      But yes SMS messaging is something that covers the "something you have" (token/mobile), along with "something you know" (password/pin).

    4. Re:Bank Security by rwhiffen · · Score: 1

      Right... I can see people lining up in droves to use a website that makes them click, enter, type, fumble for token, clickity click... The users are already stupid enough to fall for a phishing scheme. Now you're going to have them deal with all of that stuff too? You open that bank, and I'll keep the current phishable system and make up for the losses in sheer volume of fees I charge to customers who defect from your hard to use system to my easy to use bank. There's a reason grandma and grandpa use windows instead of linux... (yeah yeah, 'but that's changing' and reply with the story of how your 120 year old great grandmother is using debian and customizes her kernel using emacs macros) There's no silver bullet here. It's going to be a combination of small things in both email apps, browser apps, security apps and user education that solves this problem. In the meantime diligence, diligence, diligence.

    5. Re:Bank Security by JourneymanMereel · · Score: 1

      Perhaps I'm naive, but it seems to me that if you're willing to go to the point of having something the user must possess that connects to the computer, it seems like this would be a fairly easy problem to solve... except for the API part.

      Instead of giving some kind of time-based number generator to the customer, give them a USB key that contains an unexportable private key. The public key can then be given to the bank. When the user wants to complete a transaction, it is sent to the user's computer for verification (much like current "Are you sure" pages, but slightly different -- here's the API part). When they click on "Yes", the non-exportable private key device digitally signs the transaction and sends it back to the bank.

      This could also be used for authentication. The server sends some largish random string and requests that the device signs it. A proper signature for a large string can only be generated by the proper private key, so it wouldn't matter if phishers sent a string to be signed unless they could predict exactly what string the bank was going to send.

      --
      Life has many choices. Eternity has two. What's yours?
    6. Re:Bank Security by nighty5 · · Score: 1

      On high-value systems ($1+ million transfers) this is exactly what they do.

      While it's beneficial for large banking customers such as traders, bankers etc., it would be cost-invasive for the general public systems.

  13. Nothing surprising by arivanov · · Score: 4, Interesting

    Nearly all US and UK Internet banking systems are susceptible to this.

    There is an easy fix for this as well - client side certificates. I have an account with a bank in an ex-eastern European country and they use it. Many Scandinavian banks use that as well (with the certificate on a token or a smartcard).

    In order to authenticate the SSL handshake has to use both client side and server side certificates. After that the actual user id has to match the certificate one. A man in the middle cannot break through that because it will not have the private key from the user machine. From there on even if it can fake the bank interface to the user it cannot fake the user towards the bank. Game, set and match.

    The only reason for US and UK banks not to use it is outright incompetence. I remember trying to explain the concept of client side SSL certificates to one of the cretins who have implemented a well known UK bank Internet banking security subsystem. He could not grasp the concept. By the way - he now works in the "risk" (that is the way they like calling this now) department of another well known UK bank.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
    1. Re:Nothing surprising by nihaopaul · · Score: 1

      China has been doing two-way certificates; the problem is not the actual certificate but the `windows` only policy. Mac and nix users are being alienated. Just yesterday I had a meeting with a payment gateway (I know it's not a bank per se) in China and I went through a model user.

      I set them up with a computer running FreeSBIE and gave them banking information and asked them to use their system to buy through our site. As you can imagine, they became pissed off that it wasn't `IE`, then even more frustrated when trying to use their own banks.

      I asked them straight out: should I have to use an operating system I don't trust to be able to buy online? Of course they were trying to keep business and replied `no`; then I pointed out that a quarter of the visitors on the site are Mac users.

      So what I am getting at is, this would have to be an open standard, not a closed proprietary way, and integrated into the khtml/ff/opera/ie browsers.

      Paul

    2. Re:Nothing surprising by arivanov · · Score: 2, Interesting
      Strange.

      No particular reason for client certificates to fail to work once loaded in a non-MS client. I got the east-EU bank mentioned in my original post working correctly with konq and mozilla.

      Now, smart cards are a different matter. Some of them are not supported under *nix and MacOS. If the card is supported you should still be in the game.

      Similarly, requesting certificates may be a problem. Mozilla has some troubles with handling the certificate-request/certificate import sequence. So does konqueror. It also cannot load a certificate with the same Subject as an existing certificate into the cert store. This makes requesting certificates via an interface which in turn requires a certificate to authenticate a real pain.

      In either case it can be made to work. May be a bit painful and I understand banks which refuse to provide support for anything but IE for this purpose (f.e. because of the aforementioned mozilla cert request sillies). As long as they do not outright deny you the possibility to use something else by using IE only features in the UI I am OK with that. I can sit down once a year on a windows machine to renew the certificate while swearing at Mozilla people for indexing their store based on Subject, not subject+serialNo.

      Overall it can be made to work and it solves 99% of all phishing outright. IMO it is criminal for the banks not to use that. No rocket science involved.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    3. Re:Nothing surprising by Anonymous Coward · · Score: 1, Insightful

      The only reason for US and UK banks not to use it is outright incompetence.

      No, it's not an easy fix, it's a huge hassle. If the client-certificate is going to be on the user's computer, then the user can only bank from one computer. Many people have multiple computers (desktop, laptop, spouse's PC, work PC, etc), will you issue client-certificates for all of these? If you do, you now have a certificate issuing problem. And if the client-certificate is in the browser, then it can be read by rootkits & spyware.

      If you're going to use a token (smartcard or key fob), then you have interoperability problems with different browsers/operating systems for a full ssl client certificate.

      The handheld tokens where you have to type a challenge & get a response don't implement a full ssl client certificate, and are subject to MITM attacks, as was described in the article.

    4. Re:Nothing surprising by Octorian · · Score: 2, Informative

      Client-side certificates work just fine in non-MS browsers and E-Mail clients. The problem, as mentioned in other posts, is in certificate distribution. All these other browsers do support installing client certificates off of websites, but often you'll find a site that insists on some weird ActiveX crap to handle certificate installation. Where I work, this is especially frustrating, as we have a lot of Mac users (including myself). So, we find a Windows machine, go through the process, export the certificates/keys, sneakernet them to our systems, and install them.

    5. Re:Nothing surprising by arivanov · · Score: 1

      No, it's not an easy fix, it's a huge hassle. If the client-certificate is going to be on the user's computer, then the user can only bank from one computer. Export the certificate from the computer. Put the procedure in the help file of the web interface. If you have imported it without export rights first time, rerequest the certificate. Voila. If Bulgarian or Russian banks can do it dunno why a UK or US bank cannot.

      Many people have multiple computers (desktop, laptop, spouse's PC, work PC, etc), will you issue client-certificates for all of these?. Why not? Provided that you require a match of user ID versus a set of allowed certificates in the server in the second stage that is not a problem. This will also allow you to get around Mozilla sillies which keeps certificate store indexed by subject.

      And if the client-certificate is in the browser, then it can be read by rootkits & spyware. That is better than not protecting the handshake at all as it is now. In addition to that the security of the luser is now in the hands of the luser. I as a luser can buy an Aladdin eToken off the web for 40 quid and load the certificate on it. From there on the spyware can go suck rotten eggz because the private key is on the fob and it does not have access to it.

      you're going to use a token (smartcard or key fob), then you have interoperability problems with different browsers/operating systems for a full ssl client certificate. When I see a bank that gives a flying fuck about this I would believe in this as a reason. Further to this, nearly all fobs on the market cleanly interface either into Windows crypto API or in the Linux smartcard interface (dunno about Mac, but I bet that works as well). This is a non-reason.

      The handheld tokens where you have to type a challenge & get a response don't implement a full ssl client certificate, and are subject to MITM attacks, as was described in the article. Correct. They are shite, but that is the shite most self-proclaimed security engineers in the banking industry insist on. Seen that many times. In fact all the time I was trying to explain the idea of client certificates to the cretin mentioned in my original post he kept blablablahing about RSAID tokens.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    6. Re:Nothing surprising by Anonymous Coward · · Score: 0

      one of the cretins who have implemented a well known UK bank Internet banking security subsystem

      Barclays. It was Barclays wasn't it.
    7. Re:Nothing surprising by Anonymous Coward · · Score: 0

      "I have an account with a bank in an ex-eastern European country"

      I am not as much surprised this ex-eastern European country apparently solved the phishing problem, as for the fact this is the first country in living memory which succeeded to leave Eastern Europe for, hopefully, much sunnier parts of the world.

    8. Re:Nothing surprising by weisen · · Score: 1

      > The only reason for US and UK banks not to use it is outright incompetence.

      I'm guessing that you're not American. Banks in the United States are entirely driven by market forces. Until they have a *financial or legal incentive* to implement something, they will not do so. It has nothing to do with incompetence, it has to do with what will and will not make them money. Either a major bank has to be sued and lose a LOT of money (millions, such as implementing a proper security system will cost) or laws have to be passed requiring it. Look for the latter once a Senator is scammed, heavily, and not before.

    9. Re:Nothing surprising by Cerebus · · Score: 1

      I work for one of the largest PKIs in existence, and let me tell you--users don't "get" certificates. You give them these instructions and they're just gonna fsck it up. Royally. And repeatedly. And then hand over the keypair to anyone who asks. Simply put, software keypairs are weakly protected at best. If it's on the HD, it's eventually going to get exfiltrated. Guaranteed. Especially once it's clear to intruders that these keys are useful for getting their hands on real money.

      The only answer is hardware tokens. That's where the real fun begins. If by "cleanly interface" you mean "create a mass of stinking shit" then I'd agree, but if not then you're clearly smoking crack. My PKI also happens to include one of the largest smartcard deployments on the planet. The standards are confusing, the implementations mutually incompatible, Windows does one thing and Mac does something else and Linux something that looks like what the Mac does but not really... Believe me, I've just come off three days of debugging a smartcard library on Linux for use with the cards issued by my PKI and it's not fun; one simple unimplemented call caused a cascade of errors that took forever to track down. And even if you get a card working on all three platforms, the card maker will go and change the stock on you or there's a new OS release and you get to start all over again...

      And that's without even getting into terminal attacks. Don't get me started. Oh, too late. Since the token and the token terminal typically have no user interface of their own, you really have no idea when your token is being used or not. And it's easy to keylog a PIN. So I only have to wait for you to insert the thing and then I get to go to town. Where would you like your signed and non-repudiatable death threat mailed today? And terminals with displays and keypads cost too much to deploy in any quantities, so there's no practical help there...

      Let me put it succinctly: Human-computer interfaces in the security realm in general and PKI in particular suck large bricks through glass pipettes, sideways. That's a phenomenal amount of suckage, in case you can't figure it out. Which is not to say that you can't make it work--you can, but it takes a lot of people a lot of time spending a lot of money, forever, to make it usable.

      --
      -- Cerebus
    10. Re:Nothing surprising by arivanov · · Score: 1
      • I work for one of the largest PKIs in existence, and let me tell you--users don't "get" certificates. Cool. While I do not work on your scale I actually write web systems which use PKI/two factor authentication and some of the CA behind them. Amidst many other things. And as far as users "getting" certificates I agree with you. Every time I do a system that is based on PKI idiotic luser behaviour is the first and foremost problem to take into consideration.
      • You give them these instructions and they're just gonna fsck it up. Users will always do that. They are users after all. Users will repeatedly write their PINs in notepad and put it on the machine in a well titled note for everyone to find, users will choose easily guessable passphrases. Users will... There is nothing you can do about that and if we compare the relatively weak protection offered by certificates with the effectively no protection offered by password schemes I would rather take the certificate protection (even in software) and run.
      • The only answer is hardware tokens. Agree. And you know what, here the fun will really begin when MSFT rolls out Vista if they do not fuck it up. If they use the TPM which they require for it any machine will effectively be a hardware token in itself. Linux already has some support, it will be interesting to watch as it filters down to the userland and distributions.
      • The standards are confusing, the implementations mutually incompatible, Windows does one thing and Mac does something else and Linux something that looks like what the Mac does but not really... I am with you :-) You forgot Java which does a different thing in every release and any crypto code needs to be rewritten when moving to the new latest and greatest and end of the day you end up calling external OS-specific proxies or using JNI if you want it to work.
      • Human-computer interfaces in the security realm in general and PKI in particular suck large bricks through glass pipettes, sideways. I am taking this in my descriptive dictionary. I LIKE IT. Are you a fellow ex-chemist by any chance?

      While I agree with you as far as "bulletproof" gov grade and corp grade PKI is concerned I would like to come back to the original subject of the article. It is Phishing and MIM for Web based banking interfaces. That can be defeated by simple client side certificates stored in software stores with weak protection. Even if John Doe keeps fucking them up royally it is still better than any of the virtual keyboard, selective pin entry or two factor auth scheme on the market. It definitely solves the attack described in the article as well as most phishing attacks out there at the moment.

      While I agree with you that PKI implementations have plenty of rough edges all over the place, they are mature enough and supported enough in all OSes in question for this relatively simple use.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  14. Ways to beat this.. by wfberg · · Score: 2, Insightful

    Let's see

    1) the website is simply at another address, well-educated users will spot the lack of https and the different URL
    2) I have an account at postbank(.nl) which uses a password for logging in, and then additional codes for transactions. The password will only give you read only access.
    3) At this same bank, the transactions are verified by sending you a text-message; not the most secure channel, but the message doesn't just include a "transaction acceptance code", but also the amount of money being transferred. If something is amiss it's spotted easily through this second channel, beyond the phishers' control.
    4) Another bank, abnamro.nl, lists the IP number you were last logged in from on the welcome page.

    I feel that 1) could be attacked by phishers using malware, so that's no guarantee.
    Using the amount of money to be transferred as part of the challenge is trivial and should simply be implemented at first opportunity. One of Citibank's problems is that they're using a token that simply displays a code, rather than a challenge-response system; no way to enhance the challenge.
    Number 3) is also pretty neat. Really, I don't care so much about my bank statements per se that they need to be protected with two-factor authentication (though of course in the US, identity theft might make this more prudent). The ability to check my account without too much rigmarole is very user friendly.
    Number 4) would be neat, but also confusing to many users, especially those behind DHCP.

    Sum conclusion;
    use challenge response, with the amount to be transferred firmly embedded in the challenge, or communicated to the user out-of-bounds.

    --
    SCO employee? Check out the bounty
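The second-channel and challenge-response ideas in this thread (TA's SMS confirmation above, nighty5's "PIN challenge based on dollar amounts", and the conclusion just above) come down to one property: the code the customer produces has to cover the destination and amount, not just the clock. The Python below is an added example, not code from the original post or from any bank; the Token, Bank and Transfer classes, the HMAC construction, the six-digit truncation and the "alice"/"mule-account" values are all constructed for illustration (a shared-secret token, not the public-key USB device proposed elsewhere in the thread).

```python
"""Constructed toy: time-only OTP vs. transaction-bound challenge code under a relay."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order so token and bank MAC exactly the same bytes.
        return f"{self.src}|{self.dst}|{self.amount_cents}".encode()


def _code(secret: bytes, msg: bytes) -> str:
    # HMAC truncated to the six digits a customer can read off a display.
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


@dataclass(frozen=True)
class Token:
    """Hypothetical customer device sharing an HMAC secret with the bank."""
    secret: bytes

    def time_otp(self, slot: int) -> str:
        # Time-only code: it says nothing about what is being authorised.
        return _code(self.secret, str(slot).encode())

    def transaction_code(self, nonce: bytes, transfer: Transfer) -> str:
        # Destination and amount are inside the MAC, so the code only
        # verifies for the transfer the customer actually saw.
        return _code(self.secret, nonce + b"|" + transfer.canonical())


class Bank:
    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}
        self._pending: dict[bytes, tuple[str, Transfer]] = {}

    def enrol(self, user: str) -> Token:
        self._secrets[user] = secrets.token_bytes(32)
        return Token(self._secrets[user])

    # Scheme A: any transfer is accepted on a valid time-only OTP.
    def transfer_with_otp(self, user: str, transfer: Transfer, code: str, slot: int) -> bool:
        return hmac.compare_digest(_code(self._secrets[user], str(slot).encode()), code)

    # Scheme B: the bank challenges the exact transfer it received.
    def issue_challenge(self, user: str, transfer: Transfer) -> bytes:
        # In the SMS variant this nonce reaches the phone together with
        # transfer.dst and transfer.amount_cents, outside the web session.
        nonce = secrets.token_bytes(8)
        self._pending[nonce] = (user, transfer)
        return nonce

    def transfer_with_challenge(self, nonce: bytes, code: str) -> bool:
        entry = self._pending.pop(nonce, None)  # single use: a replay finds nothing
        if entry is None:
            return False
        user, transfer = entry
        expected = _code(self._secrets[user], nonce + b"|" + transfer.canonical())
        return hmac.compare_digest(expected, code)


BANK = Bank()
TOKEN = BANK.enrol("alice")
VICTIM_WANTS = Transfer("alice", "alice-savings", 10_000)    # what the page shows Alice
PHISHER_WANTS = Transfer("alice", "mule-account", 250_000)   # what the relay submits


def relay_against_otp() -> bool:
    """Alice's time-only code, forwarded within its window with the relay's own transfer."""
    slot = 12345
    return BANK.transfer_with_otp("alice", PHISHER_WANTS, TOKEN.time_otp(slot), slot)  # True


def relay_against_bound_code() -> bool:
    """Same relay; Alice's token signs what she saw, the bank checks what it got."""
    nonce = BANK.issue_challenge("alice", PHISHER_WANTS)
    captured = TOKEN.transaction_code(nonce, VICTIM_WANTS)
    first = BANK.transfer_with_challenge(nonce, captured)   # mismatch: rejected
    replay = BANK.transfer_with_challenge(nonce, captured)  # nonce consumed: rejected
    return first or replay  # False


def honest_bound_transfer() -> bool:
    """Untampered path of scheme B: Alice's own transfer still goes through."""
    nonce = BANK.issue_challenge("alice", VICTIM_WANTS)
    return BANK.transfer_with_challenge(nonce, TOKEN.transaction_code(nonce, VICTIM_WANTS))  # True
```

The difference between the two relay functions is the whole argument: with scheme A the relay only has to be fast, with scheme B it would have to make Alice's token sign the mule transfer, which means showing her the mule destination and amount.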
    1. Re:Ways to beat this.. by houghi · · Score: 1

      1) well-educated users won't fall for phishing
      2) Citibank uses the system from vasco.com. So now I need to enter 3 passwords: 1 for the site, 1 for the machine and the number that the machine gives me. None can be the same as my PIN number.
      3) In Belgium sending text messages is not cheap. I will be the one paying for it. No thanks.
      4) At Citibank you also get a popup from your last login. Like I ever looked at it or remembered when I did log in the last time and if this is correct.

      The problem is the man in the middle attack. Look at it this way. You need to urgently transfer money, yet your PC is down. You phone somebody (e.g. your spouse) and tell them what they need to enter.

      You give the pincodes, the numbers the machine gives you and every other detail that is asked on the site. You can "indirectly" transfer the money.

      Now all I need to do is that you give me that information. That is what the man in the middle attack is doing. It makes you give out the information.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Ways to beat this.. by Anonymous Coward · · Score: 0

      3): no, the bank sends the messages, so they'll pay for it.
      Yes I know in the end you will pay for it but:
        a. the bank pays a lot less for the huge amounts they would send
        b. everything costs money, tokens do, (digital) certificates do, etc.

    3. Re:Ways to beat this.. by eltonito · · Score: 1
      1) the website is simply at another address, well-educated users will spot the lack of https and the different URL

      My mother forwarded me a very good phishing attempt that actually used a script that overwrote the data in the address bar. So, when you clicked on the link to the website you usually visit you saw the website you expected and your browser told you you were secure and at the right address, but you were being phished at a third party site. The email was even formatted to look like the typical "your bill is ready to view" email that she receives every month.

      The script only worked with IE on Windows and not with Firefox or Safari, and ironically her bank only supported IE at the time. Surely by now IE has fixed the bug that allowed this to occur, but I can easily see how folks might've been taken by this.

  15. what is your major malfunction? by Anonymous Coward · · Score: 2, Informative

    Customer number + pin, then new code for every transaction. Been using it for years. Can't even log in to the Sampo web-bank without these 3 things. They may grab my account number and pincode as much as they want 'cause they're doing shit with those codes without my every-time-changing code. Welcome to Finland.

    -m10

    1. Re:what is your major malfunction? by azknom · · Score: 2, Informative

      Add to this that you must authenticate every new destination and the phishers will have a really difficult time getting any money. They need to have my authentication device to add their own account and then add a transfer to the ones I do myself without me knowing. I can't see this happening. Sure they can see what I have on my account by sitting in the middle and they can see all I do, but they can not change what I do without my authentication device. I have used this since 1997 here in Sweden and would never trust a simple password to do my banking.

    2. Re:what is your major malfunction? by theelectron · · Score: 1

      I'm not sure what the mobile phone coverage is in Finland, but here in America, it is FAR less than perfect. Too many people wouldn't be able to use this system from their home for many banks to use. It would work well in cities where coverage is good (and where most people live) but too many people live in spotty areas of mobile coverage for the banks to completely switch to this.

  16. Online Banking by ajs318 · · Score: 0

    Just what is the whole big deal with online banking anyway? I've never seen the attraction.

    There are exactly two reasons, and two reasons alone, why I ever visit a bank. One, the rare one, is to pay in some money or a cheque through the hole-in-the-wall machine. The other one, the common one, is to draw out money through the hole-in-the-wall machine. The HITW can also tell my balance; but I generally know how much is in there, give or take a ton. Between transactions, I hardly care how much is in the bank as long as it's more than nothing. I know how much my wages are, I know how much my regular outgoings are and I know how much extra I've been putting in or taking out.

    Unless and until they come out with some software that allows me to scan pound notes with my own scanner and have my bank account credited, and print out pound notes from my own printer and have my account debited, I will have reason to visit the bank. And if said software is not Open Source, then I will still continue to visit the bank.

    --
    Je fume. Tu fumes. Nous fûmes!
    1. Re:Online Banking by Anonymous Coward · · Score: 0

      I used to hold this view but then I only had a current account. Now I have a range of current, joint & savings accounts, various tax free things, various investments, brokerage accounts, multiple credit cards, mortgage etc etc with an assortment of financial institutions.

      Being able to view them or move money between them on a couple of webpages is much more convenient and flexible than using a hole in the wall for each one.

      Especially when it's raining.

    2. Re:Online Banking by HexDoll · · Score: 1
      just what is the whole big deal with online banking anyway?

      There are exactly two reasons, and two reasons alone, why I ever visit a bank. One, the rare one, is to pay in some money or a cheque through the hole-in-the-wall machine. The other one, the common one, is to draw out money through the hole-in-the-wall machine.

      1) Not everyone uses cash, a lot of people pay by card
      2) Some people have multiple bank accounts, they like to have just enough in their day-to-day account and the rest in a higher interest savings account.
      3) People are lazy, why go to the bank when you can do everything you need from home?
    3. Re:Online Banking by TA · · Score: 1

      Well, in addition to the arguments already presented (multiple
      accounts, moving funds between them etc.) it's the simple fact
      that in my country paying bills over the actual counter in the
      bank involves charges so high that it's like robbery. The only
      practical way is to use online banking.

    4. Re:Online Banking by ajs318 · · Score: 1

      I have a mortgage. No savings account on Earth is ever going to pay me more interest than I'm paying out on my mortgage, because that's how all banks make their money in the first place: by charging borrowers more interest than they pay out to investors. I see no point in having "savings" while I have an outstanding loan hanging over my head: it will only work out more expensive in the long run. If I have spare money, I just make a repayment against my mortgage. If I needed extra money, beyond my overdraft facility, I could just add it on to my mortgage; so far, touch wood, I haven't had to.

      --
      Je fume. Tu fumes. Nous fûmes!
    5. Re:Online Banking by aslate · · Score: 1

      > Just what is the whole big deal with online banking anyway? I've never seen the attraction.

      Well, i have 3 accounts at the moment with one bank, and one with another. With online banking at Nationwide i'm able to transfer money instantly between the three accounts (One savings, current and an online saver account i'm trying out). I can see how much money i've got and what's gone through the account without waiting for a statement or bothering to go to an ATM or wait in line at the bank.

      With the Natwest account i have a debit card (Can't obtain one on the others till i'm 18), so i use online banking to transfer money to that account, to check whether purchases have gone through and what's left in the account.

      The biggest advantage i've found with online banking? I can open, upgrade and modify my accounts online. Since i've signed in with my details (Which i've remembered, don't have saved as cookies etc. and i check i'm at the right page), they know it's me and i can do what i want. I recently upgraded an account to a student account and will adjust that to a student account with credit card when i'm 18, all online. The last time i tried opening an account instore was a bastard. They didn't accept provisional licences, i didn't have post in my name acceptable as proof of address (I don't get utility bills) and there's long queues. Now i can do it all online since i've already verified who i am.

    6. Re:Online Banking by Anonymous Coward · · Score: 0

      Isn't charging individuals for banking transactions illegal, under the same laws that forbid protection rackets?

    7. Re:Online Banking by Anonymous Coward · · Score: 0

      > Just what is the whole big deal with online banking anyway? I've never seen the attraction.

      Do you ever pay bills (cable/satellite/phone/credit card/mortgage etc)? Do you take an actual cheque, fill it in, put it in an envelope, put on a stamp, and go put it in a mailbox? Or would you rather log on to a website and take care of it immediately whenever you like for no transaction cost? Even at 3am sitting in your underwear (pants as you call them)?

      Most banks let you download your transactions into personal finance software, which lets you track and quantify all of your purchases. You could keep all your paper statements, but can you tell me how much you spent on restaurants last year? It's very handy for budgeting.

      Do you have multiple accounts (chequing/savings/investing)? Want to instantly move money between them to cover the large cheque you wrote? Want to transfer money to your child away at university?

      Or would you rather get out of your comfy chair, go to the bank, and wait in line?

    8. Re:Online Banking by TA · · Score: 1

      > Isn't charging individuals for banking transactions illegal, under the same laws that forbid protection rackets?

      That depends on the country, I guess. Certainly the transaction fees are so high in my country that you feel like you're paying the bank in order to get access to your own money, when certainly it should be the other way around.

    9. Re:Online Banking by Anonymous Coward · · Score: 0

      Well there are "offset mortgages" for that, which merge your current account and your mortgage into one account, but they are fairly new and unproven. On the other hand I have seen mortgages offered for less than 5 percent and savings accounts offered for more than 5 percent at the same time (conditions apply. The mortgage is only for two years at the cheap rate after which you would have the hassle of switching it. The savings account has some exposure to bonds etc.)
      Also, if you wanted to gamble on exchange rates I am sure it would be easy to find a savings account "on earth" that was a better rate than your mortgage.

    10. Re:Online Banking by seebs · · Score: 1

      If you mess up your timing, or a check to you bounces, it can suddenly become very interesting to be able to immediately check the exact balance in your account, go pick up images of cleared checks, and so on.

      Yes, I have reasons to visit the bank; many of them have gone away now.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  17. A good time by Konster · · Score: 0

    This would be a good time...and application for live Linux CD's or (insert OS here). The OS itself would run live from a CD-ROM, and include a set of auth controls between itself and the bank all on its own, well before the browser or web certs are needed.

  18. 2006 compliance by Anonymous Coward · · Score: 0

    Citibank just recently started offering Digipass tokens to its business customers and I believe may have extended the program to all of its online banking customers to meet 2006 compliance. 2 factor authentication seems to be more prevalent in Europe as US banks have been slow to add this measure of security, which is why the FFIEC issued a mandatory compliance. Now with a deadline looming, US banks, especially those using tokens as their 2 factor method like E*Trade and Citibank, may be sent back to the drawing board. Although no method is foolproof, bad publicity alone may make these banks add further measures to ensure online security.

  19. Bank sites should use CAPTCHA by woodengod · · Score: 0

    Of course phishers can use real men in the middle to read the captchas, but that would make their job lots more difficult.

    1. Re:Bank sites should use CAPTCHA by pontifier · · Score: 1

      In a realtime attack, the phisher could make you read it for them.

      --
      -John Fenley
  20. The problem is in the approach itself. by Parandor · · Score: 5, Insightful

    Why is online banking allowing you to create new billing accounts online? Why can you make a transfer to a new, unlisted, account online? Answer: Banks want to save money.

    Most people almost never create new billing and transfer "destinations". We could afford to go in person once or twice a year to do this. The very few who need these options are usually knowledgeable about security issues. Even if they are not, the fact that there are so few of them is a protection in itself. Remove these options from online banking and even a "phished" account will be of limited use to the phisher since the only thing he can do with it is pay your bills.

    This solution was actually implemented in the beginning of online banking. The idea of pushing "new" features with no regard to their actual impact is almost like a disease in the current corporate world.

    1. Re:The problem is in the approach itself. by patches · · Score: 1

      I agree. Like at my bank, I can set it up so that I can transfer money from my account to yours online, however before I can actually do that, I have to fill out a form saying so much that I want to link my account to yours, and then sign it and take it into the bank.

      So it will take a few days before a new account can get any money from my account. Seems like an ok deal to me...

      And it seems to work, like when I was going through my divorce, the ex wanted to be able to transfer money from my account to her new personal one, and even though she was on the account as well, I had to sign the form....

      --
      The worst part of being atheist.... You don't have anyone to talk to during orgasm!
    2. Re:The problem is in the approach itself. by Anonymous Coward · · Score: 0

      I create new "destinations" all the time. I often buy things online (from trusted sources) and send a check as payment. Sending a check online and having citibank pay the postage is a whole lot easier than going to the bank after work, or filling out checks and mailing them myself.

  21. ... and bad reporting to boot by Potor · · Score: 1
    fta:
    > I forgot to mention that while this phishing site was active late last week and during the weekend, it has since been shut down.
    Unbelievable!
    1. Re:... and bad reporting to boot by Anonymous Coward · · Score: 0

      So it's been shut down. What's relevant is that it's possible, and where there's one there'll be more.

  22. Depends on the user... by ndg123 · · Score: 2, Interesting

    Actually quite a few people use this for personal transfers in the UK. For example if I go for a weekend trip with some old college friends who now live in different parts of the country, I may book all the flights or hotel rooms. Setting up a transfer direct to their personal accounts is quite useful and quick, compared to cash or cheques. My online banking used to take a couple of days to set up these arrangements, and now it's immediate. I think this is rather dangerous.

  23. Liability and fixing the problem by Ritz_Just_Ritz · · Score: 1

    I suspect that we're only going to see some serious efforts to fix/curb this problem once the banks become 100% liable for monetary losses due to fraud. For the moment, their attempts to "fix" things are more of a PR exercise (for consumer's benefit and regulator's benefit) than an actual solution to the problem.

    At some point, the naughty people have to pick up the money. There needs to be more international coordination for prevention of bank fraud so that these criminals can't hang out in countries with corrupt banking/regulatory/political systems and siphon accounts of citizens from around the world.

    1. Re:Liability and fixing the problem by sharp-bang · · Score: 1

      The regulatory action in the USA to encourage banks to improve authentication is an attempt to short-circuit the possibility of a major shift in liability, which could have a lot of unintended consequences for both banks and consumers.

      --
      #!
  24. Easy fixes to make it a bit harder by Anonymous Coward · · Score: 0

    Companies can easily increase the difficulty of a successful man-in-the-middle attack with a single One Time Password, by simply asking for 2. Some places already do this. Basically, you are required to use a single generated one time password to log in to the site, and then when you are ready to complete a transaction, it requires you to enter a second, completely different one time password generated from the same device. This is the total fix, but it is an easy way to make this type of attack much harder, asking for a single password, ok human error, asking for 2...that should raise some flags.

  25. The dutch "postbank" bank does this by SmallFurryCreature · · Score: 1
    Login is the usual user/password combo, nothing special but if you want to transfer money the final step is that they send a code to your mobile phone via an SMS message. The code then has to be entered for the transaction to be processed.

    You can change your mobile phone easily enough, just change it in the settings but that also requires an SMS message with a code. So as long as you got your phone you are safe.

    If you lose your phone you will have to disable your account and you will be sent by mail a new set of login details.

    It seems fairly secure, it would be hard to imagine how to phish it. The only thing that could possibly be done is that they try to get you to change your mobile phone number to one they control.

    But this attack isn't that sophisticated. It still requires people not to check the bloody url. First rule of online banking. ALWAYS handtype the url. Second rule of online banking, see the first rule.

    For the postbank that is mijn.postbank.nl not that hard to type and unless someone hacked the mainsite likely to be secure (provided your browser/os/isp ain't been hacked).

    Fuck this, I am going to keep my fortune in an old sock.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  26. Get a certificate - free by Colin+Smith · · Score: 1

    Bollocks.

    The problem with email at the moment is that forging From: fields is trivial, anyone who knows the first thing about SMTP can do it in 5 seconds and this means that an email can appear to come from any source the actual sender wants. I can send an email to anyone and make it appear as if it's from any bank in the world.

    With a signed email, if the sender(bank) email address in the From: field doesn't match the certificate then you know it's not from the real sender(bank). It's perfectly possible and indeed simple for the client to automatically check that a signed email is from who it says it's from. That's the whole point of digital signatures. It could then display a nice happy face for valid emails and an unhappy one for invalid or neutral for unsigned ones.

    And certificates should be easy to obtain. Everyone should have one. Go get one now, they're free! It isn't whether you have a certificate or not that matters it's that you are who you say you are that matters and that's what certificate authorities do for you. It's then up to users to check that the From address shows user@barclays.co.uk rather than user@barlcays.co.uk but at least they'll now be able to check.

    You can get free certificates which can be installed in your s/mime compliant email client.

    http://www.thawte.com/secure-email/personal-email-certificates/
    http://www.cacert.org/
    http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

    More info here.
    http://en.wikipedia.org/wiki/S/MIME

    --
    Deleted
  27. Matrix card by Tarrio · · Score: 3, Insightful

    My bank uses a two-factor authentication system, the second factor being a card with a 10x10 matrix of double-digit numbers. When you login, the website asks you for your username, PIN and the number which appears in certain coordinates in the matrix card.

    It used to ask you for it in the login page itself. Nowadays you need to have a mobile phone number associated with your account; when you try to login, the coordinates are sent to you by SMS. In that way, even if a phisher gets your username, PIN and full matrix, they cannot login because they don't know what coordinate is asked to you (and you receive the unsolicited SMS, so you can alert the bank). They would have to steal your cellphone too.

    Ah, and you have to enter those numbers using an on-screen keypad which moves around randomly after you click on each number, so keyloggers are now useless too.

    1. Re:Matrix card by pontifier · · Score: 1

      Anything you tell a phisher, they can tell the bank.
      They don't need your card, your phone, or the coordinates. All they need is for you to tell them, what you would tell the bank. These are real time attacks.

      --
      -John Fenley
  28. Both tokens were passive by accident · · Score: 2, Informative
    This is what's possible when both tokens are "passive" - that is they play no part in the negotiation and are one way (even if valid for a short time).

    What is needed is for one of the tokens to be "active" in the negotiation. Anything that can perform a unique challenge-response will fix the MITM attack.

    As others have stated, client side ssl certificates, hardware tokens with key-pads, smart cards, trusted-computing would suffice.
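    The passive/active distinction above, together with the two-code login and the per-transfer SMS code described in the posts before it, as an added simulation written for this thread (not any bank's real protocol): a time-based code is accepted from whoever relays it within the minute, while a response computed over the bank's nonce and the transfer details fails when the relayed transfer differs from what the user's device signed. The shared secret, account names and amounts are all constructed.

```python
import hmac
import hashlib
import secrets

# Constructed shared secret provisioned into the user's token; not a real value.
SECRET = b"constructed-shared-secret-for-the-example"


def passive_code(secret: bytes, now: int, step: int = 60) -> str:
    """One-minute time-based code, modelled on the kind of token in the story.

    The code depends on the secret and the clock only.  Nothing about the
    session or the transfer is mixed in, so a code typed into a phishing
    page is valid for whoever submits it within the same minute."""
    counter = (now // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"


def active_response(secret: bytes, nonce: bytes, dest: str, amount: int) -> str:
    """Challenge-response: the device signs the bank's nonce together with the
    destination and amount the user keys into (or reads off) the device itself,
    not what the web page in front of them claims."""
    msg = nonce + dest.encode() + amount.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Toy back end holding the token secret and the outstanding challenges."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.pending: dict = {}

    def transfer_passive(self, code: str, dest: str, amount: int, now: int) -> bool:
        # dest and amount play no part in what the code proves
        return hmac.compare_digest(code, passive_code(self.secret, now))

    def challenge(self, dest: str, amount: int) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (dest, amount)  # nonce bound to this exact transfer
        return nonce

    def transfer_active(self, nonce: bytes, response: str) -> bool:
        dest, amount = self.pending.pop(nonce)  # single use
        expected = active_response(self.secret, nonce, dest, amount)
        return hmac.compare_digest(response, expected)


def relay_passive_attack(now: int) -> bool:
    """Victim reads the current code into the phishing page; the relay submits
    it against a transfer the victim never saw.  Returns True: accepted."""
    bank = Bank(SECRET)
    code_from_victim = passive_code(SECRET, now)
    return bank.transfer_passive(code_from_victim, "ATTACKER-ACCT", 5000, now)


def relay_active_attack() -> bool:
    """The relay asks the bank to pay its own account and forwards the bank's
    nonce to the victim.  The victim's device signs the transfer the victim
    actually intends, so the response does not match.  Returns False."""
    bank = Bank(SECRET)
    nonce = bank.challenge("ATTACKER-ACCT", 5000)
    response_from_victim = active_response(SECRET, nonce, "LANDLORD-ACCT", 500)
    return bank.transfer_active(nonce, response_from_victim)


def honest_active() -> bool:
    """Same exchange with no relay in the path.  Returns True."""
    bank = Bank(SECRET)
    nonce = bank.challenge("LANDLORD-ACCT", 500)
    response = active_response(SECRET, nonce, "LANDLORD-ACCT", 500)
    return bank.transfer_active(nonce, response)
```

    The binding only helps when the device learns the destination and amount through a channel the relay cannot rewrite (its own keypad, or an SMS that spells out the transfer), which is exactly the part the posts above describe.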

  29. One Fix - Note for Firefox Developers by fdiskne1 · · Score: 4, Interesting

    I know this won't fix all problems with phishing emails, but it should fix one factor of it. Could those who contribute their programming skills to Firefox make it so the actual domain of the site you are at is highlighted? This means that if you are at a site

    http://citibusinessonline.da.us.citibank.com.tufel-club.ru/sahdlhasal

    Firefox would display it as:

    http://citibusinessonline.da.us.citibank.com. tufel-club.ru /sahdlhasal

    I know some victims refuse to think about it at all and refuse to even look at the URL but this would give them one more tool to use to possibly see it is a scam.

    --
    But why is the rum gone?
    1. Re:One Fix - Note for Firefox Developers by alphamerik · · Score: 1

      This sounds like a nifty feature, but one of those things that would never be implemented. One of the wonderful things about Firefox extensions is that you only need to know a little Javascript. If you don't have any programming skills it might be best to approach an online community like Cambrian House or Experts Exchange.

    2. Re:One Fix - Note for Firefox Developers by fabu10u$ · · Score: 1

      The other thing they should do is change the algorithm for truncating a URL that is too long to fit in the address bar. Instead of

      [http://citibusinessonline.da.us.citibank.com.t]

      it should read

      [http://...itibank.com.tufel-club.ru/sahdlhasal]

      --
      They say the mind is the first thing to ... uh, what's that saying again?
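      Both display rules asked for in this thread (marking the registrable domain in the address, and truncating from the left so that domain stays visible), as an added example written for the thread, not code from Firefox or from the posters. It assumes a tiny hand-made stand-in for the Public Suffix List, so only the suffixes listed in it are recognised; the URLs are the ones quoted above plus constructed ones.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: a host's registrable
# (owner-controlled) domain is the label immediately before one of these.
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "nl", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of host, e.g. 'tufel-club.ru' for
    'citibusinessonline.da.us.citibank.com.tufel-club.ru'.  Everything to the
    left of it is a subdomain the owner can set to anything, including the
    name of a bank."""
    labels = host.lower().rstrip(".").split(".")
    # walk from the longest candidate suffix to the shortest
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()  # unknown suffix or bare name: show it all


def highlight_host(url: str) -> str:
    """Bracket the registrable domain; the rest of the host is decoration.
    urlsplit().hostname drops any user@ prefix, so 'citibank.com@evil.ru'
    is shown as evil.ru rather than as a Citibank address."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    dom = registrable_domain(host)
    prefix = host[: len(host) - len(dom)]
    return f"{parts.scheme}://{prefix}[{dom}]{parts.path}"


def truncate_keep_domain(url: str, width: int) -> str:
    """Fit url into width characters by cutting the left of the host, so the
    registrable domain and the start of the path survive instead of the
    decoy subdomains.  If the domain plus path still do not fit, the domain
    is kept whole and the path is cut on the right."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    head = parts.scheme + "://"
    full = head + host + parts.path
    if len(full) <= width:
        return full
    ellipsis = head + "..."
    budget = width - len(ellipsis)
    hostpath = host + parts.path
    dom_start = len(host) - len(registrable_domain(host))
    if len(hostpath) - dom_start <= budget:
        return ellipsis + hostpath[len(hostpath) - budget:]
    return ellipsis + hostpath[dom_start:dom_start + budget]


if __name__ == "__main__":
    spoof = "http://citibusinessonline.da.us.citibank.com.tufel-club.ru/sahdlhasal"
    print(highlight_host(spoof))
    print(truncate_keep_domain(spoof, 46))
```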
    3. Re:One Fix - Note for Firefox Developers by IdolizingStewie · · Score: 1

      Kinda like Spoofstick? Admittedly Spoofstick does it in big colored text beside the address bar, but that's not as scary, right? Although it is highly irritating that this updated version for Firefox 1.5 is not available from the Firefox extensions page.

    4. Re:One Fix - Note for Firefox Developers by achurch · · Score: 1

      That only works if the location bar is visible. Believe it or not, some people hide the location bar. I wouldn't have believed it myself until I went over to my boss' Linux box and tried to call up Google on Firefox--only to discover that the location bar was missing (well, shrunk using that weird thing on the left that turns sideways when you click it). I don't know if he did that deliberately or if it's just the RedHat default, but there you go.

  30. What about users on vacation by Jeff1946 · · Score: 1

    I think many users would want a system that would work from most any computer. For example, home, work, parents' house, etc. Couldn't the bank check the path of the packets it receives for suspect routing paths or maybe even unusual delays? It also could require you to confirm by email any unusual request.

  31. Phishing Idea by Anonymous Coward · · Score: 0

    I have a fantastic idea for a phishing attack. Use an IE hole to overwrite a target computer's hosts file. Then when they visit their bank, IE will go to your phishing site instead and the user won't even know they are not at their bank. Your computer is of course performing a man in the middle attack. To top it off the original IE hole that was used to overwrite the hosts file could also be used to install the fake security certificates on the victim's computer. No phony emails ... just sit back and wait for them to log into their internet banking!

  32. Any truly secure US banks? by cmason · · Score: 1
    I see folks from Scandinavia posting here about their banks offering security measures that far exceed what a typical US bank would provide. Are there any US banks that have more extensive security procedures than just a four to six digit pin? Like two factor, or email signing or what have you?

    -c

    --
    "If you are an idealist it doesn't matter what you do or what goes on around you, because it isn't real anyway."-R.P.W.
    1. Re:Any truly secure US banks? by curtvdh · · Score: 1

      Well, Bank of America uses a Sitekey. Basically, if it recognizes the ip address of the requestor, it displays a previously chosen image, along with instructions to enter your password only if you recognize the image. If the ip address is not in BoA's database, you will be asked a set of challenge/response questions to establish your identity.

      Obviously, a clever coder could still initiate a MITM attack on this authentication system, but it will be a lot of work. BoA also has a security team spread over the country - as soon as one member of the team reports a suspicious e-mail, the ip address of the suspect website is immediately blocked and investigated.

      I think they could still do more - right now the Sitekey image is displayed at a fixed position on the screen. It should be displayed at a random position along with a randomly generated IMG tag, making it harder to scrape. As far as the challenge response goes, if the BoA servers notice a number of requests (say, more than 3) from the same ip within a short period of time, that ip should also be blocked and investigated.

    2. Re:Any truly secure US banks? by flyingfsck · · Score: 0

      All you need is a bank that doesn't allow random destinations for money transfers. TD Bank (Canada) only allows transfers to corporations that registered with them. So all an imposter can do on my account, is pay my bills for me.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    3. Re:Any truly secure US banks? by mla_anderson · · Score: 1

      My bank has gone to a "registered" computer (seems to be a cookie), a login name, a user specific greeting, a user chosen image and a reasonable strength password (>=8 chars, must include both alpha and numeric). My insurance company moved to a login name and a decent password (>= 6 chars).

      In contrast my 401K plan, arguably the most important for the future, uses my SS and a four character password.

      --
      Sig is on vacation
  33. I dunno about you guys by bberens · · Score: 1

    but I already have a physical token from my bank. We call it a debit card. Mine was recently compromised and had a $600 charge on it. As long as there is money, there will be thieves. People are stupid/lazy/complacent and thieves will always overcome those minor hurdles.

    --
    Check out my lame java blog at www.javachopshop.com
  34. I've said it once.... by Temujin_12 · · Score: 4, Insightful

    ...and I'll keep on saying it.

    If email encryption and certificates were a *STANDARD* feature by the major email clients (desktop and web based), then institutions could set a blanket policy that any email communication from them to their clients/customers must be encrypted and/or contain a digital certificate. Even better, these certificates could contain usage policies so that email clients could automatically filter/delete messages w/o the proper certificate or that don't follow stated policies.

    The trick is that the user needs to be abstracted away from the encryption/signing process so that they understand the basics of what encryption/certificates are but can use them with just a click or two.

    A good example of taking security technologies and providing them to the user in a well abstracted form is TLS under HTTPS. IMHO, phishing would be drastically reduced if email encryption/certificates, along with usage policies, were as common and supported as TLS under HTTPS is today.

    [Pre-rebuttal]I am not saying that this will solve ALL phishing scams. I'm just saying that there are technologies out there that, if commonly supported and integrated into email clients/services, would greatly increase the difficulty of pulling off a phishing scam.[/Pre-rebuttal]

    --
    Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
    1. Re:I've said it once.... by Anonymous Coward · · Score: 0

      > ...and I'll keep on saying it.
      >
      > If email encryption and certificates were a *STANDARD* feature by the major email clients (desktop and web based),

      Well, they seem to have listened to you. I don't use webmail, but email encryption and certificates have been a standard part of the major email clients (outlook, outlook express, etc) for years.

      Almost nobody uses certificates - inertia I presume.

      > The trick is that the user needs to be abstracted away from the encryption/signing process so that they understand the basics

      And there's the real problem. If you make something idiot-proof, evolution will make a better idiot.

    2. Re:I've said it once.... by Anonymous Coward · · Score: 0
      Ow, c'mon!! Do you really think...

      "[Pre-rebuttal]I am not saying that this will solve ALL phishing scams. I'm just saying that there are technologies out there that, if commonly supported and integrated into email clients/services, would greatly increase the difficulty of pulling off a phishing scam.[/Pre-rebuttal]"

      Oh. Damn you Temujin {shaking fist}! I'll get you next time!!!

  35. The bank needs to change money transfers maybe? by Xanius · · Score: 1

    The thing about Phishing scams and such is that, for me at least, you can't transfer money out of my bank account via the internet. You can go from one account to another that's in my name and attached to the others, but you have to actually go to the bank or write a check, both of which they can't do, to take large amounts out.

  36. Easy way to defeat this ... by infradead · · Score: 1

    ... The bank's customers should pass a spelling and grammar test before their account is opened. Then they wouldn't get spoofed by people using words like "unsuccessfull" and "att empt" and "Ip address". :-P

    1. Re:Easy way to defeat this ... by AntEater · · Score: 1

      "The bank's customers should pass a spelling and grammar test before their account is opened. Then they wouldn't get spoofed by people using words like "unsuccessfull" and "att empt" and "Ip address". :-P"

      Why would the banks want to exclude Slashdot editors as their customers?

      --
      Alex, I'll take keybindings not used by Emacs for $400....
  37. My bank by J0nne · · Score: 2, Informative

    My bank requires you to install some java software + some keys in your C:\ or /home/ before you can use online banking (and it's protected by a password).

    It's a bit complicated to set up (especially in Linux, although the instructions were good enough to figure it out), but I don't see how phishing would work with this system. An attacker would have to trick the user into sending the 3 files with keys + entering his password.

    You could get what you need easily with a trojan and keylogger, of course (well, good luck tricking me into installing a trojan on Ubuntu), but sending e-mails with 'please enter your password' won't do a lot for a phisher. Besides, I don't even think my bank has my e-mail address, and I would find it very suspicious if I ever received an e-mail from them.

    Phishing works because some banks apparently set up their online banking systems in the same way as slashdot, with just a username and password. That's fine for unimportant stuff, but when handling money, a login/password just won't cut it.

  38. Don't Click the Links! by bigtimepie · · Score: 1

    How about if you get an email from your bank asking you to log in and supply personal information (or whatever the case may be) you just open up Firefox yourself and actually go to your bank's official website?

    I'd rather put the extra 5 seconds to securing my funds than just trust that my emails are from safe sources and lose it all.

    But that seems too simple, doesn't it?

  39. Do you assume you can trust the terminal? by Distan · · Score: 3, Interesting

    A primary reason for the difference between US security standards and European security standards is the compute environment, and hence, the assumption of trust given to the terminal.

    In the US, most users are accessing their accounts from their work or home computers. Although keyloggers may be present on these machines, it isn't very common yet. In northern Europe, the use of internet terminals in cafes or kiosks is much more common. On these machines, it is likely that keyloggers will be present, so it is conservative to assume that everything the user does will be logged by someone.

    This assumption (everything the user does is logged) drives the need to require access to some thing (PIN grid, token generator, etc) that is needed in addition to the normal username and password. The higher level of justified paranoia drives a higher perception of security requirements.

    One tremendous downside to this: loss of one of the best features of online banking - ease of use and portability. I personally have about ten online accounts with different banks, and I use all those accounts frequently. Everything I need to know to manage my personal finances is carried in my head, and I can access my accounts from any computer anywhere in the world with nothing more than the knowledge I possess. Having to carry any sort of physical object to access my accounts would be a tremendous loss, one that would probably drive me to seek another bank, or a bank in another country, to avoid.

  40. One thing Bank of America does..... by Anonymous Coward · · Score: 1, Informative

    is use pictures. You login to the site using a username which takes you to another page. They then present you with a picture you chose when you opened up the account, you can even upload a picture I believe. If you recognize the picture you chose then you know you are on the correct site and can put in your password safely. If you go to a malicious site they are not going to be able to present the correct picture. There is no way a man in the middle attack can succeed unless the user just forgets to check for the picture and puts in their username/password anyway. It is the first thing I look for though, yep there is the picture I know I am on a Bank of America server.

    - Jeremy

    1. Re:One thing Bank of America does..... by Anonymous Coward · · Score: 0

      I thought that was good at first too. Then I realized how easy man in the middle still is. E-mail link takes you to fake site where you put in your username. Phisher sends username to BoA, and gets correct picture back, then displays and asks for your password.

      The only thing that will work is users not being stupid. Don't click the links, open up a new window.

    2. Re:One thing Bank of America does..... by ecampbel · · Score: 1

      This won't work. The picture is only displayed if your browser contains the correct cookies. The first time you visit BofA, the site asks for your user name, password, and some other personal details. Subsequent visits first ask for your user id and then your password. If you visited a phisher, the site couldn't send the correct cookies to BofA, so it would have to ask you for the personal details before retrieving your picture. At that point, a user should know something is up and discontinue logging in.

      --

      Sig goes here
  41. I create new billing destinations all the time by swb · · Score: 1

    I resist writing paper checks as much as possible and I seem to create a new billing destination for online bill pay, probably one per month, sometimes more, sometimes less, but easily 12 per year. Some are changes -- our pediatrician changed billing systems and changed the billing account and address -- but some are new, almost single use payments for magazine subscriptions and other stuff.

  42. Banks should detect this by Anonymous Coward · · Score: 0

    Seems to me that the bank should detect multiple logins + bank transfers from the same ip address. They need some of that pattern detection software! Oops, that might uncover illegal activities and we don't want that now !)

    MK

    1. Re:Banks should detect this by Anonymous Coward · · Score: 0

      Most of them already do this.

  43. But that's somewhat unfortunate by grahamsz · · Score: 1

    I'm in the same boat, I have to specifically call the bank and request that other accounts be added, and even then I can only transfer money within their organization.

    However, I'd love to have the ability to do transfers and intl wires from my account like some of my friends in europe can. The fact that many internet banking systems in the US are crippled isn't exactly security.

    1. Re:But that's somewhat unfortunate by kurzweilfreak · · Score: 2, Interesting
      What about online bill paying? If you were a phisher you could break into someone's account and set yourself up as a vendor to be paid, get the check, cash it, and then delete yourself and your info out of the online bill payment section. Yeah, it leaves a pretty bad paper trail, but it's still doable.

      Something similar happened to the company I work for a few years back, except it was done by an inside employee from the bank who found a flaw in their online system. All current accounts (without informing any of the account holders) the bank had were given a username and the same default password when their online access system was set up. By getting a list of all the usernames, it was no problem for them to log in, set themselves up as vendors to be paid, and then have a check mailed to them from the bank automatically. They were caught when trying to cash the check and a suspicious bank clerk called for confirmation before cashing the check.

      --

      kurzweil_freak

      5th Kyu Genbukan Ninpo/KJJR student

      Be the darkness that allows the light to shine.

    2. Re:But that's somewhat unfortunate by grahamsz · · Score: 1

      The way to do it would be for a phisher to gain access to some people's ATM accounts.

      They could then hack your account, and use your online billpay to transfer $300 a time to dozens of different ATM accounts. They could then use cloned cards/stolen pins to pull the cash out.

      The ATM account holders wouldn't immediately notice since they wouldn't be missing any money and the billpay paper trail wouldn't point to the real culprit.

  44. that defeats some of the point... by YesIAmAScript · · Score: 1

    If you require client-side certificates, you can't bank from any machine you want, only from a particular machine. Because in order to prevent man-in-the-middle attacks, your client certificate has to have the IP address of your machine in it.

    Actually, if your provider doesn't even assign static IPs, you can't really use client certificates at all.

    For me, the major takeaway from this is that a fool and his money are soon parted, no matter how much technology you try to use to prevent it. Or, another way, nothing is fool-proof because fools are so ingenious.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:that defeats some of the point... by arivanov · · Score: 1

      Actually, if your provider doesn't even assign static IPs, you can't really use client certificates at all.

      Bollocks.

      I am saying this not just as someone who uses one such system, but as someone who has implemented 3 such systems and is in the process of writing a fourth one in my day job at the moment. I actually do this for a living (besides other things).

      You are mistaking the specific convention introduced by Netscape with SSLv2 for web server certificates as an absolute and valid rule for all certificates. Only in web server certificates does the CN have to be the Fully Qualified Domain Name.

      Certificates used for authentication do not need to obey that rule. In fact, your Subject and CN can be any set of random data that makes sense only to your application and nothing else.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  45. Catching domain name spoofers... by nodrogluap · · Score: 1

    Why don't the banks use their own DNS servers to automatically check for new domains registered with "citibank" etc. in their name? That way you can detect many possible phishing schemes that try to look "authentic" even before they are necessarily active? It'd at the very least narrow the window of time for phishers to populate a DNS record, let it propagate, then release their attack...

    1. Re:Catching domain name spoofers... by Anonymous Coward · · Score: 0

      There are many services available for banks to do this (e.g. Netcraft) and many do.

  46. Postbank by Captain_Chaos · · Score: 2, Interesting

    I like how the Postbank does it here in the Netherlands. For every transaction (which may include multiple transfers) they SMS you a random number which you have to enter in the site to validate the transaction. They send the SMS to a phone which they previously determined belongs to you (you don't enter the number on the spot or something like that). A phisher might hack your Postbank account, but they won't be able to impersonate you since the security number (and the total amount of money involved in the transaction) is sent to your cell phone which they can't get at (and which alerts you to the fact that your account has been hacked).

    In the past (actually it's still possible for people who don't have a cell phone or don't want to use this system) the number wasn't sent as an SMS, but was on a long list of numbers they would mail you (the list was printed and sealed by a machine, no humans would see it before you). This was a nuisance because I kept losing the list and it was a hassle to use, but this new system is quite convenient in my opinion. I always have my cell phone with me, so I can do my banking from any location.

    1. Re:Postbank by pontifier · · Score: 1

      If you log into a phishing website, what is to stop the phishing website from replaying your actions to the bank, to have the bank send you the SMS, that the phisher then steals from you, to break into your account?

      --
      -John Fenley
    2. Re:Postbank by Captain_Chaos · · Score: 1

      If you log into a phishing website, what is to stop the phishing website from replaying your actions to the bank, to have the bank send you the SMS, that the phisher then steals from you, to break into your account?

      I guess that's possible, in theory. It would have to be an extremely elaborate and convincing phishing site though. You can't "break into an account" using the SMS, since all the SMS does is validate one transaction. I guess a phishing site could try to steal my money by replaying my actions to the bank, but altering the target bank account numbers of the transfers I enter (but not the amount, since the SMS includes the total amount and the number of transfers so that still has to be what I expect it to be). That would involve recreating (convincingly) the entire Postbank online banking site though, not just a login page.

      I don't think it would be worth the effort for a phisher, since it would be a huge amount of work to recreate the entire Postbank site (they can't just show me the actual pages from the bank, since those would list the actual recipients of the transfers), for relatively small gains (since they could only steal as much as I happen to be transferring).

      And of course, before any of this would be possible they would first have to steal my account, and the Postbank has pretty good (but conventional) security, and they're good about educating their clients about phishing (by never having links to the bank in their emails, for instance).
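A model of the SMS confirmation step discussed in this thread, as an added example (the real Postbank message format is not known here and is assumed): it shows why the text the bank sends has to cover the recipient accounts, not only the total and the count, for the user to notice a relay site that swapped a destination account.

```python
"""Transaction-confirmation model (added example, assumed format). The bank
ties a random code to the batch it received and texts it with a summary; the
user types the code back only if the summary matches what they intended."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    to_account: str
    amount_cents: int


def summary_total_only(batch):
    """What the comment describes: total amount and number of transfers."""
    return {"count": len(batch), "total": sum(t.amount_cents for t in batch)}


def summary_with_recipients(batch):
    """Stronger binding: also list each destination account with its amount."""
    summary = summary_total_only(batch)
    summary["items"] = tuple((t.to_account, t.amount_cents) for t in batch)
    return summary


def bank_issue_sms(received_batch, summarize):
    """Bank side: a fresh one-time code bound to the batch it actually got."""
    code = f"{secrets.randbelow(10**6):06d}"  # constructed 6-digit code
    return {"code": code, **summarize(received_batch)}


def user_confirms(intended_batch, sms, summarize):
    """User side: return the code to type back, or None if the SMS does not
    match the transfers the user meant to make."""
    expected = summarize(intended_batch)
    if all(sms[key] == expected[key] for key in expected):
        return sms["code"]
    return None


def relay_swaps_recipient(batch, mule_account):
    """A site relaying traffic between user and bank rewrites one destination
    account but leaves every amount alone, so total and count are unchanged."""
    first, *rest = batch
    return [Transfer(mule_account, first.amount_cents), *rest]


def user_is_fooled(summarize):
    """True if the user would confirm a batch whose recipient was swapped."""
    intended = [Transfer("NL00BANK0001", 12_500), Transfer("NL00BANK0002", 3_000)]
    received = relay_swaps_recipient(intended, "NL00MULE9999")  # constructed
    sms = bank_issue_sms(received, summarize)
    return user_confirms(intended, sms, summarize) is not None


if __name__ == "__main__":
    print("total+count only, user fooled:", user_is_fooled(summary_total_only))
    print("with recipients,  user fooled:", user_is_fooled(summary_with_recipients))
```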

  47. Simple... by DNSSEC · · Score: 1

    You can change your email address, only IF you confirm the change by sending an authentication code to the old email address; if this one is disabled or no longer valid, then you may need to visit your bank executive.

  48. BofA by insanechemist · · Score: 1

    BofA has a version of this that's MUCH less savvy. Their site responds with a picture and you confirm the picture is your "key" by entering your password. Just as hackable or perhaps even more so. It's not really a pain but it was really annoying when it was first rolled out.

    1. Re:BofA by ecampbel · · Score: 1

      Not true - it's not subject to the same man-in-the-middle attacks. The first time you log in from a computer, it asks for your user name, password and personal details. At that point, a cookie is stored in your browser. For subsequent logins, the site will only ask for your password and display your picture.

      If you visit a phishing site, there's no way for the site to know what your picture is. To retrieve your picture, the phisher will have to ask you for your username, password and personal details. At this point the login sequence is different enough that it should alert the user that something is up.

      BofA login:
          1) Site displays the first 4 letters of my user id
          2) Click login
          3) Site displays picture and asks for password
          4) Access granted

      Phisher:
          1) Site does not display first 4 chars of login
          2) Has to ask for:
                  a) username
                  b) password
                  c) two dropdowns with all the possible questions that BofA asks and a text fields for your answers
          3) User enters all details in
          4) Access is granted (to phisher)

      Those two flows are different enough that phishing should be reduced.

      --

      Sig goes here
  49. Who is being verified? by jc42 · · Score: 3, Insightful

    I can't help but notice that all the authentication schemes being discussed are basically ways that the bank verifies the customer is who they say they are. But the issue isn't that; it's that the customer is being tricked into thinking that they're talking to the bank when they are actually talking to someone else (who may be talking to the bank). There is nothing that I see that helps the customer verify that it's actually their bank on the other end.

    The whole "phishing" thing is based on the fact that the bank's end can be spoofed, and customers have no reliable way to verify that they are really talking to their bank. A Man-in-the-Middle is simply a variant of this, in which the customer thinks they're talking to the bank, when they're actually talking to the MitM, who is talking to the bank.

    Adding extra stuff to better authenticate the customer is not going to help here. Confusing the issue by just talking about "authentication" doesn't help either, since it conflates the two directions of authentication into one, and people don't notice that the customer may not have authenticated the bank.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    1. Re:Who is being verified? by pulse2600 · · Score: 1

      That is the single most intelligent, worthwhile post in this whole topic...banks are so worried about "are we really talking to the customer?" No one is concerned about "is the customer really talking to the bank?" The perception is the bank needs more security than the customer, the bank has more to lose, the bank is where the customer's money is, therefore protect the bank, right?

      The best solution out there right now to protect the customer seems to be customer education - if you subscribe to the philosophy that the problem is social, like social engineering. Education is only a solution to those who are open to being educated. To everyone else who sees the problem as technical - as a computer problem - education will do nothing. So what can the bank do to tell us they are really them and there is nobody else between us? What can be done technically that can not be forged, snooped, copied, replayed, passed along, etc, so non-technical people will understand without any doubt that they are really talking to the bank?

      When I go to a brick and mortar bank I know it is the bank because the building can not be reproduced in the same physical spot where the bank normally stands, and I recognize the people who work there as something that can not otherwise be possible. When I approach the teller no one stands between us handing over the information during the transaction. There may be mechanisms in place watching the transaction such as a security camera, but I also know they are legitimate because of where I am physically standing and everything else around me. In this way, the bank has proven to me that they really are who I think they are. How can a customer instinctively "just know" that something electronic is what it really appears to be?

  50. Good point.... by Anonymous Coward · · Score: 0

    I thought I looked at the source code though and could not find a way to pull that picture but maybe I am wrong. Good point though, always open a new window and go to the site yourself.

    - Jeremy

  51. SMS not cost effective by Anonymous Coward · · Score: 0

    But this won't work for the "masses" until prices come way down for SMS.
    Microsoft still wants like US$1,219 for SMS 2003 with 10 Client Management Licenses!

  52. Log in at the last second by popo · · Score: 1

    Users of 1 minute token ID's can always just wait until there are 2 or 3 seconds left on their current # before logging in.

    TFA states that phishers have 1 minute. That's not really true, unless the user logs in as soon as a new # appears. Giving phishers less time is just a matter of when you choose to log in.

    Wait until your # is about to change.

    --
    ------ The best brain training is now totally free : )
    1. Re:Log in at the last second by pigwin32 · · Score: 1

      Not so actually. For time-based tokens the server typically allows a window of 3 minutes, so if your tokencode is correct within the server window you're good to go. This is to allow for drift between the token's internal clock and the server clock which are used to compute the tokencode. Effectively this means that even if you enter the tokencode just before it changes, that tokencode if intercepted is good for up to 3 minutes regardless.
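The server-side window pigwin32 describes, as an added example (not the vendor's algorithm; an HMAC-SHA1 over a 60-second counter is an assumption standing in for whatever the real tokens compute): the verifier accepts a tokencode for one step of drift either side, so a code stays valid across a 3-minute span, and it records redeemed counters so an intercepted code cannot be used a second time. That closes the reuse window the comment describes; it does not stop the live relay in the article, where the phisher uses the code first.

```python
"""Time-based tokencode verification with a drift window and replay tracking.
Added example; HMAC-SHA1 over a 60-second counter is an assumed construction."""
import hmac
import hashlib
import struct

STEP = 60    # seconds per tokencode, as in the article
DRIFT = 1    # accept one step either side: a three-step (3-minute) window


def tokencode(secret: bytes, counter: int, digits: int = 6) -> str:
    """Tokencode for one time step: low 31 bits of the HMAC, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    value = int.from_bytes(mac[-4:], "big") & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


class TokenServer:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()   # counters already redeemed: each code logs in once

    def verify(self, code: str, now: int) -> bool:
        """Accept `code` if it matches the current step or one step either side
        (clock drift), and that step has not been redeemed before (replay)."""
        server_counter = now // STEP
        for c in range(server_counter - DRIFT, server_counter + DRIFT + 1):
            if hmac.compare_digest(tokencode(self.secret, c), code):
                if c in self.used:
                    return False      # same code presented again: reject
                self.used.add(c)
                return True
        return False


def seconds_code_remains_valid(secret: bytes, generated_at: int) -> int:
    """Count how long a code shown at `generated_at` is still accepted by a
    fresh server, to make the 3-minute window concrete."""
    code = tokencode(secret, generated_at // STEP)
    valid_until = generated_at
    while TokenServer(secret).verify(code, valid_until + 1):
        valid_until += 1
    return valid_until - generated_at


if __name__ == "__main__":
    seed = b"constructed-token-seed"   # constructed; real seeds are provisioned per token
    # A code read off the token in its last second is still good for a full
    # further step on the server, not the "2 or 3 seconds" the parent hoped.
    print("code from last second valid for", seconds_code_remains_valid(seed, 1019), "more seconds")
    print("code from first second valid for", seconds_code_remains_valid(seed, 960), "more seconds")
```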

  53. inevitable by treak007 · · Score: 1

    No security system is impregnable, it's just a matter of staying one step ahead. Instead of looking at their software and saying "oo..this is really secure, I would love to see someone break this!" they should start working on the next security system; once that system is cracked, the new one can be implemented. Otherwise you have a Titanic situation. "Look at our security, no one will ever be able to break it"

    --
    Klingon Software is not released, it escapes, inflicting terrible damage onto the enemy as it does
  54. Other methods by austad · · Score: 1

    I've long been a proponent of forcing banks to do some sort of two factor auth, and it's good that some of them are finally doing it. I wrote an internal memo about this *exact* attack a few months ago, but I also mentioned that even if this attack were performed, the percentage of actual account compromises will still drop. This attack is more difficult to perform, and requires real-time interaction with the client, which isn't currently needed for just simple password phishing.

    Regardless, there are some methods that can be employed now to thwart this particular attack. I just need some moola to get it off the ground. :)

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  55. Challenge-Response? by h4ck7h3p14n37 · · Score: 1

    How about just using challenge-response authentication? The user gets a fob with a keypad and small display screen. When they attempt to login to the bank's website, it displays some numbers that the user keys into their device. The user then reads the display on the device and enters the response into the bank's login form.

  56. This just goes to show... by sydbarrett74 · · Score: 1

    ...that we need not only technical solutions, but solutions that target social engineering. Most 'hackers' are not technical wizards -- they simply know how to play a good game of poker and read people. The general population needs to be inculcated and trained on this concept: * Legitimate businesses will not email you asking for your username and password - they have trivial means to get your account information since they HOST it! This to me is common sense, but I guess most people find it rather an epiphany.

    --
    'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
  57. Inadequate browser UI and https infra by TheLink · · Score: 1

    Current popular browsers don't allow users to easily know that they are not connecting to the correct "citibank" site.

    They just show that stupid padlock icon. And when I last checked, there are tons of CA certs installed by default in most browsers. And the users get the same padlock for all certs issued by those CAs.

    Whereas if you had say an orange padlock = encrypted but untrusted/unknown site, and blue padlock = user's favourite encrypted financial transaction site then that helps a lot, and the browser also could easily do what ssh has been doing for years.

    The browsers should also render the fingerprint of the site's keys in a coloured pattern next to the "padlock" or something. Could be each nybble of the fingerprint = a different colour out of 16 colours. After a while people would hopefully associate the colour pattern with the site. Requiring users to click on the stupid padlock in order to check the CA chains etc is ridiculous. Even savvy users will find that annoying.

    It would be hard to save users who are oblivious to all that, but I claim that currently not enough has been done.

    But from my experience web browser makers (like most people) aren't really interested in security at all. Because they could mitigate many browser security problems by allowing a special install mode where much of the browser code runs under a different UID/user, one that has very little permissions, while at the same time allow downloads to be saved to the user's directory etc. example: javascript/java/activex/plugin crap and renderers all run as _www_<username>, and the parts in charge of bookmarks and downloads run as <username>, and the parts in charge of "execute the url" are disabled by default. If anyone says that is too difficult, I'd like to point out that many browsers already have a "download manager".

    --
  58. if the cert doesn't have an IP address in it... by YesIAmAScript · · Score: 1

    Then it doesn't authenticate who you are. It's just another secret piece of info that you have.

    And as such, there's no reason someone can't socially engineer it out of you. It's actually less secure than the secure IDs you speak of being a problem because the expiration period is much longer. If you weasel it out of them, not only is it good for more than a minute, but it is good until they figure out they have been duped. Whereas a secure ID sequence number is only good for 1 minute or until it is used, whichever comes first.

    Only if the certificate has your IP address in it, and is useless to anyone who weasels it out of you does it provide any additional protection for users (in this case, from themselves).

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:if the cert doesn't have an IP address in it... by arivanov · · Score: 1

      You are not quite correct.

      Under Windows the certificate is imported into your user profile and only you can have access to the private key if you supply correct windows credentials followed (optionally) by correct credentials to the certificate store. So presenting the certificate and successfully handshaking using the private key for it requires the machine and the certificate store to authenticate you correctly. So as a matter of fact you are identified, authenticated and must have correct credentials. Just the point of authentication has moved to your machine. It is also reasonably tamper resistant. Even the default software certificate store is encrypted and you cannot do a lot by lifting it off the machine via a trojan. In addition to that newer hardware may have hardware certificate stores. Modern DRM is certificate based so DRM capable machines can also securely store certificates (though Windows does not use it this way yet). Similarly, you can also plug in external tokens which store the private key in a tamperproof manner in this mechanism. In all cases just having the passphrase is usually not enough to use the certificate, you have to have full control of the machine operating under correct credentials and may even need a crypto module plugged into it at that moment.

      Under Linux and other OSes the process is similar. You have to have correct credentials at OS level to access the certificate store (the global certificate stores are never used for web authentication). From there on the user has to unlock the certificate store in use (konq or mozilla) with correct credentials. Same process as Windows just not so entrenched into the OS guts and more at an application level.

      From there on, once you have supplied correct credentials and the certificate private key is unlocked, what the server authenticates is a machine. It knows that on machine X the user has supplied the correct passphrase to the private key for certificate Y. At this moment it needs to ask for a username and do a two factor authentication matching the certificate to the username.

      Overall - it is not just the public part of the certificate which plays in the process. The private key is essential as well and the handshake will not complete if the luser does not have the right private key. The server authenticates you as the person with access to the private key, which by default is protected by a passphrase (f.e. Windows will not even allow you to export it or import it without one).

      If you have taken the certificate out of the store, attached a passphrase on a sticker to it and disseminated this across the net there is little one can do. Though first of all this is a tall order technically for John Doe, second this is not much different from sending your PIN to the entire AOL.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  59. all just details... by YesIAmAScript · · Score: 1

    "Run this program, please."

    You can write a program to get these keys out. Yes, it will have to prompt the user for the password, but it can be done. That's what social engineering is about.

    Three factor authentication (the tokens you complain about) actually moves beyond just having some secret, but also to having a token. Client certificates don't do this. And your saying you must have a crypto module is a dodge, not an answer. You said client certs are the solution. Crypto modules are a three-factor system, you can't run to them as validation of your argument for client certs over three-factor.

    Also, I'm not going to argue that modern DRM isn't certificate-based. It usually is. But the DRM makers know the certificates are a point of attack and so they don't just store the certs in the regular keybag on the system. They are hidden, under Windows, they actually scatter the access method into system calls all across the system, not just those that relate to security.

    So saying that since DRM isn't cracked, system keybags must be safe too doesn't really follow.

    In short, the system you speak of is susceptible to the same social engineering as a simple password system. It's even largely susceptible to keylogging, unlike three factor systems.

    I'd love to protect people from their own mistakes. But it's very difficult to do so when users can be convinced to fork over what should be their most protected information.

    --
    http://lkml.org/lkml/2005/8/20/95
  60. Re:"ex-eastern European country" by sasdrtx · · Score: 1

    "ex-eastern European country". Hmmm...

    Did the country move out of eastern Europe? to where, one wonders.
    Or is it no longer a country? Haven't heard of any new communist regimes absorbing anyone lately.

    --
    Most people don't even think inside the box.
  61. Citi Phished by pack72 · · Score: 1

    Anyone know who Citi uses for 2 factor as described in this article?