Slashdot Mirror


User: Mattpw

Mattpw's activity in the archive.

Stories: 0
Comments: 57

Comments · 57

  1. Reason not to use mobiles for authentication. on Security Vulnerabilities On HTC Android Devices · Score: 1

    The security community needs to stop pushing mobile-based token authentication. There is no reason why mobile OSes should get some kind of protected status vs. their notebook counterparts. In my neck of the woods bad guys just forward all a victim's calls for a few hrs anyway regardless of OS, but clearly the trojan writers can make the USB jump to the user's phone (EU charging mandate now) and carry on the same old tricks.

  2. Re:No information about cracking the encryption on The Inside Story of the Kelihos Takedown · Score: 1

    Thanks so much for the reply, I am relatively clueless about the nuts and bolts. So from what you are saying they are using a sync crypto scheme where the password can be intercepted? I read in a bot master Q&A that they use AES, however why couldn't they just switch to async RSA or some kind of PKI-based system?

  3. No information about cracking the encryption on The Inside Story of the Kelihos Takedown · Score: 1

    I see they made some tools to analyze the traffic but no information about actually cracking any encryption. Seems to me this was mostly about hijacking and sinkholing contact peer domain lists. Perhaps they left out pertinent bits for their own safety, but from reading this the controllers could bypass the sinkhole if their backup list was implemented correctly.

  4. Marketing departments with too much money on The Saga of the Virtual Wallet · Score: 1

    I've been to several conferences where companies are rolling out this phone as a payment platform. It's a scam designed to get gullible journalists interested and either boost company exposure, dupe investors into buying shares or prove that X manager is being "innovative". Some are literally RFID credit card SIM cards sticky-taped onto the back of a mobile, I kid you not. The reality is that everyone has a physical wallet/purse and that isn't going away any time soon. Also there are many things in that wallet which cannot be replaced by a mobile phone. Also, are these the same journalists who write the "New Android Malware" articles which come out every week?

  5. Flee to Singapore on Startup Flees To Seattle Amid Amazon's Tax Fight · Score: 1

    If they were really serious they would have fled to Singapore http://en.wikipedia.org/wiki/Income_tax_in_Singapore 0%-max 20%, GST 7%, corp taxes almost non-existent. I laugh when I see the online "raise US taxes" brigade. And a committed, well-educated workforce. What's more, Singapore is booming like most of East Asia so the real market is just next door. The only thing is they don't have an open-door immigration policy like America, so getting in the front door could be hard, but life is good and if you are in there is zero chance you will become a victim of crime.

  6. Re:Time for 2FA authentication to be rolled out ov on Bitcoin Price Crashes · Score: 1

    I'm not sure you have looked into https://www.shieldpass.com/ which is using the passwindow mutual authentication method, not just the OTPs used by SecurID. I agree the RSA one-time passwords are "over", being completely vulnerable to various MITM attacks including phishing etc., as the codes contain no information to the user about what exactly is being authenticated. This is the same problem with many tokens etc. where an attacker can inject themselves at various points on the network, mobile or terminal itself with a trojan. *It should be noted however in RSA's defense that in this particular case you refer to it wasn't any of these usual methods they used to defeat the tokens but the fact they didn't airgap the machine holding the secret keys.

    If you watch the demo video you can see that the transaction-specific information (i.e. it could be something bitcoin-specific) is encoded into the challenge alongside the OTP so the user is informed as to what they are authenticating and the MITM fails. They can't switch challenges and they can't remove the transaction information from the challenge. Being a non-humanly-communicable key (the visual segmented pattern), they can't easily interrogate the user for key information either.

    It's not perfect, for that we would need the server to be able to scan your soul, however it's cheap, convenient and more secure than the alternatives unless you have a better suggestion.

  7. Time for 2FA authentication to be rolled out over on Bitcoin Price Crashes · Score: 1

    Time for 2FA authentication to be rolled out over bitcoin operators. The anonymity element makes it a huge juicy target for hackers; they need to start connecting it to something physically offline. I am working on a bitcoin wallet for shieldpass.com access tokens and then mutually authenticating each transaction.

  8. Re:mugging on Trojan Goes After Bitcoins · Score: 1

    What about putting a second offline, non-electronic factor like a www.shieldpass.com card over the top of the container?

  9. Re:One-time pads bypassed by Zeus and Spyeye on Court Rules Passwords+Secret Questions=Secure eBanking · Score: 1

    The topic is online banking authentication so your points are mostly off topic.
    - It could easily be configured for use with email, ssh, imap, ldap, radius, etc.
    - The amount of digits required from the user is configurable to any amount; it is a rolling password so while the demo requires 4 it could be 20. Same goes for the amount of transaction information encoded into challenges.
    Even though it's off topic I'll bite:
    - I don't buy the argument that your phone screen is more personal than any other screen. If ninjas are in your house / office taking secret snapshots then the same kind of photographic attack or other cloning / switching of devices etc. could be done against almost any device / terminal display / set of keys and you have bigger problems; that proximity attack argument could go on forever, ending in a rubber hose. For what it's worth the visual key patterns can be obfuscated with transflective laminates etc. very cheaply, or for a few bucks extra could be electrochromic like any device, but the cost justification just isn't there when a piece of plastic only costs a few cents and it is designed for online authentication. Personal attacks are beyond the scope and frankly with the developments in remote electronic scanning I feel more secure about these non-electronic cards than my RFID cards. For online authentication it solves the MITM attack problem and does it extremely cheaply.

  10. One-time pads bypassed by Zeus and Spyeye on Court Rules Passwords+Secret Questions=Secure eBanking · Score: 2

    Banks resist the idea because all the major trojans wreaking havoc have MITM/MITB capabilities to bypass the tokens and mobile SMS in one way or another, as well as cost issues. The 2 European banks in the following article were using transaction-signing tokens http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians and mobile SMS trojans have been around for a while now http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html You might want to investigate https://www.shieldpass.com/ online authentication cards which are cheap and can do mutual authentication passively. For example, specific transaction information can be included in the challenges to stop MITM, and the process is passive or visual so the trojans or phishers can't walk a target through a transaction as they did with the first link.

  11. Many of the 2FA ideas proposed on here are broken on Court Rules Passwords+Secret Questions=Secure eBanking · Score: 1

    Many of the 2FA ideas put forward on here are broken. Most major trojans have MITM or MITB capabilities to bypass many of the pure OTP-type methods put forward here, including the manual transaction-signing tokens. http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians Mobile authentication should be considered broken since there are many more ways past it and many newer trojans come with mobile plugins now too. http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html I use https://www.shieldpass.com/ authentication cards which have the ability to do mutual authentication passively and not be vulnerable to MITM. The plastic cards themselves cost less than a few cents to make so there's no argument why America shouldn't be using them.

  12. Re:Here we go on Ask Slashdot: Is SHA-512 the Way To Go? · Score: 1

    While I agree two-factor is the way to go, especially for the poster whose primary goal (which seems to have been missed) is securing a website, I couldn't see anything great/innovative on the Arcot website. Primarily everything they have put forward seems to be vulnerable to localized infection (i.e. a trojan on the local device performing MITM) and I am particularly concerned with their pushing mobile-based authentication, which I can tell you most Asian countries are bailing out of; there are so many different attack methods. The key to the authentication problem is mutual authentication, otherwise you are only protecting against keylogging which is a very 80's attack; unfortunately there are very few 2FAs which can do it securely.

  13. Worry more about user authentication on Ask Slashdot: Is SHA-512 the Way To Go? · Score: 1

    I realise people like to talk about crypto but user authentication is a much more pressing security problem and the weak link in all the recent attacks. I'm not reading about X breaking X crypto; instead I hear of static passwords being gotten one way or another and all the crypto being bypassed. A friendly suggestion for your secure site would be to use 2FA dynamic passwords in as many places as you can, preferably with mutual authentication capabilities to prevent MITM. Further suggestions would be using Yubikeys or ShieldPass cards, and I believe Verisign has a service, but the former are much easier to implement and relatively cheap.

  14. Add 2FA authentication on Ask Slashdot: Verifying Security of a Hosted Site? · Score: 1

    You should consider adding a 2FA authentication token such as a Yubikey, which has lots of great extensions, or for more security a ShieldPass access card, which has the mutual authentication capability.

  15. Re:Passwords on Are You Sure SHA-1+Salt Is Enough For Passwords? · Score: 1

    You are correct about the security uselessness of the OTP devices, however I would suggest you check out my passwindow 2FA method which isn't vulnerable to phishing / MITM / MITB etc. because it can do passive mutual authentication and include transaction information in the window. There are details on the security page. It's also just a cheap piece of plastic which fits in your wallet and is easy to distribute by letter.

  16. There's not many solutions to this problem... on Hackers Respond To Help Wanted Ads With Malware · Score: 1

    Yes this does happen; they don't even need to install a trojan on your computer, they do it with phishing pages which have a Jabber instant messenger client which instantly relays the OTP (one-time password) to a server which does an immediate backconnect to the bank etc. and logs in. The other way they are bypassing these devices is through a trojan on the computer where they hijack the browser, MITB (man in the browser). The OTP security token method is pretty much useless actually, not really protecting against much at all which isn't already covered by SSL. The problem with the OTP devices is they are only one-way authentication. The MITB attacks defeat just about everything else available, even recently the active mutual authentication electronic tokens. About the only online authentication method which isn't vulnerable is the passwindow cards as they are the only online authentication I know of capable of passive mutual authentication. (Active means a human has to do something and then gets tricked by the trojan in the browser; passive is where you just view and don't do anything except enter the password.) http://en.wikipedia.org/wiki/Mutual_authentication

  17. Side channel attack proof? on Russia Moves To Universal ID Card · Score: 1

    I'd be interested to know what, if any, crypto they are using in the cards. I'd also like to see them run through these side channel "analysis" kits I saw a very good demonstration of recently http://www.riscure.com/inspector/product-description/inspector-sca.html which include modules for 3-DES, AES, RSA and ECC and are able to determine the secret keys or ID right off smartcards without damaging them. To my mind the writing is on the wall for smart card technology and in 5-10 years these "analysis" kits will be as small, fast, convenient and cheap as the magnetic stripe reader/writers are today.

  18. Odesk isn't bad either on 'I Just Need a Programmer' · Score: 1

    I can't believe these sites didn't get immediately mentioned; everyone I know goes to them to get programs written and have done for years now. There's loads of great programmers sitting around with nothing to do in xyz country who will do code at a fraction of the price it would cost me to do it.

  19. Albert Gonzalez on Whitehat Hacker Moxie Marlinspike's Laptop, Cellphones Seized · Score: 1

    While he didn't come to them squeaky clean, he did become from their point of view "one of the good guys", working alongside NSA agents, giving talks at their conferences etc., all the while in his spare time ripping off millions of credit card numbers, even using some of the government servers in the attacks. The Gonzalez trial is such a public spectacle I can't help but think that might have influenced their attitude.

  20. Good study, would have preferred a more diverse on Analyzing CAPTCHAs · Score: 1

    Interesting study, however it needed a more diverse range of sample testers, all of which were early-twenties volunteer university graduates. I only bring this up because I see very different responses to CAPTCHAs. The response and attitude towards CAPTCHAs from young university people hanging around the IT labs where this was most likely advertised will be far, far different to the average online citizen. I'm not sure how accurate this is but out in the non-IT section of society CAPTCHAs are loathed and hated beyond belief; also the failure rates sound spectacular. Full credit for the new variations on the old warped-text captchas but I hazard a guess that those bizarre mental challenges are not going to fly with your average joe. In fact it's amazing that captchas have entered the mainstream at all. I'm sure the study was limited with money and time but I look forward to a more mainstream, diverse study.

  21. Re:Primer on how to get caught. on Gang Arrested For Stealing Millions Using ZeuS · Score: 2, Interesting

    Many ZeuS packages have an option to remove the outgoing transactions from the user's browser as part of the MITB package; this includes changing the balance total to before the outgoing transactions were made so the user won't know until a paper statement turns up, if one ever does, as many banks are ditching paper statements in favor of browser-based ones. And since they are now using the same trojan tactics on users' mobiles to defeat mobile SMS authentication, I am sure you will see a ZeuS mobile trojan upgrade to divert any calls made to the bank's hotline number to an even more "helpful" team who will probably need even more user information "to get to the bottom of this please give us your..." /s

  22. ZeuS is now bypassing mobile SMS authentication on Gang Arrested For Stealing Millions Using ZeuS · Score: 2, Interesting

    More interesting news this week is that the gang behind ZeuS, as predicted, have successfully integrated man-in-the-middle attacks against mobile phone two-factor authentication schemes. http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html

  23. Re:Discover recurring payments on secure #'s on Alternatives To Paypal's Virtual Credit Card Service? · Score: 1

    I am curious, what sort of authentication is required on their websites to generate the numbers?

  24. Possible online fraud attack with virtual numbers? on Alternatives To Paypal's Virtual Credit Card Service? · Score: 1

    I am curious; some people above have mentioned that their online bank account allows them to instantly generate virtual credit card numbers. I am wondering, with the trojans like Zeus etc. which actively go after online accounts, whether instead of the trojan trying to authenticate an outgoing transfer to a local mule account they could be, or are, switching tactics and going after these virtual-number-generating bank accounts and then sucking the money out of the accounts from anywhere through the virtual card number charges. I know with the existing schemes they have to bounce the outgoing cash off a local mule and pay him 10% before sending it out overseas, but a credit card transaction would rarely be flagged as fraudulent, and if the trojan owns the browser like Zeus does, the account holder wouldn't even know their account was being drained. Can anyone explain why this isn't feasible? I'd like some of the above-mentioned account holders to explain what authentication is required by the bank websites to generate the card numbers.

  25. Re:Nice responses to the original article on Online Banking Trojan Stole Money From Belgians · Score: 1

    Interesting, no doubt there will be more of that type of fraud in the future. So what exactly was in the boxes? Fake credit cards? Sorry, I'm a little confused about the CDRW drives. I work in fraud prevention and after my last post here, sure enough, I had a report of exactly what I described. Some African guy in Italy sending out paper letters around the world simply asking for cash. "To the responsible, Honest, humble, handicapped italian man. Financially needy. Open to any proposal, Western union or credit card. Blah Blah.. Thanks.." So yeah they went ahead and did it, cut out all the complexity and just went straight for the money; I guess they did drop in the handicapped angle for sympathy. If I thought I would get a straight answer I'd almost pay just to know what his ROI is.