At 11:26 PM -0500 8/14/04, Bruce Schneier wrote:

Websites, Passwords, and Consumers

Criminals follow the money. Today, more and more money is on the Internet. Millions of people manage their bank accounts, PayPal accounts, stock portfolios, or other payment accounts online. It's a tempting target: if a criminal can gain access to one of these accounts, he can steal money.

And almost all these accounts are protected only by passwords.

If you're reading this essay, you probably already know that passwords are insecure. In my book "Secrets and Lies" (way back in 2000), I wrote: "Over the past several decades, Moore's Law has made it possible to brute-force larger and larger entropy keys. At the same time, there is a maximum to the entropy that the average computer user (or even the above-average computer user) is willing to remember.... These two numbers have crossed; password crackers can now break anything that you can reasonably expect a user to memorize."

On the Internet, password security is actually much better than that, because dictionary attacks work best offline. It's one thing to test every possible key on your own computer when you have the actual ciphertext, but it's a much slower process when you have to do it remotely across the Internet. And if the website is halfway clever, it'll shut down an account if there are too many -- 5?, 10? -- incorrect password attempts in a row. If you shut accounts down soon enough, you can even make four-digit PINs work on websites.

This is why the criminals have taken to stealing passwords instead.

Phishing is now a very popular attack, and it's amazingly effective. Think about how the attack works. You get an e-mail from your bank. It has a plausible message body, and contains a URL that looks like it's from your bank. You click on it and up pops your bank website. When asked for your username and password, you type it in. Okay, maybe you or I are aware enough not to type it in. But the average home banking customer doesn't stand a chance against this kind of social engineering attack.

And in June 2004, a Trojan horse appeared that captured passwords. It looked like an image file, but it was actually an executable that installed an add-on to Internet Explorer. That add-on monitored and recorded outbound connections to the websites of several dozen major financial institutions and then sent usernames and passwords to a computer in Russia. Using SSL didn't help; the Trojan monitored keystrokes before they were encrypted.

The computer security industry has several solutions that are better than passwords: secure tokens that provide one-time passwords, biometric readers, etc. But issuing hardware to millions of electronic banking customers is prohibitively expensive, both in initial cost and in customer support. And customers hate these systems. If you're a bank, the last thing you want to do is to annoy your customers.

But having money stolen out of your account is even more annoying, and banks are increasingly fielding calls from customer victims. Even though the security problem has nothing to do with the bank, even though the customer is the one who made the security mistake, banks are having to make good on the customers' losses. It's one of the most important lessons of Internet security: sometimes your biggest security problems are ones that you have no control over.

The problem is serious. In a May survey report, Gartner estimated that about 3 million Americans have fallen victim to phishing attacks. "Direct losses from identity theft fraud against phishing attack victims -- including new-account, checking account and credit card account fraud -- cost U.S. banks and credit card issuers about $1.2 billion last year" (in 2003). Keyboard sniffers and Trojans will help make this number even greater in 2004.

Even if financial institutions reimburse customers, the inevitable result is that people will begin to distrust the Internet. The average Internet user doesn't understand security; he thinks that a gold lock icon in the lower-right-hand corner of his browser means that he's secure. If it doesn't -- and we all know that it doesn't -- he'll stop using Internet financial websites and applications.

The solutions are not easy. The never-ending stream of Windows vulnerabilities limits the effectiveness of any customer-based software solution -- digital certificates, plug-ins, and so on -- and the ease with which malicious software can run on Windows limits the effectiveness of other solutions. Point solutions might force attackers to change tactics, but won't solve the underlying insecurities. Computer security is an arms race, and money creates very motivated attackers. Unsolved, this type of security problem can change the way people interact with the Internet. It'll prove that the naysayers were right all along, that the Internet isn't safe for electronic commerce.

Phishing: <http://www.msnbc.msn.com/id/5184077/> <http://www.internetweek.com/e-business/showArticle.jhtml?articleID=2210 0149> or <http://tinyurl.com/54b4g>

The Trojan: <http://news.com.com/Pop-up+program+reads+keystrokes%2C+steals+passwords /2100-7349_3-5251981.html> or <http://tinyurl.com/yqeoe> <http://www.pcworld.com/news/article/0%2Caid%2C116761%2C00.asp>

A shorter version of this essay originally appeared in IEEE Security and Privacy: <http://csdl.computer.org/comp/mags/sp/2004/04/j4088abs.htm>

-- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'