Websites, Passwords, and Consumers (Re: CRYPTO-GRAM, August 15, 2004)

R. A. Hettinga rah at shipwright.com
Sun Aug 15 04:29:14 PDT 2004


At 11:26 PM -0500 8/14/04, Bruce Schneier wrote:
>       Websites, Passwords, and Consumers
>
>
>
>Criminals follow the money.  Today, more and more money is on the
>Internet.  Millions of people manage their bank accounts, PayPal
>accounts, stock portfolios, or other payment accounts online.  It's a
>tempting target: if a criminal can gain access to one of these
>accounts, he can steal money.
>
>And almost all these accounts are protected only by passwords.
>
>If you're reading this essay, you probably already know that passwords
>are insecure.  In my book "Secrets and Lies" (way back in 2000), I
>wrote:  "Over the past several decades, Moore's Law has made it
>possible to brute-force larger and larger entropy keys.  At the same
>time, there is a maximum to the entropy that the average computer user
>(or even the above-average computer user) is willing to
>remember....  These two numbers have crossed; password crackers can now
>break anything that you can reasonably expect a user to memorize."
>
>On the Internet, password security is actually much better than that,
>because dictionary attacks work best offline.  It's one thing to test
>every possible key on your own computer when you have the actual
>ciphertext, but it's a much slower process when you have to do it
>remotely across the Internet.  And if the website is halfway clever,
>it'll shut down an account if there are too many -- 5?, 10? --
>incorrect password attempts in a row.  If you shut accounts down soon
>enough, you can even make four-digit PINs work on websites.
>
>This is why the criminals have taken to stealing passwords instead.
>
>Phishing is now a very popular attack, and it's amazingly
>effective.  Think about how the attack works.  You get an e-mail from
>your bank.  It has a plausible message body, and contains a URL that
>looks like it's from your bank.  You click on it and up pops your bank
>website.  When asked for your username and password, you type it
>in.  Okay, maybe you or I are aware enough not to type it in.  But the
>average home banking customer doesn't stand a chance against this kind
>of social engineering attack.
>
>And in June 2004, a Trojan horse appeared that captured passwords.  It
>looked like an image file, but it was actually an executable that
>installed an add-on to Internet Explorer.  That add-on monitored and
>recorded outbound connections to the websites of several dozen major
>financial institutions and then sent usernames and passwords to a
>computer in Russia.  Using SSL didn't help; the Trojan monitored
>keystrokes before they were encrypted.
>
>The computer security industry has several solutions that are better
>than passwords: secure tokens that provide one-time passwords,
>biometric readers, etc.  But issuing hardware to millions of electronic
>banking customers is prohibitively expensive, both in initial cost and
>in customer support.  And customers hate these systems.  If you're a
>bank, the last thing you want to do is to annoy your customers.
>
>But having money stolen out of your account is even more annoying, and
>banks are increasingly fielding calls from customer victims.  Even
>though the security problem has nothing to do with the bank, even
>though the customer is the one who made the security mistake, banks are
>having to make good on the customers' losses.  It's one of the most
>important lessons of Internet security: sometimes your biggest security
>problems are ones that you have no control over.
>
>The problem is serious.  In a May survey report, Gartner estimated that
>about 3 million Americans have fallen victim to phishing
>attacks.  "Direct losses from identity theft fraud against phishing
>attack victims -- including new-account, checking account and credit
>card account fraud -- cost U.S. banks and credit card issuers about
>$1.2 billion last year" (in 2003).  Keyboard sniffers and Trojans will
>help make this number even greater in 2004.
>
>Even if financial institutions reimburse customers, the inevitable
>result is that people will begin to distrust the Internet.  The average
>Internet user doesn't understand security; he thinks that a gold lock
>icon in the lower-right-hand corner of his browser means that he's
>secure.  If it doesn't -- and we all know that it doesn't -- he'll stop
>using Internet financial websites and applications.
>
>The solutions are not easy. The never-ending stream of Windows
>vulnerabilities limits the effectiveness of any customer-based software
>solution -- digital certificates, plug-ins, and so on -- and the ease
>with which malicious software can run on Windows limits the
>effectiveness of other solutions.  Point solutions might force
>attackers to change tactics, but won't solve the underlying
>insecurities.  Computer security is an arms race, and money creates
>very motivated attackers.  Unsolved, this type of security problem can
>change the way people interact with the Internet.  It'll prove that the
>naysayers were right all along, that the Internet isn't safe for
>electronic commerce.
>
>Phishing:
><http://www.msnbc.msn.com/id/5184077/>
><http://www.internetweek.com/e-business/showArticle.jhtml?articleID=22100149> or <http://tinyurl.com/54b4g>
>
>The Trojan:
><http://news.com.com/Pop-up+program+reads+keystrokes%2C+steals+passwords/2100-7349_3-5251981.html> or <http://tinyurl.com/yqeoe>
><http://www.pcworld.com/news/article/0%2Caid%2C116761%2C00.asp>
>
>A shorter version of this essay originally appeared in IEEE Security
>and Privacy:
><http://csdl.computer.org/comp/mags/sp/2004/04/j4088abs.htm>

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
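The quoted essay's point that four-digit PINs can survive online because the website, unlike an offline cracker, can lock the account after a handful of wrong guesses is easy to see in code. The following is an added example, not code from the essay or from either list member: it brute-forces the same PIN twice, once against a stored hash the attacker already holds, and once through a login endpoint that locks after five consecutive failures. The salt, the PIN 7391, the account name and the threshold of five are all constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample. The salt is fixed so the run is deterministic;
# a real service would draw it from os.urandom() per account.
SALT = b"example-salt"
VICTIM_PIN = "7391"


def pin_hash(pin: str, salt: bytes = SALT) -> str:
    """Salted SHA-256 of a PIN, standing in for whatever the site stores."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def offline_crack_pin(target_hash: str, salt: bytes = SALT):
    """Attacker holds the stored hash: all 10,000 four-digit PINs can be
    tried locally and nothing stops him. Returns (pin, hashes_computed)."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if hmac.compare_digest(pin_hash(guess, salt), target_hash):
            return guess, n + 1
    return None, 10_000


@dataclass
class Account:
    pin_hash: str
    failures: int = 0
    locked: bool = False


class OnlineService:
    """Login endpoint that locks an account after too many wrong guesses in a row."""

    LOCKOUT_THRESHOLD = 5  # constructed value; the essay asks "5?, 10?"

    def __init__(self, accounts: dict):
        self.accounts = accounts

    def login(self, user: str, pin: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"  # same answer as a wrong PIN: no user enumeration
        if acct.locked:
            return "locked"
        if hmac.compare_digest(pin_hash(pin), acct.pin_hash):
            acct.failures = 0  # a good login resets the streak
            return "ok"
        acct.failures += 1
        if acct.failures >= self.LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "denied"


def online_guess_pin(service: OnlineService, user: str):
    """The same brute force, but through the login endpoint.
    Returns (pin_or_None, attempts_made)."""
    for n in range(10_000):
        guess = f"{n:04d}"
        result = service.login(user, guess)
        if result == "ok":
            return guess, n + 1
        if result == "locked":
            return None, n + 1
    return None, 10_000


def demo():
    stored = pin_hash(VICTIM_PIN)
    offline = offline_crack_pin(stored)              # ("7391", 7392)
    svc = OnlineService({"alice": Account(pin_hash=stored)})
    online = online_guess_pin(svc, "alice")          # (None, 5): locked out
    # Side effect of the lockout: the real owner is now shut out as well.
    owner = svc.login("alice", VICTIM_PIN)           # "locked"
    return offline, online, owner


if __name__ == "__main__":
    print(demo())
```

The offline attacker recovers the PIN after a few thousand hashes; the online attacker is stopped at the fifth request, which is the asymmetry the essay relies on. The last line of `demo()` shows the cost a practitioner has to weigh: a hard lockout lets anyone who knows a username deny service to its owner, which is why deployed systems usually prefer escalating delays or a time-limited lock over a permanent one, and why the lockout does nothing against the essay's real subject, an attacker who steals the password rather than guessing it.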
