Websites, Passwords, and Consumers (Re: CRYPTO-GRAM, August 15, 2004)
R. A. Hettinga
rah at shipwright.com
Sun Aug 15 04:29:14 PDT 2004
At 11:26 PM -0500 8/14/04, Bruce Schneier wrote:
> Websites, Passwords, and Consumers
>
>Criminals follow the money. Today, more and more money is on the
>Internet. Millions of people manage their bank accounts, PayPal
>accounts, stock portfolios, or other payment accounts online. It's a
>tempting target: if a criminal can gain access to one of these
>accounts, he can steal money.
>
>And almost all these accounts are protected only by passwords.
>
>If you're reading this essay, you probably already know that passwords
>are insecure. In my book "Secrets and Lies" (way back in 2000), I
>wrote: "Over the past several decades, Moore's Law has made it
>possible to brute-force larger and larger entropy keys. At the same
>time, there is a maximum to the entropy that the average computer user
>(or even the above-average computer user) is willing to
>remember.... These two numbers have crossed; password crackers can now
>break anything that you can reasonably expect a user to memorize."
>
>On the Internet, password security is actually much better than that,
>because dictionary attacks work best offline. It's one thing to test
>every possible key on your own computer when you have the actual
>ciphertext, but it's a much slower process when you have to do it
>remotely across the Internet. And if the website is halfway clever,
>it'll shut down an account if there are too many -- 5?, 10? --
>incorrect password attempts in a row. If you shut accounts down soon
>enough, you can even make four-digit PINs work on websites.
>
>This is why the criminals have taken to stealing passwords instead.
>Phishing is now a very popular attack, and it's amazingly
>effective. Think about how the attack works. You get an e-mail from
>your bank. It has a plausible message body, and contains a URL that
>looks like it's from your bank. You click on it and up pops your bank
>website. When asked for your username and password, you type it
>in. Okay, maybe you or I are aware enough not to type it in. But the
>average home banking customer doesn't stand a chance against this kind
>of social engineering attack.
>
>And in June 2004, a Trojan horse appeared that captured passwords. It
>looked like an image file, but it was actually an executable that
>installed an add-on to Internet Explorer. That add-on monitored and
>recorded outbound connections to the websites of several dozen major
>financial institutions and then sent usernames and passwords to a
>computer in Russia. Using SSL didn't help; the Trojan monitored
>keystrokes before they were encrypted.
>
>The computer security industry has several solutions that are better
>than passwords: secure tokens that provide one-time passwords,
>biometric readers, etc. But issuing hardware to millions of electronic
>banking customers is prohibitively expensive, both in initial cost and
>in customer support. And customers hate these systems. If you're a
>bank, the last thing you want to do is to annoy your customers.
>
>But having money stolen out of your account is even more annoying, and
>banks are increasingly fielding calls from customer victims. Even
>though the security problem has nothing to do with the bank, even
>though the customer is the one who made the security mistake, banks are
>having to make good on the customers' losses. It's one of the most
>important lessons of Internet security: sometimes your biggest security
>problems are ones that you have no control over.
>
>The problem is serious. In a May survey report, Gartner estimated that
>about 3 million Americans have fallen victim to phishing
>attacks. "Direct losses from identity theft fraud against phishing
>attack victims -- including new-account, checking account and credit
>card account fraud -- cost U.S. banks and credit card issuers about
>$1.2 billion last year" (in 2003). Keyboard sniffers and Trojans will
>help make this number even greater in 2004.
>
>Even if financial institutions reimburse customers, the inevitable
>result is that people will begin to distrust the Internet. The average
>Internet user doesn't understand security; he thinks that a gold lock
>icon in the lower-right-hand corner of his browser means that he's
>secure. If it doesn't -- and we all know that it doesn't -- he'll stop
>using Internet financial websites and applications.
>
>The solutions are not easy. The never-ending stream of Windows
>vulnerabilities limits the effectiveness of any customer-based software
>solution -- digital certificates, plug-ins, and so on -- and the ease
>with which malicious software can run on Windows limits the
>effectiveness of other solutions. Point solutions might force
>attackers to change tactics, but won't solve the underlying
>insecurities. Computer security is an arms race, and money creates
>very motivated attackers. Unsolved, this type of security problem can
>change the way people interact with the Internet. It'll prove that the
>naysayers were right all along, that the Internet isn't safe for
>0149> or <http://tinyurl.com/54b4g>
>/2100-7349_3-5251981.html> or <http://tinyurl.com/yqeoe>
>A shorter version of this essay originally appeared in IEEE Security
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
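The quoted essay's point about online guessing (lock the account after a handful of wrong attempts and even a four-digit PIN becomes workable) is easy to check with a small model. The following is an added example, not code from the original message or from Schneier; the lockout threshold of 5, the PBKDF2 storage scheme and the sample PINs are all constructed for illustration. It stores a salted PIN hash, counts consecutive failures, locks the account at the threshold, and then exercises the control by enumerating the PIN space exactly as an online guesser would have to, to confirm how many attempts the control actually allows.

```python
"""Account lockout as a brake on online PIN guessing (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed threshold: the essay asks "5?, 10?"; we lock on the fifth failure.
MAX_FAILURES = 5
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0   # consecutive wrong attempts since the last success
    locked: bool = False


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so an offline attacker still pays per guess.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def create_account(pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, digest=_hash_pin(pin, salt))


def attempt_login(acct: Account, pin: str) -> str:
    """Return 'locked', 'ok' or 'bad'; every wrong guess counts toward lockout."""
    if acct.locked:
        return "locked"
    if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.digest):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
    return "bad"


def online_success_probability(keyspace: int, allowed_attempts: int) -> float:
    """Chance of hitting a uniformly random secret within the allowed attempts."""
    return min(allowed_attempts, keyspace) / keyspace


def enumerate_until_locked(acct: Account, keyspace: int = 10_000) -> tuple[bool, int]:
    """Exercise the control: try every PIN in order and report (found, attempts made).

    This is the defender's test of the lockout, showing how few guesses
    an online adversary gets before the account shuts down.
    """
    attempts = 0
    for candidate in range(keyspace):
        result = attempt_login(acct, f"{candidate:04d}")
        if result == "locked":
            return False, attempts
        attempts += 1
        if result == "ok":
            return True, attempts
    return False, attempts


if __name__ == "__main__":
    acct = create_account("7342")   # constructed sample PIN
    found, used = enumerate_until_locked(acct)
    print(f"found={found} attempts_before_lockout={used} "
          f"p_success={online_success_probability(10_000, MAX_FAILURES):.4f}")
```

With a 10,000-PIN space and a lockout at five failures, a single online enumeration gets exactly five guesses and a 0.05% chance of success, which is the essay's argument in numbers; the same PIN space falls in milliseconds to an offline attacker who holds the hash, which is why the salted, slow hash is kept even with the lockout in place.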
More information about the cypherpunks-legacy