Banks Test ID Device for Online Security
Anne & Lynn Wheeler
lynn at garlic.com
Wed Jan 5 22:46:32 PST 2005
Bill Stewart wrote:
> Yup. It's the little keychain frob that gives you a string of numbers,
> updated every 30 seconds or so, which stays roughly in sync with a server,
> so you can use them as one-time passwords
> instead of storing a password that's good for a long term.
> So if the phisher cons you into handing over your information,
> they've got to rip you off in nearly-real-time with a MITM game
> instead of getting a password they can reuse, sell, etc.
> That's still a serious risk for a bank,
> since the scammer can use it to log in to the web site
> and then do a bunch of transactions quickly;
> it's less vulnerable if the bank insists on a new SecurID hit for
> every dangerous transaction, but that's too annoying for most customers.
in general, it is "something you have" authentication as opposed to the
common shared-secret "something you know" authentication.
while a window of vulnerability does exist (supposedly something that
prooves you are in possession of "something you have"), it is orders of
magnitude smaller than the shared-secret "something you know"
there are two scenarios for shared-secret "something you know"
1) a single shared-secret used across all security domains ... a
compromise of the shared-secret has a very wide window of vulnerability
plus a potentially very large scope of vulnerability
2) a unique shaerd-secret for each security domain ... which helps limit
the scope of a shared-secret compromise. this potentially worked with
one or two security domains ... but with the proliferation of the
electronic world ... it is possible to have scores of security domains,
resulting in scores of unique shared-secrets. scores of unique
shared-secrets typically results exceeded human memory capacity with the
result that all shared-secrets are recorded someplace; which in turn
becomes a new exploit/vulnerability point.
various financial shared-secret exploits are attactive because with
modest effort it may be possible to harvest tens of thousands of
In one-at-a-time, real-time social engineering, may take compareable
effort ... but only yields a single piece of authentication material
with a very narrow time-window and the fraud ROI might be several orders
of magnitude less. It may appear to still be large risk to individuals
... but for a financial institution, it may be relatively small risk to
cover the situation ... compared to criminal being able to compromise
50,000 accounts with compareable effort.
In some presentation there was the comment made that the only thing that
they really needed to do is make it more attactive for the criminals to
attack somebody else.
It would be preferabale to have a "something you have" authentication
resulting in a unique value ... every time the device was used. Then no
amount of social engineering could result in getting the victim to give
up information that results in compromise. However, even with relatively
narrow window of vulnerability ... it still could reduce risk/fraud to
financial institutions by several orders of magnitude (compared to
existing prevalent shared-secret "something you know" authentication
old standby posting about security proportional to risk
More information about the cypherpunks-legacy