USB and indeed all plugin tokens are susceptable to keystroke monitoring IF
the device doesn't have a keypad and display on the device.
If the password/PIN is ever sniffed, then any malware of the host PC can
simulate the human to whom the device is registered, and enact transactions
to the benefit of the attacker without the genuine user ever being able to
repudiate the false transactions under this security/authentication model
(to the bank, device = genuine transaction, period).
Putting keypads and displays can makes the the devices more or less
customised to the issuing bank. If there is downloadable updates or content
of any form, there is the real risk of breaking the device's security model.
Certainly, PSCS isn't any good where keypads or displays are used, while
STIP may help a bit.
Even with displays/keypads on devices, the user still can't be sure that the
transaciton their device 'signs' is actually the transaciton they want to
do.
If you think about it, 'secure devices' only work when they can do the
entire transaction, from conneciton to the Bank, selection and input of
transaction, and commitment for completion.
The devices used today are called PCs and workstations - they just aren't
secure. Secure PCs would answer all these problems - but we are never
likely to get them
Even so, the user education cycle is long (how long did it take for ATMs to
be widely accepted?) and there are still no guarantees.
In short, so called security devices merely delay the inevitable
sophistication of attacks, by a few days in the worst case, weeks or maybe
months if we are real lucky.
In the meantime, live with risk.
Lyal
-----Original Message-----
From: Jimi Thompson [mailto:jimi.thompson@gmail.com]
Sent: Friday, 21 January 2005 5:24 PM
To: webappsec@securityfocus.com
Cc: Florian Weimer; Rafael San Miguel; Enrique.Diez@dvc.es
Subject: Re: Proposal to anti-phishing
<SNIP>
Zero-setup online banking will be possible again (with SSL
client certs,
hear me beat the drum once more) once enough clients have smart card
readers as standard equipment, properly integrated with the
operating
system and the browsers.
For an example, I look to the Dell Latitude D600, which
comes with an
integrated smart card reader. Maybe a good feature addition
for the new
LCD monitors would be a smart card reader slot, connected
via USB. The
more people use them, the more ubiquitous they will be, and the less
"setup" will be required by new users/clients.
</SNIP>
Why not use something like the Rainbow Ikey that uses a USB connection
which virtually every computer has nowdays? It too is an EPROM with a
PKI public/private key pair. That way there's not extra hw to install
and you don't have to wait for the item to percolate through the
market place. Remember betamax? Consumer are used to carrying around
bar code tabs for their shopping/store club/discount/credit cards and
such on their key chains, why not that too?
The caveat is this - all authentication is based on one of 2 things -
something you have (token, thumb print, etc.) or something you know
(PIN, password, etc.). The "something you have" can be stolen. Right
now, we have people going after the "something you know" by placing
devices on ATM machines to record information, identity theft on line,
phishing for id10ts, etc. Now instead of realatively non-violent
(although highly annoying) crimes like phishing, we'll see an
escalation in muggings, purse snatchings, and the general category of
beating people up and taking their stuff.
As an aside, my big fear with biometrics is that some criminal groups
will start cutting off pertinent pieces of people in order to gain
access to accounts. Before someone pipes up and says that it'll never
happen, I can tell you from personal eye-witness experience that there
are more than a few people on this planet who are perfectly willing to
cut off another person's hand or fingers to get their rings, watch,
bracelet, etc. If they'll do it for some jewelry, which will hock at
the pawn shop for about $20, they'll definitely do it get into your
checking account.
One thing that I've not seen discussed here is non-repudiation.
Non-repudiation was a major portion of the last PKI wg. It's very
important in dealing with legal and money matters. What do you when
my on line identity gets used and I say it wasn't me? Just how good
is your system? Will it stop me from buying a Lexus or transferring
all my money to the Cayman Islands and saying that I didn't?
While I agree with the "zero setup" stuff, it's probably not legal in
the USA. We have laws that require you physically show identification
and few other things when opening a checking account. There are more
laws that require the reporting of large sums of money. This is to
prevent the laundering of drug money (for example) as well as other
illegal activites. The federal laws are pretty minimal, but some
states have stricter laws about this. Any bank that isn't doing
something to physically look at ID's is probably in voilation of
something. I admit that these aren't well inforced but they should
be.
2 cents (as usual)
--
Thanks,
Jimi
