Unfortunately there are a lot, and a growing number, of self-infected PCs on the net. As the banks point out, this is not a breach of the bank's security. Nor is it a breach of the ISP's security. The user infects his PC with a trojan and then the criminal uses the PC to transfer money from the user's account, with the user's own password.
http://www.iol.co.za/index.php?click_id=13&art_id=qw1059039360281B215&set_id=1
"The fact that hackers got access to bank customer's accounts was not due to inadequate security at the bank, but due to "user negligence", an e-commerce company said on Thursday. [...] "Consumers should be vigilant when opening emails. If they receive strange emails, or emails from people or companies they do not know, it is better not to open the mail - especially attachments. These intrusions were clearly not a result of any vulnerability in Absa's Internet security."
Sean,
I humbly disagree. It is not user negligence, but rather negligence on behalf of the entity's systems team, or perhaps the entity's failure to support their own systems team by hiring competent staff instead of relying on people who play office politik or look nice in a suit and tie. Users are not expected to secure their machines, or even barely know more than how to use a handful of applications. In the bank's case hopefully they are supposed to be financial experts.
One can also blame the entity for basing their operations on a joke operating system of course (tired argument).
Not calling it a breach of security is simply.. ridiculous. It is a most flagrant breach of security if they can't even secure their own internal networks and systems. Host level security should be the easiest thing to accomplish given competent systems staff.
The entity should have had a team in place that protected systems, disabled vulnerable services running on the joke operating system, and that stayed on top of any threat no matter what day of the week it happened to be.
Nothing like berating the obvious.
This is off topic and I'm not going to pursue this further on this list.
Len
Sean Donelan said:
Unfortunately there are a lot, and a growing number, of self-infected PCs on the net. As the banks point out, this is not a breach of the bank's security. Nor is it a breach of the ISP's security. The user infects his PC with a trojan and then the criminal uses the PC to transfer money from the user's account, with the user's own password.
http://www.iol.co.za/index.php?click_id=13&art_id=qw1059039360281B215&set_id=1
"The fact that hackers got access to bank customer's accounts was not due to inadequate security at the bank, but due to "user negligence", an e-commerce company said on Thursday. [...] "Consumers should be vigilant when opening emails. If they receive strange emails, or emails from people or companies they do not know, it is better not to open the mail - especially attachments. These intrusions were clearly not a result of any vulnerability in Absa's Internet security."
On Sun, 27 Jul 2003 00:56:28 EDT, Len Rose <len@netsys.com> said:
I humbly disagree. It is not user negligence, but rather negligence on behalf of the entity's systems team, or perhaps the entity's failure to support their own systems team by hiring competent staff instead of relying on people who play office politik or look nice in a suit and tie. Users are not expected to secure their machines, or even barely know more than how to use a handful of applications. In the bank's case hopefully they are supposed to be financial experts.
Right. The problem was that it was exactly that clueless *USER* machine that got trojaned. So for instance, if you are one of the people who got burned by the recent Kinko key-sniffer hacks, and the hacker used the info to logon to your bank account, in what way is the bank liable? What *realistic* steps is the bank supposed to take? (Hint - what percentage of *security professionals* use an S/Key or similar for remote logins?)
On Sun, 27 Jul 2003, Len Rose wrote:
Not calling it a breach of security is simply.. ridiculous. It is a most flagrant breach of security if they can't even secure their own internal networks and systems. Host level security should be the easiest thing to accomplish given competent systems staff.
It is a breach of security of the *USER'S* computer, not the *BANK'S* computers. How many people do you know have a full-time systems staff maintaining their home PCs? If they are lucky, they might have a clever teenager in the house who helps their parents set the clock on the VCR and unpack the PC they bought at Best Buy. If they aren't lucky, it was probably the same clever teenager that downloaded the trojaned software on the parent's PC. Is the Bank or ISP supposed to send support staff to each customer's house to maintain host level security on customers' home PCs? The bank didn't sell the customer the computer or the Microsoft software, didn't install software on the home PC, and doesn't maintain the home PC. Outlook, the exploding Pinto on the information superhighway.
Hi Sean,
I seem to have misunderstood you.. I assumed you were speaking about an internal system (in the bank itself). I didn't read the article you posted and without that I suppose I was in the wrong context. Maybe.
Sean Donelan wrote: [zap]
It is a breach of security of the *USER'S* computer, not the *BANK'S* computers.
See above.
How many people do you know have a full-time systems staff maintaining their home PCs?
See above.
If they are lucky, they might have a clever teenager in the house who helps their parents set the clock on the VCR and unpack the PC they bought at Best Buy. If they aren't lucky, it was probably the same clever teenager that downloaded the trojaned software on the parent's PC. Is the Bank or ISP supposed to send support staff to each customer's house to maintain host level security on customers' home PCs? The bank didn't sell the customer the computer or the Microsoft software, didn't install software on the home PC, and doesn't maintain the home PC.
See above.
Outlook, the exploding Pinto on the information superhighway.
Microsoft, who wants to get owned today?
Len
PS Susan, I swear I won't do this again, please don't yell at me.
I think there is confusion here. The banks are making the claim that, if you, the user, have an infected PC that is compromised by an 3lit3 h4x0r, and your password to your bank account is compromised, then the bank is not responsible. That is what you are saying, Sean?
On Sun, 27 Jul 2003, Len Rose wrote:
Sean,
I humbly disagree. It is not user negligence, but rather negligence on behalf of the entity's systems team, or perhaps the entity's failure to support their own systems team by hiring competent staff instead of relying on people who play office politik or look nice in a suit and tie. Users are not expected to secure their machines, or even barely know more than how to use a handful of applications. In the bank's case hopefully they are supposed to be financial experts.
One can also blame the entity for basing their operations on a joke operating system of course (tired argument).
Not calling it a breach of security is simply.. ridiculous. It is a most flagrant breach of security if they can't even secure their own internal networks and systems. Host level security should be the easiest thing to accomplish given competent systems staff.
The entity should have had a team in place that protected systems, disabled vulnerable services running on the joke operating system, and that stayed on top of any threat no matter what day of the week it happened to be.
Nothing like berating the obvious.
This is off topic and I'm not going to pursue this further on this list.
Len
Sean Donelan said:
Unfortunately there are a lot, and a growing number, of self-infected PCs on the net. As the banks point out, this is not a breach of the bank's security. Nor is it a breach of the ISP's security. The user infects his PC with a trojan and then the criminal uses the PC to transfer money from the user's account, with the user's own password.
http://www.iol.co.za/index.php?click_id=13&art_id=qw1059039360281B215&set_id=1
"The fact that hackers got access to bank customer's accounts was not due to inadequate security at the bank, but due to "user negligence", an e-commerce company said on Thursday. [...] "Consumers should be vigilant when opening emails. If they receive strange emails, or emails from people or companies they do not know, it is better not to open the mail - especially attachments. These intrusions were clearly not a result of any vulnerability in Absa's Internet security."
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
On Sun, 27 Jul 2003, Alex Rubenstein wrote:
I think there is confusion here.
Yep. No problem, I think we've cleared it up.
The banks are making the claim that, if you, the user, have an infected PC that is compromised by an 3lit3 h4x0r, and your password to your bank account is compromised, then the bank is not responsible.
That is what you are saying, Sean?
I posted the dots, but failed to explicitly connect them. People have been talking about DDOS, spammers and the underground economy. Folks, it's not underground any more. The criminals are using trojans to steal real money from real people now. Firewalls can't stop it, ISPs can't stop it. It's a *HOST* security issue. For most home users the choices are get Microsoft to fix its software, or buy a Macintosh (hide Unix under the hood). For an extra $20 Dell will pre-configure the system security settings for business purchasers; but home users are still on their own.
Hi, NANOGers.
] Folks, it's not underground any more. The criminals are using trojans ] to steal real money from real people now.
Indeed, and for a while (circa five months by my observation) now. It is no longer, and hasn't been for a while, about technology. The technology - the Internet and the connected devices - has become a conduit for profitable criminal activity on a ubiquitous scale, pure and simple. Miscreants don't break into databases and steal 8M credit cards at a pop so they can card shells and shoes.
] Firewalls can't stop it, ISPs can't stop it. It's a *HOST* security issue.
I'll slightly modify that statement; it is a *PEOPLE* issue. People who write code. People who use systems and networks. People who abuse all of the above for monetary gain.
Thanks, Rob.
-- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
At 11:25 AM 7/27/2003, Rob Thomas wrote:
Hi, NANOGers.
] Folks, it's not underground any more. The criminals are using trojans ] to steal real money from real people now.
Indeed, and for a while (circa five months by my observation) now. It is no longer, and hasn't been for a while, about technology. The technology - the Internet and the connected devices - has become a conduit for profitable criminal activity on a ubiquitous scale, pure and simple. Miscreants don't break into databases and steal 8M credit cards at a pop so they can card shells and shoes.
] Firewalls can't stop it, ISPs can't stop it. It's a *HOST* security issue.
I'll slightly modify that statement; it is a *PEOPLE* issue. People who write code. People who use systems and networks. People who abuse all of the above for monetary gain.
<babble>
I think people forget that we don't live in a utopian society. Some people expect computers to solve all the problems and expect that they can prevent crime in their own domain. We haven't eliminated physical crime at all so I don't see why people are surprised to find that a computer was used to commit a crime. Bank robberies take place all the time and you don't here much about them. Probably more similar is fraud which has taken place for a countless amount of time without the use of computers. Using computers is just another way to perpetuate it.
I do agree with a lot of people in the fact that users of the tool must be informed of how to use it safely, just like anything the person is not 100% familiar with. It's somewhat common knowledge to not leave bank account numbers lying around for anyone to see. It's not as common for people who are unfamiliar with computers to know not to open unknown attachments, run anti-virus software, use a firewall, etc... Would the average driver know how to handle an 18 wheeler? They could probably get it going, but not safely. People must be educated about using computers, ESPECIALLY if it is in a situation where security is elevated because the company has something valuable to protect. A bank teller wouldn't likely let a client behind the counter, yet many would probably open an attachment sent via email without knowing what it is. I know the average end user probably isn't likely as aware about security using their PC in their home, but if banks and other institutions plan on making their services available online in some manner, perhaps they should at least send out occasional best security practices to protect people's information. I can also see that it's not REALLY their problem either so I could also go the other way on this. Just like a bank is not responsible for someone breaking into your house and stealing your checkbook.
</babble>
Just my 2¢.
Vinny Abello Network Engineer Server Management vinny@tellurian.com (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
There are 10 kinds of people in the world. Those who understand binary and those that don't.
Forgive my typo... here = hear. My brain isn't functioning yet this morning and I am just typing what I "hear" in my head. ;) It's a Sunday morning. :P At 11:45 AM 7/27/2003, Vinny Abello wrote:
At 11:25 AM 7/27/2003, Rob Thomas wrote:
Hi, NANOGers.
] Folks, it's not underground any more. The criminals are using trojans ] to steal real money from real people now.
Indeed, and for a while (circa five months by my observation) now. It is no longer, and hasn't been for a while, about technology. The technology - the Internet and the connected devices - has become a conduit for profitable criminal activity on a ubiquitous scale, pure and simple. Miscreants don't break into databases and steal 8M credit cards at a pop so they can card shells and shoes.
] Firewalls can't stop it, ISPs can't stop it. It's a *HOST* security issue.
I'll slightly modify that statement; it is a *PEOPLE* issue. People who write code. People who use systems and networks. People who abuse all of the above for monetary gain.
<babble>
I think people forget that we don't live in a utopian society. Some people expect computers to solve all the problems and expect that they can prevent crime in their own domain. We haven't eliminated physical crime at all so I don't see why people are surprised to find that a computer was used to commit a crime. Bank robberies take place all the time and you don't here much about them. Probably more similar is fraud which has taken place for a countless amount of time without the use of computers. Using computers is just another way to perpetuate it.
I do agree with a lot of people in the fact that users of the tool must be informed of how to use it safely, just like anything the person is not 100% familiar with. It's somewhat common knowledge to not leave bank account numbers lying around for anyone to see. It's not as common for people who are unfamiliar with computers to know not to open unknown attachments, run anti-virus software, use a firewall, etc... Would the average driver know how to handle an 18 wheeler? They could probably get it going, but not safely. People must be educated about using computers, ESPECIALLY if it is in a situation where security is elevated because the company has something valuable to protect. A bank teller wouldn't likely let a client behind the counter, yet many would probably open an attachment sent via email without knowing what it is. I know the average end user probably isn't likely as aware about security using their PC in their home, but if banks and other institutions plan on making their services available online in some manner, perhaps they should at least send out occasional best security practices to protect people's information. I can also see that it's not REALLY their problem either so I could also go the other way on this. Just like a bank is not responsible for someone breaking into your house and stealing your checkbook.
</babble>
Just my 2¢.
] Firewalls can't stop it, ISPs can't stop it. It's a *HOST* security issue.
I'll slightly modify that statement; it is a *PEOPLE* issue. People who write code. People who use systems and networks. People who abuse all of the above for monetary gain.
I think I agree. Hosts will be weak, especially when there's a dominant and homogeneous platform (so, vulnerabilities are more compatible/portable than they would be if we lived in a more heterogeneous world). But people, ahhh, yes, people, will be even weaker.
I've been trying hard to stay out of the privacy/authenticity field, because there's so much inertia to be overcome (patents, false starts, etc) but it seems to me that computers and networks, with all their cryptogoo and mega-computrons, should be able to make the average human's privacy better -- but so far they've only succeeded in making it worse.
-- Paul Vixie
On Sun, 27 Jul 2003, Paul Vixie wrote:
I think I agree. Hosts will be weak, especially when there's a dominant and homogeneous platform (so, vulnerabilities are more compatible/portable than they would be if we lived in a more heterogeneous world). But people, ahhh, yes, people, will be even weaker.
I've been trying hard to stay out of the privacy/authenticity field, because there's so much inertia to be overcome (patents, false starts, etc) but it seems to me that computers and networks, with all their cryptogoo and mega-computrons, should be able to make the average human's privacy better -- but so far they've only succeeded in making it worse.
Computers are absolutely capable of this, but as with security in general the problem lies with the people that are controlling what they do...
Patrick Greenwell
Asking the wrong questions is the leading cause of wrong answers
I think there is confusion here.
The banks are making the claim that, if you, the user, have an infected PC that is compromised by an 3lit3 h4x0r, and your password to your bank account is compromised, then the bank is not responsible.
That is what you are saying, Sean?
While the bank holds your money, it is responsible for its safety. This includes making sure the money is only released to you or to those you authorize. If an act of theft or fraud causes the bank to release that money without your authorization, the bank can certainly be held responsible. This is why they hold checks and even, from time to time, call people up to confirm suspicious transactions. Generally banks have a blanket bond to cover theft/fraud losses and this protection extends to their customers.
I don't think it would be that difficult to show that there are significant security flaws in the online banking system that the user is neither responsible for nor capable of correcting. You could get a dozen security experts to testify that a static password is not sufficient to protect a system that can perform unretrievable funds transfers. If that's all the bank's online scheme provides, this may negate the argument that the user's negligence was the sole/primary cause of the loss.
In most states, you have additional protections under state law.
DS
On Sun Jul 27, 2003 at 01:25:24AM -0700, David Schwartz wrote:
I don't think it would be that difficult to show that there are significant security flaws in the online banking system that the user is neither responsible for nor capable of correcting. You could get a dozen security experts to testify that a static password is not sufficient to protect a system that can perform unretrievable funds transfers. If that's all the bank's online scheme provides, this may negate the argument that the user's negligence was the sole/primary cause of the loss.
In the UK, I have 3 or 4 online accounts with different banks. My main bank asks for a 10 digit "customer number", my date of birth, and 3 characters at random from my password. By not asking for the whole password, this prevents simple replay style attacks. Asking for my DOB is not really additional protection - it's extremely easy to find (minus 5 points for anyone who can't find it out within 2 minutes of searching on the 'net).
Another bank asks me for 5 different bits of information, but always the same information every time. Whilst this would seem more secure, it doesn't prevent simple replay attacks.
Simon
-- Simon Lockhart | Tel: +44 (0)1628 407720 (x37720) | Si fractum
Technology Manager | Fax: +44 (0)1628 407701 (x37701) | non sit, noli
BBC Internet Services | Email: Simon.Lockhart@bbc.co.uk | id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
On Sun, Jul 27, 2003 at 12:37:54AM -0400, Sean Donelan wrote:
Unfortunately there are a lot, and a growing number, of self-infected PCs on the net. As the banks point out, this is not a breach of the bank's security. Nor is it a breach of the ISP's security. The user infects his PC with a trojan and then the criminal uses the PC to transfer money from the user's account, with the user's own password.
The bank hands out ATM cards, but does not offer the customer the option of logging in with SafeWord or SecureId or any other OTP. Given how much the bank saves in labor, it could surely afford the card expense. But it's easy to see why they don't, since it's the customer, not the bank, that is taking the risk. A sufficiently fancy trojan would notice when the user logged into the bank using OTP and change the destination of a money transfer or add an invisible transaction, but that's certainly quite a lot harder than a simple keystroke logger.
-- Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
From: "Sean Donelan" <sean@donelan.com>
Unfortunately there are a lot, and a growing number, of self-infected PCs on the net. As the banks point out, this is not a breach of the bank's security. Nor is it a breach of the ISP's security. The user infects his PC with a trojan and then the criminal uses the PC to transfer money from the user's account, with the user's own password.
Banks use passwords for authentication? That's what scares me.
Personally, I find it terrifying that banks allow such weak authentication as a password for financial transactions. To the best of my knowledge, all banks around here use a smartcard based system. It might be a bit more inconvenient, but the added security makes it well worth it, in my opinion.
It may not be a breach of the bank's security as such, but the measures they take in order to protect their customers' money are in my opinion so low that, IMHO, they are the ones guilty of negligence.
-Kandra
On Sun, 27 Jul 2003, Kandra Nygårds wrote:
Banks use passwords for authentication? That's what scares me.
Personally, I find it terrifying that banks allow such weak authentication as a password for financial transactions. To the best of my knowledge, all banks around here use a smartcard based system. It might be a bit more inconvenient, but the added security makes it well worth it, in my opinion.
Smartcard has become a marketing buzzword, and it's difficult to figure out what people are actually referring to. In the US, almost no consumer computers include smartcard readers. Companies like American Express do issue "smartcards", but their use as smartcards in the US is extremely rare. Even minimal things like the Verified by VISA program have gained little consumer acceptance. Big projects like Secure Electronic Transaction (SET) failed. Banks in the US offer one-time-password systems to their corporate customers. I'm aware of one bank which offered OTP to consumers, but signed up less than a dozen customers in three years. SSL is the most successful "security" feature implemented on the Internet. How many consumer ISPs offer OTPs to their ordinary customers (not employees, not special government or corporate contracts)?
From: "Sean Donelan" <sean@donelan.com>
Smartcard has become a marketing buzzword, and it's difficult to figure out what people are actually referring to.
Sorry, wrong word. I was actually referring to SafeWord/SecureID/ActivCard type solutions, not "ATM cards with a chip". Sorry for the confusion.
-Kandra
I don't think the average user has a smart card reader at home. Everyone has accepted a very simple two-factor authentication system for bank usage for a long time. Factor 1 is possession of the card. This is relatively easy to forge. Factor 2 is the PIN. This is no stronger than a password.
Most banks use smart cards for authenticating employees, with a password required to access the smart card. This is not practical (at least today) for home banking over the internet. Last I looked, the cost of the cards and the readers exceeded what would be reasonable for the bank to provide to all their customers. I don't think most home users understand enough about security to think the smart card system would be worth the price.
The real negligence in this case is the software company that released a MUA that makes trojans so convenient to distribute. As someone else stated earlier in this thread... OUTLOOK: The Exploding PINTO on the Information Superhighway. This is _SO_ true.
Owen
--On Sunday, July 27, 2003 10:03 +0200 Kandra Nygårds <kandra@foxette.net> wrote:
From: "Sean Donelan" <sean@donelan.com>
Unfortunately there are a lot, and a growing number, of self-infected PCs on the net. As the banks point out, this is not a breach of the bank's security. Nor is it a breach of the ISP's security. The user infects his PC with a trojan and then the criminal uses the PC to transfer money from the user's account, with the user's own password.
Banks use passwords for authentication? That's what scares me.
Personally, I find it terrifying that banks allow such weak authentication as a password for financial transactions. To the best of my knowledge, all banks around here use a smartcard based system. It might be a bit more inconvenient, but the added security makes it well worth it, in my opinion.
It may not be a breach of the bank's security as such, but the measures they take in order to protect their customers' money are in my opinion so low that, IMHO, they are the ones guilty of negligence.
-Kandra
"Owen" == Owen DeLong <owen@delong.com> writes:
Owen> I don't think the average user has a smart card reader at home.
They don't need readers. The devices in question support a (supposedly :) secure challenge-response system. With some devices, the web site would display the challenge, the user would enter that into their device, the device displays a response, and the user uses that response as their passwd for that login. With others, the passwd the device displays varies with time rather than any input. The challenge in that case is implicitly the current date/time of the login attempt.
The downside of course is that you have yet another small, losable device to keep track of. (And to carry around if you want to login while traveling.)
Security as always is a HARD problem. People just hate to bother until the risk hits some magic barrier. Businesses of course have fewer risk protection laws on their side, so adding secure features for business customers will always be easier than adding them for typical consumers. Especially in places like the US where the consumer protection laws are so strong. OTOH, any business in real competition for consumers will eat small losses as part of their advertising/marketing budget....
-JimC
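To make the two schemes discussed above concrete (Simon's "3 characters at random from my password" and Jim's challenge-response and time-synchronised devices), here is an added Python model of both sides of each login, written for this thread rather than taken from any bank or token vendor. The customer names, password, device secrets, HMAC-SHA256 construction and 8-character response length are all constructed for illustration; the point it shows is why a keystroke logger's captured response is worth much less against a fresh challenge than a static password is.

```python
import hashlib
import hmac
import secrets


def device_response(secret: bytes, challenge: str) -> str:
    """What the hand-held token computes: an HMAC over the challenge, cut to
    8 hex characters so a human can type it in as that login's password.
    (Constructed scheme; real tokens use vendor-specific algorithms.)"""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
    return mac[:8]


def time_response(secret: bytes, now: float, step: int = 60) -> str:
    """Time-synchronised variant: the implicit challenge is the current
    time window, so the displayed code changes every `step` seconds."""
    return device_response(secret, "t%d" % int(now // step))


class ChallengeResponseBank:
    """Bank side: shows a fresh random challenge per login and accepts only
    the matching device response, once."""

    def __init__(self, token_secrets: dict):
        self.token_secrets = token_secrets   # customer id -> secret inside the device
        self.pending = {}                    # customer id -> outstanding challenge

    def issue_challenge(self, customer: str) -> str:
        challenge = secrets.token_hex(4)     # 8 hex digits displayed on the web page
        self.pending[customer] = challenge
        return challenge

    def verify(self, customer: str, response: str) -> bool:
        # The challenge is consumed by any attempt, so a response is single use.
        challenge = self.pending.pop(customer, None)
        if challenge is None:
            return False
        expected = device_response(self.token_secrets[customer], challenge)
        return hmac.compare_digest(expected, response)


class PartialPasswordBank:
    """Simon's bank: ask for three characters of the password at random
    positions. The positions are the challenge; a captured answer replays
    only if the same three positions are drawn again."""

    def __init__(self, passwords: dict):
        self.passwords = passwords           # customer id -> full password (constructed)
        self.pending = {}

    def issue_challenge(self, customer: str) -> tuple:
        rng = secrets.SystemRandom()
        positions = rng.sample(range(len(self.passwords[customer])), 3)
        self.pending[customer] = tuple(sorted(positions))
        return self.pending[customer]

    def verify(self, customer: str, chars: str) -> bool:
        positions = self.pending.pop(customer, None)
        if positions is None or len(chars) != len(positions):
            return False
        expected = "".join(self.passwords[customer][i] for i in positions)
        return hmac.compare_digest(expected, chars)


def replay_against_token() -> tuple:
    """A keystroke logger on the PC captures one login's (challenge, response)
    and the thief replays the response at the next login."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed device secret
    bank = ChallengeResponseBank({"alice": secret})
    c1 = bank.issue_challenge("alice")
    r1 = device_response(secret, c1)            # typed by the legitimate user
    first_ok = bank.verify("alice", r1)
    c2 = bank.issue_challenge("alice")          # fresh challenge for the thief's attempt
    replay_ok = bank.verify("alice", r1)        # replayed response
    return first_ok, replay_ok, c1 == c2        # replay works only if the challenge repeats


def replay_against_partial_password() -> tuple:
    """Same capture-and-replay against the three-random-characters scheme:
    far better than a static password, but a 12-character password has only
    C(12,3) = 220 position sets, so one captured answer fits 1 login in 220."""
    bank = PartialPasswordBank({"alice": "correcthorse"})        # constructed password
    p1 = bank.issue_challenge("alice")
    a1 = "".join("correcthorse"[i] for i in p1)
    first_ok = bank.verify("alice", a1)
    p2 = bank.issue_challenge("alice")
    replay_ok = bank.verify("alice", a1)
    return first_ok, replay_ok, p1 == p2


def time_window_check() -> tuple:
    """Within one 60-second window the code is stable; in the next it changes,
    so a code captured at 960s is useless once the clock passes 1020s."""
    secret = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # constructed device secret
    same_window = time_response(secret, 960.0) == time_response(secret, 1010.0)
    next_window = time_response(secret, 960.0) != time_response(secret, 1020.0)
    return same_window, next_window
```

Neither model stops the "sufficiently fancy trojan" Barney describes, which alters the transaction after a valid login rather than replaying a credential; that needs the device to sign the transaction details, not just the login.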
At 01:03 AM 7/27/2003, Kandra Nygårds wrote:
From: "Sean Donelan" <sean@donelan.com>
Unfortunately there are a lot, and a growing number, of self-infected PCs on the net. As the banks point out, this is not a breach of the bank's security. Nor is it a breach of the ISP's security. The user infects his PC with a trojan and then the criminal uses the PC to transfer money from the user's account, with the user's own password.
Banks use passwords for authentication? That's what scares me.
Personally, I find it terrifying that banks allow such weak authentication as a password for financial transactions.
Not only do they use password authentication, but they use a supposedly secure password policy that effectively renders the password completely insecure. What do I mean? I mean that in my case, my bank requires that I change the password to my online account management website every 90 days. For passwords which are used daily or several times a day, a 90 day change interval can make sense in many circumstances. But since I only login to my banking account once a month, that means that I have to change my password once out of every 3-4 times I use this account. I know how to create a secure password, but I can NOT create a new one every 3-4 uses and then remember, 30 days later, what the most recent password for this one account is. I have many reasons to suspect that my problem is one that most (perhaps all) of the bank's users have - the change interval is too frequent (as compared to use intervals) and so the password is not effectively memorized on an ongoing basis.
So, I end up having to do something INSECURE to remember the stupid password. Either I have to create an insecure and "easy to remember" password, or I have to write it down somehow. Now we are back to the root problem, that the user's computer/user's password is now "insecure" and it "isn't the bank's fault" when the user's password is discovered and used without the user's permission. Well, that's BS. The bank created a policy that can not be securely followed! There is more to maintaining a secure password than changing it frequently. The policy has to be one that can be effectively followed by most people! It would be far more secure *in the real world* for the bank to only require that the password be changed once a year and to then have customers securely maintain that password in their heads instead of cached on the computer (a very common practice) or written down (usually on a piece of paper that then is found under the keyboard, another very common practice).
But that would *appear* to be a less secure policy to anyone auditing the bank's password policy. It is obvious that the appearance of security is much more important than real security. That's why we can't take nail scissors on airplanes, it's deemed more important to have the appearance of security at the security checkpoint than it is to have actual *real* security on the airplane itself (better doors to the cockpit, better security procedures in the event of a hijack, etc.). We needlessly inconvenience users to create an *impression* that we are serious about security when we are actually accomplishing absolutely nothing.
sigh. I keep on not doing enough to remember the stupid password, and today I can't log in to the bank account. Again. So now I have to have them reset the password.
Oh, BTW, this secure policy also has a password limitation of 8 characters, and it only requires 1 non-alpha character. So I can use a supposedly "secure" password - like bananas1 (and then change it to bananas2 90 days later) - but I can't use a password like 4s&7Yaofb4otC (well, *that* one isn't the most secure in the world, but you get the point), because it's too long, even though it's obviously much harder to crack. But that isn't deemed a "fault" in the bank's secure password policy.
jc
Speaking on Deep Background, the Press Secretary whispered:
So, I end up having to do something INSECURE to remember the stupid password. Either I have to create an insecure and "easy to remember" password, or I have to write it down somehow. Now we are back to the root problem, that the user's computer/user's password is now "insecure" and it "isn't the bank's fault" when the user's password is discovered and used without the user's permission. Well, that's BS. The bank created a policy that can not be securely followed! There is more to maintaining a secure password than changing it frequently. The policy has to be one that can be effectively followed by most people!

Strip <http://www.zetetic.net/index.html> is your helper here.

--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
At 07:21 AM 7/27/2003, David Lesher wrote:
Strip <http://www.zetetic.net/index.html> is your helper here.
I have strip. Unfortunately, I don't always have my Palm at hand when I want to login to my bank, and I didn't have it at hand the *last* time, when I had to change the password, so the new password didn't get entered into strip. But that's beside the point, using strip on a pda (to help remember passwords) is a solution that only works for some people, in some circumstances. It would be much better to have a policy that just WORKED. jc
On Sun, 27 Jul 2003, JC Dill wrote:
At 07:21 AM 7/27/2003, David Lesher wrote:
Strip <http://www.zetetic.net/index.html> is your helper here.
I have strip. Unfortunately, I don't always have my Palm at hand when I want to login to my bank, and I didn't have it at hand the *last* time, when I had to change the password, so the new password didn't get entered into strip. But that's beside the point, using strip on a pda (to help remember passwords) is a solution that only works for some people, in some circumstances. It would be much better to have a policy that just WORKED.
or a 10 dollar key fob that always had a code you could combine with your 'pin' for a password... why is a solution like RSA/ACE so difficult for people to accept on a wide scale? After all, banks charge you for checks, why not for the FOB, and make you purchase the replacement when you lose it?

-Chris
Thus spake "JC Dill" <nanog@vo.cnchost.com>:

Not only do they use password authentication, but they use a supposedly secure password policy that effectively renders the password completely insecure. What do I mean? I mean that in my case, my bank requires that I change the password to my online account management website every 90 days.

That's not even the dumbest part. You can reset your password at most banks, insurance companies, stores, airlines, etc. by claiming you forgot it; they'll happily reset it to your mother's maiden name, SSN, or some other publicly-available datum. I've even run across one telephone company which will accept my SSN in lieu of my password _without_ resetting the latter, so the hack is completely undetectable by the victim.
It would be far more secure *in the real world* for the bank to only require that the password be changed once a year ...
It seems a better general solution would be to require the password be changed every N uses.
Oh, BTW, this secure policy also has a password limitation of 8 characters, and it only requires 1 non-alpha character. So I can use a supposedly "secure" password - like bananas1 (and then change it to bananas2 90 days later) - but I can't use a password like 4s&7Yaofb4otC (well, *that* one isn't the most secure in the world, but you get the point), because it's too long, even though it's obviously much harder to crack. But that isn't deemed a "fault" in the bank's secure password policy.
There's a staggering number of web sites that won't allow me to use non-alphanumeric characters in my passwords at all. I've even run into a few which also don't allow and/or preserve upper-case letters. Those who fail to learn the lessons of history...

--
Stephen Sprunk        "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS         dice at every possible opportunity." --Stephen Hawking
On Sun, 27 Jul 2003, Stephen Sprunk wrote:
That's not even the dumbest part. You can reset your password at most banks, insurance companies, stores, airlines, etc. by claiming you forgot it; they'll happily reset it to your mother's maiden name, SSN, or some other publicly-available datum.
NOTE: I've had over $42,000 stolen from bank accounts via the internet. Take that into account when you read this...

First of all security of the physical and network bank web sites may very well be up to snuff. However when you combine with the customer service side of things for the whole package BANK SECURITY IS AN ABSOLUTE JOKE!

At one bank I was at someone called up claiming to be me and setup my web account and wired themselves $9,500 three times over a two day period. They even called the bank back asking what was taking so long and why the money wasn't in their account yet. When I found out about this a month later (I had no reason to check the website since I didn't use it) the bank was able to reverse two of the transfers and ate the other one (no one ever said thieves were smart, they never moved most of the money out of the destination account). During the conversations with the bank I asked that the account be disabled and never enabled again and to have this request noted. Well about 8 months later someone called in claiming to be me and got the account reenabled. They had a bank check made out to themselves for about $13,500 and sent via postal mail. Fortunately they got caught cashing the check in AZ and are now in jail awaiting trial.

That however is not the end of things. I haven't had any more money stolen, but at another bank, which I have been at for well over 10 years thus predating any web site, they automatically setup web accounts with a default password (last four digits of your SSN). When I heard this I said to myself "oh %^&*!" I asked to have the web account disabled and was told this could not be done. So I immediately went back to my computer and changed the password. Fortunately no one has done anything with that account.

Basically while the network security may be there that is only part of the package and the rest of the package is not up to snuff.

The big "problem" in my eyes is that physical presence is no longer necessary so it is next to impossible to catch these thieves (unless they do stupid things like the ones who stole from me). A sophisticated criminal will probably be able to get away with millions of dollars in a very short period of time and be able to vanish without a trace. I'm not sure what needs to be done, but the security as now implemented is not even close to enough IMHO. Networkwise (to bring this back on topic) I'm not sure there is really much that can be done.

bye,
ken emery
ken emery wrote:
I'm not sure what needs to be done, but the security as now implemented is not even close to enough IMHO. Networkwise (to bring this back on topic) I'm not sure there is really much that can be done.
Don't forget the desperate need for user *and* staff education. I have now multiple times got calls from my bank asking to discuss my account. Could I just verify my details? they asked. Er, you first, I said. They didn't get it. They didn't understand why, as someone who is lightly paranoid and understands more about security than they do, I was concerned that they couldn't prove they were from the bank...

Peter
On Sun, 27 Jul 2003, Stephen Sprunk wrote:
There's a staggering number of web sites that won't allow me to use non-alphanumeric characters in my passwords at all. I've even run into a few which also don't allow and/or preserve upper-case letters. Those who fail to learn the lessons of history...
It's even worse, we're actually moving backwards. Not only users, but even "security consultants" don't understand the history. They have checklists. The checklist says you must change the password every 30 days pass/fail.

If you go to the library (or use Google) and look up the Green Book, you'll find password lifetime was not a critical factor. The Green Book has the somewhat arbitrary recommendation for a 1 year password lifetime. The original analysis was based on 300/1200 baud modems, but even that isn't relevant *PROVIDED* you implement the other recommendations in the Green Book. Most bank 4-6 numeric PINs have indefinite lifetimes. Most ISPs don't require consumers to change network passwords.

The problem is fewer and fewer modern systems implement the other recommendations. So password lifetime has become the primary protection factor.

How many systems notify the user
 - the date and time of user's last login
 - the location of the user at the last login
 - unsuccessful login attempts since last successful login

How many web systems control the rate of login attempts
 - by source
 - by userid

How many web systems notify anyone or block the account after N unsuccessful login attempts either temporarily or permanently

Systems like VAX/VMS had a relatively sophisticated intrusion detection and evasion process built into the operating system by the 1980's.

Note: if the user's PC has been compromised it doesn't matter how frequently they change their password. Even pseudo-random one-time-password systems are vulnerable when the user's system has been compromised (as some mobsters found out when the FBI infiltrated their systems).
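The controls Sean lists above (rate limiting by source and by userid, temporary lockout after N failures, and telling the user the time, source and failed-attempt count since their last good login) are simple to build, and the example below shows all of them in one small Python login monitor. It is an added illustration written for this archive, not code from any poster or from any bank; the thresholds (5 failures, 15 minute lock, 20 attempts per source per minute), the sample user ids, passwords, timestamps and RFC 5737 documentation addresses are all constructed.

```python
"""Added example: per-user and per-source login attempt controls, plus the
last-login / failed-attempt notice the thread says most web systems lack.
Sample users, passwords, addresses and timestamps are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5        # lock the account after this many consecutive failures (assumed)
LOCKOUT_SECONDS = 900   # temporary lock; a real system would also alert staff (assumed)
SOURCE_WINDOW = 60      # sliding window, in seconds, for per-source rate control (assumed)
SOURCE_LIMIT = 20       # attempts allowed per source address per window (assumed)
PBKDF2_ROUNDS = 50_000  # work factor for the stored password hash (assumed)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the monitor never keeps the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    failed_since_success: int = 0                       # failures since last good login
    locked_until: float = 0.0                           # epoch seconds; 0 means not locked
    last_success: Optional[Tuple[float, str]] = None    # (timestamp, source address)


class LoginMonitor:
    """Tracks attempts by userid and by source, in the spirit of the Green Book
    recommendations quoted in the thread (rate control, lockout, user notice)."""

    def __init__(self, users: Dict[str, str]):
        self.users: Dict[str, UserRecord] = {}
        for userid, password in users.items():
            salt = os.urandom(16)
            self.users[userid] = UserRecord(salt, hash_password(password, salt))
        self.source_attempts: Dict[str, List[float]] = {}

    def _source_rate_exceeded(self, source: str, now: float) -> bool:
        # Keep only timestamps inside the sliding window, then record this attempt.
        recent = [t for t in self.source_attempts.get(source, []) if now - t < SOURCE_WINDOW]
        recent.append(now)
        self.source_attempts[source] = recent
        return len(recent) > SOURCE_LIMIT

    def attempt(self, userid: str, password: str, source: str, now: float) -> dict:
        """Returns {"ok": False, "reason": ...} or {"ok": True, "notice": {...}}."""
        if self._source_rate_exceeded(source, now):
            return {"ok": False, "reason": "source rate limit"}
        rec = self.users.get(userid)
        if rec is None:
            # Same answer as a wrong password, so the reply does not reveal valid ids.
            return {"ok": False, "reason": "bad credentials"}
        if now < rec.locked_until:
            return {"ok": False, "reason": "account locked"}
        candidate = hash_password(password, rec.salt)
        if not hmac.compare_digest(candidate, rec.pw_hash):
            rec.failed_since_success += 1
            if rec.failed_since_success >= MAX_FAILURES:
                rec.locked_until = now + LOCKOUT_SECONDS
                return {"ok": False, "reason": "account locked"}
            return {"ok": False, "reason": "bad credentials"}
        # Success: build the notice the user should see, then reset the counters.
        notice = {
            "last_login_time": rec.last_success[0] if rec.last_success else None,
            "last_login_source": rec.last_success[1] if rec.last_success else None,
            "failed_attempts_since_last_login": rec.failed_since_success,
        }
        rec.failed_since_success = 0
        rec.last_success = (now, source)
        return {"ok": True, "notice": notice}


def demo() -> dict:
    """Constructed scenario: three wrong guesses from one address, then the owner logs in."""
    monitor = LoginMonitor({"jc": "correct horse battery staple"})  # constructed credentials
    for i in range(3):
        monitor.attempt("jc", "bananas%d" % i, "192.0.2.10", now=1000.0 + i)
    return monitor.attempt("jc", "correct horse battery staple", "198.51.100.7", now=1010.0)


if __name__ == "__main__":
    print(demo())
```

The notice returned on success is the piece the thread says is usually missing: the owner sees three failed attempts since their last login, which turns a silent guessing run into something the user can report. Lockout and the source limit are deliberately temporary and separate, so a single address cannot permanently lock a user out and a distributed guesser still hits the per-account counter.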