StarTrek Authentication

Posted August 20, 2007 by Eugen
Categories: Authentication, New Technology, Usability

If the crew of Star Trek's Enterprise ever had to log in to their bank accounts, this is probably how they did it . . . by entering the PIN with their eyes.

Researchers at Stanford University in California have developed a new authentication concept called EyePassword:

“A system that uses infrared light to track the position of your eyes as you look at numbers and letters displayed on a screen could soon make that possible. “While it is simple to look over someone’s shoulder to tell what keys they are pressing, it’s harder to tell exactly where on the screen the user is looking,” says Manu Kumar, who helped create the system, called EyePassword, at Stanford University in California.

EyePassword works by shining an invisible infrared beam on the user’s face. That produces a reflection or “glint” in their eye that stays in the same spot no matter where they look, in contrast to their pupils, which move whenever their gaze shifts. A camera tracks the relative positions of the glint and the person’s pupils and uses this to work out what …”

Here is the link to the article in New Scientist magazine (premium account required).

iPhone – Phishing Vulnerabilities

Posted July 18, 2007 by Eugen
Categories: New Technology, Phishing, Phishing Scams, Vulnerabilities

I am not going to rush to the store to get the iPhone. My Nokia E62 is not even close to having the same coolness factor, but at least it does email pretty well . . . except, of course, that if a message has a link, the Nokia browser will not kick in when I click on the embedded link. I used to get annoyed, but consider the same functionality on the iPhone.

John Leyden writes for TheRegister.com on the iPhone's shortcomings when it comes to phishing attacks:

• The iPhone’s email client only displays the first few characters of a weblink, which makes it easier to hide a fraudulent URL at the end of a link without arousing suspicion.
• The mechanism the iPhone uses to link between web browser and telephone functions also makes it easier to embed scam telephone numbers within sites, which a user may be prompted to dial.

Other researchers found a number of additional vulnerabilities which could uncover passwords hidden in Apple software.

“Plug-and-Play” Phishing Kit

Posted July 18, 2007 by Eugen
Categories: Phishing, Phishing Scams, Vulnerabilities

SiteKey Login

“In early June, the RSA Anti Fraud Command Center (AFCC) discovered a new type of phishing kit. The kit is actually a single file which creates an entire phishing site on a compromised server when “double-clicked” on, similar to “.exe” installation files. The kit was discovered through phishing forensics work by the AFCC forensics lab.

The “kit” is a single PHP code file, which is run on the compromised server once, and automatically creates the relevant directories and installs all of the files which are associated with the specific phishing site. Within seconds after running the file, a complete phishing site is “live”. During testing of the kit in the RSA phishing lab, a phishing site was installed within approximately two seconds.”

For further information: RSA June 2007 Report.

Passwords 2.0 – The Future of Authentication

Posted July 17, 2007 by Eugen
Categories: Anti-Phishing Tools, Authentication, New Technology, Phishing, Usability

What is the future of authentication? Looking at the technologies available in the consumer authentication market, two general trends are visible, and they seem to be heading in somewhat different directions:

1) The first approach is to keep the old passwords but build a layered protection mechanism around them. The key driver is the fear that users will not accept any change in the way they authenticate.

2) The other approach is to admit that passwords are the weakest link (really, passwords + users). This perspective calls for a paradigm shift in the way we use passwords in general. Rather than applying more and more patches to an inherently insecure authentication approach, why not look for an effective and simple way to adopt a new generation of passwords – Passwords 2.0? The best illustration of this approach is probably the car key. Cars had keys because houses have keys, and that is what we knew to be secure. Now the newest cars have a “Start” button, while the “key” is reduced to a token device which, in close proximity to the car, acts as owner identification and allows the car to start. In a similar fashion, what worked for the mainframe in closed networks is obviously not working for the 21st-century WWW and requires a paradigm shift – a new kind of “keys”.

Comments anyone?

But what are the key elements of the “next generation”, or Passwords 2.0, world of authentication? Dr. Norman Fraser (CEO of Tricerion) has just published a white paper which addresses the “guessability” and “shareability” of regular passwords and how to protect against these vulnerabilities without compromising usability. (I think I just set my personal record for the number of “-bilities” in one sentence.)

Link to the PDF – “Passwords 2.0”

Legit Keylogging

Posted July 10, 2007 by Eugen
Categories: Law Enforcement

Declan McCullagh at CNET writes on the use of keyloggers to tap into people’s computers and track their activities.

“A recent court case provides a rare glimpse into how federal agents deal with encryption: By breaking into a suspect’s home or office, implanting keystroke logging software, and spying on what happens from afar.

An agent with the Drug Enforcement Administration persuaded a federal judge to authorize him to sneak into an Escondido, Calif. office believed to be a front for manufacturing the drug MDMA, or Ecstasy. The DEA received permission to copy the hard drives’ contents and inject a keystroke logger into the computers.

That was necessary, according to DEA Agent Greg Coffey, because the suspects were using PGP and the encrypted Web e-mail service Hushmail.com. Coffey claimed that the DEA needed “real-time and meaningful access” to “monitor the keystrokes” for PGP and Hushmail passphrases.”

The history of PIN (why 4 digits?)

Posted July 9, 2007 by Eugen
Categories: Authentication, Humor, Usability

Ever wonder why PINs consist of only four digits? The BBC published an article on the inventor of the ATM, Mr. Shepherd-Barron. Here is what he has to say on that particular usability question for ATM passwords:

One by-product of inventing the first cash machine was the concept of the Pin number.

Mr Shepherd-Barron came up with the idea when he realised that he could remember his six-figure army number. But he decided to check that with his wife, Caroline.

“Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,” he laughs.

Phishing Attack – BofA SiteKey (PassMark)

Posted July 2, 2007 by Eugen
Categories: Phishing Scams

I just got an email which tries to phish Bank of America’s customers who use the SiteKey (PassMark) technology. The message tries to get people to disclose their credentials by masking the real website address (which only works under IE, and not under Firefox, which I am using in this situation).

Take a look at these images – screenshots:

(a) This is a screenshot of the original phishing email.

bofa-phish-1.jpg

(b) The “verification” link in the email takes you to the file below (click on the image to see the complete representation)

bofa-phish-2.jpg

(c) If you click on “Continue”, it takes you to another page where you’ll notice that under Internet Explorer the script tries to cover the original address bar to show the “bankofamerica.com” URL. Obviously not working under Firefox on a Mac.

bofa-phish-3.jpg

(d) And here is the larger text:

bofa-phish-4.jpg

(e) Some of the images appear to come directly from the original BofA site.

bofa-phish-5.jpg

Phishing iPhone Phanatics

Posted July 2, 2007 by Eugen
Categories: Phishing Scams

A new phishing scam is targeting iPhone fans by telling them that they have won a free iPhone. Clicking on the link in the phishing email opens a “site loaded with more than 10 pieces of malicious code, each targeting a potential browser vulnerability. In addition, users that attempt to visit the site more than once are redirected to another, “safe” Web site.”

Full story here

Token + Credit Card = very cool OTP

Posted May 2, 2007 by Eugen
Categories: Anti-Phishing Tools, Authentication, New Technology, Usability

Last year I got to see a prototype of the new OTP token that fits into a regular plastic credit card. I still wonder how they managed to put a battery in there (and how long it will last). This is a very neat product. In terms of usability, this token has a higher chance of being popular with online banking users, since we all carry at least one credit card at all times. It is easy to use and carry. The key is to make sure the battery lasts until the card expires.

“VeriSign was expected to announce a deal with Innovative Card Technologies Inc. to outfit banks and e-commerce sites with cards that work with VeriSign’s password system.

With the card, consumers logging on to an online bank account, for instance, would type in their regular username and password, along with a six-digit code that appears on the card’s display window. That code constantly changes, meaning the customer needs to have possession of the card to access the account.”

(Full article here)
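The “six-digit code that constantly changes” is the kind of “new key” the Passwords 2.0 post above asks for, and it is worth seeing what the card and the bank's server each have to compute. The following is an added example (Python; not VeriSign's, Innovative Card Technologies' or this blog's code) that assumes an OATH-style scheme: HOTP as in RFC 4226 driven by a 30-second time step as in RFC 6238, SHA-1, six digits. The shared secret is the RFC test secret, not any real card's key, and the verification window and replay tracking are design choices of the example.

```python
import hashlib
import hmac
import struct
import time

# Assumed parameters: RFC 4226 / RFC 6238 test secret (not a real card key),
# HMAC-SHA1, 30-second time step, 6 displayed digits.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: the card does this every `step` seconds from its
    own clock; the counter is the number of whole steps since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify(secret, submitted, at=None, step=STEP_SECONDS, digits=DIGITS,
           window=1, last_counter=None):
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps on either side so a card
    whose clock has drifted still works. Returns the matching counter so the
    caller can store it; passing it back as `last_counter` makes every code
    single-use, which rejects a code that was phished and replayed later.
    Returns None when nothing matches. The comparison is constant-time."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    at = time.time() if at is None else at
    base = int(at) // step
    for counter in range(base - window, base + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue                      # already used, or older than one used
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(SHARED_SECRET, now)      # what the card would display right now
    print("card shows:", code)
    print("server accepts at counter:", verify(SHARED_SECRET, code, now))
    print("replay rejected:", verify(SHARED_SECRET, code, now,
                                     last_counter=int(now) // STEP_SECONDS))
```

Two practitioner notes. The drift window is a trade-off: each extra step accepted roughly doubles the number of codes an attacker can guess online, so the window should be small and combined with an attempt counter. And a code that changes every 30 seconds defeats the replay of captured credentials, which is the attack the phishing mails on this page rely on, but it does not by itself stop a site that relays the code to the bank in real time; the code is only as fresh as the attacker is slow.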

Authentication and Online Trust Summit 2007 Presentations

Posted May 2, 2007 by Eugen
Categories: Authentication, Statistics

A number of presentations from the Authentication and Online Trust Summit are now available online.

Here are the agenda and the links to the available presentations: Day 1, Day 2

Below I have listed a couple of the most relevant presentations relating to authentication and anti-phishing:

“E-commerce and Online Banking Fraud Issues, Challenges & Solutions”
Karim Noorali, Sr. Product Manager, eBay
Victor Talamo, VP & Director Risk Management, JPMorganChase
Marcelo Camara, Banco Bradesco, Febraban – Brazilian Banking Organization

“How to Fry A Phish & protect your brand domain & infrastructure – Evolving technologies and countermeasures.”
Laura Mather, Ph.D. Senior Scientist, Mark Monitor
Jens Hinrichsen, Product Marketing Manager, RSA
Rod Rasmussen, Director of Operations, Internet Identity