Category: Security thoughts

14/07/08

Permalink 01:07:13 am, by Igor Drokov, in Security thoughts, Online payments, Internet banking  

Can you imagine an ATM running Windows XP Home Edition and being connected to the Internet or a Point of Sale terminal running Tetris? – Unlikely! Why then is allowing a customer to use any computer on the Internet to connect to the banking system, and transfer much more money than you can take out of a cash machine, a good idea? Why did arguably the most conservative organisations in the world – the banks – agree to lower their defenses so low that they practically invited the criminals in?

The answer is simple – the same reasons why even risk-averse investors were chasing after every Internet company in the late 90s – the attractiveness of the global scale and reduced costs of e-channels.

Over the years, payments and savings have always been a subject of the most advanced protection:

  • Banknotes have watermarks and other security features to resist counterfeiting
  • Cheques require the account holder's signature
  • ATMs require both your card and your PIN, run secure software, and are physically tamper-resistant
  • Point of Sale terminals in your favourite supermarket are protected from tampering and use dedicated secure connections to the payment processing network

These are all very sensible measures that work (to one degree or another) to protect customers' and banks' money.

Today, however, there is a huge imbalance between the value of electronically accessible funds and their security. This is being very effectively exploited by criminals and the banks are looking for a solution. Personal computers are not tamper-proof sales terminals, so it is unfeasible to rely on the customer to keep them 100% secure. No one can take away online banking but banks can deploy new security measures, and solving this problem requires a new innovative approach that can equally address security, ease of use, and cost.

At Cronto, we identified this imbalance years ago. We also correctly predicted that the only solution to address this problem is transaction authentication (where the customer confirms each banking instruction). We then developed an innovative visual transaction signing solution. Based on our unique Visual Cryptogram, the Cronto solution supports multiple end user options allowing the bank to choose what is right for their customers whilst maintaining consistency in their backend systems.

07/07/08

One of the frequently proposed ideas for reducing bank fraud is to train customers to identify and ignore phishing emails. The problem with this approach is that the criminals sending such emails quickly adapt to circumvent the advice given to customers, as can be seen in this quiz.

Even worse is that the emails sent by banks often resemble phishing attempts, and sometimes directly violate the advice given to customers. With this “do as I say, not as I do” approach, it is no surprise that customers regularly fall for the scams. In fact, sometimes a legitimate email looks so fake that the bank's own security staff think it's a phish.

And it's not just banks which are slipping up. I received an email from PayPal, asking users to “click here and enter your password” despite the warning on the same page: “PayPal will never ask you to enter your password in an email”. What can customers be reasonably expected to do, given this type of training? I simply closed my account.

Email is a valuable sales channel for banks, and marketing teams evidently have not been willing to sacrifice it, despite the (justified) concerns of the security departments. This fact, coupled with the weak authentication schemes currently deployed, makes life for fraudsters easy. PayPal have tried one alternative approach – a two-factor token – but these are still vulnerable to attack. Strong security solutions, accepted both by customers and marketing, are needed to mitigate the large damages from fraud we see today.

15/08/07

Permalink 11:24:29 am, by Igor Drokov, in Security thoughts, User experience, Online identity  

On Friday 10th August, the House of Lords Science and Technology Committee published results of their inquiry into "Personal Internet Security". Richard Clayton, who served as the "Specialist Adviser" to the committee, has written a great introduction to the report highlighting recommendations such as increasing ISPs' responsibility, obliging banks to bear e-fraud losses, introducing data breach notification laws and software liability.

As part of their investigation, the Committee engaged a multitude of experts, ranging from PayPal CISO Michael Barrett to Prof. Ross Anderson, and from Bruce Schneier to Robert Littas, Head of Fraud Management in Visa Europe. Both the report and evidence (submitted in writing and during interview sessions) are available from the Parliament's web site and are a must read for every security professional.

Amongst renowned security experts and executives of multi-billion companies, Ilkley Computer Club, a local community support group in a small town (population 13,828) in the north of England (UK), was asked to submit their views on the subject. They did so with the following introduction:

Ilkley Computer Club is approximately 25 years old. When it started, it was the time of the first micro computers for home use; Ataris, Commodores, Sinclairs and BBCs. Membership was mainly 5th & 6th Formers from local schools. Today, the majority of members are “silver surfers” who almost always use a Windows computer. When the Club started, the Internet had not been invented. Now all members use it and at most meetings, Internet issues dominate discussions. The members wanted to pool their recent experiences with Internet use and to present them to the Committee in the hope that their collective knowledge – or lack of it – may aid understanding.

Like every other witness the Club was asked to suggest ways of "tackling the problem" and provided 6 recommendations. What I could not fail to note is that the Committee adopted 5 out of 6 suggestions made by the Club. The following excerpts from the report illustrate this.

Club: "There must be positive Government guidance pushed to users;"

Committee:

8.24. We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety. (6.49)

Club: "Government advice must be from a single point of contact;"

Committee:

8.21. The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be relaunched as a single Internet security “portal”, providing access not only to the site itself but acting as a focus and entry-point for other related projects. (6.46)

Club: "Internet Service Providers must take a proactive stance in prevention (viruses, trojans, spam, spyware, etc);"

Committee:

8.10. We recommend that the “mere conduit” immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem. (3.69)

Club: "Software producers must take more care when writing software to avoid bugs in the first place;"

Committee:

8.12. The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through self-regulation and codes of best practice, to demonstrate its commitment to this principle. (4.38)

8.15. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)

Club: "If washing machines can be “kite marked” to EU or UK standards, why not computers?"

Committee:

8.23. We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate. (6.48)

Everyone might have their own interpretation of how the suggestions of ordinary computer users ended up being so spot-on as far as the Committee's conclusions are concerned, but undoubtedly it is a fascinating result. Perhaps, "users don't know what they want" is not as true as many vendors tend to believe and users can not only help to identify problems but also to develop solutions?

04/07/07

Permalink 02:28:50 pm, by Elena Punskaya, in Security thoughts, User experience  

I certainly can’t claim to suffer from the early adopter syndrome, however, for the online banking experiment I was probably among the earliest adopters. Everything felt right: no more “may I please leave earlier today, I need to pop into the bank”, no queues, no closed doors and late payments – everything at a “touch of a button”, quick, effective, whenever you need it, and in the comfort of your own home. Besides, what did I have to lose – as a customer, I’m covered, no matter what happens?

I’m still covered and had almost forgotten the last time I actually visited my local branch when I suddenly found myself “having to pop into the bank” again and again. Services I was so used to were no longer available: I had to urgently transfer some money to a friend – turned out it was no longer possible for the new payees; my end of the month regular transfer of 1010 pounds didn’t go through due to a newly imposed limit of 1000, and one day I simply couldn’t log in and was asked to call and answer some “security” questions … such as “what was the exact amount of your last transfer in April and how many direct debits do you have on your account?” How am I expected to remember?

Of course, with increasing online banking adoption, security is becoming a serious concern and rightly so; and it certainly IS as important to make the user feel secure as it is to actually secure their funds. And it's not just the funds that are in danger there - it's also the important private data that could be misused and exploited if exposed. However, is prevention through restriction rather than through technology really the answer? Does it make the user "feel secure and protected", or just annoyed and inconvenienced? Does it convey the feeling of “being taken care of” or just the inability to offer adequate protection of the users' money as well as their valuable personal information?

05/06/07

Permalink 12:00:05 pm, by Igor Drokov, in Security thoughts  

Security is a tough sell, both from the inside (Security Officer) and outside (Security Vendor) points of view. The "failure to communicate" is often cited as one of the reasons:

"I wonder how much of the inability to secure sufficient funding and management buy-in is due to the approach of the security professionals themselves"

asks Andrew (through Rob)

One thing that could help is to improve the delivery method. Seth Godin and Guy Kawasaki (to name a few) are proponents of the visual delivery style, making great use of images to amplify delivered messages. Could this style improve the chances of effectively communicating security to business?

I am sure most will agree on which of the following presentation slides is most likely to bore the audience to death? :)

So, why not make your presentation a bit more colourful? A bit more visual? More concise? As Antoine de Saint-Exupéry said:

“Perfection is achieved not when you have nothing more to add, but when you have nothing left to take away”.

So, is it possible or indeed necessary to communicate all those complex security issues in a very simple form? Or would it be too simplistic?

Here are a couple of examples. Dragos Lungu used a very visual "emotional" style to present on E-Banking Web Application Security and so did we in Introducing Cronto Authentication Platform.

What do you think? What style do you use? Can you share your presentation? Could we build together a slide deck that could help everyone?

If you would like to share your presentation, I have set up a "securityDeck" group on Slideshare. If you upload your presentation there and join the "securityDeck" group, you will be able to share your presentation with the group, hence making it easy to distinguish our slide collection from general presentations on security-related topics.

To share the presentation with the group, once you are a member, choose "Send this to group" from the list of options on the right side of the presentation (when viewing it).
