Categories: Online payments, Credit cards

14/07/08

Permalink 01:07:13 am, by Igor Drokov, in Security thoughts, Online payments, Internet banking  

Can you imagine an ATM running Windows XP Home Edition and connected to the Internet, or a Point of Sale terminal running Tetris? Unlikely! Why, then, is it a good idea to let a customer use any computer on the Internet to connect to the banking system and transfer far more money than can be withdrawn from a cash machine? Why did arguably the most conservative organisations in the world, the banks, agree to drop their defences so far that they practically invited the criminals in?

The answer is simple, and it is the same reason that even risk-averse investors chased every Internet company in the late 90s: the attraction of global scale and the reduced costs of electronic channels.

Over the years, payments and savings have always attracted the most advanced protection available:

  • Banknotes have watermarks and other security features to resist counterfeiting
  • Cheques require the account holder's signature
  • ATMs require both your card and your PIN, run secure software, and are physically tamper-resistant
  • Point of Sale terminals in your favourite supermarket are protected from tampering and use dedicated secure connections to the payment processing network

These are all very sensible measures that work (to one degree or another) to protect customers' and banks' money.

Today, however, there is a huge imbalance between the value of electronically accessible funds and the security protecting them. Criminals are exploiting this very effectively and the banks are looking for a solution. A personal computer is not a tamper-resistant terminal, so it is unrealistic to rely on the customer to keep it fully secure. No one can take online banking away, but banks can deploy new security measures, and solving this problem requires an approach that addresses security, ease of use and cost together.

At Cronto, we identified this imbalance years ago. We also correctly predicted that the only solution to address this problem is transaction authentication (where the customer confirms each banking instruction). We then developed an innovative visual transaction signing solution. Based on our unique Visual Cryptogram, the Cronto solution supports multiple end user options allowing the bank to choose what is right for their customers whilst maintaining consistency in their backend systems.

07/07/08

One of the frequently proposed ideas for reducing bank fraud is to train customers to identify and ignore phishing emails. The problem with this approach is that the criminals sending such emails quickly adapt to circumvent the advice given to customers, as can be seen in this quiz.

Even worse, the emails sent by banks often resemble phishing attempts, and sometimes directly violate the advice given to customers. With this "do as I say, not as I do" approach, it is no surprise that customers regularly fall for the scams. In fact, sometimes a legitimate email looks so fake that the bank's own security staff think it is a phish.

And it's not just banks which are slipping up. I received an email from Paypal, asking users to “click here and enter your password” despite the warning on the same page: “PayPal will never ask you to enter your password in an email”. What can customers be reasonably expected to do, given this type of training? I simply closed my account.

Email is a valuable sales channel for banks, and marketing teams have evidently not been willing to sacrifice it, despite the (justified) concerns of the security departments. This fact, coupled with the weak authentication schemes currently deployed, makes life easy for fraudsters. Paypal have tried one alternative approach, a two-factor token, but these are still vulnerable to attack. Strong security solutions, accepted both by customers and by marketing, are needed to mitigate the large losses from fraud we see today.

19/03/07

Permalink 01:25:23 pm, by Igor Drokov, in User experience, Online payments  

If you are a user of Ebay/Paypal or interested in security, you will already be aware that, as announced earlier this year, Ebay/Paypal has rolled out one-time password tokens. Although not the first organisation to offer OTP tokens to consumers (HSBC deployed VASCO tokens in Brazil in 2004), Paypal's offering has attracted a lot of attention from security analysts, bloggers, users and others.

What is interesting about Paypal's deployment is that, for the first time, this particular strong authentication technology and its implementation by Ebay/Paypal are exposed to a very wide community of users. Whilst widely accepted in corporate environments (for VPN logins etc.), tokens, and security vendors' attempts to market them as the solution to online user authentication, have been criticised by many experts (e.g. Bruce Schneier's post). The most commonly cited problems are that tokens provide neither mutual authentication (the user has no more confidence than before that they are talking to the genuine site) nor transaction verification (the code proves that the token was present, not what the customer intended to do). A one-time code is therefore still open to a man-in-the-middle that relays it to the real site within its validity period and then submits its own instructions on the resulting session (as demonstrated in the attack on Citibank).
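To make the difference concrete, here is a toy bank written for this edit (example code, not Paypal's, VASCO's or Cronto's implementation) that exposes both models side by side: a login OTP, where a valid code opens a session that will execute whatever arrives on it, and a transaction-bound code, where the payee and amount the customer confirmed on the token's own display go into the MAC. The token side is RFC 4226 HOTP with the RFC's own test-vector secret (a constructed demo key); the transaction-bound construction is a simplified illustration of transaction signing, not any vendor's protocol, and the payee, amount and counter window are assumptions. The phishing proxy relays the customer's code unchanged in both cases and swaps the instruction; only the second model rejects it.

```python
"""Added example (not from the original post): login OTP versus a code bound
to the transaction, both verified by the same toy bank.  HOTP per RFC 4226;
the transaction-bound variant is a simplified illustration, not a vendor
protocol."""
import hashlib
import hmac
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Constructed demo key: the RFC 4226 test-vector secret, shared by token and
# bank.  A real token holds a unique per-device key that never leaves it.
TOKEN_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: the 31-bit word at offset mac[-1] & 0xF,
    reduced modulo 10**digits and zero-padded."""
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Login OTP: HMAC-SHA1 over the 8-byte big-endian counter only.  Proves
    the token was present, says nothing about what the customer authorises."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, payee: str,
                     amount_cents: int, digits: int = 6) -> str:
    """Transaction-bound code: payee and amount (as shown on the token's own
    display and confirmed by the customer) are MAC'd with the counter, so a
    code relayed with a different payee or amount will not verify."""
    msg = (struct.pack(">Q", counter) + payee.encode("utf-8")
           + struct.pack(">Q", amount_cents))
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


class Bank:
    """Toy back end holding the token secret and its counter (with a small
    look-ahead window), exposing both authentication models."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0               # next expected token counter
        self.window = window
        self.sessions: set = set()
        self.ledger: List[Tuple[str, int]] = []   # accepted (payee, cents)

    def _consume(self, matches: Callable[[int], bool]) -> bool:
        """Accept the first counter in the window for which matches(c) holds
        and move past it, so each code is usable at most once."""
        for c in range(self.counter, self.counter + self.window):
            if matches(c):
                self.counter = c + 1
                return True
        return False

    def login_with_otp(self, otp: str) -> Optional[str]:
        """Login-OTP model: a valid code opens a session."""
        if self._consume(lambda c: hmac.compare_digest(hotp(self.secret, c), otp)):
            session = "session-%d" % self.counter
            self.sessions.add(session)
            return session
        return None

    def transfer_on_session(self, session: Optional[str], payee: str,
                            amount_cents: int) -> bool:
        """Login-OTP model: any instruction on a live session is executed."""
        if session not in self.sessions:
            return False
        self.ledger.append((payee, amount_cents))
        return True

    def transfer_signed(self, payee: str, amount_cents: int, code: str) -> bool:
        """Transaction-signing model: recompute the code over the instruction
        the bank actually received and compare."""
        ok = self._consume(lambda c: hmac.compare_digest(
            transaction_code(self.secret, c, payee, amount_cents), code))
        if ok:
            self.ledger.append((payee, amount_cents))
        return ok


def mitm_against_login_otp() -> List[Tuple[str, int]]:
    """Customer logs in via a phishing proxy intending to pay the landlord;
    the proxy relays the still-valid OTP at once, then sends its own
    instruction on the session it obtained.  Returns the bank ledger."""
    bank = Bank(TOKEN_SECRET)
    otp_typed_by_customer = hotp(TOKEN_SECRET, 0)           # token at counter 0
    session = bank.login_with_otp(otp_typed_by_customer)     # relayed unchanged
    bank.transfer_on_session(session, "mule account", 5_000_00)   # swapped
    return bank.ledger


def mitm_against_transaction_signing() -> Dict[str, object]:
    """Same proxy, but the token displayed 'landlord 500.00' and the customer
    confirmed it; the proxy can relay the code but cannot re-bind it."""
    bank = Bank(TOKEN_SECRET)
    code = transaction_code(TOKEN_SECRET, 0, "landlord", 500_00)
    fraud = bank.transfer_signed("mule account", 5_000_00, code)   # rejected
    genuine = bank.transfer_signed("landlord", 500_00, code)       # accepted
    replay = bank.transfer_signed("landlord", 500_00, code)        # counter moved on
    return {"fraud_accepted": fraud, "genuine_accepted": genuine,
            "replay_accepted": replay, "ledger": bank.ledger}


if __name__ == "__main__":
    print("login OTP under MITM, ledger:", mitm_against_login_otp())
    print("transaction signing under MITM:", mitm_against_transaction_signing())
```

Note that the second model still needs a trustworthy display on the token itself: if the payee and amount are only ever shown in the browser, the proxy can show the customer one instruction while asking the bank for another, and binding the code to the browser's version buys nothing.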

Secure or not, offering tokens to all 133 million users of Paypal is out of the question, according to Michael Barrett, chief information security officer at PayPal:

For one thing, it just isn't affordable for us to issue these tokens to all of our 133 million users.

So, what would happen if all users in the US decided to pay their $5 to get a token ($5 surely does not cover the full cost of token provisioning)? Will Paypal stop offering tokens once the number of users exceeds a certain threshold? Does this mean that tokens are, from the start, just a stop-gap solution whilst Paypal looks for a more scalable form of strong authentication?

In any case, users in the blogosphere seem very keen to acquire their tokens. Some acknowledge the token's weaknesses but still think they are better than passwords, others immediately point out that Paypal's implementation isn't ready for prime time yet, some ponder whether it is worth getting a token at all, and some simply take them apart [providing a very interesting analysis].

From these reviews it appears that the tokens are, in fact, VASCO's Digipass GO3. It seems these tokens have little protection for the LCD screen, leaving it directly exposed to the hostile environment of a user's pocket.

There is nothing between the LCD display and the outside environment to protect it from puncture, crushing, or scratches.

According to an RSA-sponsored study, the Digipass GO3 is not well protected against random vibration, mechanical shock, immersion, being run over, temperature cycling and electrostatic discharge. Although it is questionable how practical those tests are I am sure some users will be able to verify the results :) It will be interesting to see how Paypal deals with broken tokens. At the moment, as far as I can see, there is no procedure to request a replacement token.

More worryingly, in an attempt not to inconvenience users, both Ebay and Paypal support a non-token login option for customers who have tokens (a fallback that is a security weakness in itself: the account is only as well protected as its weakest login path). When a token-enabled user does not have the device, they can still log in: a set of questions is used to prove the user's identity, followed by a phone call to one of the contact numbers specified in the user's profile. The phone call is a reasonably secure step (an out-of-band channel), but the set of questions reportedly includes details such as bank account, debit card and credit card numbers.

It is bad enough that, despite organisations saying they would never send an email to a user or ask for their financial details, some users are still tricked by phishing emails that play on their fears ("your account has been compromised, please login to your account to stop fraudulent transactions"). Now we have a financial organisation legitimately asking users to provide their payment details as proof of identity for a login. Could phishers have asked for more help? If Paypal users expect to provide their bank/card numbers in order to log in, stealing this information will be easier than ever: just tell the user that "your secure key token appears to be out of sync, to re-sync it please prove your identity by providing ...".

OTP tokens are expensive for consumer authentication, they do not protect transactions, and using card/bank details in a login procedure increases users' vulnerability to phishing. What effect (if any) will the token deployment have on the safety of Paypal/Ebay users? The biggest ever user test study has just begun...

23/02/07

Permalink 01:44:04 pm, by Igor Drokov, in User experience, Credit cards  

Online retail sales are on the way to hitting $329 billion (see Forrester) with the majority of these being credit card purchases. However, with ever increasing media reports of security and fraud risks, the "late majority" of Internet users are still not convinced and there has even been a decline in the number of "early adopters" who believe that card transactions are secure.

The mission was, and still is, to create a secure environment for online shoppers. In the early years, the main threat was perceived to be someone monitoring Internet traffic and stealing your credit card details during a purchase; hence, a great deal of effort was put into introducing SSL and site certificates (trustmarks were displayed prominently to declare the online shop secure). Long gone are the days when it seemed so important whether your browser could use 128-bit keys for strong encryption or was limited to 40-bit keys because of US government restrictions on the export of cryptographic technology.

New types of attack have emerged, such as phishing, pharming and cross-site scripting, yet little has changed to protect the shopping experience. The most popular anti-fraud tool is still the Address Verification Service (AVS), with the Card Verification Number (CVN) more recently added to the list (see reports by CyberSource). Admittedly, checking the cardholder's address and a 3-digit number printed on the back of the card is hardly a match for the innovation of criminal minds, so the card companies responded with a new standard. Originally designed by Visa and licensed to other card schemes, 3-D Secure, most commonly known as "Verified by Visa" and "MasterCard SecureCode", enables a merchant to enlist the card issuer's help in confirming the cardholder's identity during the transaction. Sounds like a good idea, doesn't it?

It is indeed... for the merchant. A 3-D Secure verified transaction is treated much like a "card-present", PIN-verified one, reducing the high processing charges associated with risky "card-not-present" transactions. Most importantly, it shifts the fraud liability away from the merchant, to the issuer and in practice onto the cardholder, who must then argue that a "verified" transaction was not theirs. But is the end-user implementation really that secure?

During the normal purchasing process with a participating merchant, the user is asked to sign up to, for example, "Verified by Visa". If the user agrees, the purchase is put on hold (disrupting the transaction) and the user is redirected to the web site of the bank that issued the card. The intention is that the bank will then ask the user a number of questions to prove their identity and will set up a special password. This new password has to be provided to complete any subsequent online transaction with the card. It is a second credential rather than a second factor in the strict sense (another "something you know", like the card number itself), and in effect another card PIN for online transactions, intended to fit the consumer's mental model of how cards work and to benefit from the recent "success" of the Chip and PIN introduction in the UK.

Is this equivalent of an "offline PIN" secure? Without questioning the effectiveness of Chip and PIN in the real world (although here is a demonstration by the Security Group at the University of Cambridge Computer Laboratory of an impressive but relatively simple to execute attack), it does not seem too difficult to steal this new online credential. Infecting a user's computer with a trojan keylogger, for example, is far more effective and significantly cheaper than shoulder-surfing at an ATM, and a static password captured once can be replayed for as long as it remains valid. What does this mean in practice? Without even realising it, the user trades a small reduction in fraud risk for a significantly higher exposure (liability). With more and more merchants implementing 3-D Secure, some even try to force the user to enrol (only a verified purchase is allowed).

Even worse is a lack of security for enrolment; consider this real user's account:

I was forced to register for 3D secure recently and was appalled at the lack of security around the registration process for that. I had a bad experience whereby I abandoned the Web transaction because it was trying to force me to enrol with 3D Secure, I decided to call and do a MOTO [over the phone] transaction to avoid 3D and got as far as the girl saying 'you need to choose a password now' before I realised that SHE was enrolling me via her Web Browser!!! The only extra bit of info she asked from me was my date of birth(!), which since I was buying travel tickets didn't seem unreasonable. I had to stop the card!

Imagine if your postman delivered your credit card PIN in an open envelope and asked for your card number and date of birth: a full package for stealing your identity. Also imagine trying to prove to your bank later that this PIN-verified transaction wasn't performed by you. Think it is easy? Just read this account.

The 3-D Secure standard was designed to support multiple strong authentication mechanisms, of which static passwords are the weakest, but even the preferred alternative, smartcard-based authentication (CAP), isn't as strong as users are led to believe. Online transactions have to become more secure, and 3-D Secure could probably help. Unfortunately, its current implementation is flawed from the user's point of view: increasing the liability without making transactions more secure is hardly an attractive proposition.