Category: Online identity


Permalink 07:42:01 pm, by Igor Drokov, in User experience, Online identity  

A lot is written on the privacy implications of sharing your personal information with different web services. Concerns have been raised about the ownership of information users upload to "the cloud" and its persistence.

One recent experiment demonstrated that once you have used an online service to share your photos, it may be problematic to remove them even when you choose to:

My colleagues Jonathan Anderson, Andrew Lewis, Frank Stajano and I ran a small experiment on 16 social-networking, blogging, and photo-sharing web sites and found that most failed to remove image files from their photo servers after they were deleted from the main web site. It’s often feared that once data is uploaded into “the cloud,” it’s impossible to tell how many backup copies may exist and where, and this provides clear proof that content delivery networks are a major problem for data remanence.

Well, maybe deleting a single photo is too small of an operation to expect the site to really make sure it's gone forever. Surely, one would hope that once you de-register your whole account, it will be gone for good?

I have recently tried to close my Facebook account. According to Facebook's privacy policy:

Individuals who wish to deactivate their Facebook account may do so on the My Account page. Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.

OK, I understand purging backup copies is probably asking too much for a user. However, I was surprised to receive the following email after deactivating my account:

You have deactivated your Facebook account. You can reactivate your account at any time by logging into Facebook using your old login email and password. You will be able to use the site like you used to.

The Facebook Team

Indeed, after clicking on the "resurrect" link I found myself back at my profile with all connections and personal information intact.

OK, maybe having a "grace" period for users who deactivate their accounts on the spur of the moment is a good feature. So I deactivated my account again and this time left it for almost a month. Yet, today I was able to successfully log in to my surely-by-now-non-existent account and found all my connections and information intact, just as they were...

Welcome to the Hotel California 2.0:

"You can checkout any time you like, But you can never leave!"


One of the frequently proposed ideas for reducing bank fraud is to train customers to identify and ignore phishing emails. The problem with this approach is that the criminals sending such emails quickly adapt to circumvent the advice given to customers, as can be seen in this quiz.

Even worse is that the emails sent by banks often resemble phishing attempts, and sometimes directly violate the advice given to customers. With this “do as I say, not as I do” approach, it is no surprise that customers regularly fall for the scams. In fact, sometimes a legitimate email looks so fake that the bank's own security staff think it's a phish.

And it's not just banks which are slipping up. I received an email from Paypal, asking users to “click here and enter your password” despite the warning on the same page: “PayPal will never ask you to enter your password in an email”. What can customers be reasonably expected to do, given this type of training? I simply closed my account.

Email is a valuable sales channel for banks, and marketing teams evidently have not been willing to sacrifice it, despite the (justified) concerns of the security departments. This fact, coupled with the weak authentication schemes currently deployed, makes life easy for fraudsters. Paypal have tried one alternative approach – a two-factor token – but these are still vulnerable to attack. Strong security solutions, accepted both by customers and marketing, are needed to mitigate the large damages from fraud we see today.


Permalink 08:00:17 am, by Steven Murdoch, in Online identity, Strong authentication  

The fundamental problem with two factor (2FA) session authentication is that the approach is vulnerable to Man in the Middle and Man in the Browser attacks. 2FA requires that customers present not only a password (something they know) when they log into online banking, but also demonstrate that they possess an authentication device (something they have). Devices normally take the form of a key fob which displays a number that changes every few seconds, but another approach is to require the customer to insert their bank card into a stand-alone reader. Unfortunately, there is nothing to stop an attacker using a 2FA authentication code to commit fraud.

In the classic Man in the Middle attack, the customer is coerced to visit the attacker's website, normally by a phishing email. The website will look identical to the legitimate bank site, but when the customer enters their account details and one-time-password, the malicious software will immediately connect to the real bank site and use the details to impersonate the customer and make a fraudulent transaction. Even mutual authentication does not defend against this attack, since the attacker also is able to see what the bank would normally show, making the customer think that they are communicating directly with the bank.

The Man in the Browser attack is an enhancement of the Man in the Middle, already seen in the wild. It is designed to work even against customers who are careful enough to not enter their bank details on sites visited from links in emails. In this attack, the fraudster installs malware on the customer's PC, either via email or a drive-by download (even with up to date anti-virus software, 80% of new malware is undetected). Then, when the customer makes a transfer using their normal online banking, the malware inside the web browser silently manipulates the amount and destination.

Figure: Man in the Browser

Both of these attacks circumvent one-time-passwords, since 2FA only authenticates the session, not the transaction. The Man in the Browser attack is particularly hard for the bank to detect, since from their perspective the customer is visiting from their normal Internet connection and web browser. The user is also powerless to spot the attack, since the URL will be correct and the certificate will be valid; it is only the content of the web page which is being modified.

The solution to these attacks is transaction authentication. Here, the person accessing the bank website proves not only that they know a one-time-password, but also that the real customer has seen the details for the transaction. In a Man in the Middle or Man in the Browser scenario, if any transaction details are modified, the authentication code will be incorrect and the bank will refuse the transfer. However, in order for this to be reliable, it must be easy to use.

There are three main options available for transaction authentication: CAP, two-channel, and Cronto's visual cryptograms. Cronto's visual signing products are designed to give strong security assurances, while being acceptable to customers. Unlike CAP, as transaction details are encoded in a visual cryptogram, the user does not have to re-enter them into the trusted device, increasing speed, reducing errors and mitigating security problems. Costs to the service provider are also reduced, and reliability improved, since unlike SMS-based two-channel authentication, no mobile phone network access is required.
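The difference between session-only 2FA and transaction authentication, as an added example that is not code from the post or from any of the products it names: both codes are HMAC-based and constructed here, and the device key, account numbers and amounts are invented.

```python
import hashlib
import hmac

# Constructed example: the per-customer secret shared between the bank and the
# customer's trusted device (key fob, card reader or visual-cryptogram app).
DEVICE_KEY = b"constructed-shared-secret-not-a-real-key"
DIGITS = 8

def _truncate(mac: bytes) -> str:
    """Reduce a MAC to a short decimal code (HOTP-style dynamic truncation)."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def session_otp(key: bytes, counter: int) -> str:
    """Session-only 2FA: the code commits to the secret and a counter, nothing else."""
    return _truncate(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())

def transaction_code(key: bytes, counter: int, amount_pence: int, dest_account: str) -> str:
    """Transaction authentication: the code also commits to what the customer saw."""
    msg = counter.to_bytes(8, "big") + amount_pence.to_bytes(8, "big") + dest_account.encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())

def bank_accepts(key: bytes, counter: int, amount_pence: int, dest_account: str,
                 code: str, transaction_bound: bool) -> bool:
    """The bank recomputes the code over the transfer it actually received."""
    if transaction_bound:
        expected = transaction_code(key, counter, amount_pence, dest_account)
    else:
        expected = session_otp(key, counter)
    return hmac.compare_digest(expected, code)

def simulate_man_in_browser(transaction_bound: bool) -> bool:
    """Customer approves one transfer on the device; browser malware submits another."""
    # Returns True if the bank would accept the tampered transfer.
    counter = 41
    seen_amount, seen_dest = 2500, "12345678"    # GBP 25.00 to the intended payee (constructed)
    sent_amount, sent_dest = 250000, "99999999"  # GBP 2500.00 to a mule account (constructed)
    if transaction_bound:
        code = transaction_code(DEVICE_KEY, counter, seen_amount, seen_dest)
    else:
        code = session_otp(DEVICE_KEY, counter)
    return bank_accepts(DEVICE_KEY, counter, sent_amount, sent_dest, code, transaction_bound)

if __name__ == "__main__":
    print("session-only 2FA accepts tampered transfer:", simulate_man_in_browser(False))
    print("transaction-bound code accepts tampered transfer:", simulate_man_in_browser(True))
```

The session code verifies regardless of what was submitted, so the bank has no way to tell the tampered transfer from the approved one; the transaction-bound code fails as soon as the amount or destination differs from what the device displayed.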

Cronto have published a whitepaper, “Beyond phishing – de-mystifying the growing threat of Internet banking fraud”, discussing the threat of Man in the Middle and Man in the Browser attacks in more detail.


Permalink 11:24:29 am, by Igor Drokov, in Security thoughts, User experience, Online identity  

On Friday 10th August, the House of Lords Science and Technology Committee published results of their inquiry into "Personal Internet Security". Richard Clayton, who served as the "Specialist Adviser" to the committee, has written a great introduction to the report highlighting recommendations such as increasing ISPs' responsibility, obliging banks to bear e-fraud losses, introducing data breach notification laws and software liability.

As part of their investigation, the Committee engaged a multitude of experts, ranging from PayPal CISO Michael Barrett and Prof. Ross Anderson to Bruce Schneier and Robert Littas, Head of Fraud Management at Visa Europe. Both the report and the evidence (submitted in writing and during interview sessions) are available from Parliament's web site and are a must-read for every security professional.

Amongst renowned security experts and executives of multi-billion companies, Ilkley Computer Club, a local community support group in a small town (population 13,828) in the north of England (UK), was asked to submit their views on the subject. They did so with the following introduction:

Ilkley Computer Club is approximately 25 years old. When it started, it was the time of the first micro computers for home use; Ataris, Commodores, Sinclairs and BBCs. Membership was mainly 5th & 6th Formers from local schools. Today, the majority of members are “silver surfers” who almost always use a Windows computer. When the Club started, the Internet had not been invented. Now all members use it and at most meetings, Internet issues dominate discussions. The members wanted to pool their recent experiences with Internet use and to present them to the Committee in the hope that their collective knowledge – or lack of it – may aid understanding.

Like every other witness the Club was asked to suggest ways of "tackling the problem" and provided 6 recommendations. What I could not fail to note is that the Committee adopted 5 out of 6 suggestions made by the Club. The following excerpts from the report illustrate this.

Club: "There must be positive Government guidance pushed to users;"


8.24. We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety. (6.49)

Club: "Government advice must be from a single point of contact;"


8.21. The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be relaunched as a single Internet security “portal”, providing access not only to the site itself but acting as a focus and entry-point for other related projects.

Club: "Internet Service Providers must take a proactive stance in prevention (viruses, trojans, spam, spyware, etc);"


8.10. We recommend that the “mere conduit” immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem. (3.69)

Club: "Software producers must take more care when writing software to avoid bugs in the first place;"


8.12. The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through self-regulation and codes of best practice, to demonstrate its commitment to this principle. (4.38)

8.15. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)

Club: "If washing machines can be “kite marked” to EU or UK standards, why not computers?"


8.23. We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate. (6.48)

Everyone might have their own interpretation of how the suggestions of ordinary computer users ended up being so spot-on as far as the Committee's conclusions are concerned, but undoubtedly it is a fascinating result. Perhaps, "users don't know what they want" is not as true as many vendors tend to believe and users can not only help to identify problems but also to develop solutions?


Permalink 01:38:05 pm, by Elena Punskaya, in Online identity  

Millions around the world make friends, conduct business, have fun, enjoy music and art, and do it in the sophisticated worlds of online games (MMORPG). Some become “addicted”, some simply enjoy the “interaction” with the outside world. For the younger generation, however, the virtual world is no longer considered to be separate from the reality we live in, the boundaries are blurring and quickly it’s becoming just an extension.

Many hours and considerable effort are invested in creating something, even if that something exists only in the virtual world. Time and work mean value… value and a sense of achievement for the gamers. And then the question arises – how do we protect this value, how do we secure these accomplishments?

I guess it is indeed possible, in extreme cases, to deal with the criminal activity taking place as a result of virtual world events – an example of killing a fellow gamer over a virtual sword comes to mind. Apart from that, there are no laws to deal with virtual theft, no ways to recover your stolen identity and no tools to protect your whole virtual life, especially when real-life money plays a part.

MMORPGs are moving towards more “real” virtual reality at an incredible speed. With so much wealth accumulated in online accounts, and often with real-money connections, games are effectively used as online banks and, as such, become an efficient tool for all kinds of funds transfers – in both virtual and real currencies. For example, if a relative wants to transfer $20 to his family, he deposits it in the States, passes a virtual token to my avatar, and I get my $20 in China, often for a fee of less than 1.5%. Not only is it cost-efficient, it's also becoming quicker and easier, with the first cash cards for gamers starting to appear. What a fantastic peer-to-peer payment innovation! What an efficient money laundering facilitator … :(

And it’s not just about the money… The virtual funds don’t have just monetary value but also the emotional one – they are something you worked for often long and hard, something that you’ve accomplished – all stored behind the same old, insecure username and password…
