Archives for: March 2007

27/03/07

Permalink 01:38:05 pm, by Elena Punskaya, in Online identity  

Millions around the world make friends, conduct business, have fun, enjoy music and art, and do it in the sophisticated worlds of online games (MMORPGs). Some become “addicted”, some simply enjoy the “interaction” with the outside world. For the younger generation, however, the virtual world is no longer considered to be separate from the reality we live in: the boundaries are blurring and it is quickly becoming just an extension.

Many hours and considerable effort are invested in order to create something, even if this something exists in the virtual world only. Time and work mean value… value and a sense of achievement for the gamers. And then the question arises – how do we protect this value, how do we secure these accomplishments?

I guess it is indeed possible, in extreme cases, to deal with the criminal activity that takes place as a result of virtual-world events – the example of a fellow gamer being killed over a virtual sword comes to mind. Apart from that, there are no laws to deal with virtual theft, no ways to recover your stolen identity and no tools to protect your whole virtual life, especially when real-life money plays a part.

MMORPGs are moving towards a more “real” virtual reality at an incredible speed. With so much wealth accumulated in online accounts, often with real-money connections, games are effectively used as online banks and, as such, become an efficient tool for all kinds of funds transfers – in both virtual and real currencies. For example, if a relative wants to transfer $20 to his family – he deposits it in the States, passes a virtual token to my avatar, and I get my $20 in China, often for a fee of less than 1.5%. Not only is it cost-efficient, it is also becoming quicker and easier, with the first cash cards for gamers starting to appear. What a fantastic peer-to-peer payment innovation! What an efficient money laundering facilitator … :(

And it’s not just about the money… Virtual funds have not just monetary value but also emotional value – they are something you have often worked long and hard for, something that you’ve accomplished – all stored behind the same old, insecure username and password…

23/03/07

Permalink 08:52:01 pm, by Elena Punskaya, in User experience  

Have you ever been asked to provide a reference?

  • Six copies?
  • All with original signature?
  • In a sealed envelope?
  • With your name signed across the seal?
  • Several times?
  • Covered with clear tape?
  • In our digital age?
in 1882
in 2007

19/03/07

Permalink 01:25:23 pm, by Igor Drokov, in User experience, Online payments  

If you are a user of eBay/PayPal or interested in security, you will already be aware that, as announced earlier this year, eBay/PayPal has rolled out one-time password (OTP) tokens. Although not the first organisation to offer OTP tokens to consumers (HSBC deployed VASCO tokens in Brazil in 2004), PayPal's offering has attracted a lot of attention from security analysts, bloggers, users etc.

What is interesting about PayPal's deployment is that for the first time this particular strong authentication technology, and its implementation by eBay/PayPal, is exposed to a very wide community of users. Whilst widely accepted in corporate environments (for VPN logins etc.), tokens, and the attempts of security vendors to market them as the solution to online user authentication, have been criticised by many experts (e.g. Bruce Schneier's post). The most commonly cited problems are that tokens provide neither mutual authentication (the user still has no more confidence that they are talking to the right site) nor transaction verification (the code proves only that the user is present, not what the user intended to do), which leaves them open to man-in-the-middle attacks (as demonstrated in the attack on Citibank).
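To make the "no transaction verification" point concrete, here is an added Python simulation of a login-only OTP token under a man-in-the-middle, beside a hypothetical token that binds its code to the transaction. It is not part of the original post and not PayPal's or VASCO's code: the `hotp` function follows RFC 4226, while the transaction-bound variant, the shared seed, the `Bank` class and its look-ahead window are constructed assumptions for the illustration.

```python
"""Login-only OTP versus transaction-bound code under a man-in-the-middle.
Added example with constructed data; the HOTP part follows RFC 4226."""
import hashlib
import hmac
import struct

DIGITS = 6


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation: 31 bits starting at the offset named by the last nibble."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter. The code says
    nothing about what the user is about to do, so whoever holds it can spend it."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest())


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Hypothetical transaction-bound code (assumed design, not any real token's algorithm):
    the MAC also covers the payee and amount the user confirmed on the token's own display."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


class Bank:
    """Server side (constructed): shared seed, per-user counter, small look-ahead window, no reuse."""
    LOOKAHEAD = 5

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0
        self.ledger = []  # executed transfers as (payee, amount_cents)

    def _check(self, code: str, expected) -> bool:
        for c in range(self.counter, self.counter + self.LOOKAHEAD):
            if hmac.compare_digest(expected(c), code):
                self.counter = c + 1  # a counter value is never accepted twice
                return True
        return False

    def login(self, otp: str) -> bool:
        return self._check(otp, lambda c: hotp(self.secret, c))

    def transfer_in_session(self, payee: str, amount_cents: int):
        """After a successful login the session may do anything; nothing ties it to the OTP."""
        self.ledger.append((payee, amount_cents))
        return self.ledger[-1]

    def transfer_signed(self, code: str, payee: str, amount_cents: int) -> bool:
        """Transaction authentication: recompute the code over the details actually received."""
        ok = self._check(code, lambda c: transaction_code(self.secret, c, payee, amount_cents))
        if ok:
            self.ledger.append((payee, amount_cents))
        return ok


SEED = b"constructed-token-seed-0001"  # constructed; a real seed is random and per-token


def mitm_against_login_otp():
    """The victim types a fresh OTP into the phisher's page; the phisher relays it to the
    real site and then submits its own transfer. Returns what the bank executed."""
    bank = Bank(SEED)
    victim_code = hotp(SEED, 0)  # token's first code, intended for paying the landlord
    if not bank.login(victim_code):  # relayed by the attacker within the window
        return None
    return bank.transfer_in_session("attacker", 50000)  # payee swapped; the bank cannot tell


def mitm_against_transaction_code():
    """Same relay, but the token signed the payee/amount the victim confirmed on its display.
    Returns (attacker's swap accepted, genuine transfer accepted, replay accepted)."""
    bank = Bank(SEED)
    victim_code = transaction_code(SEED, 0, "landlord", 50000)
    swapped = bank.transfer_signed(victim_code, "attacker", 50000)  # details differ, no match
    genuine = bank.transfer_signed(victim_code, "landlord", 50000)  # matches counter 0
    replay = bank.transfer_signed(victim_code, "landlord", 50000)   # counter 0 already used
    return swapped, genuine, replay


if __name__ == "__main__":
    print("login-only OTP, bank executed:", mitm_against_login_otp())
    print("transaction code (swapped, genuine, replay):", mitm_against_transaction_code())
```

The first scenario succeeds for the attacker whatever the OTP algorithm is, because the code is consumed at login and the session that follows is unconstrained; the second fails because the server recomputes the code over the payee and amount it actually received, so the relayed code only authorises the transfer the user saw on the token. Mutual authentication is still missing in both cases: the user cannot tell the phisher's page from the real one.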

Secure or not, offering tokens to all 133 million users of PayPal is out of the question, according to Michael Barrett, chief information security officer at PayPal:

For one thing, it just isn't affordable for us to issue these tokens to all of our 133 million users.

So, what would happen if all users in the US decided to pay their $5 to get a token (surely $5 does not cover all the costs of token provisioning etc.)? Will PayPal stop offering tokens if the number of users exceeds a certain threshold? Does it mean that from the start tokens are just a stop-gap solution whilst PayPal looks for more scalable ways of strong authentication?

In any case, users in the blogosphere seem to be very keen to acquire their tokens. Some acknowledge the token's weaknesses but still think that they are better than passwords, others immediately point out that PayPal's implementation isn't ready for prime time yet, some ponder whether it is worth it [to get a token] and some simply take them apart [providing a very interesting analysis].

From these reviews it appears that the tokens are, in fact, VASCO's Digipass GO3. It seems these tokens have little protection for the LCD screen, leaving it directly exposed to the hostile environment of a user's pocket.

There is nothing between the LCD display and the outside environment to protect it from puncture, crushing, or scratches. Link

According to an RSA-sponsored study, the Digipass GO3 is not well protected against random vibration, mechanical shock, immersion, being run over, temperature cycling and electrostatic discharge. Although it is questionable how practical those tests are, I am sure some users will be able to verify the results :) It will be interesting to see how PayPal deals with broken tokens. At the moment, as far as I can see, there is no procedure to request a replacement token.

More worryingly, in an attempt not to impact users' convenience, both eBay and PayPal support a non-token login option for customers with tokens (that alone is a security weakness: the strength of a login is that of its weakest fallback path). When a token-enabled account holder doesn't have the device, they can still log in: a set of questions is used to prove the user's identity, followed by a phone call to one of the contact numbers specified in the user's profile. Whereas the phone call is a reasonably secure approach (an out-of-band channel), the set of questions reportedly includes details such as bank account, debit card and credit card numbers.

It is bad enough that, despite organisations saying they would never send an email to a user or ask for their financial details, some users are still tricked by phishing emails that play on their fears: "your account has been compromised, please login to your account to stop fraudulent transactions". Now we have a financial organisation legitimately asking users to provide their payment details as proof of their identity for a login. Could phishers have asked for more help??? If PayPal users expect to provide their bank/card numbers in order to log in, stealing this information will now be easier than ever - just tell the user that "your secure key token appears to be out of sync, to re-sync it please prove your identity by providing ...".

OTP tokens are expensive for consumer authentication, they do not protect transactions, and using card/bank details in a login procedure increases users' vulnerability to phishing. What effect (if any) will the token deployment have on the safety of PayPal/eBay users? The biggest ever user study has just begun...

09/03/07

Permalink 09:38:00 pm, by Igor Drokov, in Online identity  

Ben Griffiths, the CTO/founder of the "real reviews, real people" company, Reevoo, and otherwise a blogging technologist-entrepreneur, has recently published an interesting view on an application of digital identities, in particular, OpenID.

The conclusion Ben has reached is that, whilst not particularly suitable for general identity-federation applications, OpenID is great for providing verified links to his blog. OpenID allows anyone to put a piece of code on their web site that can then be used to link the URL of this resource to any other web site that supports OpenID authentication.

Logging in to a site with OpenId is saying “I’m the person who owns http://www.reevoo.com/blogs/bengriffiths, and if you don’t believe me, ask myopenid.com”.

So, if I am reading Ben's comments on an OpenID-enabled web site, I can see a link to his blog and find out all about Ben from his resource.

Now that I’ve proven that I own this page, the third party site can discover some really interesting things about me. There are links to some of my colleague’s blogs over in my sidebar, if those URLs are also OpenId identifiers then there’s the germ of a social network. I have links (from del.icio.us) to what I’m reading and also things I’ve linked to (in posts like this!). I have links to events I’m watching on upcoming.org. And so on.

Whilst I can see that having a link to Ben's blog is useful, I am not so sure what particular value has been created by having it OpenID-verified.

"Discovering interesting things" (about the author of a post). Already, without any OpenID authentication, I can simply put a link to my web resource of choice next to my post on any web site; OpenID didn't help me to discover the post author's web page. It could verify that the link is posted by the owner of the web page, but is that critical to the reader? In most cases the link is provided by the person who made the post (i.e. me linking to my blog) and if not, oh well, it's a fake post anyway.
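For readers who want to see what the "piece of code" on the identity page actually is, and what a site has to check before it may treat a link as OpenID-verified, here is an added Python example. It is not part of the original post and not Reevoo's, myopenid.com's or any OpenID library's code: the sample page for Ben's blog is constructed, the myopenid.com endpoint and delegate URLs are assumptions, and the signature check that a real relying party performs on the provider's response is left out so the example runs offline.

```python
"""OpenID HTML-based discovery and the relying-party binding check.
Added example with a constructed identity page; provider URLs are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _HeadLinks(HTMLParser):
    """Collect rel -> href from <link> elements in <head>. Everything after <body> is ignored,
    so a commenter cannot smuggle link tags into the page body and redirect discovery."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        elif tag == "link" and not self.in_body:
            a = dict(attrs)
            if a.get("href"):
                for rel in (a.get("rel") or "").lower().split():
                    self.links.setdefault(rel, a["href"])


def discover(claimed_id: str, html: str) -> dict:
    """Read the 'piece of code' on an identity page. OpenID 1.1 uses rel="openid.server" plus an
    optional rel="openid.delegate"; OpenID 2.0 uses "openid2.provider" and "openid2.local_id".
    Without a delegate, the claimed URL itself is the identifier the provider must assert."""
    parser = _HeadLinks()
    parser.feed(html)
    links = parser.links
    provider = links.get("openid2.provider") or links.get("openid.server")
    if not provider or urlparse(provider).scheme not in ("http", "https"):
        raise ValueError("no usable OpenID provider declared on the page")
    local_id = links.get("openid2.local_id") or links.get("openid.delegate") or claimed_id
    return {"claimed_id": claimed_id, "provider": provider, "local_id": local_id}


def assertion_matches(discovery: dict, provider_endpoint: str, asserted_id: str) -> bool:
    """The binding step: a positive assertion proves ownership of the claimed URL only if it came
    from the provider named on that page and names the local identifier found there. A relying
    party that skips this lets anyone with an account at any provider claim any URL."""
    return provider_endpoint == discovery["provider"] and asserted_id == discovery["local_id"]


# Constructed sample of the head of Ben's blog page; the myopenid.com URLs are assumptions.
BEN_PAGE = """<html><head>
<title>Ben Griffiths</title>
<link rel="openid.server" href="http://www.myopenid.com/server">
<link rel="openid.delegate" href="http://bengriffiths.myopenid.com/">
</head><body>
<p>A visitor's comment: <link rel="openid.delegate" href="http://attacker.example/"></p>
</body></html>"""

CLAIMED = "http://www.reevoo.com/blogs/bengriffiths"


def demo():
    """Run discovery on the sample page, then test a genuine and an impostor assertion."""
    d = discover(CLAIMED, BEN_PAGE)
    genuine = assertion_matches(d, "http://www.myopenid.com/server",
                                "http://bengriffiths.myopenid.com/")
    impostor = assertion_matches(d, "http://www.myopenid.com/server",
                                 "http://attacker.myopenid.com/")
    return d, genuine, impostor


if __name__ == "__main__":
    print(demo())
```

The two link tags in the head are all an identity page needs; everything else (the redirect to the provider, the login there, the signed response) happens between the relying site and the provider. The security-relevant part for the relying site is `assertion_matches`: the provider only vouches that someone logged in as `local_id`, and it is discovery of the claimed URL, not the provider, that ties that login to the page.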

Niche applications. Having said that, there are some application areas where it could well be useful. For example, at the recent meeting of the Security Group, the topic of a more efficient system of academic paper reviews came up. One of the suggestions was to publish papers on the web (blogs etc.) for peer review before submitting them to the conference/journal. In this system, I can definitely see a benefit from having, say, critical comments submitted with OpenID authentication, to enable the author to verify "Who's the Dick on my blog?", to paraphrase Dick Hardt :). It would also work well because all academics have their own web pages, so they can embed the required OpenID code easily, and as the pages are hosted on the university web site, this provides implicit verification of the page owner's identity.

Protecting identity. It could be useful for an average Internet user if no one but the genuine owner of a web resource (e.g. a blog) could post, say, a malicious comment and link it to that blog. So, could it be that OpenID can help me protect my online identity (a URL resource)? Not really... unless all web sites implement and require OpenID authentication; on any site without OpenID authentication an impostor can simply put a link to my blog in his post. Therefore I am not convinced that a verified link from your web footprints to your own web page has any appeal to the majority of web users.

In conclusion of his post, Ben said:

In all kinds of ways, this blog page can become my identity, a digital effigy of me that I control. That makes OpenId a lot more interesting – maybe it’s enough to launch the next MySpace…

If you ask me, MySpace it ain't... but for some niche communities OpenID can provide a very cost-efficient way of incorporating digital identities into open collaborative systems.