Computer Security - Hi-tech no panacea for ID theft woes
#1
"There is a worrying assumption that advances in technology will provide the solution to identity theft whereas it is possible that they may actually aggravate the problem," Finch told the British Association science conference, Reuters reports.

My question is this. Hasn't good security always had to adapt to new hacking/cracking techniques? Also, inversely, hacking/cracking has had to adapt to new security techniques. So what is really different?

http://www.securityfocus.com/news/11304

Imhotep
#2
Good Security adapts and attackers adapt by finding new measures to break the adaptations.

To be completely frank the best security measure that can be taken is common sense... if common sense still exists...

Brett Michaels From Poison
#3
"Brett Michaels From Poison" <> writes:
> Good Security adapts and attackers adapt by finding new measures to
> break the adaptations.
> To be completely frank the best security measure that can be taken is
> common sense... if common sense still exists...

Actually no. Common sense is our intuitive solution to problems based on past experience. For most of these electronic things past experience is a very poor guide, and thus so is common sense. Especially when allied with an almost complete ignorance of how it all works. There is nothing in past experience which would say that opening a letter was dangerous in and of itself. Opening an email is. There is nothing in past experience that says that the actions of someone 5000 miles away could be of danger to you. On the net there is.

Unruh
#4
Unruh <unruh-> writes:
> Actually no. Common sense is our intuitive solution to problems
> based on past experience. For most of these electronic things past
> experience is a very poor guide, and thus so is common
> sense. Especially when allied with an almost complete ignorance with
> how it all works. There is nothing in past experience which would
> say that opening a letter was dangerous in and of itself. Opening an
> email is. There is nothing in past experience that says that the
> actions of someone 5000 miles away could be of danger to you. On
> the net there is.

some related comments regarding some of the threats and countermeasure issues:
http://www.garlic.com/~lynn/aadsm20.htm#23 Online ID Thieves Exploit Lax ATM Security
http://www.garlic.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/aadsm20.htm#43 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/aadsm20.htm#44 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/aadsm21.htm#0 ID theft ring proves difficult to stop

there is always the issue that crooks may be going after the low-hanging fruit ... and in a target rich environment ... closing one vulnerability may just find the crooks moving on to a different vulnerability. that is typically where a detailed threat model can come in handy.

some mention that there is a difference between identity fraud and account fraud, even tho lots of identity theft stories tend to lump them together (i.e. account fraud just needs to counterfeit authentication w/o necessarily requiring any identification):
http://www.garlic.com/~lynn/2003m.html#51 public key vs passwd authentication?
http://www.garlic.com/~lynn/aadsm20.htm#17 the limits of crypto and authentication
http://www.garlic.com/~lynn/2005j.html#52 Banks
http://www.garlic.com/~lynn/2005j.html#53 Banks
http://www.garlic.com/~lynn/2005l.html#35 More Phishing scams, still no SSL being used
http://www.garlic.com/~lynn/2005m.html#42 public key authentication

and lots of posts on account harvesting for fraud purposes
http://www.garlic.com/~lynn/subpubkey.html#harvest

and for a little drift ... post on data breach vulnerability and security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61 Security Proportional To Risk

note part of the issue is that sometimes there is confusion between identification and authentication ... recent post touching on some of the confusion issues:
http://www.garlic.com/~lynn/aadsm20.htm#42 Another entry in the internet security hall of shame

it is possible to come up with countermeasures that make account fraud much more difficult (by strengthening various authentication weaknesses) ... independent of addressing identity fraud issues. a simple example of the difference is say it was possible for somebody to open an offshore anonymous bank account .... and be provided with authentication technology for performing transactions. by definition, there has been absolutely no identification involved (and the authentication technology could still prevent fraudulent account transactions).

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
#5
I'm talking along the lines of end users, which I believe are the number one weakness in any security structure. Most end users don't know a hammer from a nail when it comes to computer security. I'm not speaking common sense on a specific user, but rather a general base of common sense.

If these end users were more educated and used more common sense measures, eg. not opening unknown attachments, not writing your pin on your mac card, this would allow IT Admins to concentrate their efforts on more difficult security measures. Some end users actually do "dumb things" more than anyone realizes. As a security auditor, the place we find the largest pool of weaknesses is end user behavior/lack of policy adherence.

The answer to security problems isn't always complicated and sometimes not even electronic!

Brett Michaels From Poison
#6
"Brett Michaels From Poison" <> writes:
> I'm talking along the lines of end users, which I believe are the
> number one weakness in any security structure. Most end users don't
> know a hammer from a nail when it comes to computer security. I'm
> not speaking common sense on a specific user, but rather a general
> base of common sense.
>
> If these end users were more educated and used more common sense
> measures, eg. not opening unknown attachments, not writing your pin
> on your mac card, this would allow IT Admins to concentrate their
> efforts on more difficult security measures. Some end users
> actually do "dumb things" more than anyone realizes. As a security
> auditor, the place we find the largest pool of weaknesses is end
> user behavior/lack of policy adherence.

ref:
http://www.garlic.com/~lynn/2005p.html#24 Hi-tech no panacea for ID theft woes

nominally multi-factor authentication requires that the different factors be subject to different vulnerabilities ... i.e. from 3-factor authentication model
http://www.garlic.com/~lynn/subpubkey.html#3factor

* something you have
* something you know
* something you are

.... a "something you know" PIN is nominally a countermeasure to lost/stolen "something you have" physical card.

an institutional-centric view has been that shared-secret pin/password based "something you know" implementations require that the person have a unique pin/password for every unique security environment (as countermeasure to somebody in one environment attacking another environment ... say, part-time employee in garage ISP accessing people's online web financial services ... assuming common password for both environments).
http://www.garlic.com/~lynn/subpubkey.html#secrets

from a person-centric view, as the number of electronic proliferated, people may now be faced with memorizing scores of unique & different pin/passwords. one of the consequences is that you find people making lists and storing them in their wallet.

also some study claimed that something like 30 percent of the people write their PINs on their debit cards. so a common lost/stolen scenario is the wallet is lost ... which includes any lists of pin/passwords and all cards (including cards that have pins separately written on the cards). as a result, there is a common vulnerability (failure mode) for lost/stolen wallet that affects all cards and some number of recorded pins/passwords .... defeating the objective of having multi-factor authentication.

another threat/exploit for account fraud is getting people to divulge the information on their cards and related information (phishing attacks).

so there is a requirement for two countermeasures

1) making valid account transactions based on a "something you have" physical object ... which uses some paradigm where the owner of the physical object isn't able to verbally disclose the information

2) eliminate the enormous proliferation of the shared-secret paradigm .... resulting in the impossible requirement for people to memorize scores of different pieces of information.

so one implementation uses asymmetric cryptography where keys are generated inside a chip/token and the private key is never divulged. proof of possessing the chip/token ("something you have" authentication) is done with digital signatures ... which doesn't expose the private key. It is possible for the person possessing the token to prove that they have the token ... but they aren't able to divulge the information required for the proof (i.e. the private key contained in the token). The digital signature methodology generates a new value on every use ... so the operation is resistant to replay attacks (somebody having recorded a previous use).

That still leaves shared-secret vulnerabilities associated with memorizing human factors (and countermeasure against lost/stolen token). Using a chip/token would allow a PIN to be used for correct operation of the chip/token ... w/o requiring the PIN to be recorded. That makes the PIN a *secret* (as opposed to shared-secret) and eliminates the shared-secret based security requirement for having a unique PIN for every environment (if person has a single PIN for everything they do ... it is less of a problem to memorize ... and also opens the possibility of making it more complex than four numeric digits).

Such an approach makes phishing attacks for account fraud much more difficult ... since the person can't even divulge information in the token that they don't know (crooks can't simply ask tens of thousands of people to type in their account numbers and PINs and then go off and extract money, they now actually require the exact physical token). it also makes crooks work harder for physically stealing tokens and also obtaining the associated PIN (much higher effort in order to perform a fraudulent transaction).

note also that a countermeasure associated with online transaction environment and lost/stolen (physical) tokens ... is the owner is likely to notice that it is missing and report it, resulting in the associated account access being deactivated. In the phishing (also record/replay, key logger, etc) scenarios, the victim might not realize that there is money leaking out of their account until weeks later.

so much of the current electronic based account fraud could be eliminated ... forcing it purely to stealing physical objects (where a crook actually has to physically take them one or two at a time, can't program a computer to lift millions) ... which also will nominally have a much shorter window of (crime) opportunity (until it is reported lost/stolen). The other way of looking at it is that the fraud *ROI* (return on investment) is significantly reduced (enormous increase in physical effort, limited window of opportunity).

You still have some number of social engineering attacks (other than the phishing kind) ... where the crook convinces the victim to perform the actual transaction (as opposed to the crook obtaining sufficient information to perform the transactions themselves). Some of these are currently getting wide-spread coverage under the heading of some sort of scam.

misc. past person-centric related postings:
http://www.garlic.com/~lynn/aadsm12.htm#0 maximize best case, worst case, or average case? (TCPA)
http://www.garlic.com/~lynn/2003e.html#22 MP cost effectiveness
http://www.garlic.com/~lynn/2003e.html#31 MP cost effectiveness
http://www.garlic.com/~lynn/2004e.html#8 were dumb terminals actually so dumb???
http://www.garlic.com/~lynn/2005g.html#47 Maximum RAM and ROM for smartcards
http://www.garlic.com/~lynn/2005g.html#57 Security via hardware?
http://www.garlic.com/~lynn/aadsm19.htm#14 To live in interesting times - open Identity systems
http://www.garlic.com/~lynn/aadsm19.htm#41 massive data theft at MasterCard processor
http://www.garlic.com/~lynn/aadsm19.htm#47 the limits of crypto and authentication
http://www.garlic.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/2005m.html#37 public key authentication
http://www.garlic.com/~lynn/2005p.html#6 Innovative password security

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
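The token scheme the post above describes (keypair generated inside the token and the private key never exported; a PIN checked locally, so it is a secret rather than a shared secret; a fresh signature on every use, so a recording cannot be replayed), written out as an added example in Go. This is not code from the original thread or from anything the Wheelers published: it uses Ed25519 from Go's standard library, and the `Token` and `Verifier` types, the PIN `2468` and the nonce bookkeeping are this example's own constructions. A real token would do the PIN check and the signing inside tamper-resistant hardware with a retry counter, not in process memory as here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Token models the "something you have": the keypair is generated inside it,
// the private key is never exported, and a locally checked PIN ("something
// you know") gates every use. Type and method names are this example's own.
type Token struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte // only a hash is kept; the PIN itself is never transmitted
}

// NewToken personalises a token with a PIN and returns the public key the
// institution registers against the account.
func NewToken(pin string) (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub, nil
}

// Sign is the only operation the token exposes. With the right PIN it returns
// a signature over the challenge; it never returns the key, so there is
// nothing the holder could be phished into divulging.
func (t *Token) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], t.pinHash[:]) != 1 {
		return nil, errors.New("token: wrong PIN, refusing to sign")
	}
	return ed25519.Sign(t.priv, challenge), nil
}

// Verifier is the institution's side: it holds only the public key plus the
// challenges it has issued and not yet seen answered.
type Verifier struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, pending: make(map[string]bool)}
}

// Challenge issues a fresh random nonce for one transaction.
func (v *Verifier) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify accepts a (challenge, signature) pair exactly once. The nonce is
// consumed on success, so a recorded response replayed later is rejected
// even though the signature itself is still mathematically valid.
func (v *Verifier) Verify(challenge, sig []byte) bool {
	k := hex.EncodeToString(challenge)
	if !v.pending[k] {
		return false // never issued, or already used
	}
	if !ed25519.Verify(v.pub, challenge, sig) {
		return false
	}
	delete(v.pending, k)
	return true
}

func main() {
	tok, pub, err := NewToken("2468") // constructed example PIN
	if err != nil {
		panic(err)
	}
	v := NewVerifier(pub)

	c, _ := v.Challenge()
	sig, err := tok.Sign("2468", c)
	fmt.Println("genuine transaction accepted:", err == nil && v.Verify(c, sig))
	fmt.Println("replayed response accepted:  ", v.Verify(c, sig))
	_, err = tok.Sign("0000", c)
	fmt.Println("wrong PIN refused:           ", err != nil)
}
```

Two details carry the security argument. The PIN hash lives only in the token and is compared in constant time; the institution never sees the PIN, which is what lets one PIN serve every account without the cross-environment risk the post attributes to shared secrets. On the institution's side, replay resistance is not a property of the signature alone: the verifier has to issue each challenge itself and consume it on first use, otherwise a crook who recorded one response could present it again.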
#7
"Imhotep" <> wrote in message news:CbydnZ2dnZ2N3sjRnZ2dnbCKvN6dnZ2dRVn-...
> "There is a worrying assumption that advances in technology will provide the
> solution to identity theft whereas it is possible that they may actually
> aggravate the problem," Finch told the British Association science
> conference, Reuters reports.
>
> My question is this. Hasn't good security always had to adapt to new
> hacking/cracking techniques? Also, inversely, hacking/cracking has had to
> adapt to new security techniques. So what is really different?
>
> http://www.securityfocus.com/news/11304
>
> Imhotep

It's a classic predator/prey relationship transferred into the information realm. That's how we will really know AI is legit... something will try to kill it.

--
"The mind is its own place, and in itself can make a Heaven of Hell, a Hell of Heaven." ---- Milton.
"Why, this is Hell; nor am I out of it!" ---- Marlowe.
a.draper
#8
"Brett Michaels From Poison" <> writes:
> I'm talking along the lines of end users, which I believe are the
> number one weakness in any security structure. Most end users don't
> know a hammer from a nail when it comes to computer security.
> I'm not speaking common sense on a specific user, but rather a general
> base of common sense.
> If these end users were more educated and used more common sense
> measures, eg. not opening unknown attachments, not writing your pin on
> your mac card, this would allow IT Admins to concentrate their efforts
> on more difficult security measures.
> Some end users actually do "dumb things" more than anyone realizes.
> As a security auditor, the place we find the largest pool of weaknesses
> is end user behavior/lack of policy adherence.

Unfortunately this is usually false. It comes from admins or whatever who have no knowledge whatsoever of people's abilities and psychology. It is like thinking that you can build a ladder to the moon because you have no knowledge of physics. People CANNOT remember 10 complicated passwords. They simply cannot. IF they are to use the system they have to subvert it. Of course the administrator then comes down on them for being stupid, dumb, whatever. It is not they who are, it is the administrator almost always. Ie, security policies which make assumptions about people are not let down by the end user, they are let down by the administrator who originally put them into place.

> The answer to security problems isn't always complicated and sometimes
> not even electronic!

Agreed. We may disagree however on where the problem lies.

Unruh
#9
I agree that people cannot remember 10 passwords, even if they are not complicated. I was talking more along the lines of security overall. Take the top threats to any end user: viruses/spy/adware, spam, phishing. Most people didn't or still don't know how to help curb or reduce risk to these threats. After some education, and making prevention common knowledge, the exposure to these threats is lessening.

As far as an administrator standpoint, a policy to require users to not write down their passwords or store them near their systems isn't hard to follow, however, end users do tend to ignore policies in favor of being lazy. Disregard for rules isn't really specific to computer rules, but any rules, it's just part of being human I suppose.

At any rate, social engineering (analogous to conning) will still be going hard and strong. It's ironic actually, how the answers to security problems can be simple and non electronic, and at the same time the easiest methods for attackers to break into systems are also simple and non electronic. I just think overall, IT managers need to budget more time and money into user education and policy enforcement and take a little away from buying more and more complex controls.

Brett Michaels From Poison