Hi-tech no panacea for ID theft woes

Discussion in 'Computer Security' started by Imhotep, Sep 9, 2005.

  1. Imhotep

    Imhotep Guest

    "There is a worrying assumption that advances in technology will provide the
    solution to identity theft whereas it is possible that they may actually
    aggravate the problem," Finch told the British Association science
    conference, Reuters reports."

    My question is this. Hasn't good security always had to adapt to new
    hacking/cracking techniques? Also, inversely, hacking/cracking has had to
    adapt to new security techniques. So what is really different?

    http://www.securityfocus.com/news/11304

    Imhotep
    Imhotep, Sep 9, 2005
    #1

  2. Good Security adapts and attackers adapt by finding new measures to
    break the adaptations.

    To be completely frank the best security measure that can be taken is
    common sense..if common sense still exists...
    Brett Michaels From Poison, Sep 9, 2005
    #2

  3. Unruh

    Unruh Guest

    "Brett Michaels From Poison" <> writes:

    >Good Security adapts and attackers adapt by finding new measures to
    >break the adaptations.


    >To be completely frank the best security measure that can be taken is
    >common sense..if common sense still exists...


    Actually no. Common sense is our intuitive solution to problems based on
    past experience. For most of these electronic things past experience is a
    very poor guide, and thus so is common sense. Especially when allied with
    an almost complete ignorance with how it all works. There is nothing in
    past experience which would say that opening a letter was dangerous in and
    of itself. Opening an email is. There is nothing in past experience that
    says that the actions of someone 5000 miles away could be of danger to you.
    On the net there is.
    Unruh, Sep 9, 2005
    #3
  4. Unruh <> writes:
    > Actually no. Common sense is our intuitive solution to problems
    > based on past experience. For most of these electronic things past
    > experience is a very poor guide, and thus so is common
    > sense. Especially when allied with an almost complete ignorance with
    > how it all works. There is nothing in past experience which would
    > say that opening a letter was dangerous in and of itself. Opening an
    > email is. There is nothing in past experience that says that the
    > actions of someone 5000 miles away could be of danger to you. On
    > the net there is.


    some related comments regarding some of the threats and countermeasure
    issues:
    http://www.garlic.com/~lynn/aadsm20.htm#23 Online ID Theives Exploit Lax ATM Security
    http://www.garilc.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
    http://www.garilc.com/~lynn/aadsm20.htm#43 Another entry in the internet security hall of shame
    http://www.garilc.com/~lynn/aadsm20.htm#44 Another entry in the internet security hall of shame
    http://www.garlic.com/~lynn/aadsm21.htm#0 ID theft ring proves difficult to stop

    there is always the issue that crooks may be going after the
    low-hanging fruit ... and in a target rich environment ... closing one
    vulnerability may just find the crooks moving on to a different
    vulnerability. that is typically where a detailed threat model can
    come in handy.

    some mention that there is difference between identity fraud and
    account fraud, even tho lots of identity theft stories tend to lump
    them together (i.e. account fraud just needs to counterfeit authentication
    w/o necessarily requiring any identification):
    http://www.garlic.com/~lynn/2003m.html#51 public key vs passwd authentication?
    http://www.garlic.com/~lynn/aadsm20.htm#17 the limits of crypto and authentication
    http://www.garlic.com/~lynn/2005j.html#52 Banks
    http://www.garlic.com/~lynn/2005j.html#53 Banks
    http://www.garlic.com/~lynn/2005l.html#35 More Phishing scams, still no SSL being used
    http://www.garlic.com/~lynn/2005m.html#42 public key authentication

    and lots of posts on account harvesting for fraud purposes
    http://www.garlic.com/~lynn/subpubkey.html#harvest

    and for a little drift ... post on data breach vulnerability and
    security proportional to risk
    http://www.garlic.com/~lynn/2001h.html#61 Security Proportional To Risk

    note part of the issue is that sometimes there is confusion between
    identification and authentication ... recent post touching on some of
    the confusion issues:
    http://www.garilc.com/~lynn/aadsm20.htm#42 Another entry in the internet security hall of shame

    it is possible to come up with countermeasures that make account
    fraud much more difficult (by strengthening various
    authentication weaknesses) ... independent of addressing identity
    fraud issues. a simple example of the difference is say it was
    possible for somebody to open an offshore anonymous bank account
    .... and be provided with authentication technology for performing
    transactions. by definition, there has been absolutely no
    identification involved (and the authentication technology could still
    prevent fraudulent account transactions).

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
    Anne & Lynn Wheeler, Sep 9, 2005
    #4
  5. I'm talking along the lines of end users, which I believe are the
    number one weakness in any security structure. Most end users don't
    know a hammer from a nail when it comes to computer security.
    I'm not speaking common sense on a specific user, but rather a general
    base of common sense.
    If these end users were more educated and used more common sense
    measures, eg. not opening unknown attachments, not writing your pin on
    your mac card, this would allow IT Admins to concentrate their efforts
    on more difficult security measures.
    Some end users actually do "dumb things" more than anyone realizes.
    As a security auditor, the place we find the largest pool of weaknesses
    is end user behavior/lack of policy adherence.

    The answer to security problems isn't always complicated and sometimes
    not even electronic!
    Brett Michaels From Poison, Sep 9, 2005
    #5
  6. "Brett Michaels From Poison" <> writes:
    > I'm talking along the lines of end users, which I believe are the
    > number one weakness in any security structure. Most end users don't
    > know a hammer from a nail when it comes to computer security. I'm
    > not speaking common sense on a specific user, but rather a general
    > base of common sense.
    >
    > If these end users were more educated and used more common sense
    > measures, eg. not opening unknown attachments, not writing your pin
    > on your mac card, this would allow IT Admins to concentrate their
    > efforts on more difficult security measures. Some end users
    > actually do "dumb things" more than anyone realizes. As a security
    > auditor, the place we find the largest pool of weaknesses is end
    > user behavior/lack of policy adherence.


    ref:
    http://www.garlic.com/~lynn/2005p.html#24 Hi-tech no panacea for ID theft woes

    nominally multi-factor authentication requires that the different
    factors be subject to different vulnerabilities ... i.e. from
    3-factor authentication model
    http://www.garlic.com/~lynn/subpubkey.html#3factor

    * something you have
    * something you know
    * something you are

    .... a "something you know" PIN is nominally a countermeasure to a
    lost/stolen "something you have" physical card.

    an institutional-centric view has been that shared-secret pin/password
    based "something you know" implementations require that the person
    have a unique pin/password for every unique security environment (as
    countermeasure to somebody in one environment attacking another
    environment ... say, part-time employee in garage ISP accessing
    people's online web financial services ... assuming common password
    for both environments).
    http://www.garlic.com/~lynn/subpubkey.html#secrets

    from a person-centric view, as the number of electronic proliferated,
    people may now be faced with memorizing scores of unique & different
    pin/passwords. one of the consequences is that you find people making
    lists and storing them in their wallet. also some study claimed that
    something like 30 percent of the people write their PINs on their
    debit cards.

    so a common lost/stolen scenario is the wallet is lost ... which
    includes any lists of pin/passwords and all cards (including cards
    that have pins separately written on the cards). as a result, there is
    a common vulnerability (failure mode) for lost/stolen wallet that
    affects all cards and some number of recorded pins/passwords
    .... defeating the objective of having multi-factor authentication.

    another threat/exploit for account fraud is getting people to divulge
    the information on their cards and related information (phishing
    attacks).

    so there is a requirement for two countermeasures

    1) making valid account transactions based on a "something you have"
    physical object ... which uses some paradigm where the owner of the
    physical object isn't able to verbally disclose the information

    2) eliminate the enormous proliferation of the shared-secret paradigm
    .... resulting in the impossible requirement for people to memorize scores
    of different pieces of information.

    so one implementation uses asymmetric cryptography where keys are
    generated inside a chip/token and the private key is never divulged.
    proof of possessing the chip/token ("something you have"
    authentication) is done with digital signatures ... which doesn't
    expose the private key. It is possible for the person possessing the
    token to prove that they have the token ... but they aren't able to
    divulge the information required for the proof (i.e. the private key
    contained in the token). The digital signature methodology generates a
    new value on every use ... so the operation is resistant to replay
    attacks (somebody having recorded a previous use).

    That still leaves shared-secret vulnerabilities associated with
    memorizing human factors (and countermeasure against lost/stolen
    token). Using a chip/token would allow a PIN to be used for correct
    operation of the chip/token ... w/o requiring the PIN to be recorded.
    That makes the PIN a *secret* (as opposed to shared-secret) and
    eliminates the shared-secret based security requirement for having a
    unique PIN for every environment (if person has a single PIN for
    everything they do ... it is less of a problem to memorize ... and
    also opens the possibility of making it more complex than four numeric
    digits).

    Such an approach makes phishing attacks for account fraud much more
    difficult ... since the person can't even divulge information in the
    token that they don't know (crooks can't simply ask tens of thousands
    of people to type in their account numbers and PINs and then go off
    and extract money, they now actually require the exact physical
    token).

    it also makes crooks work harder for physically stealing tokens and also
    obtaining the associated PIN (much higher effort in order to perform a
    fraudulent transaction).

    note also that a countermeasure associated with online transaction
    environment and lost/stolen (physical) tokens ... is the owner is
    likely to notice that it is missing and report it, resulting in the
    associated account access being deactivated. In the phishing (also
    record/replay, key logger, etc) scenarios, the victim might not
    realize that there is money leaking out of their account until weeks
    later.

    so much of the current electronic based account fraud could be
    eliminated ... forcing it purely to stealing physical object (where a
    crook actually has to physically take them one or two at a time, can't
    program a computer to lift millions)... which also will nominally have
    a much shorter window of (crime) opportunity (until it is reported
    lost/stolen).

    The other way of looking at it is that the fraud *ROI* (return on
    investment) is significantly reduced (enormous increase in physical
    effort, limited window of opportunity).

    You still have some number of social engineering attacks (other than
    the phishing kind) ... where the crook convinces the victim to
    perform the actual transaction (as opposed to the crook obtaining
    sufficient information to perform the transactions themselves). Some
    of these are currently getting wide-spread coverage under the heading
    of some sort of scam.

    misc. past person-centric related postings:
    http://www.garlic.com/~lynn/aadsm12.htm#0 maximize best case, worst case, or average case? (TCPA)
    http://www.garlic.com/~lynn/2003e.html#22 MP cost effectiveness
    http://www.garlic.com/~lynn/2003e.html#31 MP cost effectiveness
    http://www.garlic.com/~lynn/2004e.html#8 were dumb terminals actually so dumb???
    http://www.garlic.com/~lynn/2005g.html#47 Maximum RAM and ROM for smartcards
    http://www.garlic.com/~lynn/2005g.html#57 Security via hardware?
    http://www.garlic.com/~lynn/aadsm19.htm#14 To live in interesting times - open Identity systems
    http://www.garlic.com/~lynn/aadsm19.htm#41 massive data theft at MasterCard processor
    http://www.garlic.com/~lynn/aadsm19.htm#47 the limits of crypto and authentication
    http://www.garlic.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
    http://www.garlic.com/~lynn/2005m.html#37 public key authentication
    http://www.garlic.com/~lynn/2005p.html#6 Innovative password security

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
    Anne & Lynn Wheeler, Sep 9, 2005
    #6
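The token flow described in the post above (key generated inside the token and never exported, a PIN checked locally by the token rather than shared with the bank, a signature over a fresh value on every use so a recording cannot be replayed), as an added example that is not code from the poster or from any product. It is a Python simulation: a toy RSA key built from two constructed Mersenne primes stands in for the token's hardware-generated key (the modulus is about 92 bits, far too small for real use), and the `Token`, `Bank`, `demo` names, the account number and the PIN are all constructed for the demo. The bank stores only the public key, so a breach of its records does not yield anything a crook can sign with.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy RSA parameters, constructed for this demo only (two Mersenne primes give a
# deterministic ~92-bit modulus). A real token holds a hardware-generated key of
# proper size; the point here is the protocol, not the key strength.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)


def transaction_message(account: str, amount: int, nonce: bytes) -> bytes:
    """Bytes the token signs: account, amount and the bank's one-time nonce."""
    return f"{account}|{amount}|".encode() + nonce


def message_digest(message: bytes) -> int:
    """Hash the message and reduce it to an integer below the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")


class Token:
    """Simulated chip/token: the private exponent is created inside and no
    method returns it; the holder can only request signatures after the PIN."""

    def __init__(self, pin: str):
        self._d = pow(E, -1, PHI)              # private key, never exported
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.public_key = (N, E)               # the only thing the bank stores

    def sign(self, pin: str, message: bytes) -> Optional[int]:
        # The PIN is a secret between holder and token, not a shared secret
        # held by the bank, so one PIN can serve every environment.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None
        return pow(message_digest(message), self._d, N)


class Bank:
    """Verifier: stores public keys only, issues one-time nonces, and refuses
    any nonce it did not issue or has already accepted."""

    def __init__(self):
        self.public_keys = {}   # account -> (n, e)
        self.pending = {}       # nonce -> (account, amount) awaiting a signature
        self.consumed = set()   # nonces already accepted (replay detection)

    def enroll(self, account: str, public_key: tuple) -> None:
        self.public_keys[account] = public_key

    def challenge(self, account: str, amount: int) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (account, amount)
        return nonce

    def submit(self, account: str, amount: int, nonce: bytes, signature: Optional[int]) -> bool:
        if signature is None or nonce in self.consumed:
            return False                       # no signature, or a replayed one
        if self.pending.get(nonce) != (account, amount):
            return False                       # unknown nonce or altered fields
        n, e = self.public_keys[account]
        expected = message_digest(transaction_message(account, amount, nonce))
        if pow(signature, e, n) != expected:
            return False                       # forged or wrong-key signature
        self.consumed.add(nonce)
        del self.pending[nonce]
        return True


def demo() -> dict:
    """Run the thread's scenarios and report which ones the bank accepts."""
    bank = Bank()
    token = Token(pin="4821")                  # constructed PIN, known to holder and token
    bank.enroll("ACCT-1", token.public_key)

    # 1. Legitimate transaction: the token signs the bank's challenge.
    nonce = bank.challenge("ACCT-1", 250)
    sig = token.sign("4821", transaction_message("ACCT-1", 250, nonce))
    legit = bank.submit("ACCT-1", 250, nonce, sig)
    # 2. Record/replay: the same captured signature submitted a second time.
    replay = bank.submit("ACCT-1", 250, nonce, sig)
    # 3. Phished PIN and account number, plus the public key from a server
    #    breach, but no token: the crook has nothing to sign with.
    nonce2 = bank.challenge("ACCT-1", 250)
    phished = bank.submit("ACCT-1", 250, nonce2,
                          message_digest(transaction_message("ACCT-1", 250, nonce2)))
    # 4. Stolen token without the PIN: the token refuses to sign.
    nonce3 = bank.challenge("ACCT-1", 250)
    stolen = bank.submit("ACCT-1", 250, nonce3,
                         token.sign("0000", transaction_message("ACCT-1", 250, nonce3)))
    # 5. Valid signature over 250 resubmitted with the amount changed to 9000.
    nonce4 = bank.challenge("ACCT-1", 250)
    sig4 = token.sign("4821", transaction_message("ACCT-1", 250, nonce4))
    tampered = bank.submit("ACCT-1", 9000, nonce4, sig4)

    return {"legit": legit, "replay": replay, "phished": phished,
            "stolen_no_pin": stolen, "tampered_amount": tampered}


if __name__ == "__main__":
    print(demo())
```

Only the first scenario is accepted. The bank-issued nonce is what makes each signature single-use; a token that signed a value the holder chose, or no value at all, would reintroduce the replay problem the post describes.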
  7. a.draper

    a.draper Guest

    "Imhotep" <> wrote in message
    news:...
    > "There is a worrying assumption that advances in technology will provide

    the
    > solution to identity theft whereas it is possible that they may actually
    > aggravate the problem," Finch told the British Association science
    > conference, Reuters reports."
    >
    > My question is this. Hasn't good security always had to adapt to new
    > hacking/cracking techniques? Also, inversely, hacking/cracking has had to
    > adapt to new security techniques. So what is really different?
    >
    > http://www.securityfocus.com/news/11304
    >
    > Imhotep


    It's a classic predator/prey relationship transferred into the information
    realm. That's how we will really know AI is legit...something will try to
    kill it.

    --
    "The mind is its own place, and in itself
    can make a Heaven of Hell, a Hell of Heaven."----Milton.

    "Why, this is Hell; nor am I out of it!"----Marlowe.
    a.draper, Sep 10, 2005
    #7
  8. Unruh

    Unruh Guest

    "Brett Michaels From Poison" <> writes:

    >I'm talking along the lines of end users, which I believe are the
    >number one weakness in any security structure. Most end users don't
    >know a hammer from a nail when it comes to computer security.
    > I'm not speaking common sense on a specific user, but rather a general
    >base of common sense.
    >If these end users were more educated and used more common sense
    >measures, eg. not opening unknown attachments, not writing your pin on
    >your mac card, this would allow IT Admins to concentrate their efforts
    >on more difficult security measures.
    >Some end users actually do "dumb things" more than anyone realizes.
    >As a security auditor, the place we find the largest pool of weaknesses
    >is end user behavior/lack of policy adherence.



    Unfortunately this is usually false. It comes from admins or whatever have
    no knowledge whatsoever of people's abilities and psychology. It is like
    thinking that you can build a ladder to the moon because you have no
    knowledge of physics. People CANNOT remember 10 complicated passwords. They
    simply cannot. IF they are to use the system they have to subvert it. Of
    course the administrator then comes down on them for being stupid, dumb,
    whatever. It is not they who are, it is the administrator almost always.
    Ie, security policies which make assumptions about people are not let down
    by the end user, they are let down by the administrator who originally put
    them into place.


    >The answer to security problems isnt always complicated and sometimes
    >not even electronic!


    Agreed. We may disagree however on where the problem lies.
    Unruh, Sep 10, 2005
    #8
  9. I agree that people cannot remember 10 passwords, even if they are not
    complicated. I was talking more along the lines of security overall.
    Take the top threats to any end user: viruses/spy/adware, spam,
    phishing.

    Most people didn't or still don't know how to help curb or reduce risk
    to these threats. After some education, and making prevention common
    knowledge, the exposure to these threats is lessening.

    As far as an administrator standpoint, a policy to require users to not
    write down their passwords or store them near their systems isn't hard
    to follow, however, end users do tend to ignore policies in favor of
    being lazy.
    Disregard for rules isn't really specific to computer rules, but any
    rules, it's just part of being human I suppose. At any rate, Social
    engineering(analogous to conning) will still be going hard and strong.

    It's ironic actually, how the answers to security problems can be
    simple and non electronic, and at the same time the easiest methods for
    attackers to break into systems are also simple and non electronic.

    I just think overall, IT managers need to budget more time and money
    into user education and policy enforcement and take a little away from
    buying more and more complex controls.
    Brett Michaels From Poison, Sep 12, 2005
    #9
