CAN AUTHENTICATION SORT OUT PHISHING AND FRAUD?
Authentication, especially two-factor authentication, is seen as an important step against on-line crime, especially for on-line banking and Internet shopping. But authentication alone is not enough to protect computer users against the efforts of organized crime to thieve their credentials, their data and even their identity.

In fact, strong authentication in only one part of a system may even make things worse if users expect to rely entirely on technology to protect them from phishing and related attacks. Organized criminals have realised (precisely because they are organized) that phishing and identity theft can be carried out over an extended period, by piecing together snippets of information from separate attacks for a final sting. For example, logging on using an authentication token will neutralize password stealers, but the very presence of a token authentication request can make an ideal trigger for spyware, especially if its goal is to build up a pattern of your on-line behaviour by monitoring your financial transactions.

This paper traces the recent evolution of malware techniques in response to technological changes in our security regimes, and proves once again the old cliché that the price of freedom is eternal vigilance. The Bad Guys are out to get us, and if they can turn our defences against us, even in the slightest way, then they surely will.

Q. Can strong authentication sort out phishing and fraud?

A. No.

Q. Hmm. That makes for a rather short paper, don't you think?

A. Yes.

Q. Could you go into a little more detail?

A. These days, a lot of phishing is orchestrated, or at least assisted, by malicious code somewhere in the network. This means that solving the problem of malware is effectively a necessary part of solving the problems of phishing and fraud.

(When we say 'fraud' in this paper, we mean on-line fraud against users conducting business via their PCs. We do not mean other sorts of financial fraud such as credit card abuse or kiting.)

But solving the malware problem is hard – indeed, it is undecidable. After all, the Halting Problem tells us that we cannot write a program which will reliably determine the behaviour of all other possible programs:

'No program can say what another will do.
Now, I won't just assert that, I'll prove it to you:
I will prove that although you might work til you drop,
you can't predict whether a program will stop.

authors, or for phishers, to go to the next level, does it?

A. No. I was just being dramatic. Nothing, whether it is authentication or something else, can actually solve the problem of phishing, in a mathematical sense of solving it. But we can make phishing much harder, and authentication is indeed one of the tools we can use.

Q. Staying on the topic of malware detection for a moment, how hard is it to produce malware – a new banking trojan, for instance – which evades detection?

A. That's not how they position themselves, of course. Several such services exist, and some are strongly supported by the security industry. VirusTotal [4], for example, has permission to use some 25 different products for scanning incoming files. In return, samples are sent to vendors who miss them, thus helping to improve detection and responsiveness. Unfortunately, VirusTotal allows you to withhold submissions from vendors (though this is not the default), which could be said to play into the hands of organized crime and the counterculture.

Q. So let's assume you can create a new phishing trojan and target me and my company with it. How can authentication, or anything else, help me then?

A. When you are carrying out a financial transaction on-line, there are several things that it pays you (literally and

Q. How? Can you start by giving me an example of the sort of authentication technology which can help with each item above?

A. Of course. Let's ask the questions we want answered one by one.

• Is the right program doing the work? Some endpoint firewalls can help with this, for example by using cryptographic checksums to regulate which applications can make what sorts of connection to which servers.

• Is it really you kicking off the transaction? A hand-held authenticator can ensure that you use a new password every time you connect, which helps to prevent replay attacks where previously-stolen credentials are re-used by someone else.

• Are you connecting to the right service? Digital certificates can help to reassure you that you are not speaking to an imposter at the other end.

• Are you carrying out the transaction you intended? Encryption and digital signatures provide protection against exposing the details of the transaction, and help prevent the transaction being tampered with in transit.

Q. Firewalls, tokens, certificates and encryption. Aren't these old technologies that we've been using for ages? Are they failing us?

A. Yes and no. There are three main ways in which security-related systems fail, and these are mirrored by the main ways in which cryptographic systems fail. This is unsurprising, since computer security relies heavily on cryptography. Things can go wrong because:

• the underlying design is flawed (e.g. a defective cipher),

• the implementation is incorrect (e.g. insufficient key material is used),

• the system is used wrongly (e.g. users write down their PINs).

In a seminal paper about the failure of cryptosystems [5], Ross Anderson shows that problems in implementation and use seem to be the main reasons for failure, rather than weak cryptography. With hindsight, this is perhaps obvious, since they are the two aspects in which human error is most likely and in which rigorous peer review is hardest. In the last case, human error can effectively be guaranteed by cheating or misleading users. Of course, what this means is that systems which can work correctly to provide us with safe on-line commerce may fail in unexpected ways.

Q. But if a system is vulnerable because it doesn't deal well with inadvertent or unexpected use, doesn't that mean the design is wrong?

A. Perhaps it does. But the PC, and its operating system, is designed to be a flexible, general-purpose tool which can be adapted to many tasks, such as word processing, browsing the Internet, watching movies, making art, designing buildings and searching for extraterrestrial life. Users are generally free to add and remove any software they like at any time in order to enjoy this flexibility. When you carry out commerce on-line, for example when clicking on a [Buy now] link, you need to turn your PC – temporarily, and at short notice – into a secure cryptographic device which acts as an important component of the transaction.

So it is hardly surprising that the design of such a system makes certain assumptions about the state of the PC, and the awareness of the user. And it is hardly surprising that the PC, or the user, or both, sometimes let the system down.

Q. Is this really unsurprising? Don't the banks owe it to us to do better?

banking but that they expect it to be cheap, and easy, and accessible from anywhere. If the bank cuts off their Internet banking in the interests of safety, and requires them to visit a branch to sort out any possible problems (a reasonable security precaution, you might think), this is viewed as a bug in the system, not a feature.

Uri Rivner of RSA, which makes and sells cryptographic solutions including hand-held authenticators, agrees:

The trojan waits for you to begin what you believe to be a transaction with the bank, though you are in fact transacting with the trojan. This means that you mistakenly authenticate against the trojan, and the trojan uses the information you supply – including the one-time password you carefully type in from your token – to authenticate itself with the bank.

The trojan is then free (at least within certain parameters) to alter various aspects of the transaction, such as the amount, the destination account, or any other details of its choosing.

Q. Are there already Trojans which can carry out this sort of attack?

A. Not yet. The main reason is almost certainly that token authentication is not very common in the Internet banking world. This is partly because the expense and complexity of

Q. When the criminals are forced to confront stronger authentication, how hard will they find it?

The criminals may not need to subvert the authentication process at all. Instead, they may simply come up with new ways of tricking you out of your money. Spammers, for example, already know how to conduct on-line fraud without getting hold of your account number or password. Many spammers operate by persuading you to conduct a transaction willingly and overtly, using your hand-held authenticator if you have one, and then supplying sub-standard goods, or nothing at all, in return.

Now imagine how much easier it would be for criminals to seduce you into bogus transactions if they had a complete picture of your spending habits.

For example, if they knew you paid your rent on the seventh of every month, and which agency you paid it to, they could attempt to phish you into paying it into a different account. And before you respond by saying, 'but it's such a big step to start paying bills to a new recipient, so that would simply never work', remember that it sounds just as far-fetched to believe that users would willingly go and type in their personal banking credentials into an unknown website on the say-so of an email which could have come from anywhere, and probably did.

The technology to allow outsiders to keep detailed track of your secure on-line activities, including everything you buy, and when, and where, already exists.

One example is the application Marketscore, created by the market research company comScore Networks, Inc. In return for a modest payment for participation, users joined the 'Marketscore Panel' and installed the Marketscore application. Amongst other features, Marketscore incorporated what is effectively a man-in-the-middle SSL proxy which aimed to crack open and to monitor all your secure on-line transactions, sending data about everything you bought, and how much you paid for it, back to comScore.

Q. Surely a legitimate application wouldn't go quite that far?

A. ComScore is no longer distributing Marketscore, perhaps due to the publicity it received when some American universities decided to block it outright, despite the strongly held tradition of academic freedom on their networks [15]. But here is what comScore themselves [16] have published about its behaviour:

'...[C]omScore has recruited for the Marketscore Panel over one and a half million opt-in members who have agreed to have their Internet behavio[u]r confidentially monitored and captured on a totally anonymous basis. These members give comScore explicit, opt-in permission to confidentially monitor their online activities in return for valuable benefits [...].

Those individuals who choose to be part of the Marketscore Panel [...] download comScore's technology to their browser where it unobtrusively routes the member's Internet connection through comScore's network of servers [...]. The technology allows comScore to capture the complete detail of all the communication to and from each individual's computer – on a site-specific, individual-specific basis. Information captured on an individual member basis includes every site visited, page viewed, ad seen, promotion used, product or service bought, and price paid.

[...]

It is extremely challenging, even with a consumer's opt-in permission, to capture information communicated to and from a browser in a secure session (e.g. any purchase transaction). In order to do this successfully, technology is required that "securely monitors a secure connection". [C]omScore's patent-pending technology does this at no incremental cost to comScore or risk to the panelists...'

As dubious as this may sound, remember that some security products provide gateway-based tools to open and examine SSL connections out of a network. Whilst this is culturally rather different to placing a market-research-oriented SSL proxy on every PC, it is technically and functionally similar. Like many technologies, whether it is good or evil depends on how it is used, and who is using it.

some of the new features of Windows Vista, such as User Access Control, which tries to restrict the subversive use of the administrator account, and at the features of SELinux, which does away with the idea of an all-powerful account completely.

The short answer points out that operating systems are becoming more resistant to trivial exploitation, but reminds us all that there are still two important risk vectors:

• Users and administrators who make errors of judgement, and who carry out fully-authenticated installations of risky or inappropriate software. Vista's warning that 'this operation requires elevation', and its careful display of a program's digital certificate (or lack of it), for example, can be undone with a single mouse click to authorize the offending operation.
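The paper states early on that the malware problem is undecidable and appeals to the Halting Problem. As an added illustration that is not part of the original paper, here is the standard reduction written out; the names $D$, $M$ and $P_{Q,x}$ are chosen here and do not appear in the text:

```latex
\begin{aligned}
&\text{Assume a program } D \text{ halts on every input with } D(P)=1 \iff P \text{ ever performs some action } M \\
&\quad\text{(say, writes to a protected file). For any program } Q \text{ and input } x, \text{ build} \\
&\qquad P_{Q,x} = \text{``run } Q \text{ on } x \text{ in a sandbox that cannot perform } M\text{; if } Q \text{ returns, perform } M\text{''}. \\
&\text{Then } P_{Q,x} \text{ performs } M \iff Q \text{ halts on } x, \text{ so } \mathrm{HALT}(Q,x) = D(P_{Q,x}). \\
&\text{That would make } D \text{ a total decider for the halting problem, which does not exist; hence no such } D \text{ exists.}
\end{aligned}
```

What this buys the defender is a precise statement of the limit: any real scanner that always answers must sometimes answer wrongly (false positives or false negatives), and any scanner that is never wrong must sometimes fail to answer within its time budget. Every detection product is therefore an approximation, which is the sense in which the paper says authentication can make phishing harder but not "solve" it.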
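The first bullet in the list of authentication technologies describes an endpoint firewall that uses cryptographic checksums to regulate which applications may connect to which servers. The following is an added example, not code from the paper or from any product it mentions: it computes the SHA-256 of the program image and decides a connection against a checksum-keyed policy, so a binary with the same file name but different contents is denied. The "program images", hostnames and policy are constructed for the illustration.

```python
"""Checksum-keyed endpoint firewall policy (added example, constructed data).

The decision is keyed on the SHA-256 of the program image, never on its name
or path, so a modified binary that keeps its name falls outside the policy.
"""
import hashlib
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]  # (host, port)


def image_digest(image: bytes) -> str:
    """SHA-256 hex digest of a program image as it would be read from disk."""
    return hashlib.sha256(image).hexdigest()


# Constructed stand-ins for executables. The tampered browser would sit at the
# same path with the same file name as the genuine one.
GENUINE_BROWSER = b"\x7fELF constructed browser build 1.0"
TAMPERED_BROWSER = b"\x7fELF constructed browser build 1.0 + injected code"
UPDATER = b"\x7fELF constructed vendor updater"

# Policy: checksum -> endpoints that image may contact. Anything absent is denied.
POLICY: Dict[str, Set[Endpoint]] = {
    image_digest(GENUINE_BROWSER): {("bank.example", 443), ("shop.example", 443)},
    image_digest(UPDATER): {("updates.example", 443)},
}


def connection_allowed(image: bytes, host: str, port: int,
                       policy: Dict[str, Set[Endpoint]] = POLICY) -> Tuple[bool, str]:
    """Default-deny decision plus a reason string suitable for the firewall log."""
    digest = image_digest(image)
    allowed = policy.get(digest)
    if allowed is None:
        # Covers both never-seen programs and known programs whose image changed.
        return False, f"deny sha256={digest[:12]}...: not in policy (unknown or modified program)"
    if (host, port) not in allowed:
        return False, f"deny sha256={digest[:12]}...: {host}:{port} not permitted for this program"
    return True, f"allow sha256={digest[:12]}...: {host}:{port}"


def audit(requests) -> Dict[str, bool]:
    """Evaluate a batch of (label, image, host, port) requests; label -> decision."""
    results = {}
    for label, image, host, port in requests:
        decision, reason = connection_allowed(image, host, port)
        results[label] = decision
        print(f"{label:<28} {reason}")
    return results


if __name__ == "__main__":
    audit([
        ("browser -> bank", GENUINE_BROWSER, "bank.example", 443),
        ("tampered browser -> bank", TAMPERED_BROWSER, "bank.example", 443),
        ("browser -> unknown host", GENUINE_BROWSER, "other.example", 443),
        ("updater -> bank", UPDATER, "bank.example", 443),
    ])
```

The check only covers the main program image that was hashed; it says nothing about what that program was later persuaded to do, which is why the paper pairs it with the other three questions rather than relying on it alone.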
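Two passages above are about one-time passwords from a hand-held authenticator: the second bullet (a fresh password on every connection defeats replay of previously-stolen credentials) and the later description of a trojan that sits between you and the bank, relays the one-time password you type in, and then alters the transaction. The following is an added simulation, not code from the paper or from any token vendor it names. It implements HOTP-style passwords (RFC 4226, HMAC-SHA1 over a counter) for a token and a bank-side verifier, shows that a replayed password is rejected, shows that the relaying trojan's altered payment is nevertheless accepted when the password only proves the session, and then shows the mitigation the fourth bullet points at: binding the code to the amount and payee. The seed, account names and the transaction-binding scheme are constructed for the illustration.

```python
"""Hand-held authenticator vs. replay and vs. a relaying trojan (added example)."""
import hashlib
import hmac
import struct

SEED = b"constructed-token-seed-for-illustration-only"  # constructed, not a real seed
DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit word at a MAC-dependent offset, mod 10^digits."""
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** digits:0{digits}d}"


def hotp(secret: bytes, counter: int) -> str:
    """Plain one-time password: HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), DIGITS)


def transaction_code(secret: bytes, counter: int, amount: int, payee: str) -> str:
    """Transaction-bound code (assumed scheme): the MAC also covers amount and
    payee, so a code produced for one payment is useless for any other."""
    msg = struct.pack(">Q", counter) + f"{amount}|{payee}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), DIGITS)


class Token:
    """Hand-held authenticator. Every use advances the counter: each code is new."""

    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

    def sign(self, amount: int, payee: str) -> str:
        """User keys the payment details into the token and gets a bound code."""
        code = transaction_code(self.secret, self.counter, amount, payee)
        self.counter += 1
        return code


class Bank:
    """Verifier with a small look-ahead window. The expected counter only moves
    forward, so any code at or below the last accepted counter is dead."""

    def __init__(self, secret: bytes, require_tx_code: bool = False, window: int = 5) -> None:
        self.secret, self.require_tx_code, self.window = secret, require_tx_code, window
        self.next_counter = 0
        self.logged_in = False

    def _consume(self, matches) -> bool:
        """Accept if some counter in the window matches; consume it and all below."""
        for c in range(self.next_counter, self.next_counter + self.window):
            if matches(c):
                self.next_counter = c + 1
                return True
        return False

    def login(self, otp: str) -> bool:
        self.logged_in = self._consume(lambda c: hmac.compare_digest(hotp(self.secret, c), otp))
        return self.logged_in

    def pay(self, amount: int, payee: str, tx_code: str = "") -> bool:
        if not self.logged_in:
            return False
        if not self.require_tx_code:
            return True  # plain OTP login: the session is all that is ever checked
        return self._consume(lambda c: hmac.compare_digest(
            transaction_code(self.secret, c, amount, payee), tx_code))


def scenario_replay() -> tuple:
    """A stolen code re-used later. Returns (genuine use accepted, replay accepted)."""
    token, bank = Token(SEED), Bank(SEED)
    otp = token.press()
    return bank.login(otp), bank.login(otp)


def scenario_relaying_trojan(require_tx_code: bool) -> dict:
    """The paper's trojan: relays the user's fresh code to the bank unchanged,
    then rewrites the payee of the payment the user believed they were making."""
    token, bank = Token(SEED), Bank(SEED, require_tx_code=require_tx_code)
    login_ok = bank.login(token.press())  # user's code, forwarded verbatim
    intended = (100, "LANDLORD-AGENCY")   # constructed payee names
    altered = (100, "MULE-ACCOUNT")
    code = token.sign(*intended) if require_tx_code else ""
    return {
        "login": login_ok,
        "altered_payment": bank.pay(*altered, tx_code=code),
        "intended_payment": bank.pay(*intended, tx_code=code),
    }


if __name__ == "__main__":
    print("replay:", scenario_replay())
    print("plain OTP vs relaying trojan:", scenario_relaying_trojan(False))
    print("transaction-bound code vs relaying trojan:", scenario_relaying_trojan(True))
```

The plain-OTP run accepts the altered payment because the password only answered "is it really you kicking off the transaction?"; the bound code also answers "are you carrying out the transaction you intended?", which is the property the trojan cannot forge without the token's secret. The verifier uses a constant-time comparison and never moves its counter backwards, which is what closes the replay case.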