Archive for the ‘Security’ Category

NIST Alerts on SiteKey / Passmark

Sunday, June 10th, 2007

As a vendor in the strong authentication space, I feel that my criticism of certain practices that competing vendors live and breathe on is not only not taken seriously, but nearly completely discounted. To be honest, this is completely understandable, so I am happy when 3rd party sources point out various shortcomings and problems. Recently, the following bulletins were pointed out to me and I thought I would mention them here to buttress points made in earlier posts. In this case SiteKey / Passmark is called out, but I would generalize these problems to many offerings in the “strong authentication” space. I put “strong authentication” in quotes as most of these approaches are not actually strong and never were, but were pitched as such. Let’s review them in order as listed on the NIST National Vulnerability Database. I hope readers will perform their own searches and comment on other pertinent situations back here.

Warning: this post contains blatant compare-and-contrast content about TriCipher’s offering in the context of these three vulnerabilities. I’ll try not to do this too often, but I believe these are valuable touchpoints to discuss fully, and removing my own vendor hat doesn’t seem particularly useful for this post.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7199
“EMC RSA Security SiteKey allows remote attackers to display the correct image via a man-in-the-middle (MITM) attack in which an attacker-controlled server proxies authentication data to and from a legitimate SiteKey server.”

This vulnerability basically points to what I’ve generally referred to as the “device registration man-in-the-middle (MITM)” problem. In this attack users are drawn to a false site which proxies the actual site. The proxy of course doesn’t have the cookie that the user does and consequently walks the user through the source site’s “register your device” screens. This happens whether the user actually has the 2nd factor cookie or not. Given that users have now been conditioned to go through this process so many times that it isn’t an exception event worthy of concern, they complete the process. The attacker now ends up with the password and a legitimate cookie and off they go, with the user none the wiser.

The “vendor disputes” note points to the fact that everyone acknowledges this is a weak system and that backup monitoring is necessary. This is why so many solutions that originally touted themselves as a “two-way, two-factor” solution moved much more strongly into the fraud detection space, such that the detection offering became the true value of their products. Passmark (which is what Bank of America’s SiteKey is) and Bharosa are two examples of this. See my earlier post “Pictures and fraud detection” for more. All solutions using such a light-touch, i.e. no-client-touch, approach are vulnerable to this simple attack, even the lowest rung of the TriCipher solution utilizing cookies / device markers. Vendor pitch alert: Fortunately for us, we have many more secure offerings off the same platform, such that as risk and attacks rise, our customers have somewhere to go without a new implementation.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7200
“EMC RSA Security SiteKey issues challenge-bypass tokens that persist forever without a cancellation interface for end users, which makes it easier for attackers to bypass one stage of authentication by stealing and replaying a token.”

This one is pretty simple and straightforward. Cookies are planted and, unless deleted, are persistent and consistent across all registered machines. The Passmark system apparently doesn’t know which machines are registered and does not have the ability to unregister devices. To be honest, I’m pretty surprised they haven’t fixed this, as it was, and apparently still is, a nice competitive differentiator for us at TriCipher.

Vendor pitch alert: We mark each device independently and provide an interface such that users can name each device for their own ease of use. We then provide the interface for users to unregister single devices or, in a real moment of paranoia, unregister all devices. This seemed like prudent and obvious practice to us, and the fact that Passmark hasn’t fixed this indicates they truly are focused on the back-end detection, best-guess approach to supposedly strong authentication.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7201
“EMC RSA Security SiteKey does not set the secure qualifier on the SiteKey Flash token (aka the PassMark Flash shared object), which might allow remote attackers to obtain the token via HTTP.”

To be honest, this is a nice technical callout by the folks at NIST, but given the simplicity of the attack in CVE-2006-7200, I’m not sure adding this secure qualifier would buy much. Sure, this “secure qualifier” attack is rated higher, presumably because authentication is not required to exploit it, but it still requires the victim’s voluntary interaction with the attack mechanism. It is certainly something nice to fix from an “attention to security detail” standpoint, but addressing the “device registration MITM” attack seems to buy more.

Vendor pitch alert: Of course, moving up TriCipher’s Authentication Ladder would buy significantly more protection across the board.
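To make the per-device registration discussed under CVE-2006-7200 and the Secure-flag point from CVE-2006-7201 concrete, here is an added example (my own illustration, not TriCipher’s or Passmark’s code): a device registry that stores only a hash of each device token, lets the user name, list and revoke devices individually or all at once, expires tokens, and emits the device cookie with the Secure and HttpOnly attributes. All names, the cookie name and the 90-day lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 90 * 24 * 3600  # constructed policy: device tokens expire after 90 days


class DeviceRegistry:
    """Hypothetical per-user store of registered devices (CVE-2006-7200 mitigation)."""

    def __init__(self):
        # user -> {device_id: {"hash": sha256(token), "name": str, "issued": ts}}
        self._devices = {}

    def register(self, user, name, now=None):
        """Issue a fresh random token for exactly one device; only its hash is kept."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        device_id = secrets.token_hex(8)
        self._devices.setdefault(user, {})[device_id] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),
            "name": name, "issued": now}
        return device_id, token

    def list_devices(self, user):
        """User-facing view: the device names the user chose, keyed by id."""
        return {d: v["name"] for d, v in self._devices.get(user, {}).items()}

    def unregister(self, user, device_id):
        """Cancel one device; its token is useless from this point on."""
        return self._devices.get(user, {}).pop(device_id, None) is not None

    def unregister_all(self, user):
        """The 'moment of paranoia' button: revoke every device, return how many."""
        count = len(self._devices.get(user, {}))
        self._devices[user] = {}
        return count

    def verify(self, user, device_id, token, now=None):
        """True only for a live, unexpired token bound to this exact device."""
        now = time.time() if now is None else now
        rec = self._devices.get(user, {}).get(device_id)
        if rec is None or now - rec["issued"] > TOKEN_TTL:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        return secrets.compare_digest(rec["hash"], presented)


def device_cookie_header(device_id, token):
    """Set-Cookie value carrying the Secure flag (CVE-2006-7201); 'device' is a constructed name."""
    return (f"device={device_id}.{token}; Secure; HttpOnly; SameSite=Strict; "
            f"Max-Age={TOKEN_TTL}; Path=/")
```

Note that none of this stops the registration-proxy MITM from the first CVE; it only bounds the damage of a stolen token and gives the user a way to cancel it.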

So there you have some 3rd party call-outs of issues with the light-touch, pictures-and-cookies approach. While I’m tempted to apologize for the strong TriCipher pitch content in this post, I believe it is important to discuss not only these vulnerabilities, but the entire “light-touch, make the user feel safe, but not actually make them safe” approach.

I did a few searches on one-time passwords, OTP and MITM, but didn’t find any entries in the Vulnerabilities database calling out the known and real-world implementation attacks against OTP systems. I’ll keep looking and report back here whether or not I find them.

Customer education is not a plan

Monday, March 19th, 2007

I would like to pick up the thought thread from my Feb 23 “Pictures and fraud detection” entry; you may want to scroll down there, read that and come back. Tying into that thread are two news items from last week that you should also read, or at least scan, before continuing:

  1. Tracking the Password Thieves by Brian Krebs / Security Fix
  2. Thieves raid online accounts in penny stock scam by Kathleen Pender / San Francisco Chronicle

So what’s special about two more “people got ripped off online” stories?

The first tie-in to my Feb 23 posting is the fact that this is just another in an ongoing line of similar stories, and regardless of whether they indicate some new attack vector or not, these add up to an ongoing drumbeat to many consumers that they should continue to avoid the online channel. This of course has an immediate impact on e-commerce bottom lines as revenue is lost and profit margin and productivity gains remain unrealized.

The second tie-in to the previous post is that the seven affected brokerage firms spent roughly $300k each “attempting to make their customers whole”. Being a vendor in this space, I can pretty confidently assert these seven firms could have purchased “a product” on average for no more than that and it would have prevented this attack. Note the attackers logged in as the victims. Simple password theft, though the method of password obtainment is not mentioned in the pump-n-dump article.

  • Unbelievable to me that John Reed Stark of the SEC indicates the thieves “did not penetrate the brokerage firms’ infrastructure or security systems”.  If I were one of the 30 - 40 victims, I would certainly be taking issue with that statement.  The thieves make off with $732,941, the brokerages spend $2,000,000 making victims whole (no, the math doesn’t make sense to me either, must be some “hush-type” money involved, eh?), the attackers likely have lots of personal identity information on these same victims and there wasn’t a penetration of the security system?  Really?!  Or is he saying this is how they designed their security system to work?

The third tie-in: fraud detection is a great thing, but it is lousy all alone as a security system. Did you only install motion detectors in your house when you installed your security system? Didn’t think so. Time to add a truly strong perimeter, i.e. strong authentication, to your defense-in-depth strategy.

These are all obvious things really, but the last and actually most important thing I’d like to tie-in here is:

Can we please quit playing the “educate the end-user” card?  This can no longer be proffered by serious security professionals as a prominent part of a security plan.  I would actually argue it is exactly the lack of a plan that leads to this being plied as a significant e-commerce security component.  I’m reminded of my favorite line from my favorite B-movie, Tremors.  While running for their lives from the monster, Kevin Bacon asserts “I have a plan”, to which Fred Ward replies, “Running isn’t a plan, running is what you do when a plan fails!”.

Please go back and revisit the list of victims in Brian Krebs’ piece on Password Thieves. Only one of them is a computer security professional from IBM, but these aren’t exactly Ma & Pa Smith online bankers either. Do I have anything against Ma & Pa Smith? Of course not. On the contrary, Ma & Pa Smith are the realization of the adoption being sought. Get everyone to the presumably low-cost online channel, once you quit paying “make customer whole” settlements, anyway. If we can’t provide an environment where even arguably “educated” consumers, such as these, can safely and confidently transact, what hope is there to get the timid, the paranoid or just plain “newbie” to come join us? By the way, at this point, aren’t they only showing properly rational behavior given the identity theft and account compromise coverage they see and hear daily?

We need to give our current and would-be customers a security environment that protects them not only from the thieves, but from themselves and the complexities of their computing environment. Customers shouldn’t have to maintain associate’s degrees in computer security and keep a “25 best practices” list to get online and get something done. We need to give them secure tools properly designed to be “user-proof”, attacker-thwarting and still simple to use. I know that for me, this is the starting point of all design discussions in my particular arena, strong authentication and digital credential issuance. How about where you ply your trade?


Pictures and fraud detection

Friday, February 23rd, 2007

If you haven’t had a chance to read the Harvard / MIT study on users’ lack of attentiveness to various visual clues, including the ludicrous “pick a picture” scheme popularized by Passmark, you should go give it a look. It is aptly titled “The Emperor’s New Security Indicators”.

Louie Gasparini, co-CTO of the consumer division of RSA (the security division of EMC), who is stuck selling the Passmark site-to-user authentication technology, was given a chance to respond to this study over at the Wall Street & Technology blog. My response to his response is the first comment on that page or, for your reading pleasure, as follows:

I find it interesting that Mr. Gasparini would use the door lock analogy given that he’s arguing for a security system that is completely reliant on the equivalent of motion detectors alone in a physical security system. Fraud detection techniques, the invisible authentication he alludes to, are a perfectly reasonable approach in a layered approach, but not as the only layer. The Harvard / MIT study and Mr. Gasparini’s own response point to the fact that the entire, supposed 2-way, 2-factor picture mechanic is nothing more than a “reassuring” device and of no security value at all. So where are the layers?

How many motion detectors, pressure pads, video surveillance cameras would you need to have in your house or business before you would feel comfortable to remove all the doors and windows? Yet, this is what consumers are being asked to put up with from those that want their online business, but aren’t willing to exert anything but the bare minimum to protect themselves and nothing to protect the consumer. Bank risk mitigation? Yes. Consumers though, feel good with your pictures, manage your own risk and good luck out there.

Until we security professionals can impress upon our business application colleagues / customers that we need to do something from the client side and not just the server side, customers remain on their own. “Caveat emptor” should be changed to “caveat surfer”.

I want to build on this in following posts. In the meantime, ponder who is to blame for the sad state of affairs that exists with regard to how chintzy and half-hearted the efforts to secure consumers are, instead forcing them to be their own security experts when they can’t or won’t even follow the seemingly simplest instructions. Also, why do financial institutions fear customers actually calling them for a little security support more than they can envision the revenue upside of more customers actually using a more secure online channel confidently? When will online entities move to use true, strong security features as a competitive driver, similar to when automakers embraced safety features as differentiating components?