Note: This column represents the opinions
of the writer and as such, is not purported as fact
It looks as if work continues on creating a universal authentication system
designed to facilitate the interaction between citizens and governments
through the Net.
According to this story
on Stuff, Datacom has secured the almost $15m contract to develop and
implement the necessary systems.
What does this mean to the average Kiwi and Kiwi businesses?
It looks as if you'll have yet another login ID and password to remember,
which means yet another opportunity for those who engage in identity theft.
The "two factor" system discussed in the story is a reasonable approach
to providing stronger authentication and has been used by some banks for
a while -- but it's not as bullet-proof as you might think.
The goal of this "two factor" system is to provide the legitimate user
with information that would not be available to a phisher or would-be
ID thief -- but the "SMS to your cellphone" method is too simplistic to
be truly effective in the longer term.
It may work more effectively when each transaction is assigned its own second-factor
key, but not if it's simply used as a login authenticator.
How can such a system be circumvented?
Quite simply actually...
The thief needs only install a trojan keylogger as normal, which sends
all keystrokes and data sent to/from selected banking/financial sites
back to the villain's system.
After reviewing this data at their leisure, the thief can then identify
which infected PCs have been used to access large amounts of money.
A proxy trojan is then installed on that machine which works as follows...
When the legitimate user keys in the URL of a selected banking/financial site,
the requests are actually routed (unencrypted and in real-time) to the villain's
computer, where they're logged before passing through an SSL layer to the
requested site. The actual SSL connection only exists between the villain's
PC and the banking site -- the user probably remains unaware that they're
not talking directly to that site.
In effect, the user performs the login and authentication process for the
thief and simply relays data in both directions *until* the logout command
is given. At that stage, the villain returns a fake copy of the site's
logout screen but does not pass on the logout command.
This leaves the user thinking they've logged out -- but the villain still
has a valid session with the bank's site, allowing them to perform any other
transaction they may choose.
What's more -- the thief can perform this sleight of hand from anywhere in the
world and through a plethora of relays and proxies -- making it very difficult
to track them down.
Even a transaction-based (rather than session-based) system could be thwarted
using this real-time proxy system if the thief were to replace the target
account number and perhaps even the amount with their own during the
transaction entry process.
I wonder how long it will be before we see the first examples of this type
of malware and tactic being used to siphon large amounts of money from someone's
bank account.
I also wonder what government will do when it's finally demonstrated
that the "two factor" authentication is not as bullet-proof as perhaps claimed and
the $14.8 million they're spending still doesn't offer quite the levels
of protection they may have expected.