December 18, 2010

"Compound threats" to appear in 2011 ?

One of the things that happened a while back was the arisal of the MITB, which spooked the online banks in Europe. They aggressively pushed forward on their multi-factor approach: using the cell-phone (which Europeans colloquially call the Handy) to confirm the transaction.

It was recognised at the time that his was a good solution due to the divergence of the two platforms. A hacker could hack the browser, but not the phone. But the next development was also expected: an attack that covered both platforms.

Now, there is suggestion that this might be expected to emerge:

McDaid warned, for example, that criminals are increasingly targeting mobile banking and NFC-enabled payments. “I 100 per cent expect these kinds of attacks to increase next year, not just malware attacks but compound threats too,” he explained.

“This is where criminals exploit SMS, email, phone calls and other channels to target victims.”

Next step after that? Well, we go back to dumb phones. But this time, the phones are tasked just to do the online payments, and there are no other apps downloadable. Reasonable? Yes, because the basic phone price in bulk has now dropped to a few bucks. Downside is convincing consumers to use it. Upside is that we can do it if we can get them to think of them as credit cards ...

All in a days work for the strategic marketing department of your bank. If they've got one :)

Posted by iang at December 18, 2010 06:23 AM | TrackBack


I predicted the failure of smart phones and SMS side channels some considerable time ago about the time phones moved off of WAP and had "proper web browsers" that included the either the phones electronic serial number or phone network identity number in the browsers identity string sent to the web server...

Some time later I had an argument over on lightbluetouchpaper about it (one of the Camb Lab researchers was involved with a startup and had produced a smartphone app to do transaction authentication).

The usual argument is still as then "it's signed code we can tust it" which used to make me laugh now it just makes me shake my head sadly.

As recently noted by Gunner over on 1raindrop lawyers don't use the word "trust" for good reason.

Authentication is a hard problem, transaction authetication doubly so (with appologies to Douglas Adams ;)

That is BOTH ends need to reliably authenticate each other, it does not matter how many factors you have in the authentication if it is only one way authentication...

Further every transaction has to be two way authenticated and the "token" doing the authentication has to be realy immutable when in use (that is no upgrades over the air, and physical interlocks and tamper evident seals). And most importantly the human has to be the only link between any side channel (token) and the transaction system as technical only solutions can be subverted.

The "banks and other financial institutions" do not appear to "get it" but in reality they don't care as they have externalised all but the PR risk in most cases. And it is the bad PR risk that drives them forward on sorting out authentication but they are anything up to ten years behind the curve in their thinking let alone their actuall implementations.

Oh and there are other issues with side channel tokens, trying to convince people that they need to carry another phone as it's just like a credit card is going to be a hard sell.

If you think about it you can get something like twenty credit cards in the average wallet and still put it in your pocket with relative ease. There is no way you can get one phone in the average wallet and there is no way most people are going to carry an extra phone just to get bank SMS's and phone calls. And sharing a phone with multiple banks has all sorts of currently unregulated security and personal privacy issues.

Then there are issues with secondary services such as SMS, where neither timely delivery or delivery at all are guarented. And even primary (voice) services now have issues due to the likes of pico cells (call them "personal base stations" but imagine they are 100% owned by a fraudster as might well happen near a cash point in a busy tourist or passenger transit area where card skimming is traditionaly high).

As I realised well over fifteen years ago authentication is a very hard problem which side channels via tokens or mobile phones potentialy could help with. I then realised a little over ten years ago that the problems did not go away with the tokens they just moved and changed appearance. I also realised that no mater what the technology it could be subverted in some way and thus could not be made secure unless "authentication went through the human".

So ultimatly the limiting factor is a matrix of technology failings and human failings as a bottle neck...

Whilst the technology failings can be "patched" not so the human failings and as I found with Capatchas trying to leverage solutions using apparent human strengths over technology can be subverted by paying an anonymous individual in some low cost of living area a few cents to be the substitute human in the fraudulant transaction...

Posted by: Clive Robinson at December 19, 2010 12:49 AM

not only compound ... but also "flash" ... the (ooda-loop) tempo significantly accelerates.

Card Fraud: 'Flash Attacks' and Wireless Transmissions

from above:

Gartner's Litan says emerging card-fraud schemes such as 'flash attacks' highlight the need for stronger cardholder authentication and transactional analytics.

... snip ...

"something you have", "something you know", and "something you are" authentication that involves "static data" with skimming/evesdropping/harvesting exploits and some form of replay attacks (reproducing the "static data") has been around for decades

i would contend that capatchas aren't countermeasure to "replay attacks" ... but trying to slow-down automated attacks (trying to force a real human somewhere in the loop). The attackers are responding with better technologies (w/o human in the loop) and/or semi-automated with some human participation (somewhat analogous to large call center operation).

Posted by: Lynn Wheeler at December 19, 2010 10:49 AM

@ Lynn,

"The attackers are responding with better technologies (w/o human in the loop and/or semi-automated with some human participation(somewhat analogous to large call center operation)"

Yes and it is our own fault.

We have never raised the security bar sufficiently to stop the attackers.

Each time we raise it it is like putting the apple just out of reach so the attackers learn to jump, so we raise it again and they get something to stand on etc...

That is we are causing an evolutionary response in the attackers who learn to get the next layer of fruit up the tree.

Or to put it another way we've trained them in turn to climb knolls, hills and mountains. and in the process they have also learnt to use ropes and design petons, crampons, ice axes, belays and all the other tools they need to get to the summit every time...

Posted by: Clive Robinson at December 21, 2010 10:45 AM

there has been lots of discussions that financial institution have some interest in preserving fraud ... since significant amount of interchange fees have been fraud "pro-rated". A couple years ago there was report that payment transaction fees account for less then 10% of european institution bottom lines but 40% (or in some case more) for US institutions.

specifically with respect to internet fraud ... there were a number of "secure" internet payment products being pushed at the beginning of the century ... with high acceptance rates by the major internet merchants. then came the word that the interchange fees for these products would effectively be an additional surcharge on top of the highest interchange fraud rate. This resulted in major cognitive dissonance among merchants who had been conditioned for decades that fees are proportional to fraud/risk (and had been expecting major fee decrease with the new products).

Plugging the payment transaction fraud ... is also likely to drive the crooks to other forms of attacks ... likely involving "identity theft" form involving opening new accounts (as opposed to payment transactions "identity theft" with fraudulent transactions against existing accounts). This would become purely a financial institution risk (not easily charged off to merchants) and also involves various gov. "know your customer" mandates. Customers have been taken some hits by financial institutions (for this kind of "identity theft") ... but an increasing number have involved "synthetic IDs" (where there is no corresponding real person).

One might claim that the institutions are playing a delaying game, maintain the current paradigm for as long as possible (with only small incremental changes) ... since it is so enormously profitable for them. The other issue is the game-changing paradigms in the payment landscape is likely to commoditize the payment business; significantly reducing costs and opening it up to lots of competition (that would come with any significant reduction in risk/fraud).

My other analogy for the current paradigm is occupying a valley floor with little cover and the opposing forces having all the high ground ... resulting in an enormously target rich environment.

Posted by: Lynn Wheeler at December 21, 2010 12:44 PM

this is discussed quite a bit in "naked payment" metaphor posts

also here in previous financial cryptography "naked payment" threads:

and recent related discussion in (linkedin) ibm alumni disucssion group

Posted by: Lynn Wheeler at December 21, 2010 01:12 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.