JAN 28

I signed up for a Treasury Direct account this month (so I can buy I Bonds). They have the most impressive online security I've ever seen on a site designed for consumers.

When you sign up for your account, you enter your email address and pick a password. Then they send your account number to your email. You still can't log in, though. They also send you, by postal mail, a personalized decoder ring card. It has 10 columns and 5 rows of letters, presumably different from everyone else's.

When you go to log in to treasurydirect.gov, you punch in your account number as you would on any site. Then you use a virtual on-screen keyboard to enter your password. Many banking sites do this (such as HSBC), but Treasury Direct is the first I've seen that randomizes the order of the keys on the virtual keyboard. This matters because the whole point of the virtual keyboard is to prevent a program on your machine from recovering your password by logging keystrokes or mouse clicks. If the on-screen keyboard is always laid out the same way, a program that records where you clicked learns exactly which keys you pressed, so a fixed virtual keyboard doesn't help at all against that sort of attack and is just an annoyance to the user. Randomizing the layout for each login means a recorded click position no longer corresponds to a fixed character.

The final login step involves the decoder card you received in the mail. The site gives you a list of coordinates (such as B2 and G5) and you have to enter the letters found at those coordinates on your card. Entry of these letters is also done with the randomized virtual keyboard.

Very, very impressive. In this case, the government is the vanguard and a role model for the private sector. Let's hope the rest of the financial industry wakes up some day and follows the Treasury Department's lead.
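The two mechanics described above, modelled as a toy in code so the argument can be checked. This is an added example, not TreasuryDirect's code: the function names, the card's letter contents, the use of `hmac.compare_digest`, and the seed parameters (which exist only so the demo is reproducible; the default is the OS random source) are all assumptions of this example, not anything the site documents. `click_positions` stands in for what a click logger on the user's PC would record, and `replay_positions` shows what those recordings are worth under a fixed layout versus a layout that changes every session.

```python
"""Toy model of a randomised on-screen keyboard and a coordinate
("decoder") card, written as an illustration of the post above.
Not TreasuryDirect's code; names and layouts are assumptions."""
import hmac
import random
import secrets
import string

FIXED_LAYOUT = list(string.ascii_uppercase)   # a keyboard that never changes
CARD_COLUMNS = "ABCDEFGHIJ"                    # 10 columns, as in the post
CARD_ROWS = 5                                  # 5 rows, as in the post


def _rng(seed):
    # A seed gives reproducible demos/tests; otherwise use the OS CSPRNG.
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


# --- randomised virtual keyboard -------------------------------------------

def shuffled_keyboard(seed=None):
    """A fresh key order for one login session (assumed mechanism)."""
    layout = FIXED_LAYOUT[:]
    _rng(seed).shuffle(layout)
    return layout


def click_positions(layout, secret):
    """What a click/position logger on the user's machine would record:
    the on-screen slot of each key pressed, not the key itself."""
    return [layout.index(ch) for ch in secret]


def replay_positions(layout, positions):
    """What those recorded slots mean under a given layout."""
    return "".join(layout[p] for p in positions)


# --- coordinate ("decoder") card ------------------------------------------

def make_card(seed=None):
    """Personalised card: CARD_ROWS rows of len(CARD_COLUMNS) random letters."""
    rng = _rng(seed)
    return [[rng.choice(string.ascii_uppercase) for _ in CARD_COLUMNS]
            for _ in range(CARD_ROWS)]


def lookup(card, coord):
    """Letter at a coordinate such as 'B2' (column letter, 1-based row)."""
    col = CARD_COLUMNS.index(coord[0].upper())
    row = int(coord[1:]) - 1
    return card[row][col]


def issue_challenge(n=3, seed=None):
    """Server side: pick n distinct coordinates for this login attempt."""
    cells = [f"{c}{r}" for r in range(1, CARD_ROWS + 1) for c in CARD_COLUMNS]
    return _rng(seed).sample(cells, n)


def verify_card_response(card, challenge, response):
    """Constant-time check of the letters the user typed for the challenge.
    A wrong length or wrong letters both fail; case is ignored."""
    expected = "".join(lookup(card, c) for c in challenge)
    return hmac.compare_digest(expected.encode(), response.upper().encode())


if __name__ == "__main__":
    secret = "SECRET"                      # constructed sample password
    pos = click_positions(FIXED_LAYOUT, secret)
    print("slots recorded on fixed layout      :", pos)
    print("replayed on the same fixed layout   :", replay_positions(FIXED_LAYOUT, pos))
    print("replayed on today's shuffled layout :",
          replay_positions(shuffled_keyboard(), pos))
    card = make_card()
    chal = issue_challenge()
    answer = "".join(lookup(card, c) for c in chal)
    print("challenge", chal, "verified:", verify_card_response(card, chal, answer))
```

The fixed-layout replay reproduces the password from click slots alone, which is the post's point that a static virtual keyboard adds nothing; the same slots replayed against a reshuffled layout decode to unrelated letters. The card check only proves possession of the card for the three cells asked about, so a server should pick fresh coordinates per attempt and rate-limit failures, as the code's `issue_challenge` assumes.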

tags: security banking
JUL 14

Back when we designed the security for Wireless USB, one of the attacks we protected against was the man-in-the-middle attack. From a product marketing perspective, this was one of the hardest features to get agreement on because it requires the end user to perform a manual verification step.

Many people think that manual verification hurts usability unnecessarily since, in their eyes, MITM attacks are very difficult to do. Their reasoning is as follows: It's extremely unlikely that an attacker would be present at the exact moment in space and time when the end user performs the security pairing. Therefore we really don't need MITM protection.

However, the more paranoid members of our team correctly pointed out that it would be trivial for an attacker to simply jam the transmission of one of the devices. The connection would then stop working. When faced with this situation, most users "reboot" the devices and perform the pairing ritual again.

We ended up including fairly robust protection against MITM attacks, which is a good thing, since a recent article discusses how easy it is to force a Bluetooth device to dump its pairing data and initiate the rekeying process. That attacks the protocol directly and is even easier to accomplish than the denial-of-service-style jamming attack we were concerned with.
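The manual verification step the post argues for, as an added example rather than the Wireless USB or Bluetooth pairing code: a toy Diffie-Hellman pairing in which each device derives a check code from the key it agreed on and the user confirms the two displays match. The group parameters (a 127-bit Mersenne prime, generator 2, overridable for small worked cases), the function names, and the way the code is derived are assumptions of this example; real pairing protocols use vetted groups or elliptic curves and their own code-derivation rules. The point it demonstrates is the one from the post: an attacker sitting between the devices at pairing time ends up with two different keys, so the codes disagree and the user refuses the pairing, whether the pairing happened the first time or after a jammed connection forced a repeat.

```python
"""Toy pairing with a manual check-code comparison, as an illustration of
the MITM argument above. Not Wireless USB's or Bluetooth's real protocol;
the group and the code derivation are assumptions of this example."""
import hashlib
import hmac
import secrets

# Toy parameters: a 127-bit Mersenne prime with generator 2. Labelled as toy;
# a real protocol uses a vetted DH group or an elliptic curve.
P_DEFAULT = (1 << 127) - 1
G_DEFAULT = 2


def dh_private(p=P_DEFAULT):
    """Fresh random exponent in [2, p-2]."""
    return 2 + secrets.randbelow(p - 3)


def dh_public(priv, p=P_DEFAULT, g=G_DEFAULT):
    return pow(g, priv, p)


def dh_shared(priv, other_pub, p=P_DEFAULT):
    return pow(other_pub, priv, p)


def check_code(shared, own_pub, peer_pub, p=P_DEFAULT):
    """Full-length code each device computes from the agreed key. Both public
    values are hashed in (sorted, so each side gets the same order) so the
    code is bound to exactly the two values exchanged in this run."""
    size = (p.bit_length() + 7) // 8
    lo, hi = sorted((own_pub, peer_pub))
    h = hashlib.sha256(shared.to_bytes(size, "big")
                       + lo.to_bytes(size, "big") + hi.to_bytes(size, "big"))
    return h.hexdigest()


def display_code(code, digits=6):
    """Short decimal form shown on each device's screen for the user to compare."""
    return f"{int(code, 16) % 10 ** digits:0{digits}d}"


def user_confirms(code_a, code_b, digits=6):
    """The manual step: the user reads both screens and accepts only if they match."""
    return hmac.compare_digest(display_code(code_a, digits), display_code(code_b, digits))


def pair(a_priv, b_priv, p=P_DEFAULT, g=G_DEFAULT, mallory=None):
    """Run one pairing between device A and device B.
    mallory=(m1, m2) puts an attacker in the middle who completes a separate
    exchange with each side. Returns what each side ends up holding."""
    a_pub, b_pub = dh_public(a_priv, p, g), dh_public(b_priv, p, g)
    if mallory is None:
        a_sees, b_sees = b_pub, a_pub           # genuine public values arrive
    else:
        m1, m2 = mallory                         # attacker substitutes its own
        a_sees, b_sees = dh_public(m1, p, g), dh_public(m2, p, g)
    a_shared = dh_shared(a_priv, a_sees, p)
    b_shared = dh_shared(b_priv, b_sees, p)
    return {
        "a_pub": a_pub, "b_pub": b_pub,
        "a_shared": a_shared, "b_shared": b_shared,
        "a_code": check_code(a_shared, a_pub, a_sees, p),
        "b_code": check_code(b_shared, b_pub, b_sees, p),
    }


if __name__ == "__main__":
    a, b = dh_private(), dh_private()
    honest = pair(a, b)
    print("honest pairing, codes match :", user_confirms(honest["a_code"], honest["b_code"]),
          display_code(honest["a_code"]), display_code(honest["b_code"]))
    attacked = pair(a, b, mallory=(dh_private(), dh_private()))
    print("MITM pairing, codes match   :", user_confirms(attacked["a_code"], attacked["b_code"]),
          display_code(attacked["a_code"]), display_code(attacked["b_code"]))
```

A six-digit display code leaves an attacker a one-in-a-million chance per attempt of the two screens matching by luck, which is why the step is worth the usability cost the post describes and why the comparison has to be repeated on every pairing, including the one a user performs after a jammed link. Skipping the comparison is exactly what the post's product-marketing colleagues wanted, and the toy shows what that gives up.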

tags: security wireless bluetooth
JUL 15

The Emperor's New Security Indicators is an extremely interesting (and terrifying) journal paper presented at the 2007 IEEE Symposium on Security and Privacy.

Mandatory reading for anybody working on security, and it should prove very interesting for everybody else.

Conclusions from the paper:

  • Users will enter their passwords even when HTTPS indicators are absent
  • Users will enter their passwords even if their site authentication images are absent
  • Site authentication images may cause users to disregard other important security indicators
  • Role playing has a significant negative effect on the security vigilance of study participants
  • 36% of study participants who were using their own personal banking account chose to log in after seeing an explicit warning page saying that the connection was probably insecure

tags: security
SEP 10

I use PasswordMaker to create really strong passwords for use on web sites. It's great. Unfortunately, there are many slacker web sites out there that don't allow punctuation or symbols in passwords. Not only does this make it very hard to use a tool like PasswordMaker, but it also means that they offer significantly weaker security to their users.

Here's the Weak Password Website Hall of Shame (which I will keep updated moving forward):

  • American Airlines
  • American Express
  • America West/US Airways
  • Banana Republic
  • Best Buy
  • Chase Bank/Credit Card
  • HSBC Bank
  • Staples
  • SourceForge
  • TD Ameritrade
  • ... more to come ...

tags: security