Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror

Comment Re:Passwords (Score 1) 409

You are correct about the security uselessness of the OTP devices however I would suggest you checkout my passwindow 2FA method which isnt vulnerable to phishing / MITM / MITB etc because it can do passive mutual authentication and include transaction information in the window. There are details on the security page. Its also just a cheap piece of plastic which fits in your wallet and is easy to distribute by letter.

Comment Theres not many solutions to this problem... (Score 1) 113

Yes this does happen, they dont even need to install a trojan on your computer they do it with phishing pages which have a jabber instant messenger client which instantly relays the OTP (one time password) to a server which does an immediate backconnect to the bank etc and logs in. The other way they are bypassing these devices is through a trojan on the computer and they hijack the browser, MITB man in the browser. The OTP security token method is pretty much useless actually not really protecting against much at all which isnt already covered by ssl. The problem with the OTP devices is they are only one way authentication. The MITB attacks defeat just about everything else available even recently the active mutual authentication electronic tokens. About the only online authentication method which isnt vulnerable is the passwindow cards as they are the only online authentication I know of capable of passive mutual authentication. (active means a human has to do something and then gets tricked by the torjan in the browser, passwive is where you just view and dont do anything except enter the password) http://en.wikipedia.org/wiki/Mutual_authentication

Comment Side channel attack proof? (Score 1) 200

Id be interested to know what if any crypto they are using in the cards. Id also like to see them run through these side channel "analysis" kits I saw a very good demonstration of recently http://www.riscure.com/inspector/product-description/inspector-sca.html which includes modules for 3-DES, AES, RSA and ECC and are able to determine the secret keys or ID right off smartcards without damaging them. To my mind the writing is on the wall for smart card technology and in 5-10 years these "analysis" kits will be as small,fast,convenient and cheap as the magnetic stripe reader/writers are today.

Comment Odesk isnt bad either (Score 1) 735

I cant believe these sites didnt get immediately mentioned, everyone I know goes to them to get program written and have done for years now. Theres loads of great programmers sitting around with nothing to do in xyz country who will do code at a fraction of the price it would cost me to do it.
Google

Security Expert Warns of Android Browser Flaw 98

justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'" Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.

Comment Albert Gonzalez (Score 1) 484

While he didnt come to them squeaky clean he did become from their point of view "one of the good guys" working alongside NSA agents, giving talks at their conferences etc all the while in his spare time ripping off millions of credit card numbers even using some of the government servers in the attacks. The Gonzalez trial is such a public spectacle I cant help but think that might have influenced their attitude.

Comment Good study, would have preferred a more diverse (Score 1) 105

Interesting study however needed a more diverse range of sample testers all of which were early twenties volunteer university graduates. I only bring this up because I see a very different responses to CAPTCHAS. The response and attitude towards CAPTCHAS from young university people hanging around the IT labs where this was most likely advertised will be far far different to the average online citizen. . Im not sure how accurate this is but out in the non IT section of society CAPTCHAS are loathed and hated beyond belief, also the failure rates sound spectacular. Full credit for the new variations on the old warped text captchas but I hazard a guess that those bizarre mental challenges are not going to fly with your average joe. In fact its amazing that captchas have entered mainstream at all. Im sure the study was limited with money and time but I look forward to a more mainstream diverse study.

Comment Re:Primer on how to get caught. (Score 2, Interesting) 66

Many ZeuS packages have an option to remove the outgoing transactions from the user's browser as part of the MITB package, this includes changing the balance total to before the outgoing transactions were made so the user wont know until a paper statement turns up if one ever does as many banks are ditching paper statements in favor of browser based ones. And since they are now using the same trojan tactics on users mobiles to defeat mobile sms authentication I am sure you will see a Zeus mobile trojan upgrade to divert any calls made to the banks hotline number to an even more "helpful" team who will probably need even more user information "to get to the bottom of this please give us your..." /s

Comment Possible online fraud attack with virtual numbers? (Score 1) 242

I am curious, some people above have mentioned that their online bank account allows them to instantly generate virtual credit card numbers. I am wondering with the trojans like Zeus etc which actively go after online accounts instead of the trojan trying to authenticate an outgoing transfer to a local mule account they could or are switching tactics and going after banks these virtual number generating accounts and then sucking the money out of the accounts from anywhere through the virtual card number charges. I know with the existing schemes they have to bounce the outgoing cash off a local mule and pay him 10% before sending it out overseas but a credit card transaction would rarely be flagged as fraudulent and if the trojan owns the browser like zeus does the account holder wouldnt even know their account was being drained. Can anyone explain why this isnt feasible? Id like some of the above mentioned account holders to explain what authentication is required by the bank websites to generate the card numbers?

Comment Re:Nice responses to the original article (Score 1) 144

Interesting, no doubt there will be more of that type of fraud in the future. So what exactly were in the boxes? fake credit cards? Sorry Im a little confused about the CDRW drives. I work in fraud prevention and after my last post here sure enough I had had a report of exactly what I described. Some African guy in Italy sending out paper letters around the world simply asking for cash. "To the responsible, Honest, humble, handicapped italian man. Financially needy. Open to any proposal, Western union or credit card. Blah Blah.. Thanks.." So yeah they went ahead and did it, cut out all the complexity and just went straight for the money, I guess they did drop in the handicapped angle for sympathy. If I thought I would get a straight answer id almost pay just to know what his ROI is.

Comment Re:Nice responses to the original article (Score 1) 144

Your right, someone could ask for the person to mail their card and they would also need to include their online username and password but for my liking this is getting too close to a rubber hose attack. It would only take one of the billion people who get such a letter to report the physical address to police and the whole scam goes down and also the attacker must start physically injecting himself into the scam which generally isnt the reason they got into online fraud in the first place.

Still its an interesting point I have often wondered if you sent out a billion letters just saying Hello, please send me your money. signed Matt what sort of return on inventment you would get.

Comment Re:Nice responses to the original article (Score 1) 144

Dont forget me with my PassWindow :)
*Works on any device irrespective of OS or software.
*Doesnt matter if a trojan or malware is present on the device, assumes malware is present.
*Costs practically nothing to implement.
*Not vulnerable to phone based extensions of the above attack where users are called and socially engineered out of their authentication keys.

Comment Re:PassWindow could have prevented this (Score 1) 144

Yes, when the whitepaper was done and PassWindow was initially featured on Slashdot it was a static challenge with several digits in the static challenge, these were interceptable in say 30 interception so a month or 2 worth of normal use. However since then weve had some major breakthroughs beyond just switching to the purely animated cyclical method, weve been able to easily achieve interception rates of 10K plus with very little usability obfuscation. A side benefit of this new method is the analysis doesnt actually give the attacker a clear probablistic determination at say 80% of the necessary number of interceptions, actually its only until the last few interceptions that it all falls into place for the attacker so a guess at 80% isnt knowing 80% of the key pattern. Of course since the whole key process has been pre analyzed its managed and a new card can be issued before it gets anywhere near this number of authentications which might compromise the key pattern. Once you start talking thousands of interceptions required by a normal user even if they authenticate every single day of the year and the attacker is prepared to analyze over a number of years he still wont get anywhere near the numbers required and the average membership card usually only has a few years of life in it anyway. But beyond that the EMV chip doesnt help online based authentication as was shown in the article, its not even helping much of the atm fraud it was desgined for where most ATM's in the world dont even check the EMV chip. The associated CAP readers which use the digital key off an EMV chip for their online authentication use the exact same method of authentication as provided in the article and we can see that has failed.

re telephoto lens attack etc, you are incorrect, it is not trivial to copy as we simply tint the key pattern, in normal lighting conditions it appears black but screens are quite bright and still allow the user to see quite clearly. This is without even going into transflective laminates etc, really the only way would be with a rubber hose or physical interception and there EMV will fail too. A piece of transparent plastic card costs less than a few cents and so if a bank was really paranoid about their user's waving their credit cards around in public they could easily issue a separate card. A digital version could also be constructed however the costs outweigh the benefits.

Slashdot Top Deals

"In order to make an apple pie from scratch, you must first create the universe." -- Carl Sagan, Cosmos

Working...