Thanks Steven.
You explained that:
The tampered terminal implements the disconnected card reader protocol and requests two authentication codes: an "identify" code for login, and a "sign" code to initiate a transfer.
Isn't this highly unusual behaviour for a POS Terminal? Surely a terminal only ever prompts for the PIN. This is what I meant by Social Engineering: Not only must you tamper with the terminal, but you must also suck the customer into entering Internet-related data at the terminal at the store.
So I don't see this attack as being especially momentous. Isn't it easily overcome by having the Internet authentication protocol involve a nonce to make the OTP non-replayable? And obviously educating customers to not enter superfluous details at a retail terminal.
For these terribly weak CAP implementations where the OTP lasts indefinitely and is replayable, I would have thought that a Man-in-the-Middle attack, or good old phishing attack to garner codes online would be more fruitful than opening up terminals and re-programming the firmware (but not as much fun).
28 Oct 2009 17:31
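The replay point in the comment above (a code harvested at a tampered terminal is only useful later if the bank accepts it without binding it to a fresh challenge), worked through as an added example. This is not code from the thread, from Lockstep or from any real CAP implementation: the card-side computation is a stand-in HMAC over the account number (real CAP readers drive EMV cryptograms), the key and account number are constructed, and the only thing being demonstrated is the difference between a static "identify" code and one bound to a bank-issued single-use nonce.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed example: the symmetric key a CAP-style card shares with its
// issuing bank. Not a real key.
var cardKey = []byte("constructed-card-key-0123456789abcdef")

// otp derives a short code from the card key and an input string. If the
// input is static (account number only) the code never changes, so a code
// harvested once is good forever. If the input includes a bank-issued nonce,
// the code is bound to that one challenge.
func otp(key []byte, input string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return hex.EncodeToString(mac.Sum(nil))[:8]
}

// Bank is the server side for one account.
type Bank struct {
	key          []byte
	account      string
	useChallenge bool
	outstanding  map[string]bool // nonces issued and not yet consumed
}

func NewBank(key []byte, account string, useChallenge bool) *Bank {
	return &Bank{key: key, account: account, useChallenge: useChallenge,
		outstanding: map[string]bool{}}
}

// Challenge issues a fresh single-use nonce for a login session.
func (b *Bank) Challenge() string {
	buf := make([]byte, 8)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(buf)
	b.outstanding[n] = true
	return n
}

// Login reports whether the presented code is accepted for this account.
func (b *Bank) Login(nonce, code string) bool {
	if !b.useChallenge {
		// Weak scheme: the code depends on the account alone and is accepted indefinitely.
		return hmac.Equal([]byte(code), []byte(otp(b.key, b.account)))
	}
	if !b.outstanding[nonce] {
		return false // never issued, or already used
	}
	delete(b.outstanding, nonce) // single use
	return hmac.Equal([]byte(code), []byte(otp(b.key, b.account+"|"+nonce)))
}

// ReplayHarvestedCode models the attack in the story: a tampered terminal
// drives the victim's card to produce a code at the store, and the attacker
// presents that code to the bank later. It reports whether the attacker gets in.
func ReplayHarvestedCode(useChallenge bool) bool {
	const account = "12345678" // constructed account number
	bank := NewBank(cardKey, account, useChallenge)

	// At the store. The terminal can feed the card any challenge it likes, but
	// it cannot know the nonce the bank will issue for a session that does not
	// exist yet.
	harvested := otp(cardKey, account)
	if useChallenge {
		harvested = otp(cardKey, account+"|"+"terminal-chosen-value")
	}

	// Later, online. The attacker starts a session; under the challenge scheme
	// the bank issues a fresh nonce that the harvested code was not computed for.
	nonce := ""
	if useChallenge {
		nonce = bank.Challenge()
	}
	return bank.Login(nonce, harvested)
}

func main() {
	fmt.Println("static code, replayed later:", ReplayHarvestedCode(false))
	fmt.Println("nonce-bound code, replayed later:", ReplayHarvestedCode(true))
}
```

The nonce closes the store-then-replay-later attack but not the real-time Man-in-the-Middle case the comment also mentions: a terminal (or phishing site) that relays the bank's live nonce to the card and forwards the response within the session gets a valid code, because nothing in this scheme tells the card what the code will be used for.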
I actually don't understand the attack (perhaps some technical details were left by the BBC on the cutting room floor).
The reporter in the video clip says that a 'one time code' is retrieved by the attacker from the compromised retail terminal, and then used together with the name and account number to log on to the victim's net banking facility.
What sort of one time code exactly? Also, it's not clear if this attack is designed to bypass the unconnected Chip-and-PIN Card reader that might be used at home to authenticate Internet banking logon, or whether it is used against a single factor logon protocol.
Perhaps the attack involves a measure of social engineering as well, where the tampered terminal is prompting the customer to enter Internet related secrets as well as regular card-present transaction details (PIN)?
Thanks in advance for any amplification.
Stephen Wilson, Lockstep.
27 Oct 2009 20:34
Dean edited his original blog instead of adding a sequential comment, and I didn't immediately notice his new material ...
Update Stephen - Tuesday October 13th ABC 7.30 Australian ID Card by stealth. The medicare card 'morphs' into an IDiot card. Perhaps you might like to find it on the ABC site and view it.
Actually I've already studied the 7:30 Report story Dean. You have it wrong. While there is a lot of work to be done to define a new Medicare smartcard, initial indications are that the Rudd government -- if it goes down this path at all -- will be light years away from previous governments' flirtations with ID cards. Health Minister Roxon has carefully and properly characterised any future Medicare smartcard as being (a) dedicated to health, and (b) not used to carry records but rather to carry health-specific identifiers. These are some of the hallmarks of a good, privacy-enhancing smartcard, as experts in this field have long argued, including the Australian Privacy Foundation.
Dean, there is nothing in the 7:30 Report story to suggest that the new idea is morphing into an ID card. You drop the phrase "Australian ID Card by stealth" when citing the story but that's your editorial. There is nothing in the report about stealth or identity cards.
Your assertion about morphing is baseless, and disregards the fresh approach to a Medicare card. I have to say that you are either ignorant of the important details of the smartcard debate, or else you are deliberately misrepresenting what the new approach might be.
I quote you "I have no idea what strawman ID card Dean Procter is taking aim at.." Let's shorten it to your first four words - an apt quote for you -"I have no idea". Perhaps get one before you set the tone of our conversation next time.
Dean, the tone of this conversation was set long ago by you, with your hollow blustering about "IDiot" cards, and your unsubstantiated ambit claims about smartcards being flawed, especially your wild idea that the RSA algorithm has been "hacked". Then you mangle my words to say that I have "no idea", in a continuation of your own abusive tone.
I've been trying to raise the tone. Without getting personal, I've been trying to set the record straight on a couple of specific misrepresentations or misunderstandings, such as the idea that "any card reader carrying impostor" will be able to scan your smartcard, or the underlying phobia that "smartcard" equals identity card.
If you're worried about tone, then I suggest you engage in the actual debate and stop name-calling.
Stephen.
15 Oct 2009 03:10
If there is an issue then do all the cards become junk?
What sort of issue? Multi-programmable smartcards can have their firmware upgraded post-issuance to deal with bugs, and to deploy new security countermeasures as the cybercrime arms race proceeds. In the worst case event of a fatal flaw, then smartcards can be withdrawn and a fix re-issued, as any security device. But it's worth noting that wholesale replacement is a dramatic step that is almost always avoidable, by implementing other fixes. Think about OTP generators: for years they've been regarded by purists as fatally flawed (in respect of Man in the Middle attack) and yet no bank has felt compelled to swap them out. The same goes for magnetic stripe cards themselves. Yes there is an "issue", but no, they're not all junk.
So please Dean, enough already of the woolly FUD about smartcards having "issues" and needing to be replaced.
Stephen - your last paragraph is testament to our security but misses the point about whether this card solution is a solution to anything except ensuring a cash-flow out of the public purse for a very poor return.
Dean evidently subscribes to the security-by-obscurity theory, which is totally discredited. Good security should be vested in publicly scrutinised design, not in secrecy. If you're a security product developer, who advances a particular solution (while rabidly criticising all others) then the onus is on you to be transparent, so independent evaluation can be done.
Finally I end with a call for honesty - if everyone needs to buy a reader to participate then why weren't the public told all the facts in the first place?
Well once again, it's hard to know what card scheme Dean is criticising. While I do strongly advocate engineering government smartcards with advanced security so they can be used by consumers for G2C and even B2C transactions, there are sadly few examples anywhere in the world where this is actually done (Estonia being a rare example). So, if Dean is referring to the UK National ID System, then as far as I know, it is not necessary to buy a smartcard reader to "participate". And if it were necessary, then I think this could be a very good thing, if it meant that consumers could avail themselves of improved Internet security tools.
15 Oct 2009 02:30
Dean, you cover so much territory and mash up so many different issues, it's hard to follow. Some of your points are certainly valid, but they have nothing to do with smartcard technology.
To answer some of the concerns ...
"I fail to see how the primary concerns of individuals - that of being able to participate in the identity scheme is met by the ID-iot card."
It would help if you were specific about what ID card you're criticising. There are many different models in action and on the drawing board. Malaysia, Hong Kong, Estonia, and the UK have markedly different architectures and philosophies. Note that no ID card is on the horizon for Australia.
BTW I am no fan of ID cards generally; I agree they're not a good response to terrorism. But I do advocate targeted use of smartcards for securing e-government services, because smartcards are the best way to deliver mutual authentication, and the best way to stop attack and replay of personal identifiers online.
"What the card carriers don't want us to know is that they'll be absolutely useless to anyone without the reader. This means people interacting on the net, in the street will not have the privilege of being able to confirm anyone's identity, unless they have the reader which, the cheapest I could find was about $20. So the public would have to fork out another billion dollars to participate and prove their identity online?"
Some of this is very silly. DVDs too are absolutely useless to anyone without a player. If buying a $20 card reader represents the public 'forking out billions', then what does it mean to have to buy a PC to access the Internet? Trillions perhaps? In any case, we're seeing smartcard readers increasingly built in to standard notebooks. Mine has one. Look up the new Dell e6500 which has both contact and contactless card readers as standard.
Dean then skips across a range of public safety issues:
"I need a little help in understanding exactly how they make the world a safer place. The IRA had no trouble getting into London whenever they wanted to. ... Tube Risk From RFIDiot chips ... In fact the miss-use of these type of chips puts the lives of Britons in more danger every day ... I don't see how we 'need' these IDiot things to protect us from terrorism".
There are some worthy points here, but they're lost in a bizarre mash up of RFID and government ID. They're different beasts. Elsewhere in his original blog, Dean chose to mix in the spectre of DNA weapons, and the risks of various encryption systems being "hacked" (some of the risks more imagined than real) and comes up with an incoherent conclusion that smartcards are no good.
What about this for a considered and consistent approach (mine):
- Government ID cards are not a quick fix for terrorism or border control
- Smartcards are good for protecting individual identity online, in applications like credit card payments, e-health, e-voting and anonymous participation in OSNs
- There is no such thing as perfect security
- But the better smartcards have a range of encryption, access control, tamper resistance and anti-copying mechanisms, which in the higher end architectures like FIPS 201 have not been defeated.
"Does anyone think about these sorts of things or perhaps they're just focusing on the vendor's luncheon wine-list and their next holiday?"
Gratuitous insults and the smug "IDiot" slogan don't lend authority to what is a very hollow criticism of smartcard technology. And I think it's a bit rich coming from someone who has spent years grandiosely advertising his own cell phone based solution but who steadfastly refuses to reveal how it works.
11 Oct 2009 05:53
The main comedy here is that Dean Procter presents a grab bag of unsophisticated media reports as some sort of "argument".
A number of security systems have indeed been subverted over time, almost always because of poor design in the key management.
No, I don't remember RSA encryption being cracked. It has never happened. If Dean is thinking of the cases of short (512 bit) RSA keys being attacked by brute force, then it's misleading or ignorant or both to call this "cracked".
And he hasn't come up with any examples of late model smartcards like FIPS 201 being attacked.
To borrow from former PM Paul Keating, debating smartcard security with Dean is a bit like being whipped by a piece of wet lettuce.
Stephen Wilson, Lockstep Technologies.
11 Oct 2009 01:12
I have no idea what strawman ID card Dean Procter is taking aim at in his latest oblique pitch for the magic and inscrutable Transinteract. I am not aware of any actual government DNA scheme.
I would have ignored the entire rant except for an important misrepresentation about smartcards. He suggests that "any card reader carrying impostor" will be able to take your smartcard and make away with its contents. This is quite wrong. Well designed smartcards employ mutual authentication, so that the card detects what sort of reader it's been inserted into, and will only divulge information to readers that are cryptographically verified by the card. This is one of the reasons they're called smart. You cannot stick a decent smartcard into any old reader and scan it (which of course is the fundamental point about EMV).
If Dean has examples of hackers outsmarting sophisticated cryptographic smartcards, like the FIPS-201 and the EU smart health card breeds, then let's see 'em. Otherwise, his sweeping generalisations criticising smartcards in favour of his own secret solution are utter hyperbole.
10 Oct 2009 09:46
I agree strongly with Nick and Joe. Yes there are alternatives to chip cards to address card skimming, and there is a host of non-chip solutions to other fraud modalities too, but they're all ad hoc, or short term.
It's important I think to focus on the underlying vulnerability that enables most identity related frauds, namely the replayability of ordinary digital data. To properly tackle most payment fraud, we must prevent the replay of ID data (most feasibly through asymmetric cryptography i.e. digital signatures). And we should protect users against real time fraudsters (phishers, pharmers) through intelligent personal security devices.
In plain English, the unique and powerful thing about smartcards is they can tell what's going on around them. Smartcards (and their intelligent cousins SIMs, smartphones, USB keys etc.) can act as proxies for their owners. They can test the digital bona fides of web sites and of terminal equipment, detect Man-in-the-Middle attacks, detect spam, and self-monitor to tell if they're being used inappropriately.
So ... we can keep tinkering with magnetic stripes, end-to-end encryption, tokenization and two factor authentication, to erect short term barriers to specific attack vectors, but with significant total cost and at the expense of user confusion and divergence. Or, we can transition to a single, fundamentally robust, extensible, long term approach to all digital ID protection, using chip cards to address skimming, counterfeiting, CNP fraud, and ID theft all at the same time.
Cheers,
12 Sep 2009 03:40
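Two points from these comments, worked as one added example: the 10 Oct comment's claim that a well designed smartcard only divulges information to a reader it has cryptographically verified, and the 12 Sep comment's point that replay of identity data is prevented by having the card sign it rather than hand it over as plain data. This is not code from the thread, from Lockstep, from FIPS 201 or from EMV. It assumes a single Ed25519 key pair standing in for the scheme operator's certificate authority (real schemes use X.509 chains), a reader credential that is just the scheme's signature over the reader's public key, and constructed identifiers; the protocol shape (card challenges the reader, then signs its identifier over a server-issued nonce) is the thing being illustrated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed example. One key pair stands in for the scheme CA; a real
// deployment would verify certificate chains here.

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func nonce() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Reader is a terminal that must prove to the card that it is authorised.
// credential is the scheme CA's signature over pub; nil for a rogue reader.
type Reader struct {
	pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	credential []byte
}

// ReaderProof is what the reader sends the card: its key, its credential,
// and a signature over the nonce the card just issued.
type ReaderProof struct {
	Pub        ed25519.PublicKey
	Credential []byte
	NonceSig   []byte
}

func (r *Reader) Prove(cardNonce []byte) ReaderProof {
	return ReaderProof{r.pub, r.credential, ed25519.Sign(r.priv, cardNonce)}
}

// Card releases its identifier only as a signed assertion bound to a
// server nonce, and only after the reader passes the card's own challenge.
type Card struct {
	ID        string
	pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	schemePub ed25519.PublicKey // trust anchor for reader credentials
}

type Assertion struct {
	ID          string
	ServerNonce []byte
	Sig         []byte
}

func assertionMsg(id string, serverNonce []byte) []byte {
	return append([]byte("id-assert|"+id+"|"), serverNonce...)
}

func (c *Card) Assert(cardNonce []byte, p ReaderProof, serverNonce []byte) (Assertion, error) {
	if !ed25519.Verify(c.schemePub, p.Pub, p.Credential) {
		return Assertion{}, errors.New("reader not certified by scheme")
	}
	if !ed25519.Verify(p.Pub, cardNonce, p.NonceSig) {
		return Assertion{}, errors.New("reader failed card challenge")
	}
	return Assertion{c.ID, serverNonce, ed25519.Sign(c.priv, assertionMsg(c.ID, serverNonce))}, nil
}

// Server is the relying party: it accepts an identifier only under a
// signature from the enrolled card key, over a nonce it issued and has not
// already consumed. A captured assertion therefore cannot be replayed.
type Server struct {
	enrolled map[string]ed25519.PublicKey
	issued   map[string]bool
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]bool{}} }
func (s *Server) Enroll(c *Card) { s.enrolled[c.ID] = c.pub }

func (s *Server) Challenge() []byte {
	n := nonce()
	s.issued[hex.EncodeToString(n)] = true
	return n
}

func (s *Server) Verify(a Assertion) bool {
	k := hex.EncodeToString(a.ServerNonce)
	if !s.issued[k] {
		return false // never issued, or already consumed (a replay)
	}
	delete(s.issued, k)
	pub, ok := s.enrolled[a.ID]
	return ok && ed25519.Verify(pub, assertionMsg(a.ID, a.ServerNonce), a.Sig)
}

// Setup returns a certified reader, a rogue reader, an enrolled card and a server.
func Setup() (*Reader, *Reader, *Card, *Server) {
	schemePub, schemePriv := mustKey()
	rp, rs := mustKey()
	bp, bs := mustKey()
	cp, cs := mustKey()
	card := &Card{"card-0001", cp, cs, schemePub}
	srv := NewServer()
	srv.Enroll(card)
	return &Reader{rp, rs, ed25519.Sign(schemePriv, rp)}, &Reader{bp, bs, nil}, card, srv
}

// Session runs one login through reader r and returns the server's decision,
// the assertion (so a caller can try replaying it) and any card-side refusal.
func Session(r *Reader, card *Card, srv *Server) (bool, Assertion, error) {
	cn := nonce()
	a, err := card.Assert(cn, r.Prove(cn), srv.Challenge())
	if err != nil {
		return false, Assertion{}, err
	}
	return srv.Verify(a), a, nil
}

func main() {
	good, rogue, card, srv := Setup()
	ok, a, _ := Session(good, card, srv)
	fmt.Println("certified reader, fresh nonce:", ok)
	fmt.Println("same assertion replayed:", srv.Verify(a))
	_, _, err := Session(rogue, card, srv)
	fmt.Println("rogue reader:", err)
}
```

The rogue reader in Setup has a perfectly good key pair of its own; what it lacks is a credential from the scheme, so the card's first check fails before any identifier leaves the chip. The server side shows the other half of the argument: because the identifier only ever travels as a signature over a server nonce, capturing it in transit yields nothing that can be presented again.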
Self confessed hacker groupie Robert Siciliano says "Protect yourself". Really?
Education and self defence have reached their use by date. With credit card numbers being stolen by the million from backend processors, there's nothing Jo Public can do anymore. They might have never shopped online in their lives and still get stung by cybercrime.
The emphasis shouldn't be on consumers to protect themselves, as if the Digital Economy is the Wild West. The onus should be on the payments system to move to non-replayable identifiers.
23 Aug 2009 09:52
And similarly, biometrics can be stolen!
Both biometrics and DNA forensics have attained a dangerous aura of invincibility. It's ironic that in this highly educated, high tech era, it's actually hard to get lay people to sit down for 10 minutes to understand how these things work, so they may appreciate their foibles too. But nope, if someone has seen DNA testing on CSI, or if they've seen biometrics on a science fiction movie, then that's that -- they work!
20 Aug 2009 20:08