Hello World

Steven D'Aprano steve+comp.lang.python at pearwood.info
Sat Jan 17 22:45:34 EST 2015


Roy Smith wrote:

> In article <54bb1c83$0$12979$c3e8da3$5496439d at news.astraweb.com>,
>  Steven D'Aprano <steve+comp.lang.python at pearwood.info> wrote:
> 
>> Even that doesn't protect you, because your security is controlled by
>> websites and banks etc. with stupid security policies. E.g. I am forced
>> to deal with one bank that uses a cryptographic key to sign in to their
>> bank, but your passphrase is limited to exactly eight characters. Another
>> bank I use limits you to SIX characters, taken from case-insensitive(!)
>> letters, digits, and a small set of punctuation.
> 
> Tell me about it.  I have an E-Trade ATM card.  When I first got it, I
> set it up with a 6 digit PIN.  I was shocked to discover some time later
> that it actually only looks at the first 4 digits.  And, no, I'm not
> talking *characters*, I'm talking *digits*.  There are 10**4 possible
> PINs.  The mind boggles.
> 
> On the other hand, E-Trade gave me an RSA key fob so I use two-factor
> authentication on their web site.

You know that two-factor authentication doesn't offer any real security
against Man In The Middle attacks? Scenario:

* You log in to the bank, and transfer $1 to me.
* Evil haxor intercepts the transfer between your PC and the Internet,
  changing it to a request to transfer ONE MILLION DOLLARS to evil 
  haxor's account.
* Bank receives the request and sends you a token.
* You receive the token and approve the transfer.
* Evil haxor makes the money disappear.
* When you complain to the bank that your account is ONE MILLION DOLLARS
  overdrawn, they insist that you authorized the transfer so their 
  liability is limited to exactly Sweet FA.

(I am very cynical about most of the "security features" the banks are
pushing for, since in my opinion they are more about giving the banks
plausible deniability so they can push responsibility for security breaches
onto the customer.)


As soon as I heard that banks were turning to two-factor authentication I
predicted that attackers would trivially move to man-in-the-middle and
man-in-the-browser attacks to get around them. And sure enough, as long ago
as 2006 that's exactly what happened:

http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html

More here:

https://www.schneier.com/blog/archives/2012/09/man-in-the-midd_5.html

(read the comments for more examples)

All of the MITM attacks I know of involve social engineering attacks, but if
and when customers get too sophisticated to fall for phishing attacks[1],
the bad guys will move to scenarios like the one I described, where they
hijack your own legitimate transactions.




[1] Try not to laugh. It could happen.

-- 
Steven
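The scenario laid out above, worked through as an added example that is not code from the thread and not any bank's actual implementation: a key-fob OTP is a MAC over a counter (or clock) and nothing else, so the bank cannot tell whether the customer approved the $1 transfer they typed in or the one-million-dollar transfer the attacker substituted. The same simulation then shows the usual mitigation, a transaction-bound code ("what you see is what you sign") where the MAC also covers the amount and destination the customer actually saw. The seed, account names, amounts and the 6/8-digit truncation are all constructed for the example.

```python
"""Plain OTP vs. transaction-bound code under a man-in-the-middle.

Added example, not code from the original thread.  Seed, accounts and
amounts are made up; the OTP construction is HOTP-like for illustration
and is not a specific vendor's scheme."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    amount: int        # whole dollars, for simplicity
    to_account: str


# Secret shared between the bank and the customer's token (constructed).
TOKEN_SEED = b"constructed-seed-do-not-reuse"


def fob_otp(seed: bytes, counter: int) -> str:
    """Event-based OTP as a key fob produces it.  It depends on the counter
    only; nothing about the transaction being approved goes into it."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 10**6:06d}"


def transaction_code(seed: bytes, counter: int, tx: Transfer) -> str:
    """Transaction-bound code: the MAC covers the amount and destination
    the customer actually approved, so a substituted transfer fails."""
    msg = counter.to_bytes(8, "big") + f"{tx.amount}|{tx.to_account}".encode()
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 10**8:08d}"


class Bank:
    """Bank side.  It only ever sees the transfer that arrived over the
    wire, which is the attacker's version when a MITM is present."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.counter = 0

    def accept_with_otp(self, tx: Transfer, otp: str) -> bool:
        # tx is ignored: a correct fob code approves *any* transfer.
        ok = hmac.compare_digest(otp, fob_otp(self.seed, self.counter))
        if ok:
            self.counter += 1
        return ok

    def accept_with_bound_code(self, tx: Transfer, code: str) -> bool:
        expected = transaction_code(self.seed, self.counter, tx)
        ok = hmac.compare_digest(code, expected)
        if ok:
            self.counter += 1
        return ok


def mitm(tx: Transfer) -> Transfer:
    """Attacker between the PC and the bank rewrites the request in flight."""
    return Transfer(amount=1_000_000, to_account="evil-haxor")


def run_otp_scenario() -> tuple[bool, Transfer]:
    """Customer intends $1 to steven; the bank receives the tampered transfer
    and the customer's fob code approves it anyway."""
    bank = Bank(TOKEN_SEED)
    intended = Transfer(amount=1, to_account="steven")
    received = mitm(intended)
    otp = fob_otp(TOKEN_SEED, counter=0)      # customer reads it off the fob
    return bank.accept_with_otp(received, otp), received


def run_bound_scenario(tamper: bool) -> tuple[bool, Transfer]:
    """Same attack against a transaction-bound code.  The code is computed
    over what the customer saw, so it only matches an untampered transfer."""
    bank = Bank(TOKEN_SEED)
    intended = Transfer(amount=1, to_account="steven")
    received = mitm(intended) if tamper else intended
    code = transaction_code(TOKEN_SEED, 0, intended)
    return bank.accept_with_bound_code(received, code), received


if __name__ == "__main__":
    ok, tx = run_otp_scenario()
    print(f"fob OTP: bank accepted {tx} -> {ok}")
    ok, tx = run_bound_scenario(tamper=True)
    print(f"bound code, tampered: bank accepted {tx} -> {ok}")
    ok, tx = run_bound_scenario(tamper=False)
    print(f"bound code, honest: bank accepted {tx} -> {ok}")
```

The bound code only helps if the customer reads the amount and destination from a device the attacker does not control (a separate signing token or phone showing the transfer details) rather than from the same browser the attacker has already subverted; a man-in-the-browser that can rewrite the request can also rewrite what the page displays, which is why the defence has to move the "what you see" part off the compromised PC.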