Your personal pinpad
Ah... there was an Internet cafe with several PCs. So after several days of being completely off-line, I decided to give it a try. Bought 1 hour of on-line time ($4). Unfortunately there was no way to connect my laptop. I could only use one of the "public" computers there. A quick check showed the PC was running Windows XP SP1, no firewall and no antivirus. How it could survive is a mystery to me. But still, touching an unprotected XP SP1 machine was something I could not feel comfortable with. I fired up Microsoft Internet Explorer and started typing the first URL when I realized I had better not do that. Public machine, hundreds of people had used it before me, no protection at all, the most vulnerable browser / OS combination... it could not be clean and safe.
What happens when you sit at an unknown machine and try to type something in? One easy-to-imagine scenario is that all your keystrokes are saved somewhere or even transmitted on-line somewhere else. It takes just a very simple piece of software to do that. I bet 90% or more of PCs in public places run software doing this. The remaining 10% use keyboards with built-in key logging hardware buffers. Later on some bad guy takes your credentials to pretend to be you in order to empty your bank account or at least use your email address... So you type in http://www.mybankaccount.com, then login and password... upppsss.... I just realized I do not want to access any site with my personal profile. Be it a bulletin board or web mail or eBay auctions... almost anything, as 99% of the Internet sites I visit request my login / password combination. OK, be careful, but don't be paranoid. Just the login name won't let a potential hacker get in. But the password? Would you really type in YOUR password using an unknown, totally unprotected computer? Thank you, I'll pass...
Necessity is the mother of invention. Last week I envisioned mobile operators as smart pipes providing (paid) authentication services. Does this model fit in here? Sure! Do you trust your mobile phone? I think you do. You use it to do your mobile banking or even confirm stock transactions. So here are two scenarios for password-prompting websites to consider. Both assume you associate your mobile phone number with your account. Simply put: when setting up an account with any web site / service, after giving your login name and password, you enter your mobile phone number. So the web site knows it. Then you go to the Internet cafe.
Scenario 1. One-time passwords over SMS. You log in, giving your login and, instead of typing a "normal" password, you click an option "one-time password over SMS". Within a second or two the web site sends you a randomly generated one-time password as an SMS message. You read it, type it in on the "public" PC and do not worry if it is captured or sniffed. It is a random one-time password, so a potential hacker will not be able to use it again.
Scenario 2. Personal PINs over USSD. You log in, giving your login name and, instead of typing a password, you click an option "use my PIN number entered on my phone". The web site forwards the PIN request to your mobile network, where an application fires a USSD push message saying "please enter your PIN". You use your personal phone as a PIN pad, responding to the initial USSD request, and the mobile network forwards the PIN to the original web site. The authentication procedure goes on: the site checks whether the PIN matches and lets you in. Note that you used your trusted phone as a PIN pad and the web site did not require you to enter a password on the PC. This way the password will never get into the hands of the hackers, while you will still be able to use the public PC with relative safety.
Both scenarios seem to be relatively simple to implement, yet I am not aware of any well-known web site that uses either of them. Strange... but maybe this is an opportunity?
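The server side of both scenarios, as an added example that is not code from the original post. The SMS and USSD gateways are stand-ins (`FakeSmsGateway`, `FakeUssdGateway`) that simply record what the operator would deliver and what the subscriber would key in; the real operator APIs are assumed to exist behind the same two calls. Two details the scenarios imply but do not spell out are made explicit: the one-time code is bound to the browser session that requested it and is consumed on first use, so a code captured on the public PC cannot be replayed into another session, and in the USSD flow the PIN only ever travels between the handset and the web site, never through the PC.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120


class FakeSmsGateway:
    """Stand-in for the operator's SMS gateway: records what would be sent."""
    def __init__(self):
        self.outbox = []  # list of (phone_number, text) the "subscriber" can read

    def send(self, phone_number, text):
        self.outbox.append((phone_number, text))


class FakeUssdGateway:
    """Stand-in for the operator's USSD push service. `handsets` maps a phone
    number to whatever that subscriber keys in when prompted (None = no answer)."""
    def __init__(self, handsets):
        self.handsets = handsets
        self.prompts = []

    def push_and_collect(self, phone_number, prompt):
        self.prompts.append((phone_number, prompt))
        return self.handsets.get(phone_number)


def _hash_secret(secret, salt):
    # Codes and PINs are stored hashed, like any other password material.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class OutOfBandAuth:
    def __init__(self, sms, ussd, clock=time.time):
        self.sms, self.ussd, self.clock = sms, ussd, clock
        self.accounts = {}  # login -> {"phone", "salt", "pin_hash"}
        self.pending = {}   # login -> one outstanding SMS challenge

    def register(self, login, phone, pin):
        salt = secrets.token_bytes(16)
        self.accounts[login] = {"phone": phone, "salt": salt,
                                "pin_hash": _hash_secret(pin, salt)}

    # Scenario 1: one-time password over SMS, typed back on the untrusted PC.
    def request_sms_otp(self, login, session_id):
        acct = self.accounts[login]
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self.pending[login] = {"otp_hash": _hash_secret(otp, salt), "salt": salt,
                               "expires": self.clock() + OTP_TTL_SECONDS,
                               "session": session_id}
        self.sms.send(acct["phone"], f"Your one-time login code is {otp}")

    def verify_sms_otp(self, login, session_id, typed_otp):
        # pop(): the challenge is consumed on the first attempt, right or wrong,
        # so a captured code cannot be tried again in a second session.
        entry = self.pending.pop(login, None)
        if entry is None or self.clock() > entry["expires"]:
            return False
        if entry["session"] != session_id:  # code only valid for the session that asked
            return False
        return hmac.compare_digest(entry["otp_hash"],
                                   _hash_secret(typed_otp, entry["salt"]))

    # Scenario 2: PIN entered on the handset via USSD; the PC sees only the result.
    def login_with_ussd_pin(self, login, session_id):
        acct = self.accounts.get(login)
        if acct is None:
            return False
        answer = self.ussd.push_and_collect(
            acct["phone"], f"Web login for session {session_id}: please enter your PIN")
        if answer is None:
            return False
        return hmac.compare_digest(acct["pin_hash"], _hash_secret(answer, acct["salt"]))


if __name__ == "__main__":
    # Constructed sample: one subscriber whose handset answers USSD prompts with "4321".
    sms, ussd = FakeSmsGateway(), FakeUssdGateway({"+48600000000": "4321"})
    auth = OutOfBandAuth(sms, ussd)
    auth.register("alice", "+48600000000", "4321")
    auth.request_sms_otp("alice", "sess-A")
    code = sms.outbox[-1][1].split()[-1]
    print("SMS OTP accepted:", auth.verify_sms_otp("alice", "sess-A", code))
    print("same code again:", auth.verify_sms_otp("alice", "sess-A", code))
    print("USSD PIN login:", auth.login_with_ussd_pin("alice", "sess-B"))
```

The USSD prompt carries the web session identifier so the subscriber can see which login attempt they are approving on the handset; the PC never receives the PIN, which is the property Scenario 2 is after.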
hi:
OTP via SMS entered back through the PC keyboard is simply "cat chasing tail". The problem with the PC is the keyboard: as you know, there is zero encryption on keypress. With a key logger active, entering the SMS PIN on the PC is simply captured in clear, then changed on the fly, invalidating the real session while the real PIN has already been submitted in parallel to a now hijacked session.
ak
You're right. But a simple trick with an on-screen keyboard (a keyboard displayed as a series of links on a web page) should do. Still, OTP seems to be the only sensible way to use your online services on machines you do not trust...
"You cannot solve a problem on the level that created it" (Einstein :)
Hook the keyboard. Hook the mouse. On-screen PIN keyboards would have to be randomized and then you're into "behavioral science" ... users are lazy, they simply revert to pressing keys.
There are 3 critical components to authenticity here:
(1) destination
(2) source
(3) "presence"
(2 + 3) = validating the "user rather than the browser" and ensuring that a person is present (rather than a bot)
Right now all attempts have focused on "left brain" and computational activity. The solution engages the right (non-linear, emotional).
The USSD model proposed is closer, however it fails on (1) since it is pushed. Any input has to be "above band" (cellular) and "pushed", since only mobile origination cannot be faked.
ak
"on screen pin keyboards would have to be randomized"
-> they already are; many online banks are doing that
"users are lazy they simply revert to pressing keys"
-> you can easily prevent them from doing that, it is just a matter of the page design
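The "on-screen keyboard as a series of links" idea from the reply above, worked out on the server side as an added example (not code from the post or its commenters). The digit layout is shuffled with a CSPRNG per login attempt and kept only on the server; each link the page renders submits the key's position, not its value, so a keystroke or click logger on the public PC records positions that are meaningless without that attempt's layout. The layout is discarded after one decode, which addresses the "randomized" requirement raised in the thread; it does nothing against screen capture, which is the limitation the same comment points at with "hook the mouse".

```python
import secrets


class RandomizedPinPad:
    """Server side of an on-screen PIN pad whose key order is shuffled per attempt."""

    DIGITS = "0123456789"

    def __init__(self):
        self.layouts = {}  # session_id -> list of digits in display order

    def new_layout(self, session_id):
        """Create a fresh shuffled layout for this login attempt.

        The returned list is what the page renders as ten links, left to right;
        link i carries only the position i (e.g. ?pos=i), never the digit itself.
        """
        digits = list(self.DIGITS)
        secrets.SystemRandom().shuffle(digits)  # CSPRNG shuffle, not random.shuffle
        self.layouts[session_id] = digits
        return digits

    def decode(self, session_id, positions):
        """Map the clicked positions back to the PIN the user meant.

        The layout is consumed here, so a recorded click sequence cannot be
        replayed against a later attempt, which will have a different layout.
        Returns None if there is no live layout or a position is out of range.
        """
        layout = self.layouts.pop(session_id, None)
        if layout is None:
            return None
        try:
            return "".join(layout[int(p)] for p in positions)
        except (IndexError, ValueError):
            return None


def positions_for(layout, pin):
    """Helper for simulating the user: which links would they click for this PIN?"""
    return [layout.index(d) for d in pin]


if __name__ == "__main__":
    pad = RandomizedPinPad()
    layout = pad.new_layout("sess-1")
    print("rendered key order:", "".join(layout))
    clicks = positions_for(layout, "4321")       # constructed sample PIN
    print("logger sees positions:", clicks)
    print("server decodes:", pad.decode("sess-1", clicks))
```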