[Cryptography] PRISM-Proofing and PRISM-Hardening

d.nix d.nix at comcast.net
Mon Sep 30 21:01:23 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> Found at: 
> <http://www.nytimes.com/2007/02/05/technology/05secure.html?ex=1328331600&en=295ec5d0994b0755&ei=5090&partner=rssuserland&emc=rss>
>
> 
> 
> To quote from the above:
> 
> The idea is that if customers do not see their [preselected] image,
> they could be at a fraudulent Web site, dummied up to look like
> their bank’s, and should not enter their passwords.
> 
> The Harvard and M.I.T. researchers tested that hypothesis. In 
> October, they brought 67 Bank of America customers in the Boston
> area into a controlled environment and asked them to conduct
> routine online banking activities, like looking up account
> balances. But the researchers had secretly withdrawn the images.
> 
> Of 60 participants who got that far into the study and whose 
> results could be verified, 58 entered passwords anyway. Only two
> chose not to log on, citing security concerns.
> 
> This approach requires the customer to verify the image every log
> on. Conning them by replacing the image with, "Site undergoing 
> maintenance"[1] is fairly easy. With my approach, I would
> authenticate the bank's key once, when I establish an account or
> sign up for online banking. My software would check that
> authentication every time I log on after that. (If the bank decides
> to change its key every year, I might need a new piece of paper
> every year -- which might get old after a few years.)
> 
> 
>> and http://en.wikipedia.org/wiki/Phishing#cite_note-88 which say 
>> simple things like "show the right image" don't work.
> 
> Found at: 
> <http://web.archive.org/web/20080406062154/http://people.seas.harvard.edu/~rachna/papers/emperor-security-indicators-bank-sitekey-phishing-study.pdf>
>
> 
It's also worth pointing out that common browser ad blocking / script
blocking / and site redirection add-ons and plugins (NoScript,
AdBlockPlus, Ghostery, etc...) can interfere with the identification
image display. My bank uses this sort of technology and it took me a
while to identify exactly which plug-in was blocking the security
image and then time to sort out an exception rule to not block it.

The point being - end users *will* install plug-ins and extensions
that may interfere with your verification tools.

Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (MingW32)

iQEcBAEBAgAGBQJSSh7jAAoJEDMbeBxcUNAel+AIAIx5Y1M0zlQtPU14aKaIE0Eo
jpQRCRgY4X/g30EnNt5wh+umKPS7ZSwPg62GfLpmntijPsGCThXVxY62OfJpnZU9
uWh+AwNG3RkMn90w2at1YaCbOyXiPEwN/2PuRsJ+RRQRKu4hbJmF1/1X36ykoIAc
s6LZ44a1FpIX8uGg5D6yo/emse3ZaKB6XlhoYZfbNlEnUc63/Sj8mC8K7ErhQbRu
qM8/LayQHLNDy+xHFfHLS2v8EJUz8DOVXKWBxxNY6Ig2Z4g4oUbbrhP1pAo2S9J9
YIR/DO4I+epiAy6WvLl/H31EHqnne5qN7B+nOz8mXxH/yg3zMliVmNKI6UCypyM=
=PXyH
-----END PGP SIGNATURE-----
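The quoted message contrasts the per-login security image with authenticating the bank's key once, out of band, and having client software re-check that binding on every later login. The following is an added illustration of that trust-on-first-use pinning idea, written for this page rather than taken from any poster: the bank's key material, the `bank.example` site name and the "paper" fingerprint are all constructed sample values, and the store is a plain in-memory dictionary with a JSON round-trip rather than a real browser key store. It also covers the two cases the discussion raises: a look-alike site presenting a different key (refused by the software, with no image for the user to overlook), and the bank rotating its key (which needs a fresh out-of-band fingerprint, the "new piece of paper").

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample key material; stands in for a bank's real public key.
BANK_KEY_2013 = b"-- constructed sample public key, bank.example, 2013 --"
BANK_KEY_2014 = b"-- constructed sample public key, bank.example, 2014 --"
PHISH_KEY = b"-- constructed key presented by a look-alike site --"


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the key: the value the bank would print and hand over out of band."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class PinStore:
    """Trust-on-first-use store mapping a site name to the key fingerprint pinned at enrollment."""
    pins: dict = field(default_factory=dict)

    def enroll(self, site: str, public_key: bytes, paper_fingerprint: str) -> bool:
        """One-time enrollment: pin only if the presented key matches the out-of-band fingerprint.

        Refuses to overwrite an existing pin; rotation goes through rotate() so that a
        look-alike site cannot silently re-enroll the user.
        """
        if site in self.pins:
            return False
        if fingerprint(public_key) != paper_fingerprint.strip().lower():
            return False
        self.pins[site] = fingerprint(public_key)
        return True

    def verify(self, site: str, public_key: bytes) -> str:
        """Every later login: 'ok', 'mismatch' (refuse to send credentials) or 'unpinned'."""
        pinned = self.pins.get(site)
        if pinned is None:
            return "unpinned"
        return "ok" if pinned == fingerprint(public_key) else "mismatch"

    def rotate(self, site: str, new_public_key: bytes, new_paper_fingerprint: str) -> bool:
        """Key rotation: replace an existing pin, again only against a fresh out-of-band fingerprint."""
        if site not in self.pins:
            return False
        if fingerprint(new_public_key) != new_paper_fingerprint.strip().lower():
            return False
        self.pins[site] = fingerprint(new_public_key)
        return True

    def to_json(self) -> str:
        """Serialise the pins so the check survives across sessions."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def from_json(cls, data: str) -> "PinStore":
        return cls(pins=json.loads(data))


def walkthrough() -> list:
    """Run the enrollment / login / phishing / rotation sequence and return each step's outcome."""
    store = PinStore()
    results = []
    # Paper fingerprint handed over when the account was opened (constructed here).
    paper_2013 = fingerprint(BANK_KEY_2013)
    results.append(("enroll", store.enroll("bank.example", BANK_KEY_2013, paper_2013)))
    # Persist and reload, as client software would between sessions.
    store = PinStore.from_json(store.to_json())
    results.append(("login real bank", store.verify("bank.example", BANK_KEY_2013)))
    # Look-alike site: the software refuses, regardless of what the page displays.
    results.append(("login phishing site", store.verify("bank.example", PHISH_KEY)))
    # A phishing site cannot re-enroll itself over the existing pin.
    results.append(("re-enroll attempt", store.enroll("bank.example", PHISH_KEY, fingerprint(PHISH_KEY))))
    # Yearly key change: needs a new paper fingerprint, then logins verify against the new key.
    results.append(("rotate", store.rotate("bank.example", BANK_KEY_2014, fingerprint(BANK_KEY_2014))))
    results.append(("login after rotation", store.verify("bank.example", BANK_KEY_2014)))
    results.append(("old key after rotation", store.verify("bank.example", BANK_KEY_2013)))
    return results


if __name__ == "__main__":
    for step, outcome in walkthrough():
        print(f"{step:24} -> {outcome}")
```

The design point is where the decision sits: the security-image scheme asks the user to notice an absence on every visit, while the pinned-key scheme has the software refuse outright on a mismatch, so a "site undergoing maintenance" page or a blocked image has nothing to exploit. The cost, as the quoted poster notes, is that every key rotation needs a fresh out-of-band fingerprint.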
