using SMS challenge/response to secure web sites

Ian Grigg iang at systemics.com
Fri Oct 3 12:07:46 EDT 2003


Merchants who *really* rely on their web site being
secure are those that take instructions for the
delivery of value over them.  It's a given that they
have to work very hard to secure their websites, and
it is instructive to watch their efforts.

The cutting edge in making web sites secure is occurring
in the gold community and presumably the PayPal community (I
don't really follow the latter).  AFAIK, this has been
the case since the late 90's, before that, some of the
European banks were doing heavy duty stuff with expensive
tokens.

e-gold have a sort of graphical number that displays
and has to be entered in by hand [1].  This works against
bots, but of course, the bot writers have conquered
it somehow.  e-gold are of course the recurrent victim
of the spoofers, and it is not clear why they have not
taken serious steps to protect themselves against
attacks on their system.

eBullion sell an expensive hardware token that I have
heard stops attacks cold, but suffers from poor take-up
because of its cost [2].

Goldmoney relies on client certs, which also seems
to be poor in take-up.  Probably more to do with the
clumsiness of them, due to the early uncertain support
in the browser and in the protocol.  Also, goldmoney
has structured themselves to be an unattractive target
for attackers, using governance and marketing techniques,
so I expect them to be the last to experience real tests
of their security.

Another small player called Pecunix allows you to integrate
your PGP key into your account, and confirm your nymity
using PGP signatures.  At least one other player had
decided to try smart cards.

Now a company called NetPay.TV - I have no idea about
them, really - have started a service that sends out
a 6 digit pin over the SMS messaging features of the
GSM network for the user to type in to the website [4].

It's highly innovative and great security to use a
completely different network to communicate with the
user and confirm their nymity.  On the face of it,
it would seem to pretty much knock a hole into the
incessant, boring and mind-bogglingly simple attacks
against the recommended SSL web site approach.

What remains to be seen is if users are prepared to
pay 15c each time for the SMS message.  In Europe,
SMS messaging is the rage, so there won't be much
of a problem there, I suspect.

What's interesting here is that we are seeing the
market for security evolve and bypass the rather
broken model that was invented by Netscape back in
'94 or so.  In the absence of structured, institutional,
or mandated approaches, we now have half a dozen distinct
approaches to web site application security [4].

As each of the programmes are voluntary, we have a
fair and honest market test of the security results [5].

iang



[1]  here's one if it can be seen:
https://www.e-gold.com/acct/gen3.asp?x=3061&y=62744C0EB1324BD58D24CA4389877672
Hopefully that doesn't let you into my account!
It's curious, if you change the numbers in the above
URL, you get a similar drawing, but it is wrong...

[2] All companies are .com, unless otherwise noted.

[3] As well as the activity on the gold side, there
are the adventures of PayPal with its pairs of tiny
payments made to users' conventional bank accounts.


[4]  Below is their announcement, for the record.

[5]  I just thought of an attack against NetPay.TV,
but I'll keep quiet so as not to enjoy anyone else's
fun :-)

==============================================================
N E T P A Y. T V N E W S L E T T E R
October 3rd, 2003
Sent to NetPay members only, removal instructions at the
end of the message
==============================================================
1. SMS entry - Unique Patent pending entry system -
World first!
==============================================================

http://www.netpay.tv/news.htm

What is this new form of entry?

Do you own a mobile phone? Can you receive SMS
messages? Would you like to have your own personal
NetPay security officer contact you when entry to your
account is required? Netpay would like to introduce a world
first in account security. This new feature is so simple, yet
so effective - we believe every member will utilize it.

If you answered yes to the above, then your SMS capable
mobile is a powerful security device, which will stop any
unforced attempts of entry into your Netpay account. No
need to purchase expensive security token hardware, no
need to be utterly confused on how to use the security
device. If you know how to use your mobile, then you know
how to totally protect your Netpay account from any
possible unlawful entry.

This new system sends you an automated 6 digit secure
random PIN direct to your phone whenever you try to
access your account. Without this PIN, it is impossible to
login. The PIN arrives direct to your mobile within seconds!
It is as good as having your own personal security officer
calling you whenever someone is trying to access your
account!

SMS AUTHENTICATED SECURITY ENTRY

It is simple. This new feature allows each member to set
his or her own mobile phone number within his or her
account. Now when you go to access your account again,
you choose to Login via SMS authentication (It is
impossible to access via standard login once you load a
mobile phone number within your account).

You only need to now remember your 4 digit Trojan
bypassing PIN (unique to NetPay) and your Netpay
account number (this number is public knowledge). No
need to recall your password or any other numbers, as the
server instantly links your PIN and account number with
your SMS enabled mobile phone and sends you a random -
one time, 6 digit PIN (expires after 5 minutes) instantly to
your SMS capable phone!

Once you receive the random security code, you then enter
it into the final entry page online and you now have access
to your account.

Visit Flash promo here: http://www.netpay.tv/netpay.swf

How do I set SMS entry for my account and what does it
cost?

Very simple. Enter your account and go to the My Info
page in the secure members area - ADD your mobile phone
by clicking the link which states: Cell phone # for SMS
authentication.

From here, you need only ADD an SMS enabled phone and
authorize this by entering your NetPay ID number (set
when you registered and is more than likely a passport or
drivers license number). You now have total SMS
protection.

Each time you access, a small charge of 15c is removed
from your account to cover the fee charged for the SMS
secure message. This 15c is the best money spent when it
comes to securing your account online. *Remember, you
must have your SMS phone enabled and on when you try to
access or you will not be able to enter your account.

Why is the new Patent pending NetPay SMS entry system
simpler than security encryption tokens or calculators?

- Nearly everyone can use a GSM enabled mobile phone
(no confusion compared to expensive hardware tokens and
yet our online entry system is just as secure) - SMS
messages can be received in any country using GSM
(please check our list of countries before registering your
mobile as your phone may not be compatible).
- It is totally portable. You can access your account from
any PC, anywhere SMS messages can be sent and as long
as you have your mobile switched on. Even if the PC was
infected with a virus, you can still enjoy secure access!
- No need to purchase expensive and confusing hardware -
just simply read your text SMS message via your mobile
and you can access your account in total security. Total
account protection for only 15c per authorized entry.
- You don't need to send any messages back for
verification, simply enter the 6 digit PIN you receive on
the online automated form.
- SSL security ensures the PIN is totally encrypted,
random, and only able to be used once only.

What makes this more secure than standard entry
systems?

- Even if the user was using a PC with a virus or Trojan
keyboard logger, it would not be possible for the hacker to
obtain the 6 digit PIN being sent to your mobile - as it is a
one time, expiring PIN and is sent totally offline. Even if it
records the PIN when you enter it - it is useless, as it can
only be used once. This ensures at all times, even when
one is using someone else's PC, they are secure. The only
detail the Trojan will pick up is the user's account number,
which is common public knowledge (as the 4 digit Netpay
PIN number is entered not via the keyboard but using our
Patented keyless entry - which bypasses standard Trojans).
- 6 digit SMS PIN sent is a one time only useable PIN,
totally random and is valid for a maximum of only 5
minutes. This ensures even if someone else reads the SMS
and tries to access, the time limit would have expired after
the 5-minute period.
- SMS messages travel on a secure signaling network -
any possible interception of the PIN would take
considerable effort and time, thus the 5 minute limited life
of the random PIN ensures full security.
- Even if someone were to steal your mobile, they would
not know how to access your NetPay account as they
would need to know both your account number and 4 digit
security PIN.

ENJOY THIS PATENTED FORM OF ENTRY NOW -
ACCESS YOUR ACCOUNT AND ADD A SMS MOBILE
NUMBER TODAY (COSTS ONLY 15c PER
AUTHORIZED ENTRY).
http://www.netpay.tv
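The server side of the login flow the newsletter describes (account number, then a random 6 digit PIN sent by SMS that expires after 5 minutes and works only once), written here as an added example; it is not NetPay's code. The SMS transport is a callable you supply, the clock is injectable so expiry can be tested, and the attempt limit is an assumption the newsletter does not mention.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6            # the newsletter's 6 digit SMS PIN
OTP_TTL_SECONDS = 5 * 60  # the newsletter's 5 minute validity window
MAX_ATTEMPTS = 5          # assumption: bounds online guessing of a 6 digit code


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


class SmsOtpServer:
    """Issues and checks one-time SMS codes, keyed by account number."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # callable(phone, text): assumed transport
        self._clock = clock
        self._pending: dict[str, PendingOtp] = {}

    def issue(self, account: str, phone: str) -> None:
        # CSPRNG-backed code, zero-padded so leading zeros are not lost;
        # a fresh issue replaces any code still pending for the account.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = PendingOtp(code, self._clock())
        self._send_sms(phone, f"Your one-time login code is {code}")

    def verify(self, account: str, submitted: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False  # nothing issued, or already consumed
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[account]  # expired: discard, never accept
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code, submitted)  # constant-time compare
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[account]  # single use; also burn after too many tries
        return ok
```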

---------------------------------------------------------------------
The Cryptography Mailing List