The wisdom of the ill informed
Ed Gerck
edgerck at nma.com
Tue Jul 1 13:28:43 EDT 2008
[Moderator's note: I'll let Ed have the last word. I'm sure everyone
knows what I'd say anyway. --Perry]
Perry E. Metzger wrote:
> Ed Gerck <edgerck at nma.com> writes:
>>> In any case, there are a large number of reasons US banks don't
>>> (generally) require or even allow anyone to enter PINs for
>>> authentication over the internet.
>> Wells Fargo allows PINs for user authentication.
>
> No they don't.
Since you are not fully aware how Wells Fargo operates, let me
clarify. What you say below is true for users entering the system /today/:
> The new users of their online system get a temporary
> password by phone or in the mail, and Wells Fargo requires that they
> change it on first log in. The temporaries expire after 30 days,
> too. They don't use their bank account numbers as account names,
> either.
>
> Where did you get the idea that they'd use 4-digit PINS from? It is
> totally false.
No. Any Wells Fargo user today that has an /older/ account (eg, opened
in 2001), can login with their numeric PINs if that is how their
online access was done then and they did not change it.
So, even though WF /today/ does not allow /new/ users to use only
numbers for their password, WF is happy to continue to accept /older/
rules, including accepting the PIN for online account login.
> (Anyone who doesn't believe me can just go through their web site --
> it explains all of this to their customers.)
Their website today is what they use today. Older account users that
have not changed their login can still use their PINs for login. I
know one company that, way back when, used their numeric PIN for login,
because that's what WF told them to do, and that just very recently
changed to a safer password.
While it is good that WF has improved its rules, it would be better if
they had made it compulsory for all users (not just newer) to renew
their passwords when the rules started prohibiting using only numbers
and /not/ requiring the PIN for first login.
I imagine that there are lots of sites out there that have likewise
improved their front-end password acceptance rules but have not
bothered to ask all their users to renew their passwords, and thus
force compliance with newer, safer rules.
> The system you propose as "safe" isn't used by anyone that I'm aware
> of, and for good reason, too -- people who've done things like that
> have been successfully attacked.
>
> BTW, if anyone was this foolish, the fun you could have would be
> amazing. You could rent a botnet for a few bucks and lock out half the
> customer accounts on the site in a matter of hours. You could ruin
> banks at will. It would be great fun -- only it isn't possible. No one
> is stupid enough to set themselves up for that.
WF does that, still today, for their most valued customers -- their
older customers. May our words be a good warning for them!
>>> I suspect that currently invalid accounts are probably even cheaper
>>> than valid ones
>> we all know that invalid accounts are of no use to attack, so this
>> issue is not relevant here.
>
> You would use the invalid accounts to reverse engineer the account
> number format so you don't have to do exhaustive search. Any
> practitioner in this field can tell you how useful intelligence like
> that would be. I suggest you consult one.
When you do the math, you will see that knowing a few hundred invalid
accounts will not considerably reduce your search space for the
comparison we are talking about. Remember, we are talking about
4-digit PINs that have a search space of 9,000 choices (before you
complain about the count, note that all 0xxx combinations are usually
not accepted as a valid PIN for registration) versus an account number
that is a sparse space with 12-digits and that (by the sheer number of
valid users) must have at least /millions/ of valid accounts.
> It is easy enough to blacklist all of the cable modems in the world
> for SMTP service. ISPs voluntarily list their cable modem and DSL
> blocks. It is a lot harder to explain to people that they can't do
> their at-home banking from home, though. With half the windows boxes
> in the world as part of botnets, and with dynamic address assignment,
> it is hard to know whose computer *wouldn't* be on the blacklists
> anyway...
Please check with actual banks. Bank users logging in from a static IP
account are treated differently by the servers than users from a
dynamic IP account. As they should.
The dialogue disconnect here is classical in cryptography, as we all
have probably seen in practice. In the extreme, but not too uncommon
position, a crypto guy cries for a "better" solution (which, more
often than not, is either not usable or too expensive) while
dismissing a number of perfectly valid but incomplete solutions that,
when used together, could mount a good-enough (and affordable)
defense. Many people have frequently made this point here, including
yourself with EV certs.
Yes, blocking by IP is not a panacea, and may fail to block, but when
it works it is mostly correct (and if it's not, it errs on the side of
caution). It should certainly be in everyone's toolbox.
But blocking-by-IP is just one possible pattern, as I comment below:
>> Further, if the PIN is held constant (eg, a common PIN such as 1111)
>> and the IP as well as the browser identification are changed while
>> different account numbers are targeted, this pattern can trigger a
>> block by that PIN that repeatedly (3 or more times) causes an access
>> error, for any IP number and browser. Excessive errors/minute can
>> also trigger inspection and blocks.
>
> You have 10,000 PINs, and 10 million customers logging in a day. Every
> PIN that gets attacked means a thousand of those customers can't get
> to their account. They call up, which costs you $10 to $100 a pop in
> customer service. So for every PIN someone tries hacking, you take a
> $10,000 to $100,000 customer service cost. Since there are thousands
> of PINs that will be attacked a day, this adds up fast, and you find
> more or less none of your customers able to log in and almost all of
> them angry as all hell at you.
Not everyone has 4-digit PINs (9,000 choices, not 10,000) and, as
banks update their practices (but not Wells Fargo!) the search space
increases and the problem goes away.
Nonetheless, if a system such as the one reported by Allan in this thread
uses 6-digit passwords to protect an email message, this does NOT mean
that someone could break it in seconds. It all depends on the control
system (and its effectiveness) to prevent many multiple tries in a
short time.
It's not just the search space that counts but how fast you can search
it. Why can EC use shorter keys than PKC, for the same level of
security against brute search?
> Ed, there is a reason no one in the US, not even Wells Fargo which you
> falsely cited, does what you suggest.
I understand you simply jumped to conclusions here and before. My
citation on Wells Fargo was and is (today) correct. My reply to Dan
was also a valid (even if not perfect!) method, that can be used in
combination with other methods as I suggested.
As Father Gracian suggests in his book (I recommend reading it) "The Art
of Worldly Wisdom", never complain. So, I won't. Anyone who is using a
public dialogue to mine the gold of truth can very well understand
that a few stones that also come through will just make the gold even
more valuable.
Best regards,
Ed Gerck
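The two defensive ideas argued over above, a trigger on one PIN that repeatedly fails against different account numbers while IP and browser vary, and an errors-per-minute trigger, together with Ed's "search space versus search rate" point, can be made concrete. The following Python is an added example, not code from this thread or from any bank; the failed-login records, account numbers, IP addresses, user-agent labels and the threshold values are all constructed for the illustration.

```python
"""Detection logic for the reverse brute-force pattern discussed in the thread:
a constant PIN tried against many distinct account numbers (IP and browser
varying), plus an excessive-errors-per-minute trigger, plus the arithmetic
behind "it is not just the search space but how fast you can search it".
All data and thresholds below are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-login records: (timestamp, account number, PIN tried, source IP, browser id).
SAMPLE_FAILURES = [
    ("2008-07-01T13:00:05", "100000000001", "1111", "203.0.113.5",  "UA-A"),
    ("2008-07-01T13:00:09", "100000000002", "1111", "198.51.100.7", "UA-B"),
    ("2008-07-01T13:00:14", "100000000003", "1111", "192.0.2.9",    "UA-C"),
    ("2008-07-01T13:00:20", "100000000004", "1111", "203.0.113.77", "UA-A"),
    ("2008-07-01T13:00:31", "100000000002", "2580", "198.51.100.7", "UA-B"),  # a user mistyping
    ("2008-07-01T13:00:40", "100000000002", "2581", "198.51.100.7", "UA-B"),  # same user, second typo
    ("2008-07-01T13:02:03", "100000000009", "4321", "192.0.2.44",   "UA-D"),
]

# Hypothetical policy values; not any real bank's settings.
SPRAY_DISTINCT_ACCOUNTS = 3          # "3 or more" errors with one PIN across different accounts
SPRAY_WINDOW = timedelta(minutes=5)  # how close together those errors must be
ERRORS_PER_MINUTE_LIMIT = 5          # more than this many failures in a minute triggers inspection


def parse(records):
    """Turn the textual records into tuples with real datetime objects."""
    return [(datetime.fromisoformat(ts), acct, pin, ip, ua) for ts, acct, pin, ip, ua in records]


def sprayed_pins(records, min_accounts=SPRAY_DISTINCT_ACCOUNTS, window=SPRAY_WINDOW):
    """Return {pin: sorted distinct accounts} for each PIN that failed against at
    least `min_accounts` different accounts inside `window`, ignoring IP and browser.
    Keying on the PIN rather than the source is what defeats IP/browser rotation."""
    by_pin = defaultdict(list)
    for ts, acct, pin, _ip, _ua in parse(records):
        by_pin[pin].append((ts, acct))
    flagged = {}
    for pin, events in by_pin.items():
        events.sort()
        for i, (start, _) in enumerate(events):            # sliding window anchored at each event
            accts = {a for t, a in events[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                flagged[pin] = sorted(accts)
                break
    return flagged


def noisy_minutes(records, limit=ERRORS_PER_MINUTE_LIMIT):
    """Return ISO timestamps of the minute buckets whose failure count exceeds `limit`."""
    counts = defaultdict(int)
    for ts, *_ in parse(records):
        counts[ts.replace(second=0, microsecond=0)] += 1
    return sorted(m.isoformat() for m, n in counts.items() if n > limit)


def guesses_per_hit(space_size, valid_count):
    """Expected uniform random guesses until the first valid value in a sparse space
    (with-replacement approximation): space_size / valid_count. For a dense space
    such as 9,000 PINs with exactly one target this is simply 9,000."""
    return space_size // valid_count


def minutes_to_search(guesses, attempts_per_minute):
    """Wall-clock cost of `guesses` attempts when the control system admits only
    `attempts_per_minute`; this is the 'how fast you can search it' factor."""
    return guesses / attempts_per_minute


if __name__ == "__main__":
    print("PINs sprayed across accounts:", sprayed_pins(SAMPLE_FAILURES))
    print("minutes over the error limit:", noisy_minutes(SAMPLE_FAILURES))
    # 12-digit account space with (constructed) 5 million valid accounts, versus 9,000 PINs.
    print("guesses per valid account:", guesses_per_hit(10**12, 5_000_000))
    print("minutes to exhaust 9,000 PINs at 3 attempts/minute:", minutes_to_search(9000, 3))
```

On the sample log, only PIN 1111 is flagged (four accounts, four IP/browser combinations), the two typos from the same customer are not, and the 13:00 minute exceeds the error limit. Note the design choice: the detector reports the offending PIN rather than locking it, because, as Perry points out above, a lock keyed on the PIN value alone also locks out every legitimate customer who happens to share that PIN; what to do with the report (inspection, step-up, throttling the source) is the policy question the thread is arguing about.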
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com