The wisdom of the ill informed

Ed Gerck edgerck at nma.com
Tue Jul 1 13:28:43 EDT 2008


[Moderator's note: I'll let Ed have the last word. I'm sure everyone
knows what I'd say anyway. --Perry]

Perry E. Metzger wrote:
> Ed Gerck <edgerck at nma.com> writes:
>>> In any case, there are a large number of reasons US banks don't
>>> (generally) require or even allow anyone to enter PINs for
>>> authentication over the internet. 
>> Wells Fargo allows PINs for user authentication.
> 
> No they don't. 

Since you are not fully aware of how Wells Fargo operates, let me 
clarify. What you say below is true for users entering the system /today/:

> The new users of their online system get a temporary
> password by phone or in the mail, and Wells Fargo requires that they
> change it on first log in. The temporaries expire after 30 days,
> too. They don't their bank account numbers as account names,
> either.
> 
> Where did you get the idea that they'd use 4-digit PINS from? It is
> totally false.

No. Any Wells Fargo user today that has an /older/ account (e.g., opened 
in 2001) can log in with their numeric PIN if that is how their 
online access was done then and they did not change it.

So, even though WF /today/ does not allow /new/ users to use only 
numbers for their password, WF is happy to continue to accept the /older/ 
rules, including accepting the PIN for online account login.

> (Anyone who doesn't believe me can just go through their web site --
> it explains all of this to their customers.)

Their website today is what they use today. Older account users that 
have not changed their login can still use their PINs for login. I 
know one company that, way back when, used their numeric PIN for login, 
because that's what WF told them to do, and that only very recently 
changed to a safer password.

While it is good that WF has improved its rules, it would be better if 
they had made it compulsory for all users (not just newer ones) to renew 
their passwords when the rules started prohibiting using only numbers 
and /not/ requiring the PIN for first login.

I imagine that there are lots of sites out there that have likewise 
improved their front-end password acceptance rules but have not 
bothered to ask all their users to renew their passwords, and thus 
force compliance with newer, safer rules.

> The system you propose as "safe" isn't used by anyone that I'm aware
> of, and for good reason, too -- people who've done things like that
> have been successfully attacked.
> 
> BTW, if anyone was this foolish, the fun you could have would be
> amazing. You could rent a botnet for a few bucks and lock out half the
> customer accounts on the site in a matter of hours. You could ruin
> banks at will. It would be great fun -- only it isn't possible. No one
> is stupid enough to set themselves up for that.

WF does that, still today, for their most valued customers -- their 
older customers. May our words be a good warning for them!

>>> I suspect that currently invalid accounts are probably even cheaper
>>> than valid ones
>> we all know that invalid accounts are of no use to attack, so this
>> issue is not relevant here.
> 
> You would use the invalid accounts to reverse engineer the account
> number format so you don't have to do exhaustive search. Any
> practitioner in this field can tell you how useful intelligence like
> that would be. I suggest you consult one.

When you do the math, you will see that knowing a few hundred invalid 
accounts will not considerably reduce your search space for the 
comparison we are talking about. Remember, we are talking about 
4-digit PINs that have a search space of 9,000 choices (before you 
complain about the count, note that all 0xxx combinations are usually 
not accepted as a valid PIN for registration) versus an account number 
that is a sparse space with 12-digits and that (by the sheer number of 
valid users) must have at least /millions/ of valid accounts.

> It is easy enough to blacklist all of the cable modems in the world
> for SMTP service. ISPs voluntarily list their cable modem and DSL
> blocks. It is a lot harder to explain to people that they can't do
> their at-home banking from home, though. With half the windows boxes
> in the world as part of botnets, and with dynamic address assignment,
> it is hard to know who's computer *wouldn't* be on the blacklists
> anyway...

Please check with actual banks. Bank users logging in from a static IP 
account are treated differently by the servers than users from a 
dynamic IP account. As they should.

The dialogue disconnect here is classic in cryptography, as we all 
have probably seen in practice. In the extreme, but not too uncommon, 
position, a crypto guy cries for a "better" solution (which, more 
often than not, is either not usable or too expensive) while 
dismissing a number of perfectly valid but incomplete solutions that, 
when used together, could mount a good-enough (and affordable) 
defense. Many people have frequently made this point here, including 
yourself with EV certs.

Yes, blocking by IP is not a panacea, and may fail to block, but when 
it works it is mostly correct (and if it's not, it errs on the side of 
caution). It should certainly be in everyone's toolbox.

But blocking-by-IP is just one possible pattern, as I comment below:

>> Further, if the PIN is held constant (eg, a common PIN such as 1111)
>> and the IP as well as the browser identification are changed while
>> different account numbers are targeted, this pattern can trigger a
>> block by that PIN that repeatedly (3 or more times) causes an access
>> error, for any IP number and browser. Excessive errors/minute can
>> also trigger inspection and blocks.
> 
> You have 10,000 PINs, and 10 million customers logging in a day. Every
> PIN that gets attacked means a thousand of those customers can't get
> to their account. They call up, which costs you $10 to $100 a pop in
> customer service. So for every PIN someone tries hacking, you take a
> $10,000 to $100,000 customer service cost. Since there are thousands
> of PINs that will be attacked a day, this adds up fast, and you find
> more or less none of your customers able to log in and almost all of
> them angry as all hell at you.

Not everyone has 4-digit PINs (9,000 choices, not 10,000) and, as 
banks update their practices (but not Wells Fargo!) the search space 
increases and the problem goes away.

Nonetheless, if a system such as the one reported by Allan in this thread 
uses 6-digit passwords to protect an email message, this does NOT mean 
that someone could break it in seconds. It all depends on the control 
system (and its effectiveness) to prevent many tries in a 
short time.

It's not just the search space that counts but how fast you can search 
it. Why can EC use shorter keys than PKC, for the same level of 
security against brute search?

> Ed, there is a reason no one in the US, not even Wells Fargo which you
> falsely cited, does what you suggest. 

I understand you simply jumped to conclusions here and before. My 
citation on Wells Fargo was and is (today) correct. My reply to Dan 
was also a valid (even if not perfect!) method, that can be used in 
combination with other methods as I suggested.

As Father Gracian suggests in his book (I recommend reading it) "The Art 
of Worldly Wisdom", never complain. So, I won't. Anyone who is using a 
public dialogue to mine the gold of truth can very well understand 
that a few stones that also come through will just make the gold even 
more valuable.

Best regards,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
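The two sides of the argument above (Ed's "block the PIN that keeps failing across accounts, IPs and browsers" pattern versus Perry's "every blocked PIN locks out every customer who holds it" objection, plus the 9,000-PIN versus sparse 12-digit-account search-space arithmetic) can be put side by side in a few lines of code. What follows is an added illustration written for this archive page; it is not code from the thread, from Wells Fargo or from any bank's login system. The log events are constructed, the names (`pins_to_block`, `accounts_to_block`, `expected_collateral`, `blind_guess_success`, `expected_seconds`) are hypothetical, and it takes the thread's own assumptions as parameters: 9,000 four-digit PINs (no 0xxx values issued), 12-digit account numbers used as login names, and a uniform spread of PINs over customers.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption taken from the thread: 4-digit PINs with no 0xxx values issued,
# so 1000..9999 gives 9,000 possible PINs.
PIN_SPACE = 9_000


@dataclass(frozen=True)
class Attempt:
    ts: int       # seconds since the start of the constructed sample
    account: str  # 12-digit account number used as the login name
    pin: str      # submitted PIN (plaintext here for clarity; a server would compare a hash)
    ip: str       # source address
    ua: str       # browser identification string
    ok: bool      # whether the login succeeded


# Constructed sample, not real traffic. The attacker keeps PIN 1111 fixed and
# rotates the account number, source IP and browser string on every try.
ATTACK = [
    Attempt(t, f"4000{t:08d}", "1111", f"203.0.113.{t}", f"UA-{t % 3}", False)
    for t in range(1, 6)
]
# Two legitimate customers: one mistypes once and then succeeds; the other's
# real PIN happens to be 1111.
LEGIT = [
    Attempt(30, "400000000042", "2718", "198.51.100.7", "UA-0", False),
    Attempt(31, "400000000042", "2719", "198.51.100.7", "UA-0", True),
    Attempt(40, "400000000077", "1111", "198.51.100.9", "UA-1", True),
]
EVENTS = sorted(ATTACK + LEGIT, key=lambda a: a.ts)


def _recent(history, now, window):
    """Keep only failures newer than `now - window` seconds."""
    return [h for h in history if now - h[0] <= window]


def pins_to_block(events, threshold=3, window=60):
    """Ed's rule: block a PIN that fails >= threshold times within `window`
    seconds against >= threshold different accounts, whatever the IP or
    browser. The distinct-account condition keeps one customer who mistypes
    the same PIN repeatedly from tripping the rule for everyone."""
    failures = defaultdict(list)   # pin -> [(ts, account), ...]
    blocked = set()
    for e in events:
        if e.ok:
            continue
        failures[e.pin] = _recent(failures[e.pin], e.ts, window) + [(e.ts, e.account)]
        recent = failures[e.pin]
        if len(recent) >= threshold and len({a for _, a in recent}) >= threshold:
            blocked.add(e.pin)
    return blocked


def accounts_to_block(events, threshold=3, window=60):
    """The usual per-account throttle, for contrast: it never sees the spray,
    because every account is tried only once."""
    failures = defaultdict(list)   # account -> [(ts,), ...]
    blocked = set()
    for e in events:
        if e.ok:
            continue
        failures[e.account] = _recent(failures[e.account], e.ts, window) + [(e.ts,)]
        if len(failures[e.account]) >= threshold:
            blocked.add(e.account)
    return blocked


def locked_out_legit(events, blocked_pins):
    """Accounts in the sample whose correct login a PIN block would refuse."""
    return sorted({e.account for e in events if e.ok and e.pin in blocked_pins})


def expected_collateral(customers, blocked_pins, pin_space=PIN_SPACE):
    """Perry's objection as arithmetic: blocking a PIN blocks every customer
    who happens to hold it. Assumes PINs are spread uniformly over pin_space."""
    return customers * len(blocked_pins) / pin_space


def blind_guess_success(valid_accounts, account_space=10**12, pin_space=PIN_SPACE):
    """Per-try probability that one (account, PIN) guess logs in, with account
    numbers drawn uniformly from account_space (10^12 for 12 digits) and PINs
    from pin_space. A smaller account_space models a known number format that
    cuts the search; account_space == valid_accounts models a harvested list
    of valid accounts, where only the PIN is left to guess."""
    if not 0 < valid_accounts <= account_space:
        raise ValueError("valid_accounts must be in (0, account_space]")
    return (valid_accounts / account_space) / pin_space


def expected_seconds(tries_per_second, valid_accounts, account_space=10**12, pin_space=PIN_SPACE):
    """Expected time to the first successful login at a given try rate: the
    search space only matters together with how fast it can be searched."""
    return 1 / (blind_guess_success(valid_accounts, account_space, pin_space) * tries_per_second)


if __name__ == "__main__":
    bad = pins_to_block(EVENTS)
    print("PINs blocked:", bad)                                              # {'1111'}
    print("accounts blocked by per-account rule:", accounts_to_block(EVENTS))  # set()
    print("legit customers refused:", locked_out_legit(EVENTS, bad))         # ['400000000077']
    print("expected lockouts, 10M customers:", expected_collateral(10_000_000, bad))
    print("tries per login, harvested account list:", 1 / blind_guess_success(10**7, 10**7))
    print("tries per login, blind 12-digit space:", 1 / blind_guess_success(10**7))
    print("hours at 3 tries/min on a known account:", expected_seconds(0.05, 10**7, 10**7) / 3600)
```

Running it shows both points at once: the per-PIN rule catches the spray that a per-account counter is blind to, and the same rule refuses a legitimate customer whose PIN is 1111, which at ten million customers scales to roughly 1,100 lockouts per blocked PIN. The last three lines are the search-space arithmetic: against a harvested list of valid accounts the attacker needs about 9,000 tries per login, against a blind 12-digit space about 9 x 10^8 (the factor is exactly account_space / valid_accounts, which is what shrinks if the number format is guessable), and a 3-tries-per-minute throttle turns even the 9,000 case into about 50 hours per account.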


