The wisdom of the ill informed

Ed Gerck edgerck at nma.com
Mon Jun 30 21:50:49 EDT 2008


Perry,

You may well think that "You're completely wrong here," as you wrote. 
However, a first piece of evidence that I'm correct is that the online 
banking system has /not/ collapsed under this attack (Dan's point) in many 
years... even though bad guys do have access to large blocks of 
different IP numbers, etc.

> In any case, there are a large number of reasons US banks don't
> (generally) require or even allow anyone to enter PINs for
> authentication over the internet. 

Wells Fargo allows PINs for user authentication. Passwords are 
optional and PINs are used for password setting. This is just to name 
one key US bank.

Further, when you wrote:

> I suspect that currently invalid accounts are probably even cheaper
> than valid ones

we all know that invalid accounts are of no use to attack, so this 
issue is not relevant here.

But let me address your other points.

> I'm sure you will now go on about some other way to evade Dan's
> crucial point, but it should be obvious to almost anyone that you're
> not thinking like the bad guys. If you really want to go on about
> this, though, I'll let you have as much rope as you like, though
> only for a post or two as I don't want to bore people.

(don't worry, you never bore people)

Dan's question has to do with how to protect online access from 
multiple tries on the account number for a given PIN. Of course, the 
reverse (repeated use of the same account for different wrong PINs) 
can easily trigger a block.

As I replied to Dan, a counter-measure is for the server to 
selectively block IP numbers for the /same/ browser and /same/ PIN 
after 4 or 3 wrong attempts.

You present a valid objection in that there are people hijacking huge 
IP blocks for brief periods for spamming. People also hijack vast 
numbers of zombie machines. Either technology is easily used to 
prevent block-by-IP from doing squat for you, you wrote.

Not so fast. Block-by-IP is not that useless. Many anti-spam 
blacklists use block-by-IP and it works. Further, if the PIN is held 
constant (e.g., a common PIN such as 1111) and the IP as well as the 
browser identification are changed while different account numbers are 
targeted, this pattern can trigger a block by that PIN that repeatedly 
(3 or more times) causes an access error, for any IP number and 
browser. Excessive errors/minute can also trigger inspection and blocks.

You can find many other ways to try to trick the system. For example, 
you can space out the attacks and rotate the trivial PINs to reduce 
suspicion -- but you will also reduce the number of tries per hour 
that you can perform for each account.

What makes a good difference in preventing an attack as mentioned by 
Dan is to /not/ allow weak passwords in the first place! But, because 
this is not really possible with PIN systems (even with 6 digits), the 
security designer can detect attack patterns and use them to trigger a 
block even for an a priori unknown IP.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
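The three triggers Ed describes (block the same IP + browser + PIN after a few failures, block a PIN that keeps failing against different accounts from any IP or browser, and flag excessive errors per minute) as server-side detection logic. This is an added illustration, not code from the thread or from any bank's system; the thresholds, class names and the sample attempt stream are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

PIN_THRESHOLD = 3        # "3 or more" failures of one PIN across distinct accounts
SOURCE_THRESHOLD = 3     # wrong attempts from the same IP + browser + PIN
RATE_WINDOW_SEC = 60
RATE_THRESHOLD = 20      # constructed value: failures/minute that trigger inspection


@dataclass
class PinGuessDetector:
    pin_accounts: dict = field(default_factory=lambda: defaultdict(set))
    source_fails: dict = field(default_factory=lambda: defaultdict(int))
    fail_times: list = field(default_factory=list)
    blocked_pins: set = field(default_factory=set)
    blocked_sources: set = field(default_factory=set)
    inspect_flag: bool = False

    def record_failure(self, ts, ip, browser, account, pin):
        """Process one failed login attempt; return the list of actions triggered."""
        actions = []
        # Rule 1: same IP, same browser, same PIN -> block that source.
        src = (ip, browser, pin)
        self.source_fails[src] += 1
        if self.source_fails[src] >= SOURCE_THRESHOLD and src not in self.blocked_sources:
            self.blocked_sources.add(src)
            actions.append("block_source")
        # Rule 2: one PIN failing against distinct accounts, from any IP/browser -> block the PIN.
        self.pin_accounts[pin].add(account)
        if len(self.pin_accounts[pin]) >= PIN_THRESHOLD and pin not in self.blocked_pins:
            self.blocked_pins.add(pin)
            actions.append("block_pin")
        # Rule 3: global errors per minute above threshold -> flag for inspection.
        self.fail_times = [t for t in self.fail_times if ts - t < RATE_WINDOW_SEC]
        self.fail_times.append(ts)
        if len(self.fail_times) >= RATE_THRESHOLD:
            self.inspect_flag = True
            actions.append("inspect")
        return actions

    def is_allowed(self, ip, browser, pin):
        # Gate the attempt before credentials are even checked.
        return pin not in self.blocked_pins and (ip, browser, pin) not in self.blocked_sources


def run_constructed_sample():
    """Constructed stream: PIN 1111 held constant while IP, browser and account all rotate."""
    det = PinGuessDetector()
    actions = [det.record_failure(i, f"198.51.100.{i}", f"ua-{i}", f"acct-{i:04d}", "1111")
               for i in range(4)]
    return det, actions
```

Rotating the IP and browser defeats rules 1 and 3 in the sample, but the constant PIN still trips rule 2 on the third distinct account.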
