Solving password problems one at a time, Re: The password-reset paradox

Anne & Lynn Wheeler lynn at garlic.com
Sat May 9 14:26:51 EDT 2009


On 05/09/09 07:33, Jerry Leichter wrote:
> On May 8, 2009, at 3:39 PM, Ian G wrote:
>>> The difficulty with client certs is that I need them to also work on my
>>> laptop. And my other laptop. And my phone.
>>>
>>> So, how do I get hold of them when I'm on the road?
>>
>> Good point. The difficulty with my passwords is that I have so many
>> that are so long that I can only manage them on my laptop, and have to
>> carry my laptop with me ...
>>
>> We can imagine all sorts of techie solutions to this, but it does
>> appear that we are in a bit of a grey zone with auth at the moment,
>> and the full solution might take a while to emerge. Try them all?
> This is part of a broader UI issue.
>
> I had a discussion with a guy at a company that was proposing to create
> secure credit cards by embedding a chip in the card and replacing some
> number of digits with an LCD display. The card would generate a unique
> card number for you when needed. They actually had the technology
> working - the card was pretty much indistinguishable from any other. (Of
> course, how rugged it would be in typical environments is another
> question - but they claimed they had a solution.)
>
> I pointed out that my wife knows one of her CC numbers by heart. She
> regularly quotes it, both on phone calls and to web forms. The card
> itself is buried in a thick wallet, which is buried in her pocketbook,
> which is somewhere in the house - likely not near the phone or the
> computer.
>
> Hell, one of the nice things about on-line shopping is that I can do it
> in my bathrobe - except that I *don't* know my CC by heart, so in fact I
> tend to put off buying until later when I have my wallet with me. (This
> does save me money....)
>
> When I'm in a store, I'm used to having to have my CC with me, because I
> always had to have the wallet with money anyway. At home, it's a whole
> different story. In any case, merchants are trying to make the in-store
> experience as simple as possible, pushing for things like RFID credit
> cards and even fingerprint recognition.
>
> So many people would see these "safer" cards as a big step backwards in
> usability. Why would they want such a thing? The card companies are
> trying to sell "safety", but in the US, where your liability is at most
> $50 if your CC number is stolen (and where in practice it's $0), the
> only cost you as an individual bear is the inconvenience of replacing a
> card. Because replacements for security problems have gotten so common,
> the CC companies have streamlined the process. It's really no big deal.
> I've had CC numbers stolen a couple of times (by means unknown);
> recently, two of my CC's were replaced by the companies based on some
> information known only to them. In every case, the process was very
> quick and painless. Hell, these days even on-line continuing charges
> often update to the new number automatically (though I've learned to
> keep track of those and check).
>
> The person arguing for this claimed that CC companies could offer a
> discount for users of the "secure" cards. But if you look at actual loss
> rates - how much could you offer? (I'd guess it's about the same as
> Discover offers: About a 1.5% rebate on most purchases. Not enough to
> let Discover steal customers from Visa and MC. Given all the other
> charges - and the absurdly high interest rates - on cards, anything like
> this gets lost in the noise.)
>
> Security that depends on people changing their habits in a way that is
> inconvenient to them ... won't happen (unless you're in an environment
> where you can *force* such changes).
> -- Jerry

at least the initial introduction of one-time-account number displays
had a problem because they couldn't meet the flexing specification
(like cards in men's wallets getting sat on).

note that there has been a big push to "signature debit" (similar interchange
fees and fraud as "signature credit") with 15 times the fraud of PIN-debit
(which has significantly lower interchange fees compared to signature debit)
reference
http://www.digitaltransactions.net/newsstory.cfm?newsid=73
mentioned in this post from 2006
http://www.garlic.com/~lynn/2006e.html#21

there has been some articles about "unsafe" cards being a profit item
for financial institutions ... since they charge merchants a significantly
higher interchange fee. there have been references that there can be
as much as an order of magnitude difference in fees between "unsafer" transactions
and "safer" transactions ... with "unsafe" transaction fees
contributing significantly to reports that payment fees have represented
as much as 40% of bottom line for US consumer financial institutions
(an order of magnitude reduction would be a big hit). part of thread
on this subject in this mailing list from two years ago
http://www.garlic.com/~lynn/aadsm27.htm#31
http://www.garlic.com/~lynn/aadsm27.htm#32
http://www.garlic.com/~lynn/aadsm27.htm#33
http://www.garlic.com/~lynn/aadsm27.htm#34
http://www.garlic.com/~lynn/aadsm27.htm#35
http://www.garlic.com/~lynn/aadsm27.htm#37
http://www.garlic.com/~lynn/aadsm27.htm#38
http://www.garlic.com/~lynn/aadsm27.htm#39
http://www.garlic.com/~lynn/aadsm27.htm#40
http://www.garlic.com/~lynn/aadsm27.htm#41
http://www.garlic.com/~lynn/aadsm27.htm#42
http://www.garlic.com/~lynn/aadsm27.htm#43

In the 90s, one of the proposals for some "safer" (PKI-based) internet transactions,
as part of offsetting cost of PKI deployment, was changing the burden of proof
(instead of bank/merchant proving consumer did it, consumer has to prove that they didn't
do it) ... something more akin to what was done in the UK. some recent references:
http://www.garlic.com/~lynn/2009f.html#61
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?RSS&newsid=14437
http://www.garlic.com/~lynn/2009g.html#28
http://www.securecomputing.net.au/News/143759,chipandpin-security-goes-on-trial.aspx
http://www.networkworld.com/news/2009/043009-phantom-withdrawal-case-concludes-in.html?nlhtsec=rn_050109&nladname=050109securityal

that PKI effort floundered for a number of reasons ... some discussed in this recent
post (besides the digital certificates being redundant and superfluous):
http://www.garlic.com/~lynn/20098g.html#23

in the early part of this decade/century, related to introduction of some of
"safer" internet payment technologies, there was an attempt to justify even
higher merchant interchange fees ... than the "unsafe" fees. this resulted in
some amount of cognitive dissonance ... since merchants had been accustomed
to their interchange fees being proportional to amount of fraud ... aka as the amount
of fraud goes up ... so does the interchange fees ... but this change would
create two domains ... one where the interchange fees go up proportional
to fraud ... and then a point where interchange fees continue to climb
as fraud is reduced. related post
http://www.garlic.com/~lynn/2009f.html#60

In the 90s (as part of AADS chip strawman), I semi-facetiously commented about
taking a $500 milspec part, cost reducing by 2-3 orders of magnitude while improving
the integrity.
http://www.garlic.com/~lynn/x959.html#aadsstraw

Another part of the AADS chip strawman was enabling a shift from an institutional-centric
hardware token paradigm to a person-centric hardware token paradigm ... i.e. the same AADS
chip could be used for contact, contactless, proximity, transit turnstile, single-factor authentication,
multi-factor authentication, low value transactions, high value transactions, payment transactions,
point-of-sale transactions, internet transactions, login authentication, etc. It wasn't just
that the same kind of chip could be used for all these different purposes ... but provide
the individual the option of being able to register their personal chip for a broad range of
applications. Part of the challenge was documenting all the issues that were raised justifying
an institutional-centric hardware token paradigm ... and addressing each issue.

Part of it was the x9.59 financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

part of it was demonstrating an AADS (certificateless) Kerberos solution
http://www.garlic.com/~lynn/subpubkey.html#kerberos

and part of it was demonstrating an AADS (certificateless) RADIUS solution
http://www.garlic.com/~lynn/subpubkey.html#radius

lots of the stuff shows up in the AADS patent portfolio (all assigned patents)
http://www.garlic.com/~lynn/aadssummary.htm

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
