Re: Re: Researchers fault 3-D Secure (3DS) online credit card system

[Dave Farber <dfarber () me com>]

> From: "Richard Clayton" <richard () highwayman com>
> To: "Lauren Weinstein" <lauren () vortex com>
> Cc: <nnsquad () nnsquad org>
> Date: January 29, 2010 04:14:29 PM EST
> Subject: [ NNSquad ] Re: Researchers fault 3-D Secure (3DS) online credit card system
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In message <20100128204341.GA6159 () vortex com>, Lauren Weinstein
> <lauren () vortex com> writes
> > Researchers fault 3-D Secure (3DS) online credit card system
> >
> > http://bit.ly/a1ygc6  (PC World)
> >
> > I have never been a fan of birthday-based and "secret-question"-based
> > systems.  Birthday data is widely available, and many "secret"
> > questions tend to have answers that are more widely available than
> > one might think.
>
> in point of fact, one of the other University of Cambridge Security
> Group papers at the same (FC10) conference was:
>
>  http://www.cl.cam.ac.uk/~jcb82/doc/fc2010_name_guessing.pdf
>
>  Joseph Bonneau, Mike Just, Greg Matthews: What's in a Name? Evaluating
>  Statistical Attacks on Personal Knowledge Questions 
>
>      Abstract. We study the efficiency of statistical attacks on human
>      authentication systems relying on personal knowledge questions. We
>      adapt techniques from guessing theory to measure security against
>      a trawling attacker attempting to compromise a large number of
>      strangers' accounts. We then examine a diverse corpus of real-
>      world statistical distributions for likely answer categories such
>      as the names of people, pets, and places and find that personal
>      knowledge questions are significantly less secure than graphical
>      or textual passwords. We also demonstrate that statistics can be
>      used to increase security by proactively shaping the answer
>      distribution to lower the prevalence of common responses.
>
> > I usually suggest that when there's a concern, secret questions
> > should be answered with anything memorable other than the
> > "real" answer.
>
> Indeed so, setting your mother's maiden name to 6fdg$Gk4 will improve
> your security posture considerably
>
> - -- 
> Dr Richard Clayton                         <richard.clayton () cl cam ac uk>
>                                  tel: 01223 763570, mobile: 07887 794090
>                    Computer Laboratory, University of Cambridge, CB3 0FD
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPsdk version 1.7.1
>
> iQA/AwUBS2LjlpoAxkTY1oPiEQJKtACeMBKnOquMSimum1V77Gbf0soCsXYAoMqU
> s1fcqrpp83nNpFczzFAzEV//
> =qwVC
> -----END PGP SIGNATURE-----


-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com