Secure Coding mailing list archives

"Bumper sticker" definition of secure software


From: vanderaj at greebo.net (Andrew van der Stock)
Date: Mon, 24 Jul 2006 16:24:12 -0700

NB: I am not speaking on behalf of my employer and this is my  
personal opinion.

Banks in general do not use smart cards as they suffer from the same  
issue as two factor non-transaction signing fobs - they are somewhat  
trivial to trick users into giving up a credential. Connected keys  
are the worst - they induce laziness in the user and infer security  
which is not actually there.

Smart card integration over web apps is non-existent. The HTTP 1.1  
protocol does not support two factor transaction signing nor smart  
cards in general (unless you are just using SSL with a client-side  
cert, which is just as vulnerable as a normal IB app today if the  
attacker chooses a CSRF attack). Therefore, you need *something*  
extra to make 2FA USB fob authentication work. RSA has an ActiveX  
plugin (Keon WebPassport) which works great in an Intranet  
environment where you control all the resources. However, such  
solutions have a support overhead, lock users into just the Win32  
platform, and lock out pretty much any site that blocks ActiveX  
controls on their PCs.

Here's why such devices will not fly:

*) costs money to ensure that the crypto is compliant with national  
and international standards
*) costs money to develop and deploy secure internal PKI and secure  
operational procedures to issue certificates for the devices. For the  
average institution, this is a lot of overhead.
*) costs money to deploy (need to send out software, instructions,  
device, smart card)
*) costs money to register users securely (is sending through the  
mail acceptable?) <- this step was stuffed up in the UK's Chip and  
Pin roll out, so we have an excellent data point already

http://www.theregister.co.uk/2004/09/16/chip_pin_crime_wave/

*) costs money to train users to only insert their smart card when  
your app is running and not just leave it in
*) costs money to support users when your software gets the blame for  
their user's support woes (whether true or not)
*) doesn't improve security if the user can just say yes.

The typical dialog for these things is "Please press Submit to pay  
Nice Person $100 using your token". If the app suffers from an XSS,  
why is this prompt safe? Can you trust "Nice Person" or $100?

Disconnected trx signing devices are simple, cheap, and have *fewer*  
costs. Note I do not say none of the costs, but it is significantly  
less and at least we don't trust the user's browser, the user's  
browser can be any platform (MacOS X, Linux, FreeBSD, Win95, XP,  
Vista), we don't end up supporting the user's desktop, and we don't  
need to train the users so much.

That's why smart cards will not be used if the Bank has done a proper  
side-by-side comparison, and compared the relative risk versus cost.  
Smart cards (and anything which requires platform support) are less  
secure, less trustworthy, take more effort, and cost more.

thanks,
Andrew

On 23/07/2006, at 3:42 PM, mikeiscool wrote:

No I disagree still. Consider a smart card. Far easier to use than the
silly bank logins that are available these days. Far easier than even
bothering to check if the address bar is yellow, due to FF, or some
other useless addon.
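The point made above about the "Please press Submit to pay Nice Person $100" prompt, and why a disconnected signing device is not exposed to it, is easier to see with a small model. The following is an added example and is not code from the original post or from any product it mentions; it assumes a toy device that shares a secret with the bank, a per-transaction challenge issued by the bank, and an 8-digit code the user copies from the device display, all of which are constructed here.

```python
"""Toy model of disconnected transaction signing (added example, not from the
SC-L post). The device never touches the browser: the user keys the
destination account and amount into it, and it returns a short code. The bank
recomputes the code over the transaction it actually received, so a transaction
altered in the browser (for example by injected script rewriting the form) no
longer matches the code the user produced."""
import hashlib
import hmac

# Constructed sample secret; in practice provisioned per device at enrolment.
DEVICE_SECRET = b"constructed-device-secret-0001"


def canonical(challenge: str, destination: str, amount_cents: int) -> bytes:
    """Fixed encoding so device and bank sign exactly the same bytes."""
    return f"{challenge}|{destination}|{amount_cents}".encode()


def device_sign(secret: bytes, challenge: str, destination: str,
                amount_cents: int) -> str:
    """What the disconnected device computes from the digits the user keys in.
    The MAC is truncated to 8 decimal digits so it fits a small display."""
    mac = hmac.new(secret, canonical(challenge, destination, amount_cents),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def server_verify(secret: bytes, challenge: str, destination: str,
                  amount_cents: int, code: str) -> bool:
    """Bank side: recompute over the transaction it received and compare."""
    expected = device_sign(secret, challenge, destination, amount_cents)
    return hmac.compare_digest(expected, code)


def demo() -> tuple[bool, bool, bool]:
    """Returns (honest accepted, tampered rejected, replay rejected)."""
    challenge = "48213907"  # constructed per-transaction nonce from the bank
    # The user intends to pay account 123456 the sum of $100.00 and keys
    # exactly those values into the disconnected device.
    code = device_sign(DEVICE_SECRET, challenge, "123456", 10000)
    honest = server_verify(DEVICE_SECRET, challenge, "123456", 10000, code)
    # Script in the browser page rewrites the destination before submission;
    # the code the user produced does not cover the new value, so the bank
    # rejects it regardless of what the page displayed to the user.
    tampered = server_verify(DEVICE_SECRET, challenge, "999999", 10000, code)
    # The same code cannot be reused under a fresh challenge either.
    replay = server_verify(DEVICE_SECRET, "48213908", "123456", 10000, code)
    return honest, not tampered, not replay


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True)
```

The contrast with a connected token is that here the signed values come from the user's own keypad, not from whatever the browser decided to show or send; the browser is merely the channel for an 8-digit code it cannot forge. A real deployment would also bind a sequence counter and a time window into the challenge, which this model omits.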
