——

AlphaCenttauri,

There is always a “next” attack scenario. The bad guys in Eastern Europe having to execute the kind of “Mission: IMPOSSIBLE” scenario you describe rather than just have a future victim’s browser touch an infected web site (e.g., via a successful spear-fishing attack) is a problem that our industry should be seeking to “create” rather than “solve”!

Note that this “dial-back” security technique also moves the fraud from a gray area of the law (UCC-4A’s language about “commercially reasonable” “security procedures”) to one where the law might be more clear (bank culpability for allowing a person with a heavy European accent to get them to change your registered phone number).

And how, exactly, do you propose that the bad guys even find out which phone number they are trying to change? One would presume that even an organization like PlainsCapital Bank would have its CSR insist that the impostor know what the current dial-back number is before they will change it to a new one. (And, who knows? They might even have the wit to *call* the current number to see if the real customer answers!)

At some point, the effort per dollar gets too high and the bad guys will move to some other crime. I am afraid that is as good as it gets in this Fallen world.

Like or Dislike: 0  0

On March 22 2010 you wrote:

> Why isn’t one of the banking committees
> in our federal government looking at some
> of these incidents?

No member (or their staffers either) of the House Committee on Financial Services’ Subcommittee on Financial Institutions and Consumer Credit with whom Authentify has met so far had previously heard of this problem, nor the member of the Senate Banking Committee’s Subcommittee on Financial Services either. As it happens, *Howard Schmidt*, Obama’s new cyber-security tsar had not heard of it before I mentioned it to him at RSA 2010 on March 4.

Congress would need at least 100X its current staff to be on top of all the emerging issues that people are sure they “ought” to be on top of. Until Congress expands its staff (and its budget) it behooves those of us with leading-edge awareness of emerging problems to simply go up the Hill and brief our elected representatives on them, rather than sit back and complain about what “they” are not doing. In a democracy, there really is no one here but us chickens! Refer to the NEWSWEEK article by Nick Allard, head of Barton, Boggs’ lobbying practice about how “We Need More Lobbyists”:

http://www.newsweek.com/id/233444

> How soon would a banking committee look at this issue?

It’s a long shot, but the Senate Banking Committee has already reported the current banking reform act out. It is now before the Senate and could (in theory) be amended. I don’t think this problem *should* be addressed via amendment without hearings unless I can get the American Bankers Association (ABA) to endorse our proposed solution. I will know more on Monday after our first meeting with them.

> Chris Dodd and Barney Frank really
> don’t care about the normal people.

How well do you know these gentlemen? I have not had the privilege, but I *have* seen Rep. Frank rage at financial services industry miscreants who richly deserved such treatment.

And, anyway, Chris Dodd is retiring so the person to go to on the Senate side is Sen. Chuck Schumer. I can tell you that at least his office has heard of the problem–God Knows, his state has enough victims! I hope to get in to share ideas with his staffer for his participation in the Subcommittee on Financial Services in DC this week.

Like or Dislike: 0  0

If I were a criminal and there were hundreds of thousands of dollars available if I pull off a successful scam, I would try to have your phone number changed in the bank records. I would even be willing to send a letter on official looking stationery in advance of my plan to empty your accounts, during the time while I am recording what you do when you make your legitimate bank transactions. I might even fax it from your computer. Then I would call you with the transaction you think you are making to have you enter your PIN. I can even record the tones from your phone when you do it. When the bank robocalls me at the new number I gave them to confirm the fraudulent transaction, I can confirm it. To have any phone confirmation, even if restricted to the most suspicious transactions, you would need a foolproof way of preventing the criminals from updating phone records that doesn’t prevent you from accessing your own account if you are at a different phone, or if your bookkeeper’s cell phone is stolen and your employees need to be paid.

Like or Dislike: 2  0

Our approach is documented at http://www.intercomputer.com.

Like or Dislike: 0  1

“Am non-geek, agree puppylinux DVD solution within reach but not easy reach.”
Anyone who wants Puppy Linux should try to find a geek to set up Puppy with Firefox and add-ons. After that, normal use is fairly straightforward. I like to imagine that, given instructions, even non-geeks can set up Puppy and Firefox if they put in the effort.

“Toshiba says their later-softmodems absolutely do not work with linux; had to buy hardware modem and get used to no dialing noises.”
That can be seen as a lesson: For the software developer, the needed changes would be relatively minor, being pretty much the same code with different interfaces to a different OS. But making the changes involves learning Linux and finding and learning a new development environment. Because Linux is a small market, that seems like too much trouble. This same issue is what malware authors face in trying to profit from their work, which is what gives anything other than Microsoft Windows a security advantage. The example is evidence that developers do avoid working on a secondary platform.

“Haven’t found capable linux screen grabber to capture/crop/etc. transaction details (know of one?);”
Actually, I prefer to see Firefox as the main program platform, with tens of thousands of add-on programs to choose from. For graphical screen capture I use “Shooter,” but one might consider something like “printpdf” or an on-line variant like “Web2PDF” or even just cut-and-paste to Google Docs or Google Mail.

“Yes, linux doable but a tad exasperating.”
Anguish is to be expected upon making any major change. Some things are actually better on the Puppy side, but mostly we just find different ways to accomplish our goals. Seeing Firefox as a program platform adds another level of opportunity to do things the way we want, opportunities which also work under Microsoft Windows.

“Matt’s PassWindow provides excellent security at very low cost making linux DVD unnecessary.”
Well, that is a claim and a conclusion. Sadly, there is no mechanical crank to turn and process the truth of such a claim. Security people tend to use old systems for a reason.

While I am not a protocol guy, I have been around cryptographic protocols for a while and have seen many failures. A deep understanding of protocol issues usually is a lot harder than it seems at first. For example, a serious protocol error recently was found in SSL (a protocol central to Web security), even after all this time and all the implementers who looked at it. Not too long ago, dongles and 2-factor auth in general were going to save online banking, a simple idea which also turned out wrong.

If we allow the possibility of infection, that is, a live bot calling home on broadband as we work, we are just daring the bot-master to find a way in. Such an “in your face” approach requires security protocols to be nearly perfect, something which cannot be proven. The better approach is to lose the bot.

Puppy Linux from DVD avoids the bot, resists the bot, resists infection, is easily reconstructed as clean, and is available now. We do not have to wait, and we do not have to trust a new protocol.

“Linux does not yet offer the ease of Windows+ PW+ software_breadth.”
Not only does Linux not have “software breadth” now, it never will. Puppy Linux right now is good enough for secure banking, email and browsing. Puppy seems to have almost accidentally collected all the tools needed to construct a more secure environment than current Microsoft Windows can possibly offer. Almost 93 percent of browsing occurs under Microsoft Windows. If the Microsoft approach to malware actually worked, there would not be a malware problem.

Although we often talk about insecurity in the context of a bot infection, that is really just a nod to the ubiquity of Microsoft Windows. The real problem is the infection. A hard-drive infection can be acquired by a single human mistake and remain in place until the OS is re-installed. Trying to attain banking security with a bot in place is a Windows-context recognition that we do not have tools to find every bot, and may not want the hassle of a re-install. Security argues for a different context.

We can accept weakness if we can avoid problems. And when avoidance just means doing the banking first, that seems more than good enough. But that only applies to Puppy from DVD, not Microsoft Windows.

Trying to live with the bot is the problem of Microsoft Windows. Avoiding the bot is the advantage of Puppy Linux from DVD.

Like or Dislike: 0  0

It’s up to the end-user to secure themselves. And like Health Insurance, once they reach the big scary point of self realization that they have to actually do something themselves, then they will do something themselves.

Like or Dislike: 0  1