Saturday, September 25, 2004

AOL and Key Fobs

AOL announced last week that they would allow their users to protect their accounts with an additional layer of security by using an RSA device. The widget is probably the size of a matchbox and has an LCD that shows a multi-digit number that changes every minute or so. When you access AOL, you'll need (I think) both your usual password and whatever the display shows as its current code. This is a neat extra layer of security designed to protect against phishing or key logging attempts. If someone is watching your key strokes, the passcode is valid for only 60 seconds after use - pretty difficult to take advantage of.

There are a few flaws here though, which is a shame because (for the most part) we really need something like this to become widely available:

- You have to pay extra for the security - pricing looks to be $10 for the fob and then $1.95 or so a month extra. I've not seen many people want to pay extra for security - we've got too used to accepting what is there and dealing with it. Not enough people pay extra for firewalls, anti-virus software, anti-spyware software etc, so why will this be different?
- It doesn't work on all devices. For sure it won't work on Mac (I am pretty sure that RSA doesn't yet support OS X) and it almost certainly won't work on Linux.
- I had one of these RSA widgets (I'm pretty sure it was called a "DES Gold" key at the time) at Citibank and, every so often, it would get out of sync with the main servers at the centre and I'd need to call tech support to sort it out. I can't see that thrilling AOL who, given they still have millions of users, will find that, if it ever takes off, a surprisingly large number of people per day get out of sync - the law of averages and all that.
- Eventually the battery will go. Maybe it will take 3 years, maybe less. But it will go.
- There's another flaw I think, which probably doesn't apply to AOL, but does if, say, government were to want to use this. The key is not sufficient to digitally sign an XML document - a tax return or benefit claim perhaps - so as to secure it in transmission and provide non-repudiation and a guarantee that it wasn't changed in flight.

I am, though, pleased that AOL are giving it a try. It might make the technology a little more mainstream and that, in turn, might drive innovation that addresses the flaws. I've not heard that AOL are going to offer to federate the identity - i.e. offer the service to third parties - e.g. banks - but that will be needed if it's going to take off properly. $1.95 to protect your AOL account is one thing, but that much to protect your three online banks, your broker and perhaps even Amazon is probably a better proposition. And, that way, perhaps the banks would even pay for it as a service to customers and to reduce their exposure to fraud losses.
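To make the mechanics concrete, here is an added illustration (not AOL's or RSA's code; RSA's own token algorithm is proprietary, so this uses a public HMAC-based one-time-code scheme in the HOTP/TOTP style as a stand-in) of what the server side has to do: accept the code for the current minute, tolerate a little clock drift, refuse a code that has already been used so a keylogged or phished one cannot be replayed, and offer the two-consecutive-codes resync that the "out of sync" support calls in the post would involve. The seed and timestamps are constructed values.

```python
import hashlib
import hmac
import struct

STEP = 60           # the post says the display changes roughly every minute
DIGITS = 6
DRIFT = 1           # accept one step either side of server time (small clock drift)
RESYNC_WINDOW = 50  # how far a badly drifted token is searched during a resync


def code_for(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the step counter, truncated to decimal digits (HOTP-style)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def token_display(secret: bytes, token_time: int) -> str:
    """What the fob's LCD shows at the token's own (possibly drifted) clock time."""
    return code_for(secret, token_time // STEP)


class FobVerifier:
    """Server side: checks a code against the shared seed and rejects replays."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.offset = 0          # learned token-vs-server drift, in steps
        self.last_counter = -1   # highest counter already accepted

    def verify(self, code: str, server_time: int) -> bool:
        centre = server_time // STEP + self.offset
        for counter in range(centre - DRIFT, centre + DRIFT + 1):
            if counter <= self.last_counter:
                continue  # already consumed: a captured code cannot be replayed
            if hmac.compare_digest(code_for(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

    def resync(self, code1: str, code2: str, server_time: int) -> bool:
        """Help-desk style resync: two consecutive codes locate a drifted token."""
        centre = server_time // STEP
        for c in range(centre - RESYNC_WINDOW, centre + RESYNC_WINDOW + 1):
            if (hmac.compare_digest(code_for(self.secret, c), code1)
                    and hmac.compare_digest(code_for(self.secret, c + 1), code2)):
                self.offset = c - centre
                self.last_counter = c + 1
                return True
        return False
```

The `last_counter` check is what makes a watched keystroke worthless after the first use; the `offset` learned by `resync` is the piece that keeps a slow-running token usable without a support call every time it drifts a minute or two.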

6 comments:

  1. Anonymous, 9:40 pm

    Bit of a philosopher's stone isn't it, this hunt for technical authentication?

    Civilisation hasn't solved it to date, so technology isn't going to help either.

    And before you asked, I ain't letting government database my DNA without a fight.

    Who are AOL's core customers anyway? Isn't it American apple-pie-eating families? Why do they need security when the Patriot Act overrides it anyway?

  2. Anonymous, 7:46 pm

    A philosopher's stone, huh? I guess only in the Harry Potter kind of way rather than the alchemical version.

    As to civilisation not solving it for all this time and so technology not helping, you're right. After all, technology isn't involved in televisions, telephones, PCs, lighthouses, electricity or online banking (to pick a few).

    I'm surprised to find you posting online - how did you get your typewriter to do that?

    Alan

  3. Anonymous, 9:58 pm

    Tssk, sarcasm, the last gasp of the pointless.

    So run past us again your belief in technical authentication of the population?

    Still can't see your BNP electorate carrying round those fobs, even if it is a neat bit of RSA.

    ...and don't get me started on Rivest & Shamir, my typewriter doesn't have your humor.

  4. Anonymous, 3:31 pm

    agreed, sarcasm is terrible, but i can't speak in music.

    first things first, i'm not necessarily putting "technical" and "authentication" in the same space - at least not the way I think you mean, which is identification/authorisation/authentication.

    i'm on the page that says if we know who you are then giving you a token that helps to prove you are the same person that you were when we gave you the token in the first place, we're a step further ahead than where we were before. userid and password is base one, but not much good; userid, password and dynamic token is base two - further on but still not all the way there.

    aol are not much use to us in the UK - they probably still have 30 million customers in the US but perhaps 1 million or so in the UK - it's a long time since i checked their numbers (the last time was years ago actually when I owned the stock for a while). maybe they have fewer now.

    but my point is that the private sector is stepping up to say that phishing is bad and we need to find a way to stop it; a physical token in someone's hand is better than just userid/password.

    they're also saying that we need more security around access to services.

    maybe the next step is that i won't need 101 devices to access all the services that i need, but that these folks will collaborate. at home i've just consolidated my remote controls so that i have one for the lights, the video, the sound system, the projector etc. it's much better - why can't i have the same online? and a physical token is much better than one password.

    as to rsa, you're probably a lot smarter than me. all i know is that there is no better encryption standard known right now and even if it was the wonks at bletchley or gchq that invented it but rivest et al that took the credit, i don't see anything better. unless you mean the device, and i think i was clear on the flaws that i saw.

    does that help?

  5. Anonymous, 10:55 pm

    3 Questions:

    1 - Why can't a phisher phish the email address of a fob holder?

    2 - Banks etc use generic addresses for mailshots which are automatic, these machines, by definition, can't operate a fob (no fingers etc...). How can I trust a generic email from AOL to be true?

    3 - My friend Godel asks will and when will AOL claim 100% ownership and use of fobs by all of its customers, all of its customers' email accounts and all of its email account users? At this point will you claim it to be phish-free?

  6. Anonymous, 9:34 am

    ok, i'll have a go at these.

    1 - Why can't a phisher phish the email address of a fob holder?

    i'm absolutely sure that they could, although why i would care about getting someone's email address i have no idea. i could buy that (from a spam list), make it up (using lists of known domains and an alphabet programme) or just swipe it from various forums. i may have missed something, but what use is an email address?

    2 - Banks etc use generic addresses for mailshots which are automatic, these machines, by definition, can't operate a fob (no fingers etc...). How can I trust a generic email from AOL to be true?

    ah, now isn't that the point. you can't trust any email to be true. what the fob stops, or at least the way i think it works, is that when some Russian fraudster sends you a mail and it asks you to type in your login details to a perfect replica of, say, the Barclays Bank website, you also need the RSA key. so the bad folk might get your userid and password, but the token from the fob is useless after 30 seconds or whatever, or maybe it's 2 mins. can they use it? sure, if they're quick or using some automated tools, but it increases the sophistication required and reduces the odds. i've posted before about phishing and what i think is needed to help stop it, and RSA wasn't it - but it all helps.

    3 - My friend Godel asks will and when will AOL claim 100% ownership and use of fobs by all of its customers, all of its customers' email accounts and all of its email account users? At this point will you claim it to be phish-free?

    i don't think it's about AOL and 100%. it's about someone in the private sector stepping up and hopefully it making a change. your question is a bit like asking when will linux have 100% of desktops. it doesn't need that to have an impact. or does it?
