Sunday, April 01, 2007

Phorget Phishing?

When you see news stories breaking claiming that over 45 million people have had their credit card details stolen, a reasonable first reaction would be to ask why you bother protecting your data on your home PC if some faceless corporate is going to make it available to anyone who checks in. We might as well all change our banking passwords to "slartibartfast" and be done with it. When that many people find their finances suddenly put at risk, in one go, there's bound to be news coverage. Google is carrying over 1,000 reports on the problem. Mainstream newspapers all over the world are reporting. It's not helped when the company spokesperson says “These figures only relate to what we do know. There is a lot more we do not know and may never know. We have identified two [computer] files that were removed from our UK system but we still do not know precisely what was in them" - otherwise known as "we haven't a clue." The BBC was told "that 100 files were moved from its UK computer system in 2003, and two files were later stolen." Even when the information, whatever it was, was stolen is less than clear: The company confirmed that information had been stolen from 45.6 million cards used in Britain and North America between December 31, 2002, and November 23, 2003. It did not know how many had been stolen for transactions made between November 24, 2003 and June 28, 2004. (both quotes sourced from the Times Online. According to the comapany's own SEC filing, they're unable to say "whether there was one continuing intrusion or multiple, separate intrusions." Maybe the login details were put on warez.ebuy.com and made available to everyone? Yet, happily, they are able to say, with a degree of certainty that is out of line with their earlier uncertainty, "Of the details stolen in both Britain and America, 30.6m came from cards which had expired at the time of the breach, while 15m were unexpired. Of those still valid, 3.8m had "masked" or encrypted information but 11.2m had clearly accessible data." The banking industry will reassure us, of course, by saying that the new Chip and Pin technology prevents this information being useful any more - but that's why increasing amounts of cardholder not present fraud and overseas use of stolen credit cards are being seen. Such news is certainly enough to make you wonder whether the fuss over home PC security is worth it. The Anti-Phishing Working Group reports 280,179 known phishing attacks in the 12 months to January 2007 with average monthly growth of about 6%. This is, of course, "reported" attacks. Who knows how many go unreported? Perhaps a better piece of data is the number of actual phishing sites (i.e. illegitmate, say, banking sites masquerading as the real thing) which ran to over 27,000 in January, down from a peak of 37,000 in October, but still up three fold from the total a year ago. December saw the first government branded phishing attack with an email, supposedly from HM Revenue and Customs, suggesting that you were due a tax refund (of either £70 or £170, reports vary). Indeed, there may be another circulating today (although given the date I'm wary of anything published today) that offers a refund of "J140", however much that may be. When I was first shown a phishing demo by SimonF, sometime around mid-2001, I was stunned by both the brazenness and simplicity of the process. A spoof Government Gateway website, cloned from the HTML of our very own, type in your userid and password, see a failure message (your details have been captured somewhere in the background) and you're bounced back to the main Gateway site - where you enter your details again, this time on the real site. With government userid and password details being necessarily complicated (long story), mis-typing them is incredibly common - it probably happens 1 time in 3 even now (the stats are tracked but I can't remember the exact ratio). At the time it wasn't that important - government didn't pay money out via the web and we figured you were unlikely to want to file my tax return (there was some concern about the potential for de-stabilising e-government by harvesting lots of account details and then sending random tax returns, either to cause a denial of service attack or just to cause extra work behind the scenes, but it seemed unlikely). Since that early example, attacks have become far more sophisticated, notwithstanding that many still don't manage the basics of grammar. Digital certificates were one answer to this problem, although browser incompatibilities, issuance difficulties and stability problems prevented them being part of the solution then. Physical tokens - USB devices - were another but many of the problems that afflicted digital certificates were apparent: did the user have USB (at the time it wasn't as widespread as now), was the port accessible (the idea of ferreting behind a desktop PC in a library or internet cafe wasn't seen as part of the e-government experience), issuance and so on. Both are now viable but rarely used, at least at the consumer level, solutions. Instead many financial services companies have gone for simpler solutions - pull down menus with, say, letters 2 and 5 of your secret word, multiple challenge questions (what is your dog's name, what is your favourite film and so on) with any 2 of 6 picked to allow logon. Bigger banks with richer customers have opted for DES-gold style one time password (OTP) devices. The hackers will work through these and will find ways to get the information they need. It's easier to see how they work the latter than the former - if they can capture the OTP and then use it right away, perhaps they can make a transaction happen before the customer knows; challenge questions that only give part of the password would seem harder, perhaps requiring multiple passes (although doubtless some people if asked to enter the entire word will still do so). But can we Phorget Phishing? It seems unlikely. A google search for the single word "phishing" gives over 23,000,000 results. Wikipedia says that losses are large: It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million USD. U.S. businesses lose an estimated $2 billion USD a year as their clients become victims.[38] In the United Kingdom losses from web banking fraud — mostly from phishing — almost doubled to £23.2m in 2005, from £12.2m in 2004,[39] while 1 in 20 users claimed to have lost out to phishing in 2005.[40] Getting accurate, current information is still challenging. But phorgetting phishing still seems out of the question - 6 years of questionable technology advance seems to have been matched by 6 years of better advance in the world of hackers, coupled with many, many more inexperienced users added to the internet mix. Technological, legal and educational responses will all have to work together to move this forward. At Simon Moores' e-Crime conference a year or so ago I challenged the security product industry to take a less technology and marketing centric view. I put up this slide (it's an ad from Wired magazine, probably December 2005 or January 2006) Firewall and security products always seem to be sold like this razor - 5 times more protection than you had before, 1 special new blade that chops out left-handed viruses with impunity, new breakthrough technology to do all sorts of things that you won't understand so we won't explain them to you. Product names have gone from version numbers (1.5, 2.0, 3.0) to annual updates (95,97,2000) to video game console lables (the new Norton 360 seems to have copied Microsoft's Xbox, though doubtless it means something clever like "all round protection", like some new kind of deodorant). What I want is to know that whatever product I have will "kill all known germs dead" - I don't care what they are, I just want to know that they're protected. And if I'm going to pay for daily, monthly or yearly updates, I'd like the vendor to take on some of the liability - if I get infected, whether for my own stupidity or because the product hasn't worked the way it's supposed to, then I'd like to be repaid for the damage. Insurance companies don't say, "sorry sir, you should have seen that the slope was steep and that the route was clearly marked as a black run and declined to descend; when you did and you broke your leg, you failed to comply with our policies". Why should I pay the fee but get no real coverage? Having seen, only a few weeks ago, a perfectly good (and accredited) up-to-date bit of virus protection software get tricked by a particularly malicious bit of trickery causing widespread damage, it does happen. Sadly, even Domestos has had to abandon its 50 year old slogan "kills all known germs dead" to say that it kills only "99 per cent of known germs". That will be advertising standards for you. At the rate of technology change, we need kills "all germs dead, known or unknown". But, in the meantime, with Vista vulnerabilities reportedlly being sold on the internet for $50,000 and up, we're going to have to pay more than a little bit of extra attention.

7 comments:

  1. Anonymous4:19 pm

    I came up with a solution to this some while ago. I'm particularly fond of solutions that implement the ways and means act, which is a method of my other uncle likes. My dad used to say, if you can't get the wicket get the man, and aside from cricket being more boring than my taste in clothes, it yields some interesting analogies.

    Anyway, I digress as usual. What happens is that aol, google, yahoo, and msn get together and form a new email system, whereby everyone has an account associated with their credit card.

    When you send an email the recipient's account is credited with, say, 10 pence, and your email system bounces without you receiving 10 in return. This is bypassed from big organisations that are well known and registered.

    In an average year, people send a few and receive a few, and the costs will cancel out.

    If however, you're a spammer. 6,000,000 ten pence pieces adds up, doesn't it?

    Ian

    ReplyDelete
  2. Anonymous10:41 pm

    I've just re-read my post and it's as clear as mud, as usual. So I'll clarify the design.

    Firstly your email is hosted somewhere, and that somewhere has a federated list of email addresses it owns, along with CC numbers to bill, or credit.

    You wish to send an email from Harry Source@gmail to Billy Destination@yahoo

    Mr Source's safemail client, Apple's iSafepod goes to the owner of his own email address, and says "I wish to send an email, entitled, 'fancy a beer this weekend,", 450 bytes, no attachments, to Mr Destination@yahoo"

    One of two things can then happen.
    1. gmail doesn't know who source is, and so tells him to F-Off.
    2. harry Source correctly logs into his own gmail email server with the request, and so Gmail contacts yahoo to ask how much to send an email to Mr Destination@yahoo, from Harry Source@gmail.

    At this point, Mr Destination, has already set up his email.

    Friends pay ten pence (just to deter people who've cracked the encryption,) which will be refunded when they read the message, because that's their settings in Outlook "Protect and Server" version.

    Businesses pay £1 to send the email. They may or may not get it back.

    Anyone else, pays £5, which may also be refunded, if they get on their trusted list.

    gmail sends this information back with a login token given by yahoo for this transaction, plus a login token it made up itself, back to Harry Source, whose email client is expecting them, and so then he sends the email to the login to yahoo's securepop via securesmtp, with the login token that yahoo gave back to him when he was told the price.
    He then gives yahoo, the gmail token gmail gave him as well, so yahoo can prove it's been given it.

    Yahoo then federates an announcement back to gmail, saying we've got the email, give us the ten pence. We'll refund it later if he says so.

    Harry's monthly account balance is debited, and Billy Destination's is credited.

    Later on, Billy reads it, and yahoo sends a refund message. (Or doesn't. This feature's optional, because for most people it doesn't matter. Harry gets his money back when Billy replies, via the reverse mechanic.)

    Tadah! WS-Federation at work, and I'll bet you guys all thought I wasn't listening when you were talking about OASIS standards.

    Of course, "safemail (tm)" requires a higher level of awareness by the IPs of who is sending the mails, but I can't see the FBI complaining about that.

    I

    ReplyDelete
  3. BillG agrees. what illustrious company you keep Ian

    http://www.microsoft.com/presspass/press/2004/feb04/02-24RSAAntiSpamTechVisionPR.mspx

    alan

    ReplyDelete
  4. Anonymous9:17 am

    This is amazing. Is someone from microsoft reading my emails?; because he agrees with me on the Linq stuff as well, we're getting it in visual studio 9, I've always thought that in-memory SQL queries would be very powerful.

    Maybe it's because we're both university dropouts, perhaps he's a resource investigator too.

    I'm beginning to think I have friends in high places without me knowing it, though I've never forgiven him for MSDOS. (I was a CPM systems man myself.)

    Maybe I should go into product development consultancy.
    "Ian and his wacko ideas Ltd." or "Far alongside of his own time ltd." LOL!

    Ian

    ReplyDelete
  5. Re: the TK-Maxx Identity Heist.

    Ammusingly, given the circumstances, TJX, as they known in the states (or TJ-Maxx, I believe) posted a variety of open letters to there customers in the UK press.

    The full page spread on page 50 of the Sun (no I'm not normally a reader - it's the step-father in-law's copy, of course) of Saturday the 31st of March has these important points to make:

    "We truly regret that this has happened. But we want you to know these facts:

    * No TK Maxx data was included in the data that we believe was stolen relative to approximately 45.7 million payment cards used in transactions in North Armerica.

    * Personal Identification Numbers (PINs) were not compromised in the intrusion at TK Maxx. We do not store PINs at TK Maxx, and they are encrypted when entered at the PIN pad in the store."

    A number of items disturb me about the above quotation, but in particular two points, firstly, it is good to know no TK Maxx data was stolen, that must reasure the customers no end, secondly, by saying PINs were not stolen - it implies everything else was, card number, expiry date, name, security code, the lot - apart from PIN (lets go online & telephone shopping !).

    Frankly if I was one of the possible victims I would be concerned by the apology offered, and the issues it raises further about the heist.

    ReplyDelete
  6. Anonymous9:21 am

    Yes.

    I agree. However, I believe the american government could reduce this problem dramatically if it wanted, with just a bit of Sarbanes Oxley type regulation.

    All they've got to is
    1. mandate that credit card details aren't held, by retail companies that deal with america.

    Each billing once initiated, could return a guid, and all interaction after the initial auth transaction uses the guid instead of the card.

    I reckon Most card companies are more than capable of introducing this kind of enterprise service bus technology.

    It's not a complete solution, which will eventually be solved by biometrics, when the technology's mature, but it would certainly plug a few holes.

    Ian.

    ReplyDelete
  7. Anonymous5:27 pm

    I found this phishing tool that may be useful:

    http://www.download.com/BlueFur-Phish-Phinder/3000-2368_4-10668935.html

    ReplyDelete