Disconcerting Phish

Log Out | Lost Password? | Topics | Search | Who's Online Contact | Register | My Profile | SO home | MOL home

Thread Originator Last Poster Posts Pages Last Post   Closed: New threads not accepted on this page

Author Message   Rastro Citizen Username: Rastro Post Number: 2375 Registered: 5-2004 Posted on Thursday, February 23, 2006 - 2:47 pm:        I just received a very disconcerting phish "from" a bank I no longer use (Citibank). The email contains my actual address. So somehow, someone has linked my email address with my physical address. Time to check my credit report... ••••! I hate these people.   TarPit Coder Citizen Username: Tarpitcoder Post Number: 40 Registered: 12-2004 Posted on Tuesday, February 28, 2006 - 7:27 am:        That sucks Rastro. I worry about Phishing from the point of view of my mum. She's not very computer saavy and I know how a conversation about that would go: Mum> I got an email from the bank asking me to change my password - and I tried changing it but then they asked me lots of annoying questions I couldnt remember. Me>UhOh... Uh Mum - did you type any in? Mum>I don't know - it was so confusing Me>That might have been phishing mum. Mum>Fishing? What? I wasn't fishing. Me>Phishing is when someone impersonates someone else and gets all your information. Mum>But it said it was from the Bank! - and it was the Banks screen. Phishing is a *real* scary problem. The Creditcard companies are staying quiet on it because they don't want to face up to it. If you do some reading about it you'll see they are all just keeping their mouths shut. They don't want people to know how big a problem it is. About time they shipped out smartcards or other similar security tokens that you HAD to plug into the machine with a key on it that only they have. Of course with the occurance of multiple banks/credit cards misplacing backup tapes of all the account holders details I don't know if they could even keep the keys safe... Good luck Rastro. --Tarp   Tom Reingold Supporter Username: Noglider Post Number: 12665 Registered: 1-2003 Posted on Tuesday, February 28, 2006 - 7:45 am:        Fingerprint readers have become cheap, and perhaps retinal scanners are, too. If not, they soon will be. I got a phish claiming to be from Chase. I have a Chase account. I followed the link out of curiosity. I put in false login info. It refused my password the first time and accepted it the second time. This lets them believe with greater certainty the info I put in. The screens look very good. They've done their homework. This is very bad. They only need a very small percentage of people to bite for them to make lots of money.   TarPit Coder Citizen Username: Tarpitcoder Post Number: 42 Registered: 12-2004 Posted on Tuesday, February 28, 2006 - 8:02 am:        Tom, This situation is *really* depressing. We need to figure out a solution that isn't Orwellian. I'm not quite ready to give-up on this and have the three sets of six digits laser inscribed on my forehead. --Tarp   Tom Reingold Supporter Username: Noglider Post Number: 12667 Registered: 1-2003 Posted on Tuesday, February 28, 2006 - 8:24 am:        Are you saying biometric devices are a bad thing? Why? My fingerprint doesn't say anything about me except who I am.   TarPit Coder Citizen Username: Tarpitcoder Post Number: 43 Registered: 12-2004 Posted on Tuesday, February 28, 2006 - 9:03 am:        No - it's not bad. Lots of biometrics I have no problem with - it's the stuff like the ability to do an iris scan from 100 feet away thru glasses without anyone knowing it that is a little freaky. --Tarp   Gatica™ Citizen Username: Katracho Post Number: 283 Registered: 11-2002 Posted on Tuesday, February 28, 2006 - 10:05 am:        TarPit - you mean something like "Minority Report" where every single ad you pass reads your iris and says "Hello Mr. so and so, would you like a shot of Jack Daniels before you go into your office today?"   Earlster Supporter Username: Earlster Post Number: 1464 Registered: 8-2003 Posted on Tuesday, February 28, 2006 - 10:06 am:        Tarp, if you know of, or if you have invented an iris reader, that works from 40 feet throug glasses, give me a call. We will be rich! There are many issues with biometrics, but this isn't one. However, faces from 100 feet, is reasonably possible. With quite, the error rate however.   Gatica™ Citizen Username: Katracho Post Number: 284 Registered: 11-2002 Posted on Tuesday, February 28, 2006 - 10:29 am:        Tom, The problem I have with biometric "signatures" is that the best way for it to work is when the body is present to input the signature. The part that most concerns me about it is that, after the signature is entered, it is only bits flowing through the medium. Say we all get home fingerprint scanners to authenticate ourselves on our bank's website. Well, once you have scanned your fingerprint one time, those bits authenticate you on the website forevermore. OK, let's suppose someone intercepts those bits, either from your PC or from hacking into the bank’s website. The fingerprint scanner device is no longer needed if you have a device that will push those intercepted bits to the website. Then, it’ll be just like clear texting your SSN and DOB. It will no longet be private. Bottom line is, I don't trust the encryption algorithms or the banks to keep those bits 100%secure. I mean, they don't even know how to secure their data backups. Call me paranoid. I think am rambling.   Rastro Citizen Username: Rastro Post Number: 2414 Registered: 5-2004 Posted on Tuesday, February 28, 2006 - 10:50 am:        Tom, what one (or several) set(s) of ebay phishers were doing for a while (not sure if they still are) was actually authenticating the username and password in realtime. So you would type in your username and password on their fake page, and in the background it would attempt to log into ebay using it. If it came back incorrect from ebay, it would give you an error and ask you to re-enter it. Kinda slick. Gatica, exactly. If you are using a biometric to authenticate to a web site, the web site only sees the bitstream of your encoded signature (fingerprint, retinal scan, ear print [yes, ear prints are unique]) So if that bitstream is intercepted, it can be regnerated into an equivalent electronic signature. On a related note to my original post, my wife got a phish from the "IRS". It said that she was due a refund, and they just needed some personal info to confirm it.   Earlster Supporter Username: Earlster Post Number: 1465 Registered: 8-2003 Posted on Tuesday, February 28, 2006 - 12:42 pm:        Guys hold your horses, but FYI transmissions between your browser and web sites can be securly encripted. This is brand new technology, guess nobody really implemented this yet (oops, SSL?).   Eponymous Citizen Username: Eponymous Post Number: 116 Registered: 6-2004 Posted on Tuesday, February 28, 2006 - 1:05 pm:        Gatica, Say we all get home fingerprint scanners to authenticate ourselves on our bank's website. Well, once you have scanned your fingerprint one time, those bits authenticate you on the website forevermore. OK, let's suppose someone intercepts those bits, either from your PC or from hacking into the bank's website. The fingerprint scanner device is no longer needed if you have a device that will push those intercepted bits to the website. Then, it'll be just like clear texting your SSN and DOB. It will no longet be private. Worse, you can't get a new thumb or retina.   monster Supporter Username: Monster Post Number: 2244 Registered: 7-2002 Posted on Tuesday, February 28, 2006 - 1:10 pm:        Always ignore emails, they are all from the devil. Burn your eyes out, dip your fingers in acid, continously change your face with plastic surgery, take all your hair off with lasers, exfoliate vigouresly everyday and burn all the remnants or spray it with acid to destroy it, move to a shack in the woods that's off the grid, aaaahhhhhhh, aaaaaahhhhhhh, aaaaaahhhhhhhhhh excuse me, I was having a moment...   Rastro Citizen Username: Rastro Post Number: 2434 Registered: 5-2004 Posted on Tuesday, February 28, 2006 - 1:50 pm:        Eponymous, actually, IBM is working on an algorithm that would munge your fingerprint, and would allow for variants to be used for different purposes. So your fingerprint at your bank might not look the same as your fingerprint at your broker, or at the porn site that has your credit card on file. The idea is that if for some reason your biometric signature at one site was compromised, it would not affect the others, and you could simply create a new one for the compromised site. Earlster, the issue is not just being intercepted between your browser and the web site you're at. It could include an intermediary on your computer (similar to a keystroke logger) or the database that the signature is stored in at the company. Monster, you're starting to sound like Ligeti. Maybe it's time to go back to Bloo...   TarPit Coder Citizen Username: Tarpitcoder Post Number: 44 Registered: 12-2004 Posted on Tuesday, February 28, 2006 - 2:08 pm:        You just use a standard challenge response so the clear bits aren't flowing thru the network. Or more concretely: Host sends reader host cryptogram (let's say random number for our purposes) Biometric reader takes biometric measurement and uses it as a hash / polynomial factors to encrypt host cryptogram and sends back encrypted host cryptogram. (You could encrypt with your private key if you wanted too) Server takes biometric reading, uses public key in database to decrypt. Compares decrypted value with original challenge. If a match then your OK You don't obviously need to throw Public/Private keypairs in the mix but you get the idea. Eponymous - Trick question what's the difference between performing an iris scan from 30 inches vs 300 inches vs 3000 inches. Considering: αR = 1.22λ / D As for glasses - tougher but in question form: Are they opaque at all wavelengths ? ;-) --Tarp   Rastro Citizen Username: Rastro Post Number: 2438 Registered: 5-2004 Posted on Tuesday, February 28, 2006 - 2:20 pm:        Tarpit, regarding reading irises through glasses (actually, it's usually retinas), the preicision required to scan a retina at a distance would make it tough to discern whose retina is being scanned. As for glasses, I could see a large market for glasses with programmable retinal patterns embedded in them, opaque (or translucent/reflective) to the wavelength of the scanning laser.   monster Supporter Username: Monster Post Number: 2259 Registered: 7-2002 Posted on Tuesday, February 28, 2006 - 2:33 pm:        I can follow all of that perfectly well, except the trick question, does it have anything to do with geometrical and wavelength optics?   TarPit Coder Citizen Username: Tarpitcoder Post Number: 45 Registered: 12-2004 Posted on Tuesday, February 28, 2006 - 2:41 pm:        Rastro, It's kinda tough to read newspapers 50 feet away with the naked eye too. Not that I'm saying it's easy or the optics are cheap - but neither were the optics for oxcart or corona. --Tarp   Rastro Citizen Username: Rastro Post Number: 2445 Registered: 5-2004 Posted on Tuesday, February 28, 2006 - 2:54 pm:        Ugh.. I used to know the formalae for what is essentially the smallest resolvable "line" at a given distance, for a given wavelength. All my classical optics, out of my head and replaced by the theme from the Brady Bunch.   TarPit Coder Citizen Username: Tarpitcoder Post Number: 46 Registered: 12-2004 Posted on Tuesday, February 28, 2006 - 2:54 pm:        Monster yeah It got munged up in the paste. I was refering to the angular resolution of your telescope. our aR = 1.22 lambda / D. Where aR is radians, lambda is the wavelength your using and D is your aperture. I was *really* saying - It depends how good your optics are. I've heard that if you can afford decent optics then you can actually do this pretty well - and there are a lot of bucks being thrown at this kinda stuff in the current environment. --Tarp   TarPit Coder Citizen Username: Tarpitcoder Post Number: 47 Registered: 12-2004 Posted on Tuesday, February 28, 2006 - 2:58 pm:        I should probably qualify all the above with 'I've heard'. I'm (obviously) not an expert in Iris scanning. I've got no idea how much power they use and if atmospheric lensing causes problems. I do wonder if they can do it passively tho. ;-) Tarp   Rastro Citizen Username: Rastro Post Number: 2447 Registered: 5-2004 Posted on Tuesday, February 28, 2006 - 3:13 pm:        There are theoretical limits on what can be resolved at what distance (thanks TPC, that's what I was forgetting - good thing I have that degree in Optics) For example, no matter what people think, you cannot read a newspaper from a geostationary satellite. No way. It violates some basic laws of physics. And don't get me started on those "let me clean up the image" things that they do on TV all the time? Horse Hockey. You cannot get more information from a pixel than what is in that pixel and the surrounding ones. To increase resolvability, you typically need to increase the size of your optics (as per the formula TPC posted). You'll hit the diffractive limit for the optics, and the only way to get past that it to use bigger lenses or mirrors, or to do some computational heavy lifting with multiple scans of the same image. All this reminds me of a bad physics joke. "Gravity. It's not just a good idea. It's the law."   Eponymous Citizen Username: Eponymous Post Number: 118 Registered: 6-2004 Posted on Tuesday, February 28, 2006 - 5:55 pm:        Rastro, The problem remains (and I like Bruce Schneier on this) that if you rely on some bio-related key, what happens if that is cracked?   Earlster Supporter Username: Earlster Post Number: 1466 Registered: 8-2003 Posted on Tuesday, February 28, 2006 - 9:13 pm:        There are both technologies out there, retinal scanning and iris scanning. Retinal is very rare, iris is reasonably common, and will be a lot more wide spread as soon as some patent expiration issues are resolved. Retinal scanning can only be done at very close distance for the simple fact that you have to look through the pupil (kind of like a pinhole lens). I have worked with iris cameras that did a really good job at up to 15 feet without glasses, and a little closer with glasses. Those were very expensive cameras. Most iris cameras work at rather short distances (less then 5 feet). Resoloution is certainly an issue here, but with a very good lens, good lighting and a good imaging sensor I'm sure 30 - 50 feet will be possible. I don't think more will make any sense. For long range automatic surveillance there will be other biometrics used, like face and gait. However at those distances it will always be possible to disguise yourself enough to make face and iris not work anymore. 'Stealing' once biometric is a topic that is pretty heavily discussed in biometrics circles and their is a lot of work done, so that the original biometric image will not be transfered over the wire anymore. As for some trojan horse like stuff, that will always be a possibility for some of the cheaper systems, but the really good systems will hopefully not even store the biometric on your computer, but only on the device itself. Think biometric smart card.   Eponymous Citizen Username: Eponymous Post Number: 120 Registered: 6-2004 Posted on Tuesday, February 28, 2006 - 11:44 pm:        Earlster, Have you read Schneier's stuff?   Rastro Citizen Username: Rastro Post Number: 2456 Registered: 5-2004 Posted on Wednesday, March 1, 2006 - 12:16 am:        Eponymous, the point of IBM's research is that your bio data is munged at your end, sent over the wire, then "de-munged" on the other end. If it gets compromised, it's like your password getting compromised. You have to change it. But unlike normal biometrics, you CAN change it if it gets compromised. That's the point of the research.   Earlster Supporter Username: Earlster Post Number: 1468 Registered: 8-2003 Posted on Wednesday, March 1, 2006 - 7:59 am:        Scneiers most important observation is, that biometrics are not secrets, they are out there written right on your face, and you leave your fingerprint anytime you touch a glass of water. However some of his other points regarding where to store the biometric verification template, compromising it, etc. Are a little outdated by now and people have found ways to solve some of the important points that he mentioned. This article is 7 years old, when the biometrics industry and the whole computer security, PKI etc. industry was in it's infancy.   Eponymous Citizen Username: Eponymous Post Number: 122 Registered: 6-2004 Posted on Wednesday, March 1, 2006 - 8:33 am:        Rastro, Don't many uses of biometrics rely on scanning the appropriate part of one's body? If so, once an evil-doer has the scan, why does the munging matter?   Rastro Citizen Username: Rastro Post Number: 2461 Registered: 5-2004 Posted on Wednesday, March 1, 2006 - 10:04 am:        Eponymous, the point of munging is not to make your fingerprint tougher to steal. As Earlster says, it's out there on everything you touch. The point is that if it is stolen for your bank, your account is no less secure at your broker, or any other place you use it. And unlike a fingerprint, which you cannot change, if the bitstream is copied, you can genreate a new one for the account that was compromised.   Rastro Citizen Username: Rastro Post Number: 2462 Registered: 5-2004 Posted on Wednesday, March 1, 2006 - 10:06 am:        What I probably did not make clear is that the post-munged bitstream is different for each account you use your biometric for. So the pattern for your bank might be very different from the pattern for another account.   TarPit Coder Citizen Username: Tarpitcoder Post Number: 48 Registered: 12-2004 Posted on Wednesday, March 1, 2006 - 12:02 pm:        Rastro, I don't quite get this IBM bit munging. If I just use a standard smartcard style challenge response protocol, how does the bad guy get my key? It doesn't ever leave my card. The badguy could do differential power analysis to extract the bits from the card, but they shouldn't be able to snoop it out of the air (hopefully). --Tarp   Rastro Citizen Username: Rastro Post Number: 2472 Registered: 5-2004 Posted on Wednesday, March 1, 2006 - 2:09 pm:        TarPit, I agree. And the fact that I have three different SecurID devices (including one for my broker!) tells me this is where most practical people put value. For some reason, people think a fingerprint or other biometric signature is "more secure" because they don't think it can be stolen.