From: Shachar Shemesh (linux-il_at_nonexisting.hamakor.org.il)
Date: Tue 30 Dec 2003 - 08:30:31 IST
Arik Baratz wrote:
>I wish to comment about the stupid/lacking security.
>
>First, a description.
>
>3. To unlock the teller's terminal, you have to answer a
> challange provided by the terminal. The teller aids you
> by reading the challange to you and typing your vocal
> reply into the terminal. The challange is derived from
> a one-time-pad that you have filled out during your
>
>
This is not a one time pad. For one thing, it's not one time. This can
be more correctly called "broken zero knowledge proof". You must admit
that it does provide SOME protection from replay attacks.
Other than the name this analysis is, more or less, correct.
>1. Replay attack - the "1 time pad" I filled upon signup is
> 5x8=40 characters. Authentication is done based on the
> first few letters of the one time pad (I was never asked
> to provide a char farther than 5th) so it is 25 possible
> characters. If someone has been listening to 10 random
> calls they have a 33% chance of making it in the 1st try
> and 56% on both attempts, without guessing.
>
>
>
I'm not sure that part is correct. Did you take into account the chances
that some of those 10 calls I listened on will not yeild me new questions?
>2. The users are asked to choose hebrew names for the OTP.
> This increases the chance of success considerably. If the
> evesdropper can pick out enough characters they can guess
> at the responses, without resorting to social engineering
> notwithstanding. Some of the questions are damn right easy
> to guess - name of the city you were born? from a 26**8 =
> 2e11 possibilities this field is now only the number of
> cities in Israel (less than 1000, I think), with some
> large cities with a higher probability. Names are not
> much better. IMHO the strongest question is the name of
> the school attended, which is usualy not mentioned and
> doesn't follow any pattern, except the word "IRONI" (עירוני)
>
>
>
That's where the implementation is broken beyond the chosen security
level. This security is a constant tradeoff between needing the human to
remember the passwords and securing the authentication. I don't really
care about that level, because I'm not the one taking responsibility for
it. Everything I do over the phone is insured against identity theft.
A while back, however, I noticed that I get asked ONLY THE SAME 4
LETTERS THE WHOLE TIME!!!!!! This means that if I listen in to a single
call, and then call you ONCE, I have a 50% chance of breaking the
system. Like I wrote in the fax, I never got around to actually telling
anyone about it. I even worked out a scheme where I can do this
practically using only a cell-phone frequency scanner. I feel this
problem has been fixed, since.
The problem I have today is not that bad, but still negligant. When I
have to answer a question with one of the final letters, I have to
specifically say whether it's a final form or not. This gives Eve more
information about the word in question than intended.
>3. Sometimes they call you back. When they do, THEY ask YOU
> to identify yourself to THEM. Hilarious! When I demanded
> that they first prove to me that they are indeed the Y1,
> they put me on hold SO I CAN LISTEN TO THE HOLD MUSIC!!!
> which is very vulnerable to a replay attack.
>
>I think the system is not bad to begin with. If you are not
>paranoid enough to suspect a wiretap, you can disregard #1,
>although the size of the OTP is really small. I'd be happy
>with a longer one, from which you have to reply with 4-5
>letters. Even replying with two letters reduces the chance
>of a random attack from 9% to below 0.5%. The chance of
>someone reaching that stage is low, because they have to
>guess the 6-digit password first.
>
>
>
Answering two questions is a nice idea! I'll suggest it if/when someone
gets back to me. Increasing the size of the shared secret (that's what
it is) is nice.
>To counter point #2, you obviously have to disregard the
>stupid questions they ask you and invent your own scheme
>for filling up the OTP with random or pseudo-random data.
>My OTP does NOT have any hebrew words in it.
>
>
>
Please remember that humans are notorious for not remembering important
stuff.
Maybe you can remember a random sequence of characters, but most can't.
>And the 3rd point can be countered by refusing to supply
>the teller (or imposter) with any details that can aid in
>a MitM attack. Demand that they supply you with verifyable
>information. Put them on hold while you call and verify.
>I had them tell me the last two digits of my balance, which
>I could verify by calling back.
>
>
>
I usually force out of them the general reason for their call, and then
say "I'll call you back". It gets worse with their calling from a
blocked ID number, and not having a direct line to call back to. Someone
defenitely didn't get it on this one.
Shachar
-- Shachar Shemesh Open Source integration & consulting Home page & resume - http://www.shemesh.biz/ ================================================================= To unsubscribe, send mail to linux-il-request_at_linux.org.il with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail linux-il-request_at_linux.org.il
This archive was generated by hypermail 2.1.7 : Tue 30 Dec 2003 - 08:40:36 IST