Monday, April 25, 2016

Compromise of,Credit Card Numbers

Recently FireEye published an intelligence report stating that a previously unknown cybercrime group has hacked into numerous organizations in the retail and hospitality sectors to steal an estimated 20 million payment cards, collectively worth an estimated $400 million on the "cybercrime" black market.

To a near approximation, all credit card numbers more than a few months old are,public. The market price has dropped to pennies. We are all equally targets of opportunity. That any one of us has not been a victim of fraud is mere chance. They have so many that they simply cannot get to us all.

The brands are at fault for marketing a broken system, one that relies upon the secrecy of credit card numbers but which passes them around and stores them in the clear. Their business model is at risk. They have technology, EMV, tokenization, and checkout proxies, but the first is too slow for many applications and they are not promoting the other two to merchants or consumers.

Issuers take much of the fraud risk. They are attempting, with some short run success, to push this to the merchants.  However, with merchants and consumers, they share in the risk of our broken system.

As the referenced report suggests, bricks and mortar merchants, particularly "big box" retailers and hospitality,  are finding that both issuers and consumers are blaming them for the disclosure of the numbers. Issuers are charging back fraudulent transactions. and suing merchants for the expense of issuing new cards after a breach. Their systems are being penetrated and numbers ex-filtrated wholesale. Point of sale devices are being compromised, or even replaced, to capture debit card numbers and PINs. These are used to produce counterfeit cards.  Some of these are used to,purchase gift cards or get cash at ATMs. Merchant brands have been badly damaged by bad publicity surrounding breaches. While most of these merchants can resist compromise, there are more than enough to guarantee that some will fall. Merchants can reduce fraudulent transactions by preferring mobile, EMV cards, and by checking cards, signatures, and IDs but all but the first slow the transaction and inconvenience the customer.

Online merchants are the target of all kinds of "card not present" scams and take the full cost of the fraud. While it will not stop the fraud, the online merchants can both protect themselves and speed up the transaction by not accepting credit cards and using only proxies like PayPal, Visa Checkout, Apple Pay, and Amazon.

While, at least by default, consumers are protected from financial loss from credit card fraud, the system relies heavily upon them to be embarrassed by it.  At least on court has agreed to hear evidence as to whether or not consumers as a class are otherwise damaged when their card numbers are leaked to the black market.

All this is by way of saying that as long as anyone accepts credit card numbers in the clear, we will be vulnerable to their fraudulent use. There are now alternatives and we need to promote them, not simply tolerate them. Think numberless, card-less, and contact-less.

Monday, February 29, 2016

Encryption and National Security versus Liberty

In the 1990s, in what might be called the first battle of the Crypto War, the government classified encryption as a munition and restricted its export.  While opposing export in general, the government was licensing the export of implementations that were restricted to a forty bit key.  Of course, 56 bit was then the norm and, at the time, expensive for the NSA to crack.  

IBM had just purchased Lotus Notes and wanted to,export it.  In order to get a license, they negotiated an agreement under which they would encrypt 16 bits of the 56 bit message key under a public key provided by the government and attach it to the message or object.  This would mean that while the work factor anyone else would be 56 bits, for the government it would be only 40 bits.

Viewed today, 40 bit encryption is trivial; twenty years ago it was strong enough that, while the government could read any message that it wanted to, it could not read every message that it wanted to.  Said another way, it would be able to do intelligence, or even investigation, but it still would not be able to engage in mass surveillance.  

Moreover, we believed that the NSA only collected,traffic that crossed our borders, that it could not be used against citizens.  We believed that the government could keep,their private key secure. Of course, post "warrant-less surveillance," the routine breaches of government computers, including those of the NSA,and the exponential growth of computing power over a generation, this all seems very naive.  

However, I like,to think that it illustrates that it is possible to craft solutions that grant authorized access to the government, with a work factor measured in weeks to months per message, file, device or key, while presenting all,others with a cost of attack measured in decades or even centuries.   

It also illustrates the fundamental, application, and implementation-induced limitations of any such scheme, limitations that would have to be compensated for.  No such scheme will be fool-proof, nor need it be.  Like our other institutions and tools, it need only work well enough for each intended application and environment. 

Monday, February 22, 2016

US v. Apple

SUNDAY: Comey tries to downplay the dispute, arguing in his new statement that no precedent would be set if Apple would just go along.
"I hope folks will take a deep breath and stop saying the world is ending, but instead use that breath to talk to each other," he said.
"Although this case is about the innocents attacked in San Bernardino, it does highlight that we have awesome new technology that creates a serious tension between two values we all treasure — privacy and safety," he said, adding:
"We simply want the chance, with a search warrant, to try to guess the terrorist's passcode without the phone essentially self-destructing and without it taking a decade to guess correctly."
This sounds like capitulation to me. If this is now about the "victims," then the government made a serious mis-step in attacking Apple in the first place. However, the government's current position does not support a charge of "government over reach."
The issue of how far the government may go in coercing the unwilling and the un-involved to assist them in recovering evidence that they are otherwise entitled to is important and needs to be litigated. We should be glad that Apple is prepared to fight it. Perhaps not since Runnymede has the King had a more formidable adversary. However, this is not the right case to fight it on.
There is ample precedent for un-involved citizens to voluntarily assist the government. It would not be precedent setting for Apple to voluntarily assist with this one mobile in this one case. Apple should "declare victory and go home." It should do here what it can do and fight the government over reach issue when the government is more certainly guilty of it.

Monday, November 23, 2015

  • Recently the media has reported that, as the result of a gross failure of security at the U.S.  Office of Personnel Management, the service and security records of twenty-seven million Americans have been compromised, likely by a foreign power. The compromise of these records has broken faith with these brave Americans and put them at risk of every thing from credit fraud to coercion, blackmail, and extortion, More recently the reports have noted that these records include the fingerprints of the subjects of the compromised records and have speculated wildly about the risk that result from that.  

  • The real risk here is not that these fingerprint records can be used for impersonation but that they might be used for identification (for example of covert operatives) (from latent prints). Impersonating someone from a picture of their fingerprints is similar to impersonating them from a photo,of their face. Possession of such an image is useful but far from sufficient. 


      • The real risk here is not that these fingerprint records can be used for impersonation but that they might be used for identification (for example of covert operatives) (from latent prints). Impersonating someone from a picture of their fingerprints is similar to impersonating them from a photo,of their face. Possession of such an image is useful but far from sufficient.


          • We use four kinds of evidence to authenticate a claim of identity, something only one person knows, e.g., pass-phrase, is, e.g., visage, fingerprint, has i.e., custody, e.g., unique keys, tokens, or can do, e.g. speech, signature dynamics. Since all of these have fundamental limitations, we use them in combination such that one compensates for the limitations of another
        • We use four kinof evidence to authenticate a claim of identity, something only one person knows, e.g., pass-phrase, is, e.g., visage, fingerprint, has i.e., custody, e.g., unique keys, tokens, or can do, e.g. speech, signature dynamics. Since all of these have fundamental limitations, we use them in combination such that one compensates for the limitations of another.While it is somewhat counter-intuitive, biometrics are no less limited than the the other three Their fundamental limitation is that they can be copied and fraudulently re-used. We use them more for convenience than security. We use them in combination with other mechanisms in systems of strong authentication.
          Such demonstrations, in and of themselves, do not represent a risk. I am confident that no one is using such an attack against my mobile because I have custody of it. Touch ID, much like the PIN for which it may substitute, is used to resist the fraudulent use of the lost or stolen mobile only for,the short time until its loss is noticed and the phone disabled.
          Note that an attacker only gets five chances to spoof Touch ID and ten to,guess the PIN. Then my mobile erases,itself
          .

        • For example, while the ability to spoof Touch ID might be useful in gaining access to,the content and capabilities of my mobile, it is far from sufficient. First one must have the phone. While there have been demonstrations of retrieving latent prints using gelatin and using them to fool biometric system, that is an easier problem than trying to go from a paper record.

        On Resisting Payment Fraud

        A recent report suggested that credit card numbers captured by malware installed on point of sale devices at hospitality sites, including twenty at  Starwood Property Group hotels, are being used in fraudulent transactions.  The Verizon Data Breach Incident Report (DBIR) confirms that point of sale devices at hospitality sites frequently leak credit card numbers.

        But there is no shortage of compromised credit card numbers; their street price is approaching a dime a dozen. It is too late to address fraud by  keeping credit card numbers secret. We need a new strategy, similar to those being promoted by American Express and described by Ken Chenault at President Obama's Conference at Stanford University.

        Chenault told the conference that by confirming every card transaction to the customer's mobile, they are able to detect fraudulent transactions within sixty seconds. This is just one example of how we can use the mobile to resist fraud.

        American Express also confirms transactions by e-mall. In order not to overwhelm the mailbox, the customer can set thresholds. One switch is the "card not present" switch. If as expected mobile transactions and EMV cards drive fraud to CNP then the ability to detect fraud early, for example, before goods are shipped, will be key to,resisting fraud.

        We need a strategy that relies not on secrecy but on feedback. The default should be that the subject of a record be notified of any change or query to that record, that the owner of every account be notified of every transaction. The digital,networks not only make this possible but cheap enough to be efficient.

        Needless to say, the lobby of the credit reporting industry that is empowered by law to charge the consumer for telling him about the content of and activity to,his record will resist this strategy. Legislation will be required to change this but it is essential to to resisting application fraud.

        On the other hand, American Express and its competitors are embracing it. Even bankers are embracing it. My little three branch community bank uses SMS to notify me intra-day of all large (as defined by me) transactions to my account.

        Eventually competition and efficiency will force most enterprises to adopt these tactics. You can make it strategic rather than merely tactical

        Monday, November 16, 2015

        Lessons From the J P Morgan Chase Breach

        A recent report suggested that the J P Morgan Chase breach teaches us the importance of encryption.

        We know that information was recovered in the clear. What we do not know is whether encryption would have been effective in protecting it or even whether it was used but was not effective.

        What we do know is that the credentials of authorized users were compromised and used to access the data. Authorization to the data includes the ability to see it in clear text even though it might be stored in encrypted form.

        Encryption is not magic. It is a tool. Government propaganda to the contrary not withstanding, it is no more perfect security for the bank, than it is for the criminal.

        Encryption is used to restrict access to data at rest, for example on file servers, from those who do not have credentials to access the server. It is used to protect data in transit, for example user credentials, as they cross networks. Properly used, it is very powerful. It is not effective against those with the credentials, the authorization, whether legitimate or otherwise, to access the data.

        Are there many banks that are storing information in the clear that should be encrypted? Yes. Was JPMorganChase one of these? We do not know; that information has not been disclosed. Should all banks take to heart the lesson that they should be using encryption to protect data at rest? Yes. Does that lesson flow from the "breach" of JPMorganChase? No, but it does flow from the "attacks."

        What we do know is that of the thousands of applications and servers at JPMorganChase, fewer than a hundred were compromised and none of those were using strong authentication. So, the first lesson that I want banks to take from the JPMorganChase breach is to use strong authentication, particularly for privileged users of applications, databases, and servers. Without this, encryption is not likely to be effective.

        Strong authentication is policy at JPMorganChase and appears to have been effective where used.

        Security of the Internet of Things (Part III)

        As we said in Part I, "While the conversion of 'things' to malicious purposes makes for dramatic Hollywood scenarios,  most devices will not be vulnerable to either takeover or malicious use, much less both.  However, all those that are vulnerable to takeover can be exploited for their computer function or capacity. This function and capacity can be compromised and turned against the host network for a variety of attacks ranging from simple,spoofing through denial of service to brute attacks against passwords and cryptographic keys.  Moreover, the sheer number of things will dwarf the number of general.purpose computers. It is this that we will argue is the most serious risk."

        This risk results in part from the generality and flexibility of the "chips" used to implement the "things," the appliances.  Much of the design and implementation of the appliance will involve stripping away and hiding this gratuitous capability.

        It will result in part from the method chosen for installation, setup, initialization, administration, or to deal with implementation induced flaws or vulnerabilities. We have already seen a number of cases where the appliance itself, e.g., medication dispenser, worked as intended but the administration capability, dosage setting, was vulnerable to takeover.  The appliance function was purpose-built but the administration was done via capabilities, e.g., Telnet, ftp, optionally included in the underlying operating system.  This kind of gratuitous functionality, often included without proper consideration of its security or its impact on the security of its environment, the Internet, will dramatically weaken the Internet.

        This functionality will be used to mount denial of service attacks, spam, and brute force attacks against passwords and cryptographic keys. This is not speculation on my part; this vulnerability has been demonstrated and the attacks reported. This functionality will be included, in part, because developers and vendors are reluctant to give up control, realize that problems will arise in the future because consumers may look to them for remedies, and because it is cheap to do.  If the problem is in the software, we may just fix the software just like we have been doing in information technology for two generations.

        This is very different from the way that we have dealt with problems in traditional purpose built hardware-only appliances.  By default we have dealt with safety flaws in traditional appliances and other products with product "recalls,"sometimes by repair but even more often with replacement.  Often we have done this even where computer chips have been used.  We have simply replaced the chip.  We have not attempted to patch the software, either locally or remotely.  However, as "chips" have become cheaper and more powerful, we have succumbed to the temptation to treat them like personal computers.

        One must act locally but should think globally.  If one wishes to use the Internet, one should do so responsibly.  That includes not attaching weak, vulnerable, or even gratuitous capability to the Internet.  Problems will arise and we must deal with them but we should do so in the most conservative possible manner.  Consider the following strategies for fixing problems:

        • Replace hardware and software.
        • Replace all software and data (like iOS apps) from a secure server, recognized (VPN, public key) by the device.
        • Replace software only, retain data.
        • Patch software using a secure server.
        • Patch using remote control of function on the device.
        • Make patch available to owner to apply at his discretion.

        These are equal in terms of their ability to fix the problem. They vary in their economics.  However, they vary considerably in their security.  Even if the problem is limited to the software, in a world of cheap chips, replacing both as a package may be the most efficient way to repair it.  Moreover, as a strategy it can reduce the attack surface of the device to the minimum.