Re: the personal data theft pandemic continues



ref:
http://www.garlic.com/~lynn/2006o.html#35 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006o.html#38 the personal data theft pandemic continues

for some additional drift related to being able to harvest personal
information and whether or not it represents a vulnerability, risk,
threat, and/or fraud potential.

here are a lot of past postings on account number harvesting
http://www.garlic.com/~lynn/subpubkey.html#harvest

and even more posts on general fraud
http://www.garlic.com/~lynn/subpubkey.html#fraud

.... basically being able to harvest (static) information and perform
fraudulent activities ... frequently as some form of replay-attack.

x9.59 included countermeasure to simple replay-attack ... i.e. simple
skimming/harvesting of readily available information and using it for
fraudulent transactions
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

another example is the recent news articles about cloning e-passport chips
http://www.garlic.com/~lynn/aadsm25.htm#9 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm25.htm#11 And another cloning tale

where there have been subsequent comments that e-passport cloning
doesn't represent a vulnerability (i.e. personal information may be
captured, but it supposedly isn't subject to exploits).

this is somewhat in light of recent items about similar cloning of
financial payment chip cards ... and "yes card" vulnerability

first a quicky comment about 3-factor authentication model
http://www.garlic.com/~lynn/subpubkey.html#3factor

* something you have
* something you know
* something you are

in the "yes card" vulnerability, the chip card represented "something
you have" authentication. it contained static information that is very
similar to what is found on a magstripe ... and the chip is
vulnerable to some of the same techniques used to harvest magstripe
information. then a counterfeit "yes card" chip card is built in
manner similar to creating a counterfeit magstripe card. presenting a
supposedly valid card is then a form of "something you have"
authentication.

supposedly the e-passport can be considered a form of electronic
surrogate passport. there can be a digital image, a name and a
passport number ... supposedly all protected from modification by some
form of cryptographic technique or secure hash.

if the threat model is the stealing and use of electronic passport
then the e-passport is a failure ... since it is easier to copy/steal
the e-passport information (compared to physical passport). furthermore,
the theft of a physical passport is frequently noticed and reported
.... while the "theft" of e-passport may not even be noticed.

however, the e-passport does provide a countermeasure to modification
threat model (i.e. altering information/picture on valid passport
and/or creating purely counterfeit passport with false information).

the lack of vulnerability, somewhat supposes that there is a (trusted)
human in the loop that reads the electronic information, looks at the
digital picture and compares it against the person standing in front
of them (basically a form of "something you are" or biometric
authentication).

the issue with the "yes card", was that the card represented purely
"something you have" authentication (whoever possesses the object is
authenticated). it does require a PIN ("something you know"
authentication) for supposedly multi-factor authentication
and as a countermeasure to lost/stolen cards.

however, a fault in the "yes card" scenario was that the terminal
would authenticate the (potentially counterfeit) card (with static
data vulnerable to replay attacks) and then asked the card if the
correct PIN was entered. the counterfeit "yes cards" were programmed
to always respond "YES", that the correct PIN was entered. Slight
additional digression on "yes card" and multi-factor authentication,
supposedly multi-factor authentication is considered more secure based
on the different authentication factors having independent threats and
vulnerabilities (which isn't valid if they have common threat/attack).

supposedly the countermeasure to the "yes card" "replay attack"
exploit (using static data authentication) is to convert to dynamic
data authentication (DDA; i.e. changes on every use). However, there
may still be a man-in-the-middle vulnerability (MITM-attack)
http://www.garlic.com/~lynn/subpubkey.html#mitm

where a counterfeit "yes card" is paired with some valid card, the
counterfeit "yes card" transparently passes the authentication
operation to a valid card ... but then takes control of the remaining
interactions. as an aside, this somewhat was the motivation for the
"naked transaction" thread mentioned earlier (i.e. straightforward
"something you have" card authentication separate from the actual
transactions and business processes opening gaps for MITM-attacks).

a few recent posts discussing "yes card" vulnerability, chip cloning, etc:
http://www.garlic.com/~lynn/aadsm22.htm#34 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#39 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm23.htm#20 Petrol firm suspends chip-and-pin
http://www.garlic.com/~lynn/aadsm23.htm#25 Petrol firm suspends chip-and-pin
http://www.garlic.com/~lynn/aadsm23.htm#27 Chip-and-Pin terminals were replaced by "repairworkers"?
http://www.garlic.com/~lynn/aadsm23.htm#30 Petrol firm suspends chip-and-pin
http://www.garlic.com/~lynn/aadsm23.htm#55 UK Detects Chip-And-PIN Security Flaw
http://www.garlic.com/~lynn/aadsm24.htm#0 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm24.htm#1 UK Detects Chip-And-PIN Security Flaw
http://www.garlic.com/~lynn/aadsm24.htm#2 UK Banks Expected To Move To DDA EMV Cards
http://www.garlic.com/~lynn/aadsm24.htm#27 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#29 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#30 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#31 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#32 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#43 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm25.htm#4 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm25.htm#9 DDA cards may address the UK Chip&Pin woes
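
The terminal logic described above, as an added toy model that is not part of the original post: it shows why static data authentication plus a card-judged PIN accepts a "yes card", why a fresh per-use challenge rejects a simple replay, and why a counterfeit paired with a valid card still passes. The names, the account value and the key are constructed, and HMAC stands in for the issuer and card public-key signatures of a real chip card.

```python
import hashlib
import hmac
import os

ISSUER_KEY = b"constructed-issuer-key"  # constructed; stand-in for issuer signing key

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def card_key(account):
    # Stand-in for the per-card private key a dynamic-authentication card holds.
    return mac(ISSUER_KEY, b"card-key|" + account)

class GenuineCard:
    def __init__(self, account, pin):
        self.static = (account, mac(ISSUER_KEY, account))  # never changes: replayable
        self._pin, self._key = pin, card_key(account)
    def read_static(self):
        return self.static
    def respond(self, nonce):
        return mac(self._key, nonce)
    def pin_ok(self, pin):
        return pin == self._pin

class YesCard:
    """Counterfeit built from skimmed static data only; says YES to any PIN."""
    def __init__(self, skimmed_static, paired_card=None):
        self.static, self._paired = skimmed_static, paired_card
    def read_static(self):
        return self.static
    def respond(self, nonce):
        # Without a paired valid card there is no key to answer the challenge.
        return self._paired.respond(nonce) if self._paired else b""
    def pin_ok(self, pin):
        return True

def terminal_accepts(card, entered_pin, dynamic):
    account, sig = card.read_static()
    if not hmac.compare_digest(sig, mac(ISSUER_KEY, account)):
        return False  # static data authentication failed
    if dynamic:
        nonce = os.urandom(16)  # fresh per use, so a recorded answer is useless
        if not hmac.compare_digest(card.respond(nonce), mac(card_key(account), nonce)):
            return False
    return card.pin_ok(entered_pin)  # the card, not the terminal, judges the PIN

def run_cases():
    real = GenuineCard(b"4000-CONSTRUCTED-0001", "4921")
    skimmed = real.read_static()
    return {"genuine/static": terminal_accepts(real, "0000", False),
            "yes-card/static": terminal_accepts(YesCard(skimmed), "0000", False),
            "yes-card/dynamic": terminal_accepts(YesCard(skimmed), "0000", True),
            "paired/dynamic": terminal_accepts(YesCard(skimmed, real), "0000", True)}
```

In all four cases the entered PIN is wrong; only the genuine card and the unpaired counterfeit under dynamic authentication are refused, because card authentication is not bound to the PIN check or the transaction that follows it.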