Wednesday, January 20, 2010

Do you have a spare $447,000 lying around?

Today's topic is not new news - the incident happened last July - but I've thought about it many times since hearing about it. This makes me ever more paranoid about doing any financial transactions online... I still do them just because it's so dang convenient, but I wonder how long the model that's in place (authenticated "secure" browser sessions) can continue to work.

Full details can be found in a Technology Review article, but the gist of this is that a construction company in Mountain View, California was liberated of $447K from its commercial bank account, while one of its employees was signed in to it.

You might think "oh someone got his password" - but the company had implemented what everyone thought was the Safe And Secure thing to do: the account was set up to not only require a normal password, but also a second, "one time" password that is generated by a small electronic device or card that the person logging in has to have in his or her physical possession (I have one that I use with my PayPal account).

Unfortunately, his system had been infected with a malware program that basically waited for him to sign into the commercial account, and then, while he was signed in, performed transactions in the background to withdraw and transfer the loot to several Bad Guy Accounts.

So - what to do? I'm going to sound like one of those magical round plastic disc things that everyone used to have, that had music on them (I think they were called "phonograph records") - I've said most of this before... But I feel reasonably secure in doing these things on my systems:
  • keeping antivirus software updated (I'm now using Microsoft's new and free Security Essentials on almost all of my PCs)
  • making sure the web browser is up-to-date
  • disabling scripting (JavaScript and ActiveX) in the browser. I use NoScript in Firefox, which lets me selectively enable or disable scripts on a per-site basis
  • keeping browser plugins and standalone programs such as Adobe Acrobat and Flash updated
  • using a one-time password device on all financial accounts that support it, in order to have the magic that's called Dual Factor Authentication. PayPal and eBay, as well as many other banks/institutions, support these, and sometimes a device that is obtained from one place can be used elsewhere - for instance, the Verisign device that I got from PayPal is supported by my credit union
I'll close by saying that I think some of my friends roll their eyes when I start yammering about these things - all I'll say is, "don't come cryin' to me when something very bad happens because you weren't taking precautions."

Hmmm, I think my Dad told me that, a long time ago.

Friday, January 1, 2010

GSM Phone Security - Not So Secure Anymore

Happy new year to everyone! Really. I would like to think it will be better than that last one!

This has been in the press recently: it's not trivial to do - a snoop needs about $1000 worth of equipment to accomplish it - but the security scheme that digital cell phones use - "GSM" - has been cracked. This means if you're an AT&T (don't get me started about that company!) or T-Mobile subscriber in the US, your calls can no longer be considered to be private. (Verizon, Sprint, etc. use CDMA technology, which is totally different from GSM.)

The researcher who published the technique is being lambasted quite a bit for doing it, but I believe his intentions are noble - as is so often the case in big business, companies are loath to do anything that costs them money and prefer to ignore Elephants In The Living Room until they're forced to do something.

Now, another blogger asserts that there's nothing to worry about, and that the phone companies will move to the stronger 128-bit encryption protocol (the current protocol is "only" 64 bit) - but it could be said that the publication of the decryption technique will at least hurry them along a bit, and even with that, who knows when this will actually be 100% deployed across the country?

While we're on the subject - the cordless landline phones I use in my home are Panasonic "DECT 6.0" phones - I got them at Costco, but DECT 6.0 phones are sold "everywhere". In theory my phones provide secured communications that can't be monitored, but I have seen mention here and there that some phone manufacturers don't enable the encryption that DECT provides. So when I order a pizza (mmmmm, Fast Pizza Delivery pizza!) over the phone and give them my credit card information, I really have no idea whether that conversation could be monitored by some crook with a sophisticated radio receiver (e.g. GNU Radio).

So for the moment, since I'm stuck with AT&T Wireless for the time being, and because I use DECT 6.0 phones at home, I have no assurance that my conversations are secure. You might say "well who cares - I have nothing to hide!" - well, how many times do you use your cell or home wireless phone to perform financial transactions with your bank, broker, credit card company,...?