back to article Brit firm PinPlus flogs another password 'n' PIN killer

The inventor who co-founded visual PIN company GrIDsure has become involved with another pattern-based authentication start-up in the hopes that the shoulder-surfer proof technology could replace two-factor authentication. His new company, PinPlus, does away with passwords and PINs by combining a method for securely delivering …

COMMENTS

This topic is closed for new posts.

the human factor

In a world where "password" and "123abc" are commonly used, perhaps PinPlus's advertising should be more along the lines of:

"Instead of remembering a password, you only have to remember to go straight across the top row of the grid"

7
0

Re: the human factor

I agree that people generally try to use really easily memorised passwords - and that has always been one of the problems with passwords. Another is that administrators have little real control over the strength of a password a user elects to use. Sure you can set up systems that insist on mixtures of characters, and you can also ban "dictionary" words, but you have little control over users who insist on having a password which say relates to them in some way that a hacker might guess, but the user has simply "disguised" it with 3s instead of Es etc. However the great advantage of a system like PinPlus (pin+) is that it can to a great extent police itself (you can set it to ban things like straight lines - which would prevent someone just choosing the top line) and it can guide the user to set up something really strong, yet easily remembered - because it's a brain-friendly shape or pattern.

0
0
Bronze badge
Thumb Up

Timeouts?

Given the number of times my RSA token code has expired by the time I've finished typing it in and the machine has spent a few round trips getting authenticated...

I hope this is not a time limited process.. OTOH it looks really good for things like ATMs

0
0
jai
Silver badge

Re: Timeouts?

ATMs? really?

i know people who have their ATM pin written down inside their purse/wallet. how do you explain to them that each time they use it, the numbers of the code are going to be different?

and sure only the simplest of patterns are going to be used. anything remotely complex is still too hard for the average person to remember (can you recall without looking the patten used in the example?)

1
0
Anonymous Coward

Re: Timeouts?

"Given the number of times my RSA token code has expired by the time I've finished typing it in and the machine has spent a few round trips getting authenticated..."

RSA tokens typically display 6 numbers, and take 60 seconds to cycle to the next code. They also show you how long there is till they change to the next code in a series of bars, each representing 10 seconds. So if there's 2 bars on screen, you've got 20 seconds before it moves to the next code.

How long does it take to copy 6 numbers?

1
0
Devil

Re: Timeouts?

"Given the number of times my RSA token code has expired by the time I've finished typing it in and the machine has spent a few round trips getting authenticated..."

Use an SID800 and plug the toekn into your usb port. hey presto all you need to enter is the token PIN the rest is taken care of.

This looks like a good system but what happens for the eventual... what was my pattern?

and obviously the patters drawn on a peice of paper under the keyboard.

I prefer the BOFH based idea, cattle prod attached to every phone, when I get a forgotten password/pin phone call they gt a shock, unfortunately my boss wont allow me implement it.

1
0
Paris Hilton

Never going to work..

The sad fact is, plebs have trouble remembering 4-digit PINs.

The great unwashed (girl with a croydon facelift??) are not going to be able to use this if it involves even the most miniscule amount of brain-work.

And many will complain "What's the point? Why can't I just use a password".

If a site like LinkedIn (their example) decided to use this, it'd be dead within weeks. Even I would complain that the login system was too convoluted and paranoid for its purpose.

The only organisation I could see adopting this would be something like MI5, where not understanding how to adopt a new authentication system is a sackable offence.. But one would hope they already have something even more convoluted and paranoid than this.

2
4
FAIL

I don't even know what my pin code is, my fingers follow a pattern that I can perform while very drunk and without my glasses. Online banking is a pain in the arse, because they jumble the numbers on the site.

Pattern recognition good idea, but if you watch the person put in the numbers I'm sure you could deduce which straight line or box of numbers they were picking from.

4
0

Guessing the pattern

guessing the correct pattern from one viewing is probably not easy given that the same number appears lots of times in the same grid.

The exception being ridiculosly simple patterns such as a straight lines, if the one time login comes out as 142432 and the top line reads 142432, then even if there are 12 other possible combinations on that grid attackers are going to try the straight line first.

Personally I would hope patterns like that would be blocked by the application when first setting up the pattern.

0
0
Silver badge

At least 15 years ago

there was a story (Tomorrows World) about a system using faces. The touchscreen shows a grid of (say) 9 faces. Your "PIN" is 4 of them. Of course each selection of 9 is different each time - including placement.

Given the low cost of screens nowadays, this is much more viable. To make it easier, maybe customers could supply their own pics ?

However as long as banks can palm losses off on customers, there's little incentive to change.

0
0

Re: At least 15 years ago

I remember the show, the original idea (IIRC) was that you would supply 4 face shots of people you know and the system would use image recognition to find photos others had submitted which were as close to your four pictures as possible (a nan who was a white women with blue tinged hair would be shown with 8 other old white women with blue tinged hair etc).

When you enter your PIN, you had to choose the right four faces one after the other each presented with 8 other similar faces where the correct face was in a random position each time. It worked on the idea that we are keyed to recognise a face we know very quickly, far faster than someone could memorize the right picture of in a grid of nine similar faces.

I suspect the problem was as you mention, partly screen technology and cost but also bandwith/storage, if you had to deliver 36 faces (9 faces x 4) everytime someone needed to use a PIN you would have had to have sent those images via the network since at the time we were all using magstrip cards which meant no offline transactions, or even transactions in places with limited bandwith or high latency. These days I suppose you could store the images on the chip.

0
0

Re: At least 15 years ago

Still going strong in the US; see http://www.passfaces.com/personal/index.htm and for corporate stuff, here: http://www.realuser.com

Invented by a Welshman, originally funded by JCB (yep, that JCB), and allegedly used by the US Senate for high security stuff

0
0
Silver badge

Re: At least 15 years ago

On another forum I use there's someone from Denmark (I think) who posted a pic of a system they use.

You've got a 9 x 9 grid with thicker bars marking out 3 x 3 boxes (like Sudoku) and you write your PIN in four of these, then fill in the empty squares with the numbers 1-9. All you have to remember is that your PIN is eg the top left numbers in boxes 1, 2, 3 and 4 or the four corners of the middle box or the first four digits, reversed on the bottom row or...

0
0
Thumb Down

Re: At least 15 years ago

Well, I've just tried the demo available at www.realuser.com. I hope a real system isn't like the demo 'cos it's rubbish. I tried logging in several times and every time my browser sent the same data to the server ... the number 000600100019.

The JavaScript doesn't even send the position of the pictures (which will change each time). This dumb application merely replaces digits with pictures. While this may be easier to remember, it is vulnerable to a replay attack as it's the same data every time.

0
0
Gold badge

There seem to be a lot of grumpy old sceptics on here. Battle-scarred troops from the trenches of IT no doubt...

However this looks like quite a nice idea to me. People find it hard to remember numbers, but with this, the bit they have to remember could be a smiley face, the letter J or a random squiggle - depending on taste. Whether you can manage to explain how it works to users is another matter of course. But at least it's something that's trying to be user-friendly, rather than relying on increasingly complicated strings for people to write down remember.

0
0
Silver badge

Yes, it sounds good.

I just had the shudder moment at the statement of "four patents pending". Yes, we get it. Seems to be today's version of "Endorsed by the secretary of $DICTATOR". You must have it.

0
0
Gold badge

When I see the phrase 'patent pending' in marketing stuff it always screams 'amateur' to me. We sell a product that's 10 years old, and the datasheet still claims that it's patent pending. Perhaps they're sometimes really really lazy down at the patent office? Or perhaps it's time to take that sad line out of your PR, that your customers really don't give a stuff about.

0
0

The problem is multiple PIN numbers

I have three credit/debit cards that require PIN numbers (most people I know have more). It seems insecure to use the same number for all of them, so I have three different 4-digit numbers to not only remember, but also to allocate.

So I did what probably everyone else does: I put them in my phone's Contacts carefully disguised as innocent phone numbers for the appropriate banks (just focusing on the last four digits). I ended up realising that this wasn't going to fool a halfway intelligent thief, so now I just put it in 1Password on my phone.

There isn't any single solution to this, of course. However, the sooner there is a tex/email notification of money withdrawal/spending on a card the better. Shops should like it because they can send email receipts thus getting the customer's email address, while customers will appreciate getting an email receipt (like in Apple stores) rather than a useless bit of paper.

0
0
Thumb Up

Re: The problem is multiple PIN numbers

I've got it even worse, as I have to know my wife's cards as well I have 5 PINs to deal with.

I've found this amazing new way to deal with the issue though, I "re"-"mem"-"ber" them.

People should give it a try, it's fucking awesome!

It also works for the log in details to various online banking services; 8 or 10 different sets of numbers and all I have to do is put in a tiny bit of effort!

0
3

Re: The problem is multiple PIN numbers - words easier?

As long as you can change the pin you can use a word to remember it, if you know your texting 12 key alphabet.

If you can't change it maybe you can reverse a word out of it?

3283 - DAVE

5646 - JOHN

2273 - CARD

7460 - PIN_

0
0
Anonymous Coward

um winfrasoft pingrid

Whoops,

see winfrasoft and their pingrid tokens

looks like we have two companies punting the same idea which one has the rights to the technology??

0
0
Silver badge

Re: um winfrasoft pingrid

PATENT FIGHT!

0
0
Happy

Re: um winfrasoft pingrid

hehe! Lawyers will be getting paid. winfrasoft show they actually have a patent so my money is on them

0
0
Anonymous Coward

flawed if delivered via webpages ?

The grids presented via a web page can be scraped from the website during the login process and when compared to the responses given over a period of time using differential analysis it is possible to easily discern the pattern the target is using.

it is i suppose better than passwords in that it takes a concerted effort to discern the pattern but worse than proper 2FA.

it is worth noting though this problem goes away if the grid is presented using a token or on a mobile phone, but then why would you use this instead of RSA or equivalent ?

0
0
Silver badge

Re: flawed if delivered via webpages ?

?or on a mobile phone?

No, it just means you have to scrape it from a different device.

0
0

Re: flawed if delivered via webpages ?

pin+ is intended to raise the bar over passwords or PINs, and we believe it's vastly superior to ordinary fixed user-IDs (which are of course "gone" the moment a hacker sees it or captures them) when used on web portals. If a user needs more security, he/she can always use pin+ on a separate device (phone?).

0
0
Anonymous Coward

Where is the code shown?

If it's just presented on the browser logon form when the user goes to a protected site / SSL VPN logon etc, then this IS NOT TWO FACTOR and should never be considered as a replacement for two-factor, because it's just "Something you know", and there's no "Something you own" involved.

1
0
Anonymous Coward

Re: Where is the code shown?

Looked at GrIDsure a while back. They don't call this particular approach "two factor authentication", but STRONG authentication.

0
0
Anonymous Coward

Re: Where is the code shown?

From the article:

"...in the hopes that the shoulder-surfer proof technology could replace two-factor authentication."

0
0

Re: Where is the code shown?

Is it perhaps time we moved on from the old idea of "two factor" - as let's be realistic, people don't like having to carry things with them, or even if they do, there usually comes a time when they've left the token or phone or whatever back at the office or in the wife's/husband's car. Perhaps the term "too fagged to.." authentication might be better? As in "I was too fagged to carry a hard token"? Also think about it - any secondary device which says "I'm me" can be stolen and the thief can pretend to be you. OK say it's a token with a 4-digit PIN. If that's key-logged and the token stolen, the thief can impersonate you. Similarly with a phone showing an SMS-transmitted one-time code in plain text. For a colleague who knows how to partly log in to your account, this could be a God-send if you leave your phone unattended on your desk. He starts to log in, using your email (which he knows) and gets the code showing up on the phone. What we really need is something less hardware based, like passwords, only better?

0
0

Possible attack?

They seem to be claiming that from the grid and the entered code you can't work out the pattern - this is true if the grid is a suitably randomised set of numbers with numbers occurring multiple times in different places etc, however surely all a MITM attacker needs to do to get the pattern, is display a grid with numbers set up such that you can identify which ones were selected (with 10 digits and the grid the size they suggest you'd need to do this 2-3 times, but that's probably not a big deal), and then you have the pattern...

1
0
Silver badge

Re: Possible attack?

They wouldn't need to display their own grid. If you can shoulder surf the grid and the input digits, you'd only need to capture a person's login a few times (maybe 3 or 4 at a guess) to deduce the pattern

0
0
Stop

Re: Possible attack?

Actually, a MITM attack works first time. The stupid JavaScript doesn't send the position of the pictures selected it sends the number assigned to each picture. When I tried it at www.realuser.com my browser always sent 000600100019.

0
0

Re: Possible attack?

pin+ only used six digits 0-5. No solution is going to be unhackable, but we reckon this makes life a lot more difficult for a hacker.

0
0

Five words

Man in the middle attack.

1
0
Thumb Up

Re: Five words

True, big issue as in Operation High-roller but reading Winfrasoft's solution they have a transaction verification which seems to solve this.

0
0
Anonymous Coward

The problem is paying out for PIN-related losses may be cheaper, both financially and in customer headache, than implementing another new system, especially as one which, on the face of it, is as complicated as this to the average Joe.

To gain market acceptance across the board, a new system needs to be:

1. No more complex to use than a 4 digit PIN

2. Significantly more secure than 4 digit PIN

3. Easy/cheap to adapt existing systems

4. Adopted by everyone

If it doesn't offer #1-3, it won't get #4, and so companies will put up with the accepted losses in the existing PIN system.

0
0
Anonymous Coward

Yes...

Witness how hard it's been / is being to make the American banks adopt Chip and PIN.

0
0
Anonymous Coward

Re: Yes...

Witness how hard it's been / is being to make the American banks adopt Chip and PIN

Actually slightly ironic, given that behind it was the biggest con job in card history. Chip & PIN isn't just about replacing the mag swipe with a chip, it also contains an interesting change of responsibility in payment authorisation, typically hidden in the 3 point sized light grey text on white background at the end of your contract.

Before Chip & PIN, the credit issuer was responsible for checking correct authorisation, which meant someone was supposed to actually look at the signature at the point of sale. In other words, the card issuer was responsible for the quality of the verification, so if the card got stolen it wasn't your problem legally.

After Chip & PIN, the card holder has to prove it was NOT them who provided a PIN or CCV number to confirm a transaction. In other words, if a card is lost or stolen you better notice it quickly, because it's only the bad press that stops a card issuer from refunding the stolen amounts. Contractually you're no longer in a good position, and given that you're the weak party to start with that is not exactly a positive development.

3
0
Anonymous Coward

Re: Yes...

@AC 13:15 - It's written into law that banks have to prove that the customer is liable for giving away their PIN, this doesn't mean that if their pin was used they are automatically assumed to have given it away, the banks have to prove it.

Strange that you don't see the obvious rebuttal in your conspiracy theory: Do you think that the banks in America would have fallen on this if it was about putting liability onto the customer, rather than actually being about security?

0
1
Silver badge

Re: Yes...

@AC 13:15 - One thing you can do to help yourself is to obliterate the CVV number as soon as you get a new card (after memorising it first ;) ). And watch out for any cashier who notices it's not there.

0
0
Anonymous Coward

Hmm...

Looks like a nice enough idea, but doesn't work if you're blind or partially sighted, so it's never going to be used. This is because an alternative will have to be offered (good old PIN pads), in order to comply with the disability discrimination act and no-one is going to support two separate authentication systems.

As an aside, it won't allow offline authentication, which would also be an issue.

1
0
Anonymous Coward

Also, maybe my maths is a bit rusty,

but if it's 6 digits each of which can only be one of 6 values, then were talking 6^6 combinations for the resulting passcode? = 46656 ?? Are they serious? They want to replace two-factor with a one-factor solution that could be brute-forced in next to no time?

0
0

Re: Also, maybe my maths is a bit rusty,

No brute force in next to no time if you get an account (permanently) locked after 3 attempts (like any debit/credit card) or temporary locked out like AD authentication.

The idea is good, better protection than 4 digit, not as good as 2 factors but as mentioned with 3 try, thieves will try first line, first row and top left to bottom right diag and will probably get throu half of the time.

If you enforce no-easy guess option, idiots will block their card 3 times a week...

The only way around it is to improve/upgrade the user :-(

0
0
Anonymous Coward

Re: Also, maybe my maths is a bit rusty,

The numbers in each grid are unique to each grid presented, the grid regenerates every 60 or so secs, so there is no 'direct' brute force method available, you have to use an MITM attack and grab the responses and the grids to extract the pattern.

0
0

Re: Also, maybe my maths is a bit rusty,

http://www.winfrasoft.com/ has been doing this for the past 2 years or so.

It strikes me as odd, he couldn't get Gridsure to work, but he expects to succeed with the same technology.

You cannot put a patent on a bleeding pattern. This is ultimately what killed off Gridsure because any man and his dog with a clue about coding and security could develop the same technology.

The pattern system itself is referred to as 1.5 factor authentication. Winfrasoft has some options in their portfolio that can make it 2 factor such as delivering grids to smart phones or texts to phones (i.e. Swivel).

0
0
FAIL

"GrIDsure simply didn’t have the right team ..."

How magnanimous of him. Of course it's was the "team's" failing.

3
0
Bronze badge

The approach also attempts to tackle the problem of hackers stealing large files of passwords or password hashes from insecure websites,

How? Surely it now has to store the pattern instead, so you just pick up the patterns from the insecure websites instead, and work from there.

1
0
Holmes

Great article

Thanks for the article. I looked into gridsure a while back but they didnt really have a product that we could use but we had to make our own. Looks like pinplus are trying the same thing, "here is a pretty picture, just spend 1 year of coding to make it work". Interesting business model, my bet it ll be as successful as gridsure.

Looking at winfrasoft though, they seem to have sdks, products and proper 2FA ready and waiting with a patent for whats its worth. Worth reading what they - they even have a token for my dodgy nokia from days of yore.

0
0
Happy

Input from Winfrasoft

Hi all forum users. The thread following that article has been interesting, especially as we were brought into it. This is not a product plug at all - this isn't the place, but we would like to clarify a few points.

We do have a product in the market which uses pattern based authentication via a grid/matrix which is available for use today; unlike other companies with just seemingly great aspirations. Our IP has had a patent pending which was filed in 2011 and is quite different to what GrIDsure had at the time; unfortunately the patent office isn't fast and these things take time! Our IP did underpin PinPlus until a year ago, however we would have to assume they have something of their own by now.

Our solution delivers:

- Proper grid pattern based 2FA via SMS or a soft token (on 6 app stores to date)

- OATH strength crypto and logic underneath the grid security

- Transaction signing / verification to thwart man-in-the-middle (SC Mag 2013 award finalist for this)

- Enterprise class authentication server which caters for things like account lockout, brute force protection, complex pattern security levels etc. The patterns are even stored as hashes in the DB to help maintain their integrity.

- The something you know AND the something you have are used together to produce a One Time Code, instead of entering the two factors separately.

FACT: Grid based authentication on a web page can never be as secure as 2FA. A reasonably determined attack can reverse a pattern given enough scrapes of the grid and a valid code (5 or 6 attempts generally). This is why in our implementation we call this feature 1.5FA so it is clear; it's better than just a 1FA password, but not as good as proper 2FA. However, for some situations it is more than good enough and we price it accordingly too.

Feedback from our customers is that their users find the system quite easy to use, even those with a “special class of user” (in their opinion). Simply put, humans find working with patterns easy and remembering passwords / PINs is difficult. Give it a try yourself, we have a demo site at https://www.winfrasoftbank.com/. Also feel free to check out our microsite for the technology at http://pingrid.org. feedback is always welcome too at info@winfrasoft.com.

0
0
This topic is closed for new posts.

Forums