14 posts • joined 19 Apr 2007
Still using Passwords!
Electronic eavesdropping negates the security of any fixed password, or Pa55wordz, so why bother? Until we use one time codes, ideally without hardware at all, like GrIDsure, we are going to be fighting a useless, losing battle!
But it has to be free to the end user, so someone has to pay for a secure solution, somewhere along the line.
Now that's something...
I would buy for a dollar.
Still using Username & Password?
Come on folks.
The hallowed pages of our Register have already hosted articles on alternative, much stronger methods of authentication - GrIDsure for example.
Why start off trying to make life easier & safer, then not do the homework? Fixed passwords & PINs are finished, they are dinosaurs. We are on the slope towards the second decade of the 21st Century, let's use something better. Even Paris could work that out.
Imagine this leak after the Biometric ID is in place...
So if the govt goes ahead and creates the National ID scheme, including Biometric details of each of us, they would have to be stored in a database, probably beside our names, or National Insurance numbers, or bank details, or the names of our children, or our addresses.
Then someone asks for a copy and it goes missing.
The Chancellor & APACs say not to worry, meanwhile I am cutting off my own fingers and gouging out my eye!
Not only is this a disaster, but further ID card schemes, especially Biometrics will only add to the problem.
Biometrics are just big fixed passwords that you can't change...
and are only ever as good as the security on the database which holds them. Break into that, and everything you are is gone - owned by the thief for ever. BECAUSE YOU CAN'T CHANGE IT.
This is a disaster waiting to happen.
Why the bank paid up
Of course the bank paid up.
It cost them a few grand - and the PR gets all of us saying, "Well that's OK then, nothing to worry about, I'm safe because the bank will give me my money back."
ID fraud and its results are being hidden behind a screen of PR like this. The banks will never tell us how much is being stolen because that would be admitting that there is a problem and they haven't done much to stop it.
Actually they should get real systems in place to stop ID theft and the resultant fraud. But that might cost them more in the short term.
Biometrics are just big fixed passwords that you can't change...
and as such they are only as strong as the database that holds them.
An OTP would be better but suffers from carrying around the hardware token, or the soft token on a mobile device. But if you use the GrIDsure technique, then you have no hardware cost, OTP and strong security. Just got to find out where I can get it.
I wondered about usability too
I have a number of comments to make, the first is that the Masabi application creates a reactive, transaction specific, out-of-band application for Authentication. That's a step up.
The second is that it still has strength even if both the computer and the phone are infected - nothing else can do that.
Thirdly, we now have a working demonstration of the GrID being spoken to the user, as the RNIB advised.
Fourthly, I too wondered about the usability of GrIDsure. So I explained the idea to my goddaughter, she is five years old. I made it a simple game for her, "Can you tell me the right numbers from that grid according to your pattern?"
She had no problem with it at all and ten minutes later explained it to her parents. When I saw her again last month, she was still able to use the same pattern that she had chosen a month before.
It is easier than you give it credit. Try it yourself a few times, you'll see it on the demo on the website.
Finally, GrIDsure is not a perfect solution, it's a technology which can be applied to solutions to make them easier to use & stronger. The job now is for the industry to find applications for the technology, so that we can all have easier, safer lives.
Bringing the problem into the light
The majority of our population do not think about the problems associated with ID cards or the potential of safe banking if money was spent - BECAUSE THEY HAVEN'T BEEN TOLD ABOUT THEM!
I can only hope that if a Tsar is appointed, the issue is shown to be the problem that it is, the public is informed and demands action.
As far as credit card fraud is concerned - have a look at the article on GrIDsure, also in this wonderful Register of ours. It takes a lot of the expense out of the equation.
Mobile Phone & Text Message
There are two ways that GrIDsure could be used for these auth's, including a mobile device. The first would be simply a time-sync with host and an applet on the mobile, so you open the app & a grid is on the mobile screen, then key in the digits into the ATM or PoS device. That would be like using a secure OTP Token, but even better, as even if the phone is stolen, the grid shown gives nothing to the thief.
The second would be to use transaction details sent to the mobile, which would wake the app, then be asked if the transaction is one you would like to carry out - are you really trying to buy this item from this vendor for this much? - If you say Yes, the transaction details can be used to seed the algorithm to generate the grid numbers. Then you take the numbers and key them into the browser.
That creates a reactive, transaction specific, out-of-band authentication. It also means that both the phone and the PC can have spyware and the system still has an amount of security.
What do you think?
Gentlemen, the mathematical study was carried out by Prof. Richard Weber, the Director of Cambridge University's Statistics Laboratory. The maths is sound.
The numerics 0-9 are placed into a 5x5 grid, therefore 25 cells, 2.5 repetitions of each digit. The PIP is selected by choosing 4+ cells, OR the same cell 4 times if you wanted.
Each time a challenge grid is shown to the user, he has a new sequence of numbers, which correspond to his PIP, the constant pattern.
There is always a chance of guessing the PIN of 1 in 10,000, if 4 digits are used. But it will be useless next time.
Duplication of digits & the partially sighted
The reason for multiple repetitions of the digits is to stop a shoulder surfer being able to get the pattern. If a 4 digit PIP is still used, then there would still be a 1 in 10,000 chance of guessing the PIN, but not the PIP.
The conversations have been had with the RNIB to get GrIDsure into formats capable for the partially sighted. Bloor have put out an article on just this subject.
The card is a way of remembering your PIN, GrIDsure is a means of creating a new PIN each time, just like using a token, but no additional hardware. You don't have a PIN anymore, just a shape to remember.
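The grid mechanism described in the two posts above (a 5x5 grid of the digits 0-9, a fixed pattern of cells, a fresh set of digits on every challenge, and the shoulder-surfing argument for repeating digits), together with the time-synced and transaction-seeded variants from the "Mobile Phone & Text Message" post, as an added Python sketch. This is not the poster's code and not GrIDsure's implementation: the HMAC-SHA256 grid derivation, the balanced digit layout, the secret, the pattern and the transaction values are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import itertools

GRID_SIDE = 5                    # 5x5 grid = 25 cells holding the digits 0-9
CELLS = GRID_SIDE * GRID_SIDE

def _keyed_bytes(secret: bytes, context: bytes):
    """Endless byte stream from HMAC-SHA256(secret, context || counter).
    Assumed construction for the demo; the real product's key schedule is not shown on the page."""
    counter = 0
    while True:
        yield from hmac.new(secret, context + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1

def _below(stream, n: int) -> int:
    """Uniform integer in [0, n) by rejection sampling, so there is no modulo bias."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n

def _shuffle(seq, stream) -> list:
    """Fisher-Yates shuffle driven by the keyed stream (deterministic for a given key/context)."""
    out = list(seq)
    for i in range(len(out) - 1, 0, -1):
        j = _below(stream, i + 1)
        out[i], out[j] = out[j], out[i]
    return out

def challenge_grid(secret: bytes, context: bytes) -> list[int]:
    """Derive the 25-cell challenge grid from the shared secret plus a per-challenge
    context (a time step, or the confirmed transaction text). Every digit appears
    twice and five digits a third time, matching the post's '2.5 repetitions'."""
    stream = _keyed_bytes(secret, context)
    extra = _shuffle(range(10), stream)[:5]
    return _shuffle(list(range(10)) * 2 + extra, stream)

def response_for(grid: list[int], pattern: tuple[int, ...]) -> str:
    """What the user types: the digits sitting in their pattern cells, in pattern order.
    Cells are indexed 0..24 row by row; the same cell may be used more than once."""
    return "".join(str(grid[cell]) for cell in pattern)

def verify(secret: bytes, context: bytes, pattern: tuple[int, ...], typed: str) -> bool:
    """Host side: rebuild the same grid, apply the enrolled pattern, compare in constant time."""
    expected = response_for(challenge_grid(secret, context), pattern)
    return hmac.compare_digest(expected, typed)

def time_context(now: float, step: int = 30) -> bytes:
    """Context for the time-synced variant: phone applet and host share a clock and a step."""
    return b"T:" + (int(now) // step).to_bytes(8, "big")

def transaction_context(amount: str, vendor: str) -> bytes:
    """Context for the transaction-bound variant: the details the user was asked to confirm."""
    return b"TX:" + amount.encode() + b"|" + vendor.encode()

def consistent_patterns(observations):
    """Shoulder-surfer's view: which 4-cell patterns fit every (grid, typed) pair observed?
    With each digit in 2-3 cells, a single observation leaves 16-81 candidate patterns;
    only repeated observations narrow it towards the real one."""
    survivors = None
    for grid, typed in observations:
        options = [[i for i, d in enumerate(grid) if d == int(ch)] for ch in typed]
        candidates = set(itertools.product(*options))
        survivors = candidates if survivors is None else survivors & candidates
    return survivors

def digit_counts(grid: list[int]) -> list[int]:
    """How many cells hold each digit 0-9 (should all be 2 or 3)."""
    return [grid.count(d) for d in range(10)]

SECRET = b"constructed-demo-secret-not-a-real-key"   # constructed, shared by phone and host
PATTERN = (0, 6, 12, 18)                              # the user's shape: the main diagonal

if __name__ == "__main__":
    ctx = transaction_context("GBP 42.50", "Example Vendor")   # constructed transaction
    grid = challenge_grid(SECRET, ctx)
    for row in range(GRID_SIDE):
        print(grid[row * GRID_SIDE:(row + 1) * GRID_SIDE])
    typed = response_for(grid, PATTERN)
    print("user types:", typed, "-> accepted:", verify(SECRET, ctx, PATTERN, typed))
    other = transaction_context("GBP 999.00", "Example Vendor")
    print("same digits replayed on another transaction accepted:", verify(SECRET, other, PATTERN, typed))
    print("patterns a shoulder surfer cannot rule out after one look:",
          len(consistent_patterns([(grid, typed)])))
```

Two points the code makes concrete: the typed digits are only valid for the context they were derived from, so a keylogger on the PC or a stolen phone gains nothing reusable, and `consistent_patterns` shows why the digits are repeated across the grid, since one observed grid and response still leaves dozens of patterns that would have produced the same four digits.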
One Time passwords
The answer might be to generate one time PINs or Passwords.
If we don't exchange the shared secret, that would enable us to lower the number of PINs / passwords, make them easier to remember, and stronger. At present we are all relying on tokens, but there is an idea & company that can do it without additional hardware. One factor authentication could be viable again.
Has anyone else seen GrIDsure? They have a means of generating a one-time pass-code, without hardware, that can also be used as a means of reverse authentication.