Posts by Andrew Churchill

7 publicly visible posts • joined 14 Aug 2008

ZeuS trojan attacks bank's 2-factor authentication

Andrew Churchill
FAIL

Fail for Bank & Criminal

So they get Zeus on your PC to get the online banking number and static passwords, then con you into infecting your mobile with another Zeus variant. But why bother?

As you're typing the OTP mTAN into the infected PC anyway, the extra step is pointless (and requires an additional risk that the element of social engineering alerts the user).

Bank 3/10 - poor security, which fails to understand the point of out-of-band security

Criminal 6/10 - potentially successful, but fails to understand they're messing up their own attack

Home Office reaches half-way hash in secure data handling

Andrew Churchill
Unhappy

@ Adrian Bridgett

2nd class won't do - by the time it's received the cover time of the algorithm will have expired!

On which note, why is everyone so concerned about HMRC sending out Child Benefit data in the clear? By the time my kids are old enough for their details to be used in fraud (they're 1 and 3, meaning they can't be used financially for 17/15 years) - anyone like to name an encryption with a cover time they could have used that would do?

The real scandal is that they let some muppet have a 'copy to disc' function for the entire nation's details.

Andrew Churchill
Unhappy

Hash?

I take it you don't mean hash in a cryptographic sense!

Hello, this is the Home Office Cryptographic Centre, we've just got your email/CD. Can I have the passphrase please?

Thank you.

Not much better than writing it on the disc really, is it?

And why is it that after seeking "expert advice (probably from GCHQ's CESG)" the Home Office develops a policy "that falls below best practice in sectors such as banking"!! As El Reg has pointed out over recent days the banking sector is bad enough, but if central Government can't be bothered to implement proper controls it hardly serves as a good example of data handling.

Now I must dig out that consultation on the transposition of 2006/24/EC ....

Judge refuses to lift order squelching students' subway card hack

Andrew Churchill

So?

Will that be the same CharlieCard using Mifare Classic as Oyster?

So this time it's been broken by undergrads not postgrads, but that's the only news in this story.

Cybercrime bust highlights PIN terminal insecurity

Andrew Churchill

@ er, me

Responding to my own point, but to answer Aimee's query, on SSL, as regular Reg readers will know, even the extended SSL HSBC put out is readily circumvented (http://www.theregister.co.uk/2008/06/25/hsbc_scripting_flaws/).

I've already agreed with Brent Gardner's earlier post that a mobile probably provides the answer. I wrote an article for Fraud Intelligence a few months back arguing that multi-factor was of no use if you have a single channel for confirming transactions, as what you know, what you are and what you have get short-circuited to 'what you intercept'. Multi-factor still has to be included, but if you combine multi-factor with multi-channel the intercept becomes far, far harder.

Andrew Churchill

@ Brent Gardner

Absolutely, but if you've got NFC on the mobile (or cell for our international commentators) you can use it for far more than just confirming card transactions. Transport for London set up a trial of Barclaycard/Oyster on an NFC Nokia in December to act as an NFC wallet (akin to PayPass et al) as well as for ticketing. I'm not sure how that went, and when I tried to get hold of one of the Nokias to play with the kit last month I couldn't find one.

Anyone else aware of what happened with that?

Andrew Churchill
Paris Hilton

@ xwave not the answer

Not a critique of your header (which is absolutely correct, xwave is just plain nonsense (but a good laugh that someone thought to patent it!!)) but you've a few errors in the underlying text. Card not present fraud is not mostly conducted outside the UK (well, if we take APACS figures, which admittedly underreport the problem, though not as much as some make out in my opinion).

We know a lot of copied cards are used overseas to exploit the fact that they don't need chip and PIN. We also know that CNP fraud has risen dramatically because they don't need chip and PIN. Why bother using CNP overseas when you could just walk up to a cashpoint and take the cash? It just increases the risks. So the vast majority of CNP fraud should be in the UK.

And your point @ Aimee may be their justification, to combat phishing, but it doesn't work. If I send you a phishing email (and you're stupid enough to respond) and you log on to my spoofed site, then you're expecting it to be the real one. So I'll have to send you a challenge so that you can enter it into your reader, enter your PIN and give me the response. So whilst you log onto my spoofed site, I'll log onto the real one to get a real challenge, to relay to you so you can give me a real response, so that I can pass it back to the real site to gain access. Then I can give you your real information (as I'm now logged on as you (and I definitely am you as I've got your valid response, so I must be you)) so you can see your live info, including the curry from last night, so you're confident you're on the real site, and I'm confident I've just emptied your account (and with faster payments off it goes round the world 1000 times a day until I've laundered it enough).

Now try proving that you didn't do it :)!

I agree with you on the default decline overseas though (with a facility to unblock for specified countries when you know that you (the real you) are abroad).

Paris because she's the only one open to more abuse than the banking system.
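As an added illustration (not from any of these posts or from The Register), a Python model of the relay described in the post above and of the multi-channel point made in the earlier reply: a challenge/response that proves only card and PIN is relayed intact, while one bound to transaction details the customer keyed in or saw on an independent channel no longer verifies for the attacker's transaction. The key, PIN, bank class and amounts are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed values: shared secret between bank and the customer's card/reader, and the PIN.
CARD_KEY = b"constructed-shared-card-key"
PIN = b"1234"


def reader_response(key: bytes, challenge: bytes, pin: bytes, tx: bytes = b"") -> str:
    """Model of a challenge/response reader. With tx empty the response proves only
    possession of card and PIN; with tx filled it also commits to the transaction details
    the customer keyed into the reader or saw on an out-of-band channel."""
    return hmac.new(key, challenge + b"|" + pin + b"|" + tx, hashlib.sha256).hexdigest()[:8]


class Bank:
    """The genuine site. bind_tx selects whether the response must also cover the
    transaction the bank is actually being asked to approve."""

    def __init__(self, key: bytes, bind_tx: bool) -> None:
        self.key, self.bind_tx, self.pending = key, bind_tx, {}

    def challenge(self, tx: bytes) -> bytes:
        c = secrets.token_bytes(8)
        self.pending[c] = tx  # remember which transaction this challenge was issued for
        return c

    def verify(self, challenge: bytes, response: str) -> bool:
        tx = self.pending.pop(challenge)
        expected = reader_response(self.key, challenge, PIN, tx if self.bind_tx else b"")
        return hmac.compare_digest(expected, response)


def honest_session(bind_tx: bool) -> bool:
    """Customer on the genuine site approving their own transaction."""
    bank = Bank(CARD_KEY, bind_tx)
    tx = b"20 GBP to curry house"
    c = bank.challenge(tx)
    return bank.verify(c, reader_response(CARD_KEY, c, PIN, tx if bind_tx else b""))


def relayed_session(bind_tx: bool) -> bool:
    """The relay from the post: the spoofed site forwards the real challenge to the victim
    and the victim's real response back, but the bank is approving the attacker's transaction."""
    bank = Bank(CARD_KEY, bind_tx)
    victim_tx = b"20 GBP to curry house"  # what the victim believes is being approved
    attacker_tx = b"5000 GBP to mule"     # what was actually submitted to the genuine site
    c = bank.challenge(attacker_tx)
    # With binding, the reader covers only details the victim supplied out of band, so the
    # relayed response does not match the attacker's transaction and the bank rejects it.
    return bank.verify(c, reader_response(CARD_KEY, c, PIN, victim_tx if bind_tx else b""))
```

Binding only helps if the transaction details reach the reader or phone by a path the spoofed site cannot rewrite, which is the multi-channel argument rather than a property of the challenge itself.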