Mr Laurie – Don’t do that
Ben Laurie has a nice little post up “More Banking Stupidity: Phished by Visa:”
Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders – by training them to expect a process in which there’s absolutely no way to know whether you are being phished or not. Even more astonishing is that this seen as a benefit!
Ben’s analysis seems pretty good, except for one thing–he doesn’t say anything about what to do. Right now, we can see that organizations are flailing around, trying to address the problem. And pointing out problems can be helpful, “you’re wrong” is a pet peeve of mine. (While, Michael Howard’s really, but I’ve adopted it.)
So Mr Laurie, don’t do that. Don’t just say what not to do. Say what to do.
The security engineering community needs to come together and speak out on what the right design is. I’m going to ask Ben, Gunnar Peterson, Rich Mogull and Mike Dahn to ask what should we do? Can the four of you come to agreement on what to recommend?
(My recommendation, incidentally, stands from August 2005, in the essay “Preserving the Internet Channel Against Phishers.” Short version: bookmarks, although I need to add, empower people to use the bookmarks by giving them a list of pending actions from the login landing page.)
Photo: “The Matt Malone experience”
[Update: edited title. Thanks, @mortman. Update 2: Fixed Mike Dahn’s URL; Firefox still not happy, I don’t think I can fix the post URL.]
A very curious post… why not walk down the hall to the IE team and ask them to turn on the strong authentication that was designed into the browser, way back when? For this problem? You know, the old SSL model where the site tells the client software who it is, and the client software tells the user who it is talking to?
Bhe “bookmarks” idea is partly coded up in a thing called Petnames, which allows the first visit to be recorded in the bookmarks with an user-memorable nickname (petname) and the cert.
Iang,
I’m not sure what you’re asking me to ask of IE. IE supports client auth, but there are a number of issues. The first issues are the business ones of who trusts whom to issue certs. Secondarily, who gets paid by whom for that. And then there’s the whole question of protecting a cert from a breakin. I think Windows is pretty decent here–there’s support for certs on smartcards, but again the question of who pays for a reader and supports it. (Physically cheap, but when I last dug deep into this a decade ago before USB, support-wise expensive and complex.)
You haven’t convinced me that pointing out bad behaviour is wrong when/if you haven’t got a better method handy. You seem to be arguing that because he hasn’t got some nifty solution, Ben shouldn’t call out this very lame blame-shifting exercise.
In other words: you’re wrong.
I agree entirely. I think that folks in the security world are particularly likely to adopt a curmudgeonly attitude — “you’re wrong,” “how can they be so stupid,” “we security folks are so wise” — which does little to advance the discussion. I’m not sure what the roots of that are — but I’d bet there’s a good essay on the topic just waiting to be written. Simple BOFHism? Side-effect of focus on exploit research rather than defense research? After-effect of an earlier time, when most security pros were consultants rather than in-house?
(For the record, I also happen to think that VbV is a step — however small and annoying — in the right direction. I commented on Ben’s blog to that effect just now…)
As to your recommendation, though — I’m tempted to say “you’re wrong.” 🙂 Do you think that never sending HTML emails is still an option, four years after you wrote that?
(Interestingly, the video in your link refuses to play over https, at least for me (OS X, Safari 4) — but works fine if I rewrite the link to http.)
-sq
Paypal has a good solution for this. Unfortunately, they have it buried so well, that most people don’t use it.
You can have you Paypal account setup to use a security fob, which they will sell you for $10. OR, you can have them text a random 6 digit number to your cell phone each time you log in, after supplying the username and password.
Without these three bits, you don’t make it into the site. Having an out-of-band or OTP solution really helps prevent phishing.
You can get a token, or enable texting to a cell phone here
One simple move to reduce the risk from CNP fraud would be to restrict the delivery address to either the cardholder’s address only (as many sites do for initial orders), or to a small number of addresses (e.g. home, work) verified by offline processes. Of course you still have the problem of how to do the verification, but at the moment it’s often simple to get your goods delivered to an arbitrary address as long as your cardholder address is correctly presented.
Most people don’t want delivery to arbitrary addresses, so the additional one-off effort of verifying the address would not be too onerous for the consumer.