Here is an advisory on the SSL/TLS attack that Juliano Rizzo presented at the ekoparty Security Conference. It appears that 99% of all secure websites in the world contain a vulnerability that enables an attacker to carry out a successful man-in-the-middle attack. These websites use SSL/TLS 1.0; TLS 1.1 and newer versions do not have this vulnerability, but are hardly used. The attack is a new, fast block-wise chosen-plaintext attack against SSL/TLS 1.0.
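The practical defender's response to the advisory is to stop offering the affected protocol versions. The check below is an added example written for this post, not code from the advisory or from Juliano Rizzo: it parses the protocol directives of two common web servers (the nginx `ssl_protocols` directive and the Apache `SSLProtocol` directive, with its `all`, `+name` and `-name` tokens) and reports which enabled versions are still the vulnerable ones. The protocol names and the set treated as "all" are assumptions chosen for the linter, and the configuration lines are constructed samples.

```python
import re

# Versions the advisory covers: SSL 3.0 and TLS 1.0 carry the block-wise
# chosen-plaintext weakness; TLS 1.1 and newer do not (SSLv2 is listed as weak
# for other, older reasons).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

# Assumption for this linter: the versions that Apache's "all" keyword expands to.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def nginx_enabled_protocols(line):
    """Parse an nginx 'ssl_protocols A B C;' directive into the set it enables."""
    m = re.match(r"\s*ssl_protocols\s+(.+?)\s*;", line)
    if not m:
        raise ValueError("not an nginx ssl_protocols directive: %r" % line)
    return set(m.group(1).split())


def apache_enabled_protocols(line):
    """Parse an Apache 'SSLProtocol all -SSLv3 -TLSv1' directive.

    Tokens are 'all' or a protocol name, optionally prefixed with '+' (enable)
    or '-' (disable); a bare name enables exactly that version.
    """
    m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line)
    if not m:
        raise ValueError("not an Apache SSLProtocol directive: %r" % line)
    enabled = set()
    for tok in m.group(1).split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def weak_protocols(enabled):
    """Sorted list of the enabled versions that are still affected by the attack."""
    return sorted(enabled & WEAK_PROTOCOLS)


def audit(config_lines):
    """Run both parsers over a list of directive lines; returns {line: [weak versions]}."""
    findings = {}
    for line in config_lines:
        stripped = line.strip()
        if stripped.startswith("ssl_protocols"):
            findings[line] = weak_protocols(nginx_enabled_protocols(line))
        elif stripped.startswith("SSLProtocol"):
            findings[line] = weak_protocols(apache_enabled_protocols(line))
    return findings


# Constructed sample directives: the weak setting beside the hardened one.
WEAK_NGINX = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"
HARDENED_NGINX = "ssl_protocols TLSv1.1 TLSv1.2;"
WEAK_APACHE = "SSLProtocol all -SSLv2"
HARDENED_APACHE = "SSLProtocol all -SSLv2 -SSLv3 -TLSv1"

if __name__ == "__main__":
    for line, weak in audit([WEAK_NGINX, HARDENED_NGINX, WEAK_APACHE, HARDENED_APACHE]).items():
        status = "STILL VULNERABLE: " + ", ".join(weak) if weak else "ok"
        print("%-45s %s" % (line, status))
```

The hardened lines keep only TLS 1.1 and 1.2, which is the fix the advisory points at; today one would go further and drop TLS 1.1 as well, since RFC 8996 deprecates both TLS 1.0 and 1.1.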
Even though it is a few years since I wrote this article, the key principles of designing secure banking solutions haven't changed and are still relevant today. Trust will always be the main priority, and the convenient solution wins in the long run. The challenge is to integrate trust and convenience.
‘Something you understand’
The new factor in online security
Online attacks have advanced significantly in recent years. Two-factor authentication, which is used to protect online banking users, has not evolved at the same pace, meaning that users are not sufficiently protected against these new and advanced attacks.
This raises an important question: is it possible to make online activities more secure for the user? More specifically, can online attacks be prevented by involving the user? In this paper, we elaborate principles for providing security in factor-based authentication, and we propose a strategy that uses these principles to make online activities more secure.
This paper introduces Transaction Authentication – the new factor for factor-based authentication – as a way to establish informed consent in the authentication and authorisation process for online security. We show how the solution provides security while minimising user involvement, by balancing security and usability.
Read the paper here
Listen to Simon Sinek’s interesting and inspiring talk about WHY.
People don’t gather around people or products just because they provide certain qualities, they gather because they have a vision, and can realize their vision in their products.
I like Steve Jobs. He visited Xerox Corporation at their Palo Alto Research Center (PARC) in 1979, where he got his vision that electronic systems must be user friendly. He understood the importance of anthropologists and user interface researchers. Those who understand the vision are essential. His vision (WHY) has since then driven Apple. In fact Apple doesn’t compare itself with the competition – they do what they think is right. iPhone was the first handset in which you could use the browser, and on which people actually could purchase items. That they have application fascism has only helped them establish trust.
When it comes to online banking and online shopping, the vision is to make it easy for the user; convenience always wins in the long term. But it cannot only be convenient, it must also carry trust, as that feeds the limbic brain and tells the customer that it’s safe to do banking. To avoid making it cumbersome you need to balance usability with security, as there is always a tradeoff.
If there is a risky transaction, such as paying a high amount to a new beneficiary, any customer would feel uncomfortable doing that without a security technology in place. Done correctly, it is possible to offer a lot of convenience and still stop risky transactions, by introducing increased security only when needed.
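The two ideas above, transaction authentication as informed consent (the paper abstract earlier on this page) and stepping security up only for risky transactions (a high amount to a new beneficiary), can be put together in code. The following is an added illustration written for this post; it is not the scheme from the paper or from any bank or vendor named here. It assumes a per-user secret shared between the bank and the customer's authentication device, a confirmation code that is an HMAC-SHA256 over exactly the transaction details shown to the user, and constructed account identifiers and thresholds. The point it demonstrates is that the code is bound to the details the user saw, so a transaction altered in transit fails verification even though the user typed a genuine code.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    account: str        # paying account (constructed identifier)
    beneficiary: str    # receiving account (constructed identifier)
    amount_cents: int   # amount in minor units, avoiding floating point
    reference: str      # payment reference shown to the user


def canonical(tx):
    """Byte encoding of exactly the details the user sees and approves.

    Fixed field order and separator so the bank and the user's device agree.
    """
    fields = [tx.account, tx.beneficiary, str(tx.amount_cents), tx.reference]
    return "|".join(fields).encode("utf-8")


def step_up_required(tx, known_beneficiaries, threshold_cents):
    """Risk rule from the post: a high amount to a new beneficiary is risky.

    Everything else proceeds without extra friction (convenience).
    """
    return tx.beneficiary not in known_beneficiaries and tx.amount_cents >= threshold_cents


def confirmation_code(user_key, tx, digits=8):
    """Code bound to the transaction: HMAC-SHA256 over the canonical details,
    truncated to a short decimal code the user can read off a device and type back."""
    mac = hmac.new(user_key, canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def verify(user_key, tx, presented_code):
    """Constant-time comparison of the presented code against the code for the
    transaction the bank is actually about to execute."""
    if presented_code is None:
        return False
    return hmac.compare_digest(confirmation_code(user_key, tx), presented_code)


def process_payment(user_key, tx, known_beneficiaries, threshold_cents, presented_code=None):
    """Bank-side decision: 'executed', 'needs_confirmation' or 'rejected'."""
    if not step_up_required(tx, known_beneficiaries, threshold_cents):
        return "executed"
    if presented_code is None:
        return "needs_confirmation"
    return "executed" if verify(user_key, tx, presented_code) else "rejected"


# Constructed sample data for a stand-alone run.
USER_KEY = b"constructed-per-user-secret-key"
KNOWN = {"SE00 2222"}
THRESHOLD = 1000000  # 10 000.00 in minor units

if __name__ == "__main__":
    shown = Transaction("SE00 1111", "SE00 9999", 25000000, "invoice 42")
    print(process_payment(USER_KEY, shown, KNOWN, THRESHOLD))          # needs_confirmation
    code = confirmation_code(USER_KEY, shown)                           # computed on the user's device
    print(process_payment(USER_KEY, shown, KNOWN, THRESHOLD, code))    # executed
    # Details altered in transit: same genuine code, different beneficiary.
    altered = Transaction("SE00 1111", "SE00 6666", 25000000, "invoice 42")
    print(process_payment(USER_KEY, altered, KNOWN, THRESHOLD, code))  # rejected
```

The user only sees the extra step for the risky case, which is the balance the post argues for: low-risk payments stay convenient, while consent for a risky one is tied to what the user actually read.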
Forwarding a post from the Karlstad University mailing list:
[Humanit-listan] HumanIT doktorander
From: Jakob Svensson <Jakob.Svensson@kau.se>
Date: 23 Sep 2010 – 13:50
We at HumanIT are very happy to fund and welcome PhD student Julio Angulo to Karlstad University.
Julio will deal with the UI aspects of security in online banking and the concepts of anonymous credentials and data minimization in collaboration with Gemalto and Nordea. Julio is also involved with OZLAB together with John Sören Pettersson and with HCI aspects of the PrimeLife project together with Erik Wästlund and others. He is giving usability advice on some of the interfaces being developed for handling privacy preferences and will do user tests to evaluate the usability of such interfaces.
Julio has a B.Sc. in Computer Science from the University of British Columbia, and an M.Sc. in Computer Science with emphasis on Ubiquitous Computing from Blekinge Tekniska Högskola, as well as a Master's from Lund University in Interaction Design. Julio has worked in the mobile industry as an Interaction Designer in companies like UIQ Technology AB and STEricsson.
Before moving to Karlstad, Julio was doing an internship as a software programmer and UI designer at a small company that delivered logistics solutions to hospitals around Skåne.
Jakob Svensson, Ph. D.
Director HumanIT (www.kau.se/en/humanit [http://www.kau.se/en/humanit])
Ass. Prof. in Media and Communication Studies
65188 Karlstad – Sweden
+ 46 (0) 54 700 1893
Humanit-listan mailing list
I was sitting in a small café in central Gothenburg the other day, where I started looking at the wall and found a blackboard full of names and numbers. They told me that the café acts as a bank, “doppio bank” – but with a small twist.
They had one wall with their entire customer base written on it, with the balance of each customer printed on the wall, and some of the customers also had brought their own photos. During my short visit to the café, I saw two persons actually paying with their balance, and the coffee-man changed their balance on the wall.
I wonder how they identify their customers, and also how they authenticate them. Maybe there is a need for an identification solution here :)
Well, the sad part is that they have to close the bank. It’s not allowed to be a bank in Sweden, no matter how big, unless you have a banking licence, so their banking activity will cease at the end of the year. I will return before they close, because I made a deposit of 1€ and want to get a coffee for that.
Cambridge researcher Saar Drimer recently demonstrated on German TV how easy it is to bypass the PIN verification at an EMV POS terminal (http://blog.br-online.de/report-muenchen/2010/09/03/neue-chips-im-visier-der-kreditkartenmafia.html). Saar equipped himself with a modified credit card with a cable linked to a computer in his backpack. He then makes a credit card transaction, where he enters the PIN ‘0000’, and demonstrates how the transaction is approved even though the PIN was fake, and the receipt tells the café owner that the transaction was approved. Saar, together with Steven Murdoch and Ross Anderson, some time ago released the report “Chip and PIN is Broken”, explaining a serious flaw in the EMV chip that enables an attacker to completely bypass the PIN verification on the chip card; it was covered in an earlier post.
In the TV report, Ross Anderson and Steven Murdoch further explain the complexity of EMV, indicating that it’s too complex to be verified. Something one could consider would be to make it formally verifiable, which effectively would reduce the specification to a few pages.
The advanced digital life is still in its infancy; we are just starting to discover what it takes for a cardholder, citizen or Facebooker to stay safe online. What really matters is to understand that a person is acting with multiple personalities online, often without reflecting on it.
Most people are concerned, but do not really grasp the concepts of security and privacy and do not have a clear strategy for how to act in order to protect their different personas online. When asked, some customers care, but most don’t, until they’re asked whether it would be OK if their health records were posted on Facebook for anyone to see.
Privacy and security are something most people will only request after they have experienced them. A good example is the comparison with the seat belt, a Swedish innovation that is today used in every corner of the world. Once understood, a customer doesn’t want anything less.
The real challenge is to gain knowledge and provide technology that enables the Internet to become a secure and trustworthy place for everyone, not only the brave. Everyone needs to use the Internet; therefore it’s crucial that we take the emotional human into consideration, as he cannot objectively perceive ePrivacy or eSecurity.
Gemalto has published interesting coverage of Digital Sweden (www.gemalto.com/digital_sweden/index.html), where we try to describe why Sweden is far ahead in the digital service evolution. Martin Ogarp, a bright business developer working at Nordea, is interviewed and tries to give a clear answer on Nordea’s philosophy (www.gemalto.com/financial/ebanking/sweden_banks_today.html).
“– Customers have come to expect online access to their bank, and it has to be a high quality service,” he says. “Our philosophy, and the starting point of Nordea’s eBanking initiative, is that all interactions with the bank should be able to be carried out however the customer chooses.”
Nordea is securing both eBanking and eCommerce transactions, making life more secure for their cardholders, using cutting edge technology from Gemalto.