
The Best Security Policy: Logic

Though I don’t consider myself an expert on network security, I have learned a lot over the years, and I have come to appreciate the essential role that simple logic plays in security. For example, you wouldn’t lock a door and then hang the key on a string tied to the doorknob, would you? It doesn’t make sense; therefore, it is bad security policy.

I found a good example of how a failure in basic logic resulted in an online theft of nearly a million dollars. For more details, you can see the blog on Krebs Security. Basically, it all boiled down to a bank customer whose password had been broken. Breaking passwords is a full-time occupation for lots of criminals, because it pays so well. In this particular case, the password to an online bank account was broken, and the cyber thief proceeded to take money from the account.

Unfortunately for the cyber thief, the bank would not transfer money based only on a broken password. The bank also needed to make sure that the transfer actually originated from a specific IP address that was known to belong to the client.

To quote a paragraph from the bank’s memo that documented the theft:

In order to access the Internet Banking system, a user must not only enter a username and password but they must also register their computer. This is known as multifactor authentication. The process of registering a computer to be used in conjunction with the specific login credentials involves receiving a secure access code, which is delivered to a specified email or phone number tied to the user account.

In any critical situation, the overall structure is only as strong as its weakest link. In this case, the weakest link was email. The cyber thief, operating from a location in Italy (the victim account was based in Texas), simply made a registration request from an Earthlink account, using the compromised password. The bank then sent the secure access code to that email address, and the code was subsequently used to qualify IP addresses in Romania. From there, you can guess what happened.

You might argue that the bank customer may have been partially at fault for choosing a password that was easily compromised. This argument has some merit, but consider that once you deposit money into a bank account, the bank now owns security for that money, and thus they are liable for it. They should therefore invest some brain power into helping you choose a good password. In fact, there are a number of password-cracking programs that banks can use to try to break their own customers’ passwords. Once a password is broken, the associated account can be frozen until the customer chooses a better password.
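To make the idea of a bank auditing its own customers' passwords concrete, here is an added example in Python (not code from the original post or from any bank). It constructs a handful of sample accounts with a toy salted-SHA-256 password store, builds targeted guesses from profile data the bank already holds (pet name, children's names, birthdate) plus a tiny list of common passwords, and reports which accounts should be frozen pending a password change. The account data, password list and hashing scheme are all assumptions made for the example; a real deployment would run this against its production hash store and use a slow hash such as bcrypt or Argon2, which also makes this kind of audit far more expensive for a thief than for the bank.

```python
import hashlib
import hmac
import os

# Toy password store: per-account random salt + salted SHA-256 digest.
# Real systems should use a slow, memory-hard hash (bcrypt, scrypt, Argon2);
# plain SHA-256 is used here only to keep the example short.
def hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_account(customer_id, password, pet=None, children=(), birthdate=None):
    """Create a constructed sample account record with profile data the bank holds."""
    salt = os.urandom(8)
    return {
        "id": customer_id,
        "salt": salt,
        "digest": hash_password(password, salt),
        "profile": {"pet": pet, "children": list(children), "birthdate": birthdate},
    }


# Constructed sample accounts (hypothetical customers, not real data).
ACCOUNTS = [
    make_account("acct-0001", "Fluffy1", pet="Fluffy", birthdate="1975-03-14"),
    make_account("acct-0002", "03141975", birthdate="1975-03-14"),
    make_account("acct-0003", "correct-horse-battery-staple", pet="Rex"),
    make_account("acct-0004", "Emma2009", children=("Emma",), birthdate="1980-07-01"),
]

# Deliberately tiny constructed list; a real audit would use a large leaked-password corpus.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

# Cheap suffixes people add to "strengthen" a word, plus a range of years.
SUFFIXES = ["", "1", "12", "123", "!"] + [str(y) for y in range(1950, 2013)]


def birthdate_forms(iso_date: str):
    """Common numeric spellings of an ISO date like 1975-03-14."""
    y, m, d = iso_date.split("-")
    return [y + m + d, m + d + y, d + m + y, m + d + y[2:], y]


def mutate(word: str):
    """Yield case variants of a base word combined with each common suffix."""
    for base in {word, word.lower(), word.capitalize(), word.upper()}:
        for suffix in SUFFIXES:
            yield base + suffix


def candidates_for(profile: dict):
    """Yield de-duplicated guesses derived from one customer's profile data."""
    words = []
    if profile["pet"]:
        words.append(profile["pet"])
    words.extend(profile["children"])
    if profile["birthdate"]:
        words.extend(birthdate_forms(profile["birthdate"]))
    words.extend(COMMON_PASSWORDS)
    seen = set()
    for word in words:
        for guess in mutate(word):
            if guess not in seen:
                seen.add(guess)
                yield guess


def audit(accounts):
    """Return {account_id: recovered_password} for every account a targeted guess breaks."""
    weak = {}
    for acct in accounts:
        for guess in candidates_for(acct["profile"]):
            if hmac.compare_digest(hash_password(guess, acct["salt"]), acct["digest"]):
                weak[acct["id"]] = guess
                break
    return weak


def accounts_to_freeze(accounts):
    """Sorted account ids that should be frozen until the customer picks a better password."""
    return sorted(audit(accounts))


if __name__ == "__main__":
    for acct_id, guess in audit(ACCOUNTS).items():
        print(f"{acct_id}: weak password recovered ({guess!r}), freezing account")
```

Run as a script it flags three of the four sample accounts; only the long passphrase survives. The point of the design is that the guesses are built from data the institution already has about each customer, so the audit finds exactly the pet-name and birthdate passwords the post warns against, and it does so at negligible cost compared with the losses in the Krebs story.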

Perhaps the bank in this case did take this step, but judging from their weak secondary security perimeter, which depended on sending out a secure access code over ordinary email, it’s doubtful that their initial security policy was much better.

The bottom line is to scrutinize your bank’s security policies and look for simple flaws in their logic. This is not difficult to do, as I pointed out in a previous blog. Your online bank normally publishes its security policies online, and you may want to get familiar with them. Furthermore, for gosh-sakes, choose a good password! Don’t use the name of your pet, your children, your birth date, etc. These types of passwords can be broken in no time.

Best,

Dan
