Security Break Live
Security Break Live Blog

Getting a Break in the Case Against Computer Crime

January 30, 2009

It’s an us-against-them time in IT security. The more bad economic news I see, the more I understand the Bad Guy’s motive. Hacking, once a sport for the well-educated and well-off, is now a desperate measure for financial gain.

How many IT folks have been laid off in the last few months? How many are worried and anxious? How many are really angry on top of it? Attacks have never been more sinister because they’re conducted by really skilled people, sometimes with insider knowledge. Identity theft, man-in-the-middle attacks, malware gone mad – the list is endless, and attacks are growing in number, not just in intensity.

Keeping ahead of these threats keeps many of us up at night. So this blog, and the new Internet Talk Radio Show by the same name, will focus on breaking open cases of data theft, network intrusion, and other attacks on the systems and information we security guys strive to protect. Each post will focus on a specific threat, looking at how it was (or could be) perpetrated, and how to protect against it.

About my approach: I’ve been blogging on-and-off for several years now while working on a two-factor authentication solution that I believe to be an incredibly powerful tool in the fight against data and identity theft. So as I map out an approach to thwart each attack, I will focus on authentication technologies and issues where applicable. That doesn’t mean I’ll limit which cases I take on.

But two-factor authentication can do a lot, which is why I’ve continued to work with it, and I’m going to prove it. I love a good challenge. Here’s my two cents about two-factor authentication: Sometimes (incorrectly, IMO) called “strong authentication,” two-factor authentication requires items from two of the following three categories:

  • Something you know;
  • Something you have;
  • Something you are.

Given the expense and complexity associated with biometrics, that means that, practically speaking, two-factor means “something you know” and “something you have.”

There’s a catch, though. The “something you have” must really act like something you have, and not like “something you know”, or the security degrades to several-of-one-factor, which is generally not as strong.

An example of something you have is a cell phone. Here’s an example of something you think is something you have, but is really something you know: magnetic stripe cards, such as credit cards, ATM cards, lots of driver’s licenses, hotel room keys, door lock systems, time tracking systems, and whatever else has that little brown/silver/whatever stripe on the back of the card.

Magnetic stripe cards fool you: While they look like something you have, they act like something you know! What does it mean to “act like” something you know? Well, what are the characteristics of knowledge vs. tangible property?

  • You can write down or memorize “something you know”;
  • You can easily make a copy of “something you know”;
  • In particular, Bad Guys can copy “something you know” without your, um, knowledge.

Now, think again about the magnetic stripe card. While it may be hard for you to make a physical copy of an American Express card, that’s rarely the issue: There are a great many cases where the merchant doesn’t even see the card. (Ever wonder why photographs on credit cards didn’t take off?) Heck, at this point, most modern merchants never see the card at all, even in retail stores: Target, Costco, and most of the other places I shop fall into this category.

So, if the merchant doesn’t see the card, what is it interested in? That’s right, the information on the card: the stuff encoded in the magnetic stripe, the stuff you know. It is not something you have. Something you have can only be in one person’s possession at a time.
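To make the “acts like something you know” distinction concrete, here is an added example (my illustration, not code from the original post or from any product it mentions). It puts a stripe-style check, where the verifier only ever sees the static bytes encoded on the card, beside a possession-style check, where a device holding a secret produces a fresh one-time code (RFC 4226 HOTP driven by a time counter, the way a phone token works). The account data and secret are constructed sample values, and the class and function names are my own.

```python
import hashlib
import hmac
import struct

# Constructed sample: the static data a magnetic stripe carries (hypothetical
# account number and expiry). Whoever reads the stripe has everything needed.
STRIPE_DATA = b"4111111111111111=2512"

# Constructed sample: the seed provisioned into a possession-factor device.
# This is the RFC 4226 test-vector secret, so the hotp() output is checkable.
DEVICE_SECRET = b"12345678901234567890"


def verify_stripe(presented: bytes, on_file: bytes) -> bool:
    """A merchant or ATM that never sees the card checks only the encoded data.
    Any faithful copy of the bytes passes, so the stripe behaves like
    'something you know': the data, not the card, is what gets verified."""
    return hmac.compare_digest(presented, on_file)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then
    dynamic truncation to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def device_code(secret: bytes, now: float, step: int = 30) -> str:
    """What the possession factor (e.g. a phone app) shows at a given time."""
    return hotp(secret, int(now // step))


class OneTimeCodeVerifier:
    """Server side of the possession factor. Accepts each time step's code at
    most once, so a code captured in transit cannot be replayed, and it
    expires with the step even if it was never used."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window      # tolerate small clock skew
        self.used_counters = set()

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self.used_counters:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


def demo() -> dict:
    """Run both checks and report what a copy of the observed data buys."""
    skimmed_copy = bytes(STRIPE_DATA)            # a perfect copy of the bytes
    verifier = OneTimeCodeVerifier(DEVICE_SECRET)
    t0 = 1000.0
    code = device_code(DEVICE_SECRET, t0)        # what the device displayed
    return {
        "stripe_copy_accepted": verify_stripe(skimmed_copy, STRIPE_DATA),
        "otp_first_use": verifier.verify(code, t0),
        "otp_replayed": verifier.verify(code, t0),          # same code again
        "otp_replayed_later": verifier.verify(code, t0 + 300),
    }


if __name__ == "__main__":
    print(demo())
```

The stripe check accepts the copy because the copy *is* the credential; the one-time code check rejects the replay because what was observed (the code) is not what is verified (possession of the secret that generated it). That is the whole difference between a factor you have and a factor you merely know.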

I used the all-too-popular, honestly scary magnetic stripe card for a reason. For our first case, we’ll look at a case of ATM fraud, how easy it was for a Bad Guy to siphon a checking account at a public ATM in broad daylight, and why PCI regulations won’t help at all. Stay tuned.

Let the investigation begin…
