Posted on March 29, 2010.
CAN STRONG AUTHENTICATION SORT OUT PHISHING AND FRAUD?

Organized criminals have realized (precisely because they are organized) that phishing and identity theft can be carried out over an extended period, by piecing together small pieces of information from separate attacks for a final strike. For example, carrying out a login procedure using an authentication token will neutralize password stealers, but the very presence of a token authentication prompt can be an ideal trigger for spyware, especially if its objective is to build a model of your online behaviour while monitoring your financial transactions.

This paper tracks the recent evolution of malware techniques in response to technological changes in our security systems, and proves once again the old cliche that the price of liberty is eternal vigilance. The bad guys are out to get us, and if they can turn our defences against us, even in the most insignificant way, then they surely will.

Q. Can strong authentication sort out phishing and fraud?

A. No.

Q. Hmm. That makes for a rather short paper, don't you think?

A. Yes.

Q. Could you go into a little more detail?

A. These days, a lot of phishing is orchestrated, or at least assisted, by malicious code somewhere in the network. This means that solving the malware problem is effectively a necessary part of solving the problems of phishing and fraud. (When we say "fraud" in this paper, we mean online fraud against users who conduct their business through their PCs. We do not mean other kinds of financial fraud, such as credit card abuse and the like.)

But solving the malware problem is hard; in fact, it is undecidable. After all, the Halting Problem tells us that we cannot write a program that will reliably determine the behaviour of every other possible program:

'No program can say what another will do. Now, I won't just assert that, I'll prove it to you: I will prove that although you might work till you drop, you cannot predict whether a program will stop.

[. . .]

You can never discover mechanical means for predicting the acts of computing machines. It is something that cannot be done. So we users must find our own bugs; our computers are losers!' [1]

This general result can be cast in specific terms to show that a program which will infallibly distinguish between malware and non-malware cannot be written. Malware authors always get a 'next chance' to bypass the protection that we currently have in place [2].

Q. Nevertheless, that doesn't mean it is always easy for malware authors, or for phishers, to go to the next level, does it?

A. No. I was just being dramatic. Nothing, whether it is authentication or anything else, can actually solve the phishing problem, in the mathematical sense of solving it. But we can make phishing a lot harder, and authentication is indeed one of the tools that we can use.

Q. To stay on the subject of malware detection for a moment, how hard is it to produce malware (a new banking Trojan, for example) that evades detection?

A. On the one hand, it is getting harder. On modern PCs, anti-virus software can be much more computationally aggressive than it was in the past. Generic detection techniques wipe out a lot of new Trojans proactively. On the other hand, it is getting easier. You may even be able to precompute whether your new malware will succeed.

One way to do this is by a targeted attack, where you write a Trojan and aim it at a specific part of the Internet, such as a single business, whose defensive posture is known to you. Targeted attacks are not especially difficult to orchestrate, and there is a paper at this conference that examines the phenomenon [3].

Another way is to use an online service to which you can submit malware samples and from which you will receive automated responses telling you which products detected it, and what they called it.

Q. Online services to help you tune your phishing Trojans?

A. That is not how they position themselves, of course. Several such services exist, and some are strongly supported by the security industry. VirusTotal [4], for example, has permission to use about 25 different products to scan the files it receives. In return, samples are sent to the vendors that miss them, thus helping to improve detection and responsiveness.

Unfortunately, VirusTotal allows you to keep submissions from the vendors (although this is not the default), which could be said to play into the hands of organized crime and the counter-culture.

Q. Let's suppose that you can create a new phishing Trojan and target me and my business with it. How can authentication, or anything else for that matter, help me then?

A. When you carry out an online financial transaction, there are several things that it pays you (literally and figuratively) to verify:

• that trustworthy software is orchestrating the transaction,

• that it really is you conducting the transaction,

• that you really are communicating with the person or service you intend to,

• that the transaction details are correct.

Authentication, clearly, can help with this.

Q. How? Could you begin by giving me an example of the kind of authentication technology that can help with each item above?

A. Of course. Let's ask the questions we want answered, one by one.

• Is the right program doing the work? Some endpoint firewalls can help with this, for example by using cryptographic checksums to regulate which applications may make which kinds of connection to which servers.

• Is it really you kicking off the transaction? A hand-held authenticator can guarantee that you use a new password every time you connect, which helps to prevent replay attacks in which previously stolen credentials are reused by someone else.

• Are you connecting to the right service? Digital certificates can help to reassure you that you are not talking to an impostor at the other end.

• Are you carrying out the transaction you wanted? Encryption and digital signatures provide protection against exposing the transaction details, and help prevent the transaction from being tampered with in transit.

Q. Firewalls, tokens, certificates and encryption. Aren't these old technologies that we have been using for ages? Are they failing us?

A. Yes and no. There are three principal ways in which security-related systems fail, and these are mirrored by the principal ways in which cryptographic systems fail. This is predictable, since computer security relies heavily on cryptography. Things can go wrong because:

• the basic design is flawed (for example, a defective cipher),

• the implementation is incorrect (for example, insufficient keying material is used),

• the system is used incorrectly (for example, users write down their PINs).

In a seminal paper on the failure of cryptosystems [5], Ross Anderson shows that problems in implementation and usage seem to be the principal reasons for failure, rather than weak cryptography.

With hindsight, this is perhaps obvious, since these are the two aspects in which human error is most likely and in which rigorous peer review is hardest. In the last case, human error can effectively be guaranteed by deceiving or tricking users. Of course, what this means is that systems which can work correctly to provide us with secure online commerce may fail in unforeseen ways.

Q. But if a system is vulnerable because it does not cope well with unintended or unforeseen usage, doesn't that mean the design is wrong?

A. Maybe it does. But the PC, and its operating system, is designed to be a flexible and universal tool that can be adapted to many tasks, such as word processing, browsing the Internet, watching films, making art, designing buildings and searching for extraterrestrial life. Users are generally free to add and remove any software they like at any time in order to enjoy this flexibility.

When you carry out online commerce, for example when you click on a [Buy now] link, you need to turn your PC (temporarily, and at short notice) into a secure cryptographic device that is used as an important component of the transaction.

It is hardly surprising that the design of such a system makes certain assumptions about the state of the PC, and about the awareness of the user. And it is hardly surprising that the PC, or the user, or both, sometimes let the system down.

Q. Is this really predictable? Don't the banks have to do better?

A. This paper is not really about the social contract which banks do or do not have with their customers, so we will look only very briefly at the two sides of the argument.

Bank critics say that the banks do not do enough. They say that it is the banks that have the greatest interest in Internet commerce, because it allows them to close branches, lay off tellers and front-of-house staff, and thus save a great deal of money. This money, they argue, should already have been used to make Internet banking much safer than it is.

The banks, on the other hand, can argue at least as reasonably that the popularity of online commerce drives the need for Internet banking (eBay, QED). They can also point out that their younger customers not only greatly prefer Internet banking but expect it to be inexpensive, easy and accessible from anywhere. If a bank cuts back its Internet banking in the interests of security, and requires them to visit a branch to sort out possible problems (a reasonable security precaution, you might think), this is regarded as a bug in the system, not a feature.

Uri Rivner of RSA, which makes and sells cryptographic solutions including hand-held authenticators, agrees:

'...[I]n the consumer online authentication market, usability is in many cases of greater importance than security. It is true that some people [do] like to see changes in the banks' security procedures and [do] appreciate it if the financial institution sends them authentication devices or offers other visible security measures. But other customers do not really care about all that; they expect the bank to be secure, but all they really want is to access their account and their pay slips, and to transfer money without any delay or any additional challenge...' [6]

Q. OK, let's go back to the failure points above. Could you give historical examples of each kind of failure, to paint a picture of the kinds of thing that go wrong? Let's begin with the most exciting-sounding one: a cryptosystem that was cracked.

A. An example that many people will probably know of is Wired Equivalent Privacy (WEP), the authentication and encryption system originally proposed for wireless networking. WEP relies on a secret key, either 40 or 108 bits in length; to access and use the network, you need to know the key. (This, in turn, means you can read all the traffic on the network, just as if you were on a wired LAN.)

As it happens, the cipher used by WEP has a statistical flaw which affects the unpredictability of its first bytes of output. Interestingly, the cipher, RC4, is also used in SSL (which we will talk about later), but in a way that does not cause the problems seen in WEP. Nevertheless, the flaw exists in the RC4 cryptosystem itself, or at least in its key scheduling algorithm (KSA) [7], rather than simply in WEP's implementation.

This statistical flaw allows an attacker to recover a WEP key by capturing and analysing a few million wireless packets. Since there is no way to fix WEP without changing it for something different, WEP is irrevocably broken.

Q. How about a system that was based on sound cryptography but implemented unsafely?

A. A simple example of an implementation flaw (one which was fixed by designing an alternative but compatible approach) is the way early Unix systems stored their password file. All users and programs need read access to this file, as it is (among other things) the database that maps login names, such as "fp", to real names, such as 'Ford Prefect'.

However, early Unix implementations also stored every user's hashed password in this file, so anyone could retrieve the hashes and carry out a dictionary attack against them offline. This meant that weak passwords could quickly be recovered without leaving any evidence of the dictionary attack on the targeted system.

The backward-compatible solution, used in Linux to this day, was to duplicate the password file, replace the hashes in the world-readable file with a dummy entry, such as "x", and read-protect the second copy of the file, called the shadow file.

User programs worked exactly as before, except that they saw dummy data for the password hashes, which they did not need anyway. Only login programs needed to change to use the shadow file instead.
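As an added illustration of the passwd/shadow split described above (this is example code, not from the paper and not the real libc routines), the following builds a constructed pair of files and shows the two different access paths: ordinary programs only ever need the world-readable passwd data, where the password field is the placeholder "x", while the one privileged verifier reads the shadow data. The hash format "$pbkdf2$rounds$salt$hex" is invented for the demo; real shadow files use crypt(3) formats such as SHA-512 crypt, and "!" marks a locked account.

```python
# Added example: why separating /etc/passwd from /etc/shadow works (not from the paper).
import hashlib
import hmac


def make_hash(password: str, salt: str, rounds: int = 50_000) -> str:
    """Constructed hash format for the demo (real systems use crypt(3) formats)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds)
    return f"$pbkdf2${rounds}${salt}${dk.hex()}"


# World-readable file (constructed sample): the password field is only "x".
PASSWD = """root:x:0:0:root:/root:/bin/sh
fp:x:1000:1000:Ford Prefect:/home/fp:/bin/sh
ad:x:1001:1001:Arthur Dent:/home/ad:/bin/sh
"""

# Read-protected file (constructed sample): name, hash, then password-ageing fields.
SHADOW = (
    "root:" + make_hash("root-demo-pw", "n9Qx") + ":19000:0:99999:7:::\n"
    "fp:" + make_hash("correct horse", "Zp3k") + ":19000:0:99999:7:::\n"
    "ad:!:19000:0:99999:7:::\n"  # "!" = account locked, no valid hash
)


def parse_passwd(text: str) -> dict:
    """Map login name -> the seven fields of a passwd(5) line."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"password": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def real_name(passwd_text: str, login: str):
    """What an ordinary program needs: login name -> real name, no hash involved."""
    entry = parse_passwd(passwd_text).get(login)
    return entry["gecos"] if entry else None


def parse_shadow(text: str) -> dict:
    """Map login name -> hash field of a shadow(5) line."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line}


def verify_password(shadow_text: str, login: str, candidate: str) -> bool:
    """What only the login program needs: check a candidate against the shadow hash."""
    stored = parse_shadow(shadow_text).get(login)
    if not stored or stored.startswith(("!", "*")):
        return False  # unknown or locked account
    _, scheme, rounds, salt, _digest = stored.split("$")
    if scheme != "pbkdf2":
        return False  # unrecognised hash format
    recomputed = make_hash(candidate, salt, int(rounds))
    return hmac.compare_digest(recomputed, stored)  # constant-time compare
```

The division of labour is the security property: `real_name` (and everything like it) can be given the passwd data freely, while `verify_password` is the only code path that must run with enough privilege to read the shadow data, so an attacker who can read what ordinary users can read gets no hashes to attack offline.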

Q. And a case where we used security incorrectly and paid the price?

A. Perhaps naturally, many of us want to assume that anyone who is prepared to confirm their identity is, ipso facto, trustworthy. So when we come across an unknown program that is digitally signed, we sometimes assume that the signature tells us something about the morals and character of the signatory, rather than simply their name.

So, for example, in late 2002, many people gladly downloaded and installed software known as FriendGreetings from a company identifying itself as Permissioned Media [8]. These downloads were in response to an email, usually received from a friend or an acquaintance, that promised an electronic greetings card.

FriendGreetings displayed two End User Licence Agreements (EULAs), in the second of which it claimed permission to email everyone in your Outlook address book. Which, of course, it promptly did.

For system administrators and for those in your address book, the side effects were little different from a mass-mailing virus such as LoveBug (VBS/LoveLet-A). The signatories, of course, claimed that the virus-like behaviour of their software was completely legal, as it asked permission before sending any email.

But who had ever heard of Permissioned Media Inc. of Sun Towers, First Floor Office #39, Av. Ricardo J. Alfaro, Panama City, El Dorado Zona 6, Panama? And why did they trust this unknown company with their email address book?

Q. That was in 2002. Have users got smarter since?

A. FriendGreetings was a problem for system administrators because of the superfluous email it generated. It was a nuisance for users, for the same reason. The application also had the painful side effect of preventing programs from appearing in the taskbar, which interfered with the proper use of an affected PC until it was properly cleaned up. But FriendGreetings did not set out to steal data that could be used to plunder your bank account or carry out fraudulent transactions.

Phishing raises the bar in terms of the risk that every user, and every user's organization, faces from malicious code. This, in turn, raises concern about and awareness of malware and the importance of preventing it. Whether this counts as a silver lining to the cloud that organized crime has brought to the malware scene is not clear, but an optimist would say it does.

Q. That is an interesting observation, but I notice you have skirted the question. Have users got smarter since 2002?

A. Security experts are always on a slippery slope when commenting on the knowledge, or the lack of it, shown by users. Coming down too hard on users seems arrogant, but to absolve them of any responsibility for their own PC is to assume that technology can solve all security problems, which, as we showed playfully at the beginning, it cannot.

Nevertheless, recent research [9] paints a rather gloomy picture of levels of common sense among users. (More precisely, it paints a gloomy picture of a very small sample of staff and students at a prestigious American university. The rest of us might claim to do rather better, but the results are interesting nevertheless.)

In this study, 22 participants were shown 19 different websites purportedly belonging to a range of well-known banks and other businesses associated with online financial transactions. Of these, seven were genuine and 12 were spoofed. The objective was to identify which ones were false. Only one site (a genuine one) was correctly identified by all 22 participants. All the other sites, genuine and fake, got a mixed response. Eight of the sites (including six of the spoofed ones) were misidentified by 11 (50%) or more participants. In the two worst results, more than 80% of the participants said that a fake site was genuine.

The study explains these results quite clearly. It is worth repeating the explanation (or, as the study more conservatively calls it, a hypothesis) because it underlines how hard it is for us to be aware of everything we need to take into account when making online value judgements, and shows how easy it is for phishers and other online swindlers to exploit this:

'...Participants made incorrect judg[e]ments because they lacked knowledge of how computer systems worked and did not have an understanding of security systems and indicators. More experienced participants were tripped up by visual deception, for example when the address was spoofed or when images of the browser [user interface] with security indicators were copied into the website content. The study also revealed problems that we did not foresee [...]:

• Some users do not know that spoofing websites is possible. Without awareness [that] phishing is possible, some users simply do not question the legitimacy of a website.

• Some users have false ideas about which website features indicate security. For example, participants assumed that if websites contained professional-looking images, logos, and advertisements, [then] the sites were legitimate...'

So users may have got smarter, but there is still a lot that they need to learn and know.

Q. If we become aware of what this study calls 'security indicators' and use them reliably, are we safe? Can the SSL padlock save the day?

A. Secure Sockets Layer (SSL) is very much the fabric of online commerce today. But most people assume that it is simply what it says: secure, which means that too much trust is often placed in the padlock that most browsers display when the SSL protocol is in use. After all, the padlock means SSL, and SSL means secure.

Indeed, there are many problems with SSL, although fortunately these do not seem to be of the 'broken cryptography' sort. The problems are a little to do with implementation (or at least with deployment) and a lot to do with usage.

As a general rule, SSL provides three principal facilities for secure web communications:

• the exchange of digital certificates, allowing each end of the link to establish something of the identity of the other end,

• the secure exchange of session keys to support encryption without the need to share keying material in advance,

• data encryption in each session, using the keys exchanged above.

When we shop online, encryption is important, because we do not want others to be able to sniff our account numbers, or to learn how much money we spend and with whom. But the first step, mutual authentication, is in many ways more important. Without it, we can easily be tricked into engaging in an encrypted conversation with an unknown party.

Unfortunately, there are many ways in which this authentication can be subverted, or can go wrong. Phishers know this, and so can succeed despite, or even because of, the presence of SSL connections and the padlock in your browser.

Q. But if a connection is secure and authenticated, how can it be subverted?

A. There are several different ways in which you can be tricked or deceived when making SSL connections, for example:

• By falsified security indicators. A fake website can serve pages that render in your browser so that they suggest a secure connection. The falsification can range from the trivial, such as displaying a picture of a padlock somewhere on the page, to the elaborate, where scripts in the page rewrite elements of the browser's user interface to simulate an encrypted site.

• By the use of an illegally obtained certificate. This is rare, but not unknown. For example, in 2001, the world's biggest issuer of SSL certificates, Verisign, issued and signed a certificate in the name "Microsoft" to an individual unconnected with the software giant [10].

• By a worthless certificate. It is easy to produce a self-signed SSL certificate. In this case, you use your own certification authority, rather than paying a known third party to do the job for you.

• By a low-quality certificate. Some certification authorities (CAs) issue budget-priced certificates, or process certificates in a way that makes it easy for the smallest vendors to enter the market. In some cases the identity checks carried out before issuing these certificates are superficial and almost instantaneous, so the certificates have little value for authentication.

• By active malware on your PC. Malware can suppress security errors, create falsified security indicators, overlay data entry forms to capture or modify your data before it is encrypted by SSL, or otherwise deceive you about how your PC or your browser behaves.

• By the habit of starting secure connections from insecure pages. Numerous legitimate online financial sites [11] invite you to log in from their main (http) page, and then take you through to their secure (https) site. In many cases these insecure pages include padlock pictures, lending credibility to spoofed sites that do the same.

Q. So how do you see through such deception?

A. Fortunately, MANY phishing tricks are obvious once you know what to look for. In particular, you should familiarize yourself with SSL certificates and how to verify them. If you know how your bank usually identifies itself to you, for example, then you will more easily be able to carry out 'negative authentication' when you need to.

The site http://whichssl.com/, although not as independent as its name might imply (it is run by a certification authority), offers a handy 'try your own site now' link. This takes you to an https site of your choice while explaining, in an adjacent browser window, how to use your browser to verify the SSL certificate provided by that site.

Most browsers make an effort to warn you when dubious certificates are presented, but (as [9] suggests) many users click through these warnings without giving them the attention they deserve. It does not help that legitimate sites frequently allow their certificates to expire, or publish certificates on one website that were issued in the name of another, or use certificates that provoke browser warnings that can safely be ignored. This just reinforces risky behaviour.
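The certificate problems listed in the previous answer (self-signed, expired, issued in another site's name) are exactly the checks a browser performs before it shows the padlock, and the checks a user doing 'negative authentication' repeats by hand. As an added example (not from the paper and not a real X.509 parser), the code below evaluates those signals over constructed certificate records: validity period, whether the issuer is a trusted CA or the certificate vouches for itself, and whether the host name matches a name in the certificate, including the one-label wildcard rule from RFC 6125. The certificate dictionaries, CA name and host names are all made up for the demo.

```python
# Added example: the trust signals behind the padlock (not from the paper).
from datetime import datetime, timezone


def host_matches(pattern: str, hostname: str) -> bool:
    """DNS-ID matching in the spirit of RFC 6125: case-insensitive; a "*" is
    accepted only as the entire left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # "*.test" or "a*.example" are not accepted
    return p_labels[1:] == h_labels[1:]


def assess_certificate(cert: dict, hostname: str, now: datetime, trusted_issuers: set) -> list:
    """Return the problems a browser would warn about; an empty list means no warning."""
    problems = []
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed: no independent authority vouches for this identity")
    elif cert["issuer"] not in trusted_issuers:
        problems.append(f"issuer {cert['issuer']!r} is not a trusted CA")
    if now < cert["not_before"]:
        problems.append("certificate not yet valid")
    if now > cert["not_after"]:
        problems.append("certificate has expired")
    names = cert.get("san") or [cert["subject"]]  # fall back to the subject name
    if not any(host_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: {hostname} is not covered by {names}")
    return problems


# Constructed sample data: a CA name, a date and three certificates.
TRUSTED = {"Example Root CA"}
NOW = datetime(2010, 3, 29, tzinfo=timezone.utc)
_VALID = dict(not_before=datetime(2009, 1, 1, tzinfo=timezone.utc),
              not_after=datetime(2011, 1, 1, tzinfo=timezone.utc))

BANK_CERT = {"subject": "www.example-bank.test", "issuer": "Example Root CA",
             "san": ["www.example-bank.test", "*.example-bank.test"], **_VALID}

SELF_SIGNED = {"subject": "www.example-bank.test", "issuer": "www.example-bank.test",
               "san": ["www.example-bank.test"], **_VALID}

EXPIRED = {**BANK_CERT, "not_after": datetime(2010, 1, 1, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for label, cert, host in [("bank", BANK_CERT, "www.example-bank.test"),
                              ("self-signed", SELF_SIGNED, "www.example-bank.test"),
                              ("expired", EXPIRED, "login.example-bank.test"),
                              ("wrong name", BANK_CERT, "www.example-bank.test.evil.test")]:
        print(label, "->", assess_certificate(cert, host, NOW, TRUSTED) or "OK")
```

Two design points worth noticing: the self-signed check comes before the issuer check, because a certificate that vouches for itself should be reported as such rather than as "unknown issuer", and the wildcard rule deliberately refuses to match across a dot, so `*.example-bank.test` does not cover `login.secure.example-bank.test`; the very looseness the text warns about in "low-quality" certificates usually shows up in names, not in the cryptography.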

Q. You mentioned 'negative authentication'. Could we not run community-based databases, like the real-time blocklists (RBLs) used for spam, to help us identify online swindlers?

A. Several such arrangements exist. Netcraft, for example [12], offers a browser toolbar add-on by which you can track down and identify online phishers. Netcraft allows ISPs, organizations and others to use its database of known dubious locations on the Internet.

This can be useful in filtering inbound communications that refer to these sites, such as email that tries to persuade you to visit a spoofed website, or to download a piece of malware that the phisher can turn against you later. It is also useful for blocking outbound connections that are aimed at these sites. The blocking can be done by a web filter, an endpoint firewall, a router at the organization's border, or in the user's browser.

Microsoft offered an add-on phishing filter [13] for some time; this has become an integrated feature in Internet Explorer 7, currently in its Beta 2 release.

So community-based blocklists can help, and it is suggested that they can be very responsive if the community is large and widespread. (As long as just one person in the whole world spots a phishing site, everyone else can benefit from that knowledge.)

But phishing criminals can react nimbly, too. For example, using a network of botnet-infected PCs, it would be a simple matter to "report" that a slew of legitimate sites were false. Correcting errors of this kind could take the law-abiding parts of the community a long time, and render the blocklist unusable until it is sorted out. Alternatively, the community might need to make it harder to get a website added to the list, to resist false positives. This makes the service less responsive.

Q. You mentioned botnets above, which brings to mind keylogging and the other common tricks employed by malware. How do we defend against these threats?

A. A Trojan on your PC can succeed without subverting your connection to an online service. Indeed, many banking-related Trojans rely on you, in particular, making a legitimate connection to your bank. (In this case it may, ironically, be to the Trojan's advantage that you examine the bank's SSL certificate, thus ensuring that you are correctly connected. If a Trojan wants to manipulate the contents of a transaction, there is no point in doing so when the victim is connecting not to the bank but to a "service" run by a rival criminal concern!)

At first, the most common PC-based attack against online banking was in fact the keylogger. The concept is simple: watch for a banking transaction, record the keys typed (hopefully including the account number, the password or other personally identifiable information) and later pass these keystrokes to someone outside.

An early response to keyloggers was the so-called virtual keyboard, a script-based or image-based system which requires you to click on pictures of keys using the mouse. Often, the letters or numbers on the virtual keyboard move around at random each time you visit the site, so that the sequence of mouse movements cannot be replayed. Many banks still use this system, believing that it provides additional security.

Malware authors were quick to respond, overlaying data entry forms and producing fake virtual keyboards which captured your details before forwarding them to the bank (or, to simplify the programming, before faking an error and forcing you to start again, this time with the Trojan allowing your connection to proceed normally).

We can expect this kind of arms race to continue. Unfortunately, phishers are more nimble than banks. It could take a bank more than a year to introduce brand new web programming and access control into its online systems. After all, change control, accuracy and quality are an important part of a bank's IT philosophy.

The criminals have no such constraints, and they do not especially care whether it is their first, tenth or hundredth new kind of Trojan that succeeds. The cost of 99 programming failures is of no importance to them; the bank, on the other hand, must succeed at the first attempt.

Q. The malware you discuss above relies on capturing data that can be reused later. Don't hand-held authenticators, or tokens, make that impossible?

A. No. Or, more precisely, not entirely. What tokens are intended to do is to introduce an unpredictable, variable value into the authentication process, instead of a conventional password. This means that any password captured by a Trojan cannot be reused, because each password is designed to be used once, and only once.

This does, in fact, render a lot of current malware powerless. Under some circumstances, however, a Trojan can still take advantage of capturing a one-time password, for example if it can capture the password before it is used. This may be possible using what is called a man-in-the-middle attack. A handy illustrated summary of a range of such attacks can be found in [14].

Q. Be able gives you a quick description of how such an assault

The works?

Has. imagines itself that you have game failures against two

Big masters. (This supposes that you are not a first failures

The player you). There is a manner in which can guarantee you

do not be cunning blows by the two players, provided that you play

the the two simultaneously, and that you allowed playing

The white one in a game, and Black in the other.

All you do is wait for your White opponent to move. Then make that move against your Black opponent. When the Black opponent replies, repeat that move against the White player. The two grandmasters are effectively playing each other. You, the man-in-the-middle, are simply relaying the moves between them, although you turn those moves into what look like two separate games.

A similar principle applies with a man-in-the-middle Trojan. The idea is simple, although the implementation can be complex. The Trojan waits for you to begin what you believe to be a transaction with the bank, although you are in fact dealing with the Trojan. This means that you mistakenly authenticate against the Trojan, and the Trojan uses the information you supply (including the one-time password you carefully type in from your token) to authenticate itself with the bank.

The Trojan is then free (at least within certain parameters) to alter various aspects of the transaction, such as the amount, the destination account, or any other details of its choosing.

Q. Are there already Trojans that can carry out this kind of attack?

A. Not yet. The main reason is almost certainly that token authentication is not very common in the world of Internet banking. This is partly because the expense and complexity of rolling it out to every customer is not very appealing to the banks, and partly because the need to carry and use a token is still unpopular with many customers. So there has been little need for organized crime to take the trouble of writing this more difficult kind of Trojan.

Q. When the criminals are forced to confront stronger authentication, how hard will they find it?

A. The criminals may not need to subvert the authentication process at all. Instead, they can simply come up with new ways of cheating you out of your money. Spammers, for example, already know how to carry out online fraud without ever obtaining your account number or your password. Many spammers operate by persuading you to carry out a transaction quite openly, happily making use of your two-factor authentication if you have it, and then supplying inferior goods, or nothing at all, in return.

Now imagine how much easier it would be for the criminals to lure you into fraudulent transactions if they had a detailed picture of your spending habits. For example, if they knew that you paid rent on the seventh of every month, and which agency you paid it to, they could try to phish you into paying it into a different account. And before you reply by saying, 'but that is such a big step, starting to pay bills to a new payee, it would simply never work', remember that it sounds just as far-fetched to believe that users would happily go and type their personal banking credentials into an unknown website on the say-so of an email that could have come from anywhere, and probably did.

The technology to allow strangers to keep detailed track of your secured online activities, including everything you buy, and when, and where, already exists.

An example is the Marketscore application, created by the market research firm comScore Networks, Inc. In return for a modest participation payment, users joined the 'Marketscore Panel' and installed the Marketscore application. Among other features, Marketscore incorporated what is effectively a man-in-the-middle SSL proxy, which aimed to crack open and monitor all your secured online transactions, sending data about everything you bought, and how much you paid for it, back to comScore.

Q. Surely a legitimate application would not go that far?

A. comScore no longer distributes Marketscore, perhaps because of the publicity it received when some American universities decided to block it outright, despite the strongly held tradition of academic freedom on their networks [15]. But here is what comScore itself [16] published about its behaviour:

'...[C]omScore recruits for the Marketscore Panel from one and a half million opt-in members who have agreed to have their Internet behavio[u]r confidentially monitored and captured on a totally anonymous basis. These members give comScore explicit, opt-in permission to confidentially monitor their online activities in return for valuable benefits [...].

Those individuals who choose to be part of the Marketscore panel [..] download comScore's technology to their browser, where it discreetly routes the member's Internet connection through comScore's network of servers [...]. The technology allows comScore to capture the complete detail of all communication to and from each individual's computer, on a site-specific, individual-specific basis. The information captured on an individual member basis includes every site visited, page viewed, ad seen, promotion used, product or service bought, and price paid.

[..]

It is extremely challenging, even with a consumer's opt-in permission, to capture the information communicated to and from a browser in a secure session (for example any purchase transaction). To do this successfully, the technology is required to "securely monitor a secure connection". [C]omScore's patent-pending technology does this at no incremental cost to comScore or risk to the hosts...'

As dubious as this may seem, remember that some security products provide gateway-based tools to open up and inspect the SSL connections on a network. While this is culturally rather different from placing a research-oriented SSL proxy on every PC, it is technically and functionally similar. As with many technologies, whether it is good or evil depends on how it is used, and who is using it.

Q. Let us return to where we began, namely the subversion of the endpoint through malware and potentially unwanted applications. Will improvements in operating system security help prevent users from being 'marketscored' by the criminals?

A. There is a long answer to that, in which we could look at some of the new features of Windows Vista, such as User Access Control, which tries to limit subversive use of the administrator account, and at the features of SELinux, which does away with the idea of an omnipotent account altogether.

The short answer is that operating systems are becoming more resistant to trivial exploitation, but we should all remember that there are always two important risk vectors:

• Users and administrators who make errors of judgement, and who carry out fully authenticated installations of risky or inappropriate software. Vista's warning that 'this operation requires elevation', and its careful display of the program's digital certificate (or the lack of one), for example, can be undone with a single mouse click to authorize the offending operation.

• Organized crime and the counter-culture, which have shown a willingness to invest considerable amounts of time in probing even the most secure systems for small cracks into which they can drive a subversive wedge. What's more, they are rather nimble in responding to technological changes, such as their subversion of virtual keyboards, within weeks or even days, a luxury that security professionals cannot afford.

Q. So can we win? And is authentication the key component in staying ahead of the phishers, even though it cannot solve the entire problem?

A. Some say that we can, and that it is. For example, researchers from a Swiss financial institution and IBM [17] have proposed an online banking authentication system which sounds very secure.

Briefly summarised, the system relies on an external smart card reader unit with a numeric keypad and a small display. The cryptographic calculations for authentication, and for securing the link between the user's browser and the bank, are offloaded to the smart card (which is tamper-resistant and contains its own operating system and software); the entry of passwords and one-time codes is offloaded to the reader's numeric keypad (where they cannot be sniffed or altered); and every transaction is cryptographically confirmed only after its details have been shown on the reader unit's display (where they are not subject to manipulation by malware rewriting the data on the screen).
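To make the difference between the two designs concrete, here is an added simulation that is not part of this paper and is not the Swiss bank/IBM system itself. It models a one-time password as an HMAC over a counter, a man-in-the-middle Trojan that relays the user's fresh code while substituting its own transaction details (the scenario described earlier for the man-in-the-middle Trojan), and then the reader-based approach above, where the card signs the exact amount and destination shown on its own display. The shared secret, account names and amounts are constructed for the demonstration, and the event-counter OTP and HMAC signature are simplifying assumptions, not the protocol used by the real system.

```python
import hashlib
import hmac

# Constructed demo secret. In a real deployment it lives in the token or
# smart card, never on the PC the Trojan controls.
TOKEN_SECRET = b"constructed-demo-secret"


def token_otp(secret: bytes, counter: int) -> str:
    """Event-based one-time password: 6 digits derived from HMAC(secret, counter).
    (Assumed scheme for the demo; it is enough to show reuse versus relay.)"""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def reader_sign(secret: bytes, amount: int, dest: str) -> str:
    """The card-reader design: the card signs the transaction details the user
    has just confirmed on the reader's own display (assumed HMAC signature)."""
    return hmac.new(secret, f"{amount}|{dest}".encode(), hashlib.sha256).hexdigest()


class Bank:
    """Minimal model of the bank side for both authentication designs."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_otps = set()   # enforces once-and-only-once use
        self.ledger = []         # (amount, destination) of executed payments

    def pay_with_otp(self, counter: int, otp: str, amount: int, dest: str) -> bool:
        # Token-only design: the OTP proves the session, not the transaction,
        # so whoever presents a fresh code first chooses the payment details.
        if otp in self.used_otps or not hmac.compare_digest(otp, token_otp(self.secret, counter)):
            return False
        self.used_otps.add(otp)
        self.ledger.append((amount, dest))
        return True

    def pay_signed(self, amount: int, dest: str, sig: str) -> bool:
        # Reader design: the signature is bound to these exact details.
        expected = reader_sign(self.secret, amount, dest)
        if not hmac.compare_digest(expected, sig):
            return False
        self.ledger.append((amount, dest))
        return True


def run_token_scenario():
    """User intends to pay 100 to 'landlord'; a Trojan sits between user and bank."""
    bank = Bank(TOKEN_SECRET)
    otp = token_otp(TOKEN_SECRET, 1)            # user types this from the token
    # The Trojan relays the still-unused code with its own details attached.
    relayed = bank.pay_with_otp(1, otp, 5000, "attacker-chosen-account")
    # The user's genuine request now arrives; the code has already been spent,
    # so one-time use holds, but the damage is done.
    replayed = bank.pay_with_otp(1, otp, 100, "landlord")
    return relayed, replayed, bank.ledger


def run_signed_scenario():
    """Same attempt against the reader design with transaction-bound signatures."""
    bank = Bank(TOKEN_SECRET)
    sig = reader_sign(TOKEN_SECRET, 100, "landlord")   # details confirmed on the reader
    tampered = bank.pay_signed(5000, "attacker-chosen-account", sig)  # signature no longer matches
    genuine = bank.pay_signed(100, "landlord", sig)
    return tampered, genuine, bank.ledger


if __name__ == "__main__":
    print("token only :", run_token_scenario())
    print("reader sign:", run_signed_scenario())
```

The point the simulation makes is the one the paper makes in prose: one-time use is enforced in both cases, but only the second design ties the credential to the details the user actually saw and approved, so substituting the amount or destination invalidates it.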

Of course, this system is complex, which means it will be hard to implement correctly; it is comparatively expensive, which will slow its adoption by the banks; and it is inconvenient, which will slow its acceptance by users.

Also, phishers currently target our banking credentials so that they can later masquerade as us to raid our accounts. They do this because they can, because it is easy, and because it works. As we have seen, making this harder, or even impossible, is unlikely to stop phishing. Phishers will respond by attacking and subverting some other part of our online lifestyle.

This does not mean that we should neglect technological advances in computer security, any more than we would throw out the seat belts, airbags and crumple zones of the modern car. But it does mean that we need to keep ourselves informed and vigilant when we spend money online, just as we are encouraged to be safer and more responsible drivers on the road.
