January 04, 2004

Fashionable Security

After a long delay due to various matters, it is high time for an article on what I would term "fashionable security".

Like many others in the world I am a user of various Internet Banking services and I continuously compare and contrast the security measures between them. One service in particular struck me as being particularly well designed. What struck me, though, was the original version, not the latest fashionable incarnation.

The version which I found well-designed was based upon three-way authentication: username, password and one-time pad. You would enter your username and password (both secret) and then select the next four-digit number from the one-time pad. The pad contained 80 four-digit numbers and a new one would be automatically sent to you as you exhausted the current list.

The beauty of the above system is that you could use it in complete safety from unsafe locations (e.g. your PC at work) because at worst the attacker would obtain your username and password but would not be able to reproduce the next four-digit number in the sequence. All you needed to do was jot down the next couple of numbers from the one-time pad before going into work in the morning if you thought you would need to e-bank.
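To make the property just described concrete, here is the pad scheme modelled from the verifying side. This is an added example, not the bank's implementation (the post shows none). Everything beyond the post's description is an assumption and is labelled as such in the comments: the server stores only salted hashes of the codes, accepts strictly the next unused code and nothing else, locks the account after three consecutive failures, and automatically issues a fresh pad the moment the eightieth code is consumed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PAD_LENGTH = 80          # the article's pad held 80 four-digit numbers
CODE_DIGITS = 4
MAX_FAILURES = 3         # lockout threshold: an assumption, the article states none
KDF_ROUNDS = 1_000       # kept low so the demo runs quickly; use far more in production


def generate_pad(length=PAD_LENGTH):
    """Random four-digit codes, as printed on the pad the customer is sent."""
    return [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(length)]


def hash_secret(user_id, label, value):
    """Hash a password or pad code, salted with the account and slot label.
    The server keeps only these hashes, never the codes themselves (assumed design)."""
    salt = f"{user_id}:{label}".encode()
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, KDF_ROUNDS).hex()


@dataclass
class PadAccount:
    user_id: str
    password_hash: str
    code_hashes: list                 # one hash per pad position, in order
    pad_number: int = 1               # which pad this customer is currently on
    next_index: int = 0               # cursor: only the code at this slot is accepted
    failures: int = 0
    locked: bool = False

    def remaining(self):
        return len(self.code_hashes) - self.next_index


class PadBank:
    """Server side of the username / password / one-time-pad scheme."""

    def __init__(self):
        self.accounts = {}
        self.outbox = {}   # stands in for the postal dispatch of a fresh pad

    @staticmethod
    def _label(pad_number, index):
        return f"pad{pad_number}-code{index}"

    def enrol(self, user_id, password):
        pad = generate_pad()
        self.accounts[user_id] = PadAccount(
            user_id=user_id,
            password_hash=hash_secret(user_id, "password", password),
            code_hashes=[hash_secret(user_id, self._label(1, i), c) for i, c in enumerate(pad)],
        )
        return pad   # delivered to the customer out of band; the server never sees it again

    def _reissue(self, acct):
        """Exhausted pad: generate the next one and 'post' it to the customer."""
        pad = generate_pad()
        acct.pad_number += 1
        acct.next_index = 0
        acct.code_hashes = [hash_secret(acct.user_id, self._label(acct.pad_number, i), c)
                            for i, c in enumerate(pad)]
        self.outbox[acct.user_id] = pad

    def _fail(self, acct, reason):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return False, "locked"
        return False, reason   # distinct reasons are for illustration only; production should stay vague

    def login(self, user_id, password, code):
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked:
            return False, "denied"
        pw_ok = hmac.compare_digest(acct.password_hash, hash_secret(user_id, "password", password))
        expected = acct.code_hashes[acct.next_index]
        code_ok = hmac.compare_digest(
            expected, hash_secret(user_id, self._label(acct.pad_number, acct.next_index), code))
        if not pw_ok:
            return self._fail(acct, "bad-password")
        if not code_ok:
            # A replayed, skipped or guessed code lands here: a shoulder-surfed username
            # and password alone never yield the next number in the sequence.
            return self._fail(acct, "bad-code")
        acct.failures = 0
        acct.next_index += 1
        if acct.remaining() == 0:
            self._reissue(acct)
            return True, "ok-new-pad-sent"
        return True, "ok"


if __name__ == "__main__":
    bank = PadBank()
    pad = bank.enrol("alice", "correct horse")          # constructed demo account
    print(bank.login("alice", "correct horse", pad[0]))  # first code: accepted
    print(bank.login("alice", "correct horse", pad[0]))  # replay of a used code: rejected
```

The point the post makes about unsafe locations falls out of the cursor: a keylogger on the work PC captures a code that is already spent, and the only thing that would let the attacker in is the next unused line of a piece of paper that never touched that machine.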

Then they decided that it simply wasn't "cool" enough for their high-profile clients and switched over to the new system.

This "new" system is based upon your username, password, a token calculator and an "e-banking card": you enter your username, then place the e-banking card into the calculator, unlock it with the password, type the challenge from the website into the calculator and enter the response as the authentication token on the website.

Sounds sexy, doesn't it? Pity that you now have to carry around a calculator and an e-banking card (which no doubt the vast majority of people leave in the obvious location: the token calculator) and that the security of your account relies exclusively on your password. If your calculator is stolen after your password has been shoulder-surfed (along with your username) then your account is wide open.

So here you have an infinitely more fashionable gadget-based authentication which looks like RSA SecurID but isn't.

You now have to carry a bulky and eminently visible calculator (it is rather hard to disguise a calculator in a bag in comparison to four-digit groups in a phonebook...) with a card which looks like an ATM card sticking out of it, just in case the opportunistic thief hadn't spotted the unique-looking calculator. The uneducated user thinks "wow, cool, a special calculator and a secret-agent procedure to get in" and the thief thinks "wow, thank you very much, no need to find the one-time pad now!".

Hence we have a perfect example of "fashionable security" or "how to reduce security by making it look sexy for users".

Posted by arrigo at January 4, 2004 03:43 PM