NNSquad - Network Neutrality Squad
[ NNSquad ] Re: Researchers fault 3-D Secure (3DS) online credit card system
In message <20100128204341.GA6159@vortex.com>, Lauren Weinstein <lauren@vortex.com> writes

> Researchers fault 3-D Secure (3DS) online credit card system
>
> http://bit.ly/a1ygc6 (PC World)
>
> I have never been a fan of birthday-based and "secret-question"-based
> systems. Birthday data is widely available, and many "secret"
> questions tend to have answers that are more widely available than
> one might think.

In point of fact, one of the other University of Cambridge Security Group papers at the same (FC10) conference was:

http://www.cl.cam.ac.uk/~jcb82/doc/fc2010_name_guessing.pdf

Joseph Bonneau, Mike Just, Greg Matthews: What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions

Abstract. We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers' accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.

> I usually suggest that when there's a concern, secret questions
> should be answered with anything memorable other than the
> "real" answer.
Indeed so, setting your mother's maiden name to 6fdg$Gk4 will improve your security posture considerably.

--
Dr Richard Clayton <richard.clayton@cl.cam.ac.uk>    tel: 01223 763570, mobile: 07887 794090
Computer Laboratory, University of Cambridge, CB3 0FD
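As an added illustration of the guessing-theory measurements the quoted abstract refers to (example code written for this page, not code from the post or from the paper), the following Python computes how large a share of a user population a trawling attacker covers with a small per-account guess budget of the most common answers, and how much a proactive enrolment policy that rejects over-popular answers reduces that share. The answer counts, the alpha/beta metric names and the shaping model are constructed assumptions for this example.

```python
from collections import Counter

# Constructed toy answer distribution for a "first pet's name" question:
# how many of 1000 enrolled users gave each answer (made-up data, not the paper's).
POPULAR = {"max": 120, "buddy": 100, "bella": 90, "charlie": 80, "lucy": 70,
           "molly": 60, "daisy": 50, "rocky": 40, "jack": 30, "sadie": 20}
ANSWER_COUNTS = Counter(POPULAR)
ANSWER_COUNTS.update({f"pet-{i}": 1 for i in range(340)})  # 340 one-off answers


def trawling_success(counts, guesses_per_account):
    """Fraction of accounts a trawling attacker compromises when allowed
    `guesses_per_account` attempts per account and always trying the most
    common answers first (a beta-success-rate style metric)."""
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:guesses_per_account]
    return sum(top) / total


def guesses_for_fraction(counts, alpha):
    """Smallest per-account guess budget that compromises at least a fraction
    `alpha` of accounts (an alpha-work-factor style metric)."""
    total = sum(counts.values())
    covered = 0
    for n_guesses, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        covered += c
        if covered >= alpha * total:
            return n_guesses
    return len(counts)


def cap_popular_answers(counts, max_share):
    """Proactive shaping policy: at enrolment, reject any answer already held by
    more than `max_share` of users. Displaced users are modelled as choosing a
    fresh answer nobody else uses (an assumption for this example)."""
    total = sum(counts.values())
    cap = int(max_share * total)
    shaped, displaced = Counter(), 0
    for answer, c in counts.items():
        shaped[answer] = min(c, cap)
        displaced += max(0, c - cap)
    for i in range(displaced):
        shaped[f"fresh-{i}"] = 1
    return shaped


if __name__ == "__main__":
    shaped = cap_popular_answers(ANSWER_COUNTS, 0.02)
    for label, dist in (("raw", ANSWER_COUNTS), ("shaped", shaped)):
        print(f"{label}: 3 guesses -> {trawling_success(dist, 3):.0%} of accounts,"
              f" 50% needs {guesses_for_fraction(dist, 0.5)} guesses")
```

With the constructed data, three guesses of the most common names cover 31% of raw accounts but only 6% once answers are capped at 2% of the population, and reaching half the accounts goes from 6 guesses to 310.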