What the Analyst said ....Why LiveEnsure and SiteKey/SitePass are not the same.

 So there I was on the phone to an Analyst today explaining (at a fairly high level )  some of the basic features of LiveEnsureTM  when he says – “  ahh – I get it – this is identical to Bank of America’s SiteKey/Site Pass system.”   Not having the details of said banks system at my fingertips – I was unable to correct the Analyst on his incorrect conclusion with any hard science.   We were also running out of time,  it was a bad line and…all I could say was – it is not the same – there is much,  much more going on under the hood with LiveEnsureTM.   

So why is BofA’s SiteKeyTM / Site PassTM authentication system NOT identical to LiveEnsureTM  ?

·                Device ID.   Although both ostensibly have a ‘hardware device recognition’ component – the BofA solution relies upon the re-referencing of a cookie (downloaded at registration – a simple subset of browser-aware attributes) by the Banks’ site to determine the ‘identity’ of the device.   This cookie resides on the users device and hence is stateful and hackable.   Even if hardware recognition fails, users are pushed through to a pass phrase - which essentially renders the hardware step useless if so easily by-passed.     LiveEnsureTM device recognition algorithm relies upon a patent pending approach of recognizing the digital fingerprint of the device through its unique “ accoustic “ signature.  The device is ‘challenged’  uniquely every-time an authentication takes place.  Nothing is seeded onto the device that could be re-referenced.   The applet recognizes the Device’s fingerprint and if the correct one – it then renders a pop-up on the screen outside of the browsers control when the user is then asked a challenge question. 

Credentials are presented serially ( in sequence ) in the BofA solution.  This means that a hacker can brute force hack – (through “ trial and error’ ) the users’ credentials.  In LiveEnsureTM if authentication fails there is no opportunity to re-try.   The user has to go back to the beginning – the user does not know what credentials were wrong.   (LE features a random rotation of challenges - not the same “phrase” each time).  Also the visual Passmark is easy to shoulder surf;   and all of the credentials are passed through the browser (web channel – even if SSL ) – which makes it vulnerable to MiTM and MiTB attacks.  The LiveEnsureTM solution does not allow any literal information to be trafficked over the secondary (SmartTM ) channel let alone over the browser.    The fundamental problem with this and all traditional 2FA solutions is that the second password/challenge question/OTP is entered into the browser – in sequence.  Before the browser has even been confirmed to be secure.   Doesn’t make sense does it ? 

Article from CafeID “The SiteKeyTM system fails, according to IT Security Architect Doug Ross (http://directorblue.blogspot.com/2005/06/making-phishers- solve-captcha-problem.html), to address the fundamental problem of phishing because it leaves the customer susceptible to the classic "Man in the Middle" false- storefront attack. Since there's no way to distinguish the customer's virgin computer from a phisher-person's "malicious, zombie PC", according to Ross, "the zombie PC could present a false BofA store-front to the victim and proxy login in- formation from the user to the bank and any resulting pages and images from the bank to the victim." …” also the SiteKey approach still relies on the storage of images and so on in your personal records on the merchant's database. Compromise of this data would leave you just as vulnerable as you'd be if your login and password were obtained.” 
Trevor Bauknight, (http://www.hillsorient.com/articles/2005/07/372.html

Comments

Post a Comment

Popular posts from this blog

The End of Passwords

Finally it seems … the penny has dropped.   Passwords are a poor substitute for real online security.   There is more and more ‘chatter’ about it.    Robin Henry writing in the Sunday Times on New Years Day talks of the end of ‘password hell’ invoking solutions in the pipeline from the Web Gods – Apple and Google.  The talk is of new biometric solutions such as facial and hand movement recognition.  Even IBM is talking this way.  ( http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/ )  I agree with the notion that passwords are a dying breed but not that biometrics will become vogue.   They are fraught with problems of their own such as reliability, accuracy and the need for referencing of data-bases ( fail !) .    Why are passwords defunct?   Basically they are difficult to remember and they are easy to steal.    The solutions needed are those that require no cognitive load for the user ( the most unreliable participant in this enterprise
Read more

CAPITALISM – no longer fit for purpose ?

Image
The vast majority of humanity survive on a few dollars a day.    The economic boom of the last fifty years has benefited a relatively small elite. The fossil fuel driven economy has devastated the planet. Capitalism is the most efficient creator of wealth but it has been derailed and it has led to inequality and environmental degradation on a global scale. Global warming and capitalism’s favourite progeny – globalisation – has triggered social movements,   political discontent and massive migration.    There are more economic and political migrants seeking greener pastures than at any time in history. Increased Government participation in the economy both directly and through regulation is required to temper the excesses of laissez-faire capitalism. Degrowth means uncoupling the link between growth and prosperity.        Adam Smith’s ‘invisible hand’ has been the single biggest driver of the phenomenal economic growth enjoyed globally over the last two hundred years
Read more

WIKILEAKS - the fuss?

Why all the fuss ? Why the ‘outrage’ at this ‘threat to national security’ ?   Are we really worried that nuclear war is going to break out because of these ‘dirty’ secrets getting out.  As if the North Koreans are going to up the ante any more than their mock charge of last week because of the abuse and scorn heaped upon them by US Diplomats.  ? !    Come on. To me the irony of this bluster is that it is (largely) from the right wing establishment in the US - calling it treason!     Any party that parades a half wit like Palin as a presidential hopeful hardly holds any moral high ground when it comes to protecting the USA.   Her appointment as the ‘leader of the free World’ will be enough to send any level headed American ( let alone any one of their Allies ) into a panicky tailspin at the thought of what she may stumble into ( by accident or design) . So how did these documents get out there?   Poor security.  Plain and simple.   If the US is so worried about this incident su
Read more