Tuesday, October 31, 2006

Good Bye Username and Password

What more appropriate time to talk about the Trick or Treat of usernames and passwords than Halloween?
There isn’t a damned thing safe anymore in cyberspace. Each day's news brings another horror story. Business and government are pushing aside the Russian mafia in efforts to remain #1 in giving away the secrets.
Ellen Nakashima reports in the Washington Post:
Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities.

E-Trade Financial Corp., the nation's fourth-largest online broker, said last week that "concerted rings" in Eastern Europe and Thailand caused their customers $18 million in losses in the third quarter alone.
That’s just the losses in the online brokerage business and, if past experience is any indicator, the actual amount gone south is probably a multiple of that 18 mil. The banking industry won’t tell us what hacker access into private accounts costs, lest we send back those juicy and profitable credit-cards that access our bank accounts. Juicy as in 'juice,' the mobster moniker for excessive interest, but that’s another story.
Allowing the banking industry to charge 18 to 36% interest when the prime rate is 8.25% would presume, at the very least, a level of credit-card security that simply is not there. Nakashima further reveals:

The scams typically begin with a hacker obtaining customer passwords and user names, experts said. One way is by placing keystroke-monitoring software on any public computer in a library, hotel business center or airport. With the software, all keystrokes entered on the computer can be recorded and e-mailed anywhere in the world.

Experts said all hackers have to do is wait until anyone types in the Web address of E-Trade, Ameritrade or another online broker, and then watch the next several dozen keystrokes, which are likely to include someone's password and login name.
The hardware we have come to depend upon, such as
  • Cell phones
  • BlackBerry type wireless communicators
  • Laptop computers
and a plethora of soon-to-be-announced extensions of our cyber-lives are putting us increasingly at risk. eWeek.com’s Special Report on Cyber Crime lists a dismaying number of subject titles
  • FBI: Companies Need to Report Cyber Attacks: An assistant director of the FBI's New York City bureau tells IT security professionals that more needs to be done to report hacking and other cyber-crimes.
  • Phishers Target Financial Institutions: Experts say phishing schemes remain an extremely troubling threat, specifically for financial services companies.
  • Is the Botnet Battle Already Lost?: Botnets have become a big underground business, and the security industry has few answers.
  • Botnets Are Taking Over the World: In this eWEEK Podcast: Botnets are taking over the world; Microsoft shuffles Windows division deck and makes changes to Vista to appease the European Union and South Korea; Peter Coffee says some of the smartest people in the world are working for the Dark Side
  • Cyber-Thieves Targeting Smaller Retailers: As large e-commerce sites pour millions of dollars into security and enterprise-league hardened POS systems, cyber-crooks have been giving more attention to much smaller and less well-protected merchants.
  • Googling for ATM Master Passwords: Using clues obtained from a YouTube video and a simple four-word search engine query, a criminal can find step-by-step instructions on how to hack into and take control of thousands of cash-dispensing ATMs.
  • Hackers Hit AT&T System, Get Credit Card Info: About 19,000 customers of the telephone company's online store are affected by a weekend computer break-in.
None of which is likely to increase your degree of confidence.
Usernames and passwords only suggest security and keep out the riff-raff. In the meanwhile, a multi-billion dollar worldwide theft business thrives that puts the old bank-robbers to shame. John Dillinger is famous for saying, when asked why he robs banks, “because that’s where the money is.” These days the money is elsewhere and can be taken without guns, getaway cars or even risk.
There are solutions. Google Checkout has just introduced a secure method by which they keep your credit-card info and all their registrants need do is hit the Google Checkout logo to purchase safely from online retailers who offer the service.
Which is a sort of just-in-time solution for the more than 50% of web browsers who are afraid to actually buy online for fear of credit-card fraud. 
Other solutions are more disruptive, as well as expensive. It is possible to encrypt almost anything, including keyboards, so that keystrokes cannot be monitored. Passwords to boot up a laptop or PC can be encrypted as well. Thus a stolen or lost machine could (presumably) not be accessed, at least by casual means.
Ultimately we’re looking at the demise of usernames and passwords. The bigger question is how spectacular the losses must become before industries change or consumers junk it all and start to pay with cash.
The cashless society may not be as close as the banking industry would like.