Kiwibank’s KeepSafe feature, and ETAOIN SHRDLU
Friday, January 30 2009
Kiwibank have added a new step to their login process, called KeepSafe.
In this step, the user knows the answers to a small set of questions they have selected, like “Where were you born?” or “What’s your pet’s name?” When they log in they are shown the questions and asked to pick out particular letters of the answer (e.g. the 1st and 5th letters).
The aim is to defeat keyloggers. The user uses their mouse to select letters from a display of the alphabet, and they never type the whole answer, so an attacker who logged mouse clicks would have to capture multiple logins.
My guess is that password-stealing malware is common enough now that it poses a significant risk to banks.
Unfortunately for users, this system is quite inconvenient. It demands an unaccustomed degree of mental and physical dexterity to select the correct letters. It is also inaccessible to people with text-only browsers, or who have JavaScript turned off (ironically, the very people least likely to be vulnerable to malware).
A friend suggested that their Keepsafe answer would be “Keepsafe is bloody annoying”. This inspired me. I realise now that the savvier user will set all their Keepsafe answers to AAAAAAAAAAAA.
I also wonder whether it wouldn’t be reasonably easy to guess Keepsafe answers. If I were a wily hacker, I’d use my dictionary to compile stats of the most common letters in English words, by word length and position in the word. Let’s see.
#!/usr/bin/env python3
import string

# snag all 6 letter words (each dictionary line is 6 letters plus a newline)
with open('/usr/share/dict/words') as f:
    words = [l.lower().strip() for l in f if len(l) == 7]

counts = [{'all': 0} for _ in range(6)]
for word in words:
    for i in range(6):
        # count the letters in position i
        letter = word[i]
        counts[i][letter] = counts[i].get(letter, 0) + 1
        # keep a total so we can compute a percentage easily
        counts[i]['all'] += 1

for pos in range(6):
    print("Position %d" % (pos + 1))
    tops = {}
    for letter in string.ascii_lowercase:
        # integer percentage, which is why the results below end in .00
        tops[letter] = counts[pos].get(letter, 0) * 100 // counts[pos]['all']
    # take the nine most frequent letters (the slice [0:9] yields nine, as the results show)
    for letter, pct in sorted(tops.items(), key=lambda kv: (kv[1], kv[0]), reverse=True)[0:9]:
        print("%s %02.2f%%" % (letter, pct), end=' ')
    print()
Results:
Position 1
s 11.00% c 7.00% b 7.00% p 6.00% m 6.00% t 5.00% r 5.00% d 5.00% a 5.00%
Position 2
a 18.00% o 15.00% e 13.00% i 10.00% u 9.00% r 7.00% l 5.00% n 3.00% h 3.00%
Position 3
r 10.00% a 9.00% n 8.00% l 7.00% s 6.00% o 6.00% i 6.00% t 5.00% e 5.00%
Position 4
i 10.00% e 10.00% t 8.00% a 7.00% n 6.00% l 6.00% o 5.00% s 4.00% r 4.00%
Position 5
e 27.00% n 7.00% l 6.00% a 5.00% t 4.00% r 4.00% o 4.00% i 4.00% u 2.00%
Position 6
s 36.00% d 11.00% e 9.00% r 8.00% y 6.00% n 5.00% t 4.00% g 3.00% a 3.00%
The distribution of letters is quite skewed, and you get three goes with Keepsafe, so a patient intruder could probably guess a substantial minority of answers.
I’m not sure what the end of this arms race will be.
Tags: security ~ kiwibank ~ python
On the one hand, on the other hand
Wednesday, July 30 2008
The newest versions of Firefox and IE are sticklers when it comes to SSL, which is why right now this second, you’ll see this message if you use Kiwibank’s online banking:
Secure Connection Failed
An error occurred during a connection to www.kiwibank.co.nz.
Peer’s Certificate has been revoked.
(Error code: sec_error_revoked_certificate)
Firefox is not very helpful at this point. With other SSL problems it will show you the certificate and how it was/was not verified. No such facility here.
According to the phone banking person I just talked to, the authority that issued their certificate assumed they were in the UK(!) and set various fields accordingly.
This is not good.
However, what was good was that my call was answered in about 30s, the person on the other end knew about the problem already, they had a reasonable explanation, and they had a suggested workaround. In these days of outsourced, scripted help desks, that’s pretty good indeed.
Tags: security ~ firefox ~ kiwibank ~ support