-={The World Through The Looking Glass}=-

Latest

Thoughts on Phishing

Similar to the theme of my previous post (one year ago, shame on me), I felt that the world had moved on to what I’d call second generation Phishing. Phishing 2.0?

The previous iteration of Phishing had victims visiting bogus websites, but the 2.0 version acts as a proxy so that your first transaction does go through (say, if you want to check your bank balance). What it does then is silently steal your login and password. No word yet on whether any malware boasts that it was successful (Ha! In your face, victim!)

TAC messages are used by some banks to prevent this, but nothing solid is really in place to stop a proxy Phisher from simply asking for the TAC as well. Once the malware / Phishing website has your trust, nothing will stop it.

See: Zitmo (Zeus In The Mobile)

So it occurs to me that Phishing extends to mobile apps as well. Speaking to industry players in the mobile app development world and to IT security guys, it seems that companies (banks, cinemas, airlines etc.) seldom implement mechanisms to verify the integrity of the mobile app talking to their servers.

We have seen SecureWords (those little pictures or words you select during registration) that pop up before you log in, to tell you that the company is the real one and not someone else. But there is nothing to tell the company that the application is their own.

In my ramblings to my colleagues I always ask why it is so hard to develop some hashing function whose result gets passed along to the server to say “yep, I’ve not been modified or imitated in any way” (simplifying it greatly just to make the point; the detailed steps are probably too technical).
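One way the idea above could be sketched, as an added example that is not from the original post: the server hands the app a fresh nonce, the app answers with an HMAC over its own bytes keyed by that nonce, and the server checks the answer against the releases it actually shipped. The app bytes, the server class and the function names are all constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a released app binary and a tampered copy of it.
RELEASED_APP = b"BANKAPP v1.0 " + bytes(range(256)) * 4
TAMPERED_APP = RELEASED_APP.replace(b"v1.0", b"v1.0-modified")


class AttestationServer:
    """Keeps the bytes of every release the bank shipped and issues one-time nonces."""

    def __init__(self, releases):
        self.releases = dict(releases)   # release name -> exact bytes shipped
        self.outstanding = set()         # nonces issued but not yet answered

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        # A nonce is accepted once only, so a captured response cannot be replayed.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        for data in self.releases.values():
            expected = hmac.new(nonce, data, hashlib.sha256).digest()
            if hmac.compare_digest(expected, response):
                return True
        return False


def client_response(app_bytes, nonce):
    """What the app sends back: an HMAC over its own bytes, keyed by the fresh nonce.

    Keying by the nonce means a modified app cannot just embed a precomputed
    digest; it would need the entire pristine release to answer. That is the
    limit of self-attestation: anyone holding the original binary can still
    answer, so this raises the bar but is not proof on its own.
    """
    return hmac.new(nonce, app_bytes, hashlib.sha256).digest()


def attest(server, app_bytes):
    """Run one challenge-response round and report whether the server accepted it."""
    nonce = server.challenge()
    return server.verify(nonce, client_response(app_bytes, nonce))
```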

I feel there’s lots more that can be done both on education and technical implementation to deter Phishing, but I’m from the camp that believe that even if a user is not educated (I always use my grandma in presentations, sorry Grams), the technical controls should prevent it. That’s called serving the 18 to the 80.

Just to share something recent: when I was registering this address, I was also paying my income tax. The first website I went to was http://www.lhdn.gov.my. Now imagine my surprise that it’s actually for sale. The official site is http://www.hasil.gov.my. Now that it’s income tax filing season, if I can make that mistake, what is there to stop me from registering the site and using it to Phish for login credentials?

Fingerprint as login is not a bad idea, but current implementation is

Today’s news has been about how bad an idea it was to use fingerprints as a login mechanism (Ars Technica). Apple’s iPhone had a similar mechanism and it was broken in 48 hours by someone swiping a lifted fingerprint (Ars Technica, again). Mythbusters had an episode in which the latest in fingerprint locks (fingerprint + pulse + heat + skin conductivity) was broken by having someone lick a plastic mold of a fingerprint.

In short: Passwords can be changed, fingerprints can’t.

But I disagree that fingerprints can’t be used as a convenient way to grant authorized access. It’s only the current implementation that makes it simple and easy to break. Sure, you leave fingerprints all over the place, and once someone has your prints it becomes impossible to change them. But no one says it has to be just one print per scan.

A better way would be to adopt common good password practices, but this time apply them to the sequence of fingerprint swipes.

  • Password length = fingerprint swipes
  • Password complexity = random fingers (we have 10, take a pick)
  • Password history = length + complexity combo history
  • Example: Fingerprint password of length 3 + complexity = Left Thumb -> Left Middle -> Left Pinky. 3 swipes.

This way, even when someone has your prints, they have no idea which fingers you use, for how many swipes, or in what combination.

Problem solved.
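The swipe-sequence scheme above, as an added example that is not part of the original post: the scanner is assumed to match each swipe to one of ten enrolled finger IDs, and the ordered sequence is then stored and checked exactly like a password (salted, stretched, with history and a lockout). The finger names, limits and function names are constructed for the illustration; the lockout is there because ten fingers over three swipes give only 1,000 sequences.

```python
import hashlib
import hmac
import os

# Each swipe is assumed to be matched by the scanner to one of these ten IDs.
FINGERS = ("L-thumb", "L-index", "L-middle", "L-ring", "L-pinky",
           "R-thumb", "R-index", "R-middle", "R-ring", "R-pinky")
MIN_SWIPES = 3      # "password length"
MAX_ATTEMPTS = 5    # lockout: the keyspace is small, so guessing must be throttled


def keyspace(swipes):
    """Number of distinct ordered finger sequences for a given number of swipes."""
    return len(FINGERS) ** swipes


def _stretch(sequence, salt):
    # The ordered sequence is the secret; treat it like a password.
    return hashlib.pbkdf2_hmac("sha256", "/".join(sequence).encode(), salt, 50_000)


def _matches(record, sequence):
    return hmac.compare_digest(_stretch(sequence, record["salt"]), record["digest"])


def enroll(sequence, history=()):
    """Store a new sequence, enforcing length, known fingers and no reuse of old records."""
    if len(sequence) < MIN_SWIPES:
        raise ValueError("too few swipes")
    if any(finger not in FINGERS for finger in sequence):
        raise ValueError("unknown finger")
    if any(_matches(old, sequence) for old in history):
        raise ValueError("sequence was used before")
    salt = os.urandom(16)
    return {"salt": salt, "digest": _stretch(sequence, salt), "failures": 0}


def verify(record, attempt):
    """Check an attempted sequence; after MAX_ATTEMPTS failures the record is locked."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False
    if _matches(record, attempt):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False
```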

Can you hear the echo in here?

Here is a blog that existed back when blogging was cool, having your own domain name was to rise to the rank of God himself, and everyone drooled over a dSLR.

A blog that has existed for this long carries with it a load of emotional weight that I want to be rid of, and thus a spring cleaning is in order.

I was lucky these are all digital; imagine if they were in aged, rubber-band-bound diaries and the only satisfying way of ‘deleting’ them involved a bottle of kerosene, a match and an escape plan for the inevitable fire in my backyard.

I’m not holding sentimental value for each blog post, although I do find a gem here and there as I select them for purgatory. Mostly old chain emails and jokes and some thoughts I had penned down during my uni years (no such luck finding rough scribbles for a facebook-social-network); most of which can now be recognized as dreams of better role models / entrepreneurs, and the rest, old jokes, Googled.

There’s no archived old posts section, and it’s a waste of time anyway as my blog views are not as high as before, so all those posts are gone. I feel lighter already!

So anyway, this is a brand new post for a brand new start: new tags, new categories, new everything! It may also be a way for me to clear the room full of junk before I shut it down, who knows… let’s see if there’s a next post after this.
