July, 2000 document. Stuff on TCPA (Remember, Gemplus is a member).
fipr.org
Client PC security
85 But even if banking computer systems were perfect, the majority of the computers used by customers for on-line banking will be home PCs that are most unlikely to meet any serious security requirements.
86 The difficulties that users have in managing PINs and passwords have already been discussed, but a number of further problems arise from the use of PCs. People tend to be very trusting of others and can often be persuaded to reveal their PINs and passwords when they should not do so. Many people have difficulty installing software on their PCs and find an "expert" neighbour or friend to help. It is not unusual to find that the helper will be given the codes needed to operate the service being installed, in order to check that it is working and to demonstrate its use to the real customer. Undoubtedly most helpers are honest but inevitably a few will use such knowledge for fraudulent personal gain.
87 A further concern is that typical PCs do not provide much real protection for PINs and passwords unless careful control is maintained over access to the PC as well as control over the software that is installed. PCs used for home banking will often be used by several family members for a wide range of different pursuits. It is not difficult for anyone who has ongoing access to install software that will capture sensitive account and password data entered by users for later collection. This could easily be achieved by another family member or by someone called in to maintain the machine.
88 Such attacks can be even easier to mount if the software used for online transactions is not very carefully designed. Most modern PC operating systems can appear to run several applications at once. They do this by temporarily moving
applications and the data they are using from memory on to files on disc called swap files. Such files will often hold sensitive data such as passwords or security keys themselves, and they can be read with utilities that are widely available. A knowledgeable programmer could easily write software that searches the swap file to find the information. Recent research has shown that some security information has characteristics that are easy to detect unless it has been deliberately disguised, and this makes such attacks all the easier to design. A computer maintainer armed with software of this kind could easily recover such information as a matter of routine.
89 Although these forms of attack are probably rare at present, this is not the result of any inherent technical difficulty but because the gains are limited while online banking is not yet widespread.
90 In addition to attacks requiring physical access, PCs used on the Internet are vulnerable to attacks in which software is remotely installed to capture and transmit a user’s keyboard data to a remote locations. Since users are routinely asked to install "add-ons" such as applets and active controls, most users accept this as routine and will not understand how easy it is for a fraudulent site to install an applet that appears to offer one service but in reality captures and transmits security data back to the site in question. It would also be perfectly feasible to modify and redistribute an honest applet from a reputable
company to do this. A number of cases have been reported recently in which commercial software has been found to provide its supplier with information about its user’s activities, without the user having been made aware of the fact.
91 An even more potent attack would be one based on a computer virus (software designed to transfer itself from one computer to another unknown to their users, either on diskettes or over the Internet, and capable of affecting the working of any computer it reaches). Current viruses exhibit a range of behaviours from benign (or even beneficial) effects through to those of a highly malicious character, designed to inflict substantial damage on a victim’s PC or the data it contains. But it is straightforward to write a virus that, once installed, looks for and captures PINs, passwords, account details and other sensitive data for transmission back to the virus writer when the victim next goes on line. By making such a virus covert – that
is, as silent as possible, so that a PC user is unaware of its presence – it could easily do its job over months or even years without being detected.
92 Although we are not aware of such viruses having been written or released, the steady growth of online banking and
electronic commerce will make the possibility a virtual certainty in the not too distant future. It is a threat against which many PCs have little defence. The BBC provided a vivid illustration of this type of attack on 22nd November 1999 in a programme in its Crime Squad series. A remote user was shown using the Internet to monitor a session in which a customer used an online banking service. The remote user was able to capture the security information necessary to carry out a successful subsequent transaction on the customer’s account. The basis of this attack was not explained in detail, but it could easily have been mounted by installing a special program (in this case probably not a spreading virus) using a macro contained in a document attached to an email message (like the Melissa virus but less visible in its effect). Such possibilities must be regarded as far from remote.
93 To counter attacks of these types, Microsoft has introduced a capability for software to be signed with a digital signature so that its origin can be checked. Such signatures allow the operating system to verify the signature on a piece of code before it is allowed to run. In an ideal world this would offer a meaningful improvement in security if customers were willing and able to use it; but even if all suppliers of software could be persuaded to offer signatures, the operating system has to be trusted to
carry out reliable checking of the signatures involved, and this is not as easy as it might seem.
94 The inherent difficulties involved in computer security are discussed in The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, a paper by scientists from the US National Security Agency [Loscocco98]. That agency is responsible for the security of US Government communications and for monitoring and deciphering foreign communications for intelligence purposes. Any paper by the NSA on computer system security carries very high weight indeed. The thrust of this paper’s argument is that it is unrealistic to expect that security mechanisms can be implemented in software without computer operating systems that offer effective security features of a kind that do not exist in current products.
95 Although purely software based PC banking procedures seem acceptable now, for reasons such as those discussed it is
hard to believe they will continue to be seen as a robust online banking solution for the longer term. Although the use of signature keys based on public key cryptography can greatly reduce the risks presented by the use of PINs, passwords and other shared secrets, even then the customer is dependant on keeping the private key secret despite the need to use it in a PC. In such an environment the customer is exposed to risks of the private key being compromised without having any means of detecting the compromise until fraudulent use comes to light. A sophisticated attack might leave no evidence of how it occurred, and the customer is therefore weakly placed to resist an assertion by the bank that the transaction must have been authorised.
Hardware based solutions
96 The unavoidable security limitations of software have led many to look for hardware solutions, such as those based on
smart cards. Although software is easy to modify and hence subvert, this is less true of hardware, which makes it attractive for implementing security critical features. While hardware solutions offer better security assurance than software, they are also more expensive. As a result such solutions are likely to be advocated not just for online banking but in the wider context of online electronic commerce. The discussion that follows will therefore consider this wider context.
97 If secret data can be held in hardware, for example in smart cards, it is much less vulnerable to being discovered by an attacker. Smart cards are vulnerable to a number of forms of attack, but much less so than software since the expertise required is more specialised and the tools needed are less commonly available. But expertise in microelectronics is not rare, and many laboratories will have the necessary equipment. Several techniques have been developed to discover the internal secrets of smart cards, and some of these have been shown to be very successful for particular cards [Kömmerling99].
98 Such attacks have already become a serious problem for the purveyors of pay-per-view TV. At one point, Sky TV
reckoned that smartcard forgery was costing in excess of 5% of its turnover. Once they are widely introduced, banking
smartcards will clearly present an even more attractive target. Some attacks on cash dispenser cards have involved
sophisticated and expensive techniques to deceive customers into giving their PIN to a fake machine, and recent research has shown that many smartcards are vulnerable to a fake machine extracting their secrets by observing the power they consume while calculating a digital signature. Organised crime will certainly be able to obtain the means to attack smart cards when the rewards justify the effort.
99 Moreover, the undoubted advantages of smart cards when compared with security mechanisms based on software are not
as easy to harness as they seem. First, where smart cards are used to hold secret information, it makes little sense to transfer this information into a PC for use, since this will remove the very protection that the smart card is intended to provide. So in order to maintain the security of the information, it has to be used on the card itself, and this is likely to require the card to have very powerful processing capability of its own. There are obvious cost implications. Secondly, at a practical level, almost no mass market PCs come with smart card readers, and this seems unlikely to change unless the need is widely recognised and the costs involved are small.
100 Thirdly, a PIN or a password will be used to activate the card in order to guard against the fraudulent use of lost or stolen cards. If this is entered through the PC’s keyboard it will be vulnerable to all the attacks discussed earlier. In this case it can be argued that the loss of the PIN is not so serious since fraud will require both the card and the PIN. Although this is true, if an attack has been mounted on a PC through a virus as described earlier, it would not be hard to extend the virus to use captured password data with the smart card the next time it is inserted by the user. [they've clearly not heard of Embassy!]
101 These points are not made in order to deny the value of smart cards, but simply to point out that while they will offer big improvements when compared purely with software, they are not a perfect solution.
102 In order to overcome one of these vulnerabilities, at least one smart card manufacturer is now offering a secure smart card reader with a small keypad for the entry of the PIN. This avoids the use of the PC for PIN entry, but it remains vulnerable to an attack in which a fraudulent application running on the PC (or a point of sale terminal) displays one transaction to the user while asking the inserted smart card to authorise a completely different one. For example, a personal signature card used to sign credit card transactions is vulnerable to an attacker who presents a point of sale terminal to the user which purports to perform a genuine transaction but simultaneously authorises another transaction that is seriously to the user’s detriment – examples might range from another credit card transaction for a large amount up to a re-mortgage of the
user’s home.
103 Smart cards are often seen as the perfect answer for implementing digital signatures, because signature keys kept on such cards can in principle have values not even known by their owners. This can prevent an owner from repudiating a genuine signature by publishing the key and claiming it to have been compromised before the transaction.
104 But providing a useful identity based signature which cannot be repudiated by this means remains very difficult, because (1) in order to ensure that the signature key is secret it must be generated on the card; (2) for the same reason it must never leave the card, and this requires that the transaction or document to be signed must be imported on to the card, with the signature process be performed by the card; and (3) the card has to export a verification key that allows the signature to be verified and associated with a person authorised to perform the transaction.
105 As already indicated, meeting requirements (1) and (2) currently requires relatively expensive "state of the art" hardware solutions, while meeting requirement (3) turns out to be difficult because it raises social and legal issues about how a person can be identified in a unique way.
106 A person’s name alone is clearly not sufficient since names are not unique; but neither are names with birthdays or names with addresses (which can in any case change frequently). The use of verifiable biometric data – for example, fingerprints, iris or retinal scans or DNA data – offers a more robust solution but will be expensive. Use of such data also raises a number of ethical and privacy concerns such as those that come to the fore when identity cards are mooted: there are many circumstances where an individual may legitimately wish to use a pseudonym which has no link to any other name the individual uses. Moreover, while the costs might be contemplated for use with cash dispensers or point of sale terminals, it is less obvious that the cost of secure biometric data collection devices will soon become low enough for them to become "commodity" peripherals for home PCs. For this reason their value in the foreseeable future for online banking and electronic
commerce by consumers is somewhat uncertain.
107 It is worth noting that major computer and software suppliers are aware of the need to improve the security of current PCs to meet electronic commerce and related needs. This was illustrated in October last year with the announcement of the formation of the Trusted Computing Platform Alliance in the following terms:
"Compaq, Hewlett Packard, IBM, Intel, and Microsoft today announced the formation of the Trusted
Computing Platform Alliance (TCPA), an industry group focused on building confidence and trust of computing
platforms in e-business transactions by creating an industry standard for security technologies in personal
computing environments."
108 In many respects typical PCs offer far more performance than is necessary for controlling the transactions involved in online banking and electronic commerce. They are designed for high levels of functional performance, but their resulting complexity makes the achievement of security objectives much more difficult. In many respects the ideal vehicle for online banking and electronic commerce is a small self-contained computer system such as a palmtop with a small keyboard, a screen and (possibly) an infrared port to enable it to communicate with a home PC, a bank’s or a merchant’s computer system, or a point of sale terminal. By keeping this device simple, and by having a keyboard, a screen, a processor and secure storage in one small self-contained unit, it would be possible to have a highly assured capability for signing transactions without being dependent on other devices such as PCs or point of sale terminals.
109 Still further security could be achieved by having the secure storage for such a device implemented on a plug-in smart card. It is possible to envisage a secure device with an integral keypad, screen, smart card reader, PC interface and biometric input such as a fingerprint reader. If such a device could be manufactured at reasonable cost it could serve both as a point of sale terminal in a merchant environment and as a PC peripheral at home. In practice the merchant terminal would have to be more robust physically, but the two devices could share much of their security design in common. We think that one essential element in achieving public confidence in such a design will be its openness to scrutiny by independent experts, and the
abandonment of "security through obscurity".
110 Devices of this kind will nevertheless be expensive. We do not think they will come into widespread use without being subsidised by banks and others who benefit from the growth of electronic commerce and have the skills to collaborate in their design. The most certain way to ensure that the banks have the necessary incentive to pursue this programme is to ensure that they carry the risks of the fraud that the programme would help to prevent. Such a programme is not without precedent: the spread of mobile telephony depends on large subsidies by network service providers to reduce the cost to users of buying mobile telephones. |
