Re: [WEB SECURITY] MachineID fingerprinting
- From: GadgetTrak <info@xxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] MachineID fingerprinting
- Date: Wed, 8 Aug 2007 13:24:04 -0700
As discussed on this forum quite a bit, IP address alone is not a good
parameter to use alone for authentication. Paul Syverson posted a great
paper to the list (http://portal.acm.org/ft_gateway.cfm?id=1241689&type=pdf)
on the topic which he co-wrote with Geoffrey Goodell. As I understand it
FFIEC regulations imposed last year require U.S. financial institutions that
offer products and services over the Internet to use multi-factor
authentication.
I believe that the BofA is using an image based authentication product; a la,
pick the picture that you've established as your "special" 2nd factor
identifier. A device-print multi-factor authentication solution is both more
transparent and certainly light-years more sophisticated. Using something
like ReputationShield's (iovation) deviceID as the 2nd factor identifying
the PC the end-user is logging in from, you can augment authentication
beyond the single factor of what the end-user knows, e.g. the username:password
pair, by transparently identifying the PC the end-user is on
automatically. If a phisher is trying to login to the end-user's
account from an unauthorized PC, the technology will alert the site and they
can subsequently block, challenge or redirect the end-user to authorize the
current PC. From there I would then recommend an out-of-band communication
channel back to the end-user, such as sending a one-time authorization code
that we generate to the end user via SMS text message, or have them call
customer service, or mail it to an already confirmed email account.
On 8/8/07, robert.purvis@nhs.net <robert.purvis@nhs.net> wrote:
>
> A web server can identify the IP address of incoming requests - maybe that
> is what the Bank of America do. But this can easily be sidestepped if your
> request goes through a proxy.
>
>
> Robert Purvis
> Principal Technical Specialist
>
>
> Systems and Service Delivery
> NHS Connecting for Health
> 01392 206691
> robert.purvis@nhs.net
> www.connectingforhealth.nhs.uk
>
> -----Original Message-----
> From: robert@webappsec.org [mailto:robert@webappsec.org]
> Sent: 08 August 2007 05:24
> To: websecurity@webappsec.org
> Subject: [WEB SECURITY] MachineID fingerprinting
>
> Yo list!
>
> Has anyone had any experience with machineid technologies on the list?
> Specifically the ability to identify 1 machine and the ability to identify
> multiple users on the same machine either using javascript or via an
> installed application.
>
> For example Bank of America uses this technology to some extent to remember
> your machine and provide additional challenge responses if it doesn't
> recognize it. If you've evaluated a technology and found it to be worthless
> I am also interested in finding out why.
>
> Thanks
> - Robert
> http://www.webappsec.org/
> http://www.cgisecurity.com/
>
> ----------------------------------------------------------------------------
>
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
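The step-up flow GadgetTrak's reply describes (password as the first factor, a client-supplied device ID as the second, and an out-of-band one-time code whenever the device is not recognized), written out as an added example that is not part of the original post or of any vendor's product. The user record, device IDs, salt, hash scheme and the send_out_of_band hook are constructed stand-ins; the point it adds is that the device ID only decides whether to step up, never whether to skip the password check, and that the code is single-use, time-limited and bound to the device that triggered it.

```python
import hashlib, hmac, secrets, time

# Constructed sample data: one user, one previously authorized device. The salted
# SHA-256 stands in for a real password KDF and is not a recommendation.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
        "devices": {"dev-known-1"},  # device IDs authorized out of band earlier
    }
}
PENDING = {}   # username -> (otp, device_id, expiry); one open challenge per user
OTP_TTL = 300  # seconds a one-time code stays valid

def _password_ok(user, password):
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, user["pw_hash"])

def send_out_of_band(username, otp):
    """Hypothetical hook: a real deployment hands the code to an SMS gateway or
    mails it to an already confirmed address. Nothing is sent here."""

def login(username, password, device_id, now=None):
    """Return 'deny', 'allow' or 'challenge'. The device ID is a client-supplied
    signal: a recognized one skips step-up, an unknown one triggers it, and
    neither ever replaces the password check."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not _password_ok(user, password):
        return "deny"
    if device_id in user["devices"]:
        return "allow"
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING[username] = (otp, device_id, now + OTP_TTL)
    send_out_of_band(username, otp)
    return "challenge"

def verify_otp(username, code, device_id, now=None):
    """Complete the challenge. The code is single-use (consumed on the first
    attempt) and only an unexpired code presented from the same device that
    triggered the challenge authorizes that device."""
    now = time.time() if now is None else now
    entry = PENDING.pop(username, None)
    if entry is None:
        return False
    otp, pending_device, expiry = entry
    if now > expiry or device_id != pending_device or not hmac.compare_digest(otp, code):
        return False
    USERS[username]["devices"].add(device_id)
    return True
```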
Brought to you by http://www.webappsec.org