The computer security myth

Posted by Darin Rousseau

We have been working on a security application for mobile devices and stumbled upon something that I feel I should get out.  Now before you go running off to read something else - this affects every user of every computer that I know of today.

There is a fundamental flaw in how every user, computer system, and software package authenticate users.

Think about how you enter your bank account information physically at your local bank machine.  You go to a location you know is your bank.  This is Step 1: you authenticating the bank as legitimate, because they have a storefront with their name on it.  You also trust their bank machines, because they too have their name on them.

You then enter the bank and enter your personal information and card.  This is Step 2: them authenticating you.

Even a simple task like that, reduced to security terms, creates mutual authentication, which establishes trust between them and you.  You can proceed with your transaction because you feel safe, and they are happy and feel safe because they know which account you belong to.

OK, now what about when you enter an online banking password?  The chain is actually quite long, and most often broken in one or more places.  Let's walk it backwards from the perspective of a person in a home doing online banking:

  1. You trust their online banking site probably because they offer the service online and they wouldn't if it was risky.
  2. You see a secured connection, which they say is secure.  You therefore have no choice but to trust their network too.
  3. You trust your ISP.  You believe they are sending your information to the real bank's site and not someone else's (see DNS vulnerability).
  4. Then comes your network, which you possibly believe to be secure because nobody is hiding in your closet and connected to your network (that you know of).
  5. The next item down the chain is your browser.  You have to trust that it isn't sending things like the password and card number that you just entered to other people (or you possibly never thought of it doing that).
  6. You then trust your operating system.  Surely it wouldn't pass the information on to some non-trustworthy person at the support or statistics/metrics department or something like that.
  7. What about the junk software...  (Let's leave this for now.)

There are a ton of holes in the above alone, but one thing is clear.  If I can trick you at any point without you knowing, neither you nor the bank has a clue that something went wrong.  And if I manage to trick you at any point, I have enough bank information to do you damage.

So what about #7?

The item that we haven't covered in either the real-world bank visit or the home computer visit is privacy.  At the bank, you know when someone walks towards the particular bank machine that you are using, and you know that you should protect your transaction, or even cancel, grab your card and leave if you feel your privacy is being compromised.

How about on your home computer?  We have outlined that you probably trust at least 6 things, or you wouldn't bank online using it.  Now, let's introduce that 7th item...

7.  You have to know without mistake that no software tool installed on your computer, now or in the past, has added anything that is now "listening" to what you type into your browser, your OS and ultimately the bank.  In other words, you have to trust that all the items in the above list are not violating your privacy.

If you are like most people, you probably have installed "the tool of the day" based on the advice of a friend.  Whatever that tool is for, your friend was thinking that it would be useful for a purpose and that you might like to run it.  This may be a game, a graphic editing tool, a web toolbar, a communications tool, or even the software for the remote you purchased that you program with your computer to control your devices.

So how does this affect #7?

Simple.  There is no visible way for you to identify what is watching what you type, or what it may do with that information.  You can't see it happen, and therefore you can't walk away.

Anything installed on your computer that wants to get information from you will, and most of it will do so without you ever knowing.

How do you protect against this on your day-to-day machine?  The real answer is that today you can't, on a machine used for doing anything.  If you install software that can't be trusted, your computer can't be trusted and you are potentially vulnerable.

Unfortunately, even fingerprint (biometrics) or smart-card authentication can fall prey to this.  When you scan your print or insert your card, how can you be assured the information is only being applied to the app you want it to go to?

 
