New Technology Observations from a UK perspective (ntouk). Most active month, over 300,000 hits.
21 February 2007
It's not only the good side of the Web that reinvents itself of course: it's the dark side too. Every time someone improves security, new attack methods appear.
One of the most current annoyances is what I guess is called "real time man in the middle". Think about an online bank. To log in to bank websites these days, you need a whole host of different authenticating information: usually things like account number, customer number and some memorable facts and dates. Often you get asked for some random digits from a memorable number - you know, give me the 1st, 4th and 5th digits of your memorable number. The idea is that it makes phishing attacks harder, since a phishing site would not get all of your logon data in one go.
Well, that was the thinking. Except now there are phishing sites with real-time scripts talking to the genuine sites behind them. So you get asked to type into the phishing site exactly what the real site is asking. The phishing site sits between you and the real site, as a real time man in the middle, capturing your keystrokes and playing them back to the real site in real time. When the real site asks for the 1st, 4th and 5th numbers, so does the phishing site: they don't need to get your whole memorable number, just the bits the real site is asking for.
It's a clever, but obvious, move when you think about it. Reading reports about the new home Chip and PIN readers, I wonder how they will avoid exactly the same issue. It's all very well having challenge keys, making you type numbers into your Chip and PIN reader and then key in the response to the website. But if it's a man in the middle site, what difference will it make? The reader's response is just another thing the phishing site can forward. The underlying problem remains of never knowing exactly who you're dealing with on the Web.
Of course, this type of attack is also channel neutral. I gather the Chip and PIN readers may be used with call centres too. Well, there's no reason why the same tactic could not be used there: it could easily be a fake call centre playing the same kind of man in the middle game as the online phishing sites.
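To make the point concrete, here is a small Python model of the relay described above. It is an added illustration, not code from the original post: the "bank" asks for three digits of a memorable number, the "phishing site" simply forwards the bank's question to the customer and the customer's answer back to the bank, and the login succeeds even though the relay never learns the whole number. The second half goes one step beyond the post and shows what a challenge-response would need in order to resist forwarding: the device's answer is computed over the hostname the browser is actually connected to, so an answer produced on the phishing page does not verify at the genuine site. All hostnames, keys and the memorable number are constructed for the example.

```python
# Added illustration (not from the original post): a toy model of the
# real-time relay, and of a response bound to the origin the customer is
# actually talking to, which a relay cannot forward.
# Every name, hostname and secret here is constructed for the example.
import hashlib
import hmac
import secrets


class Bank:
    """The genuine site with a partial-password ('memorable number') login."""

    def __init__(self, memorable: str):
        self.memorable = memorable

    def challenge(self) -> list[int]:
        # Ask for three distinct 1-based positions, e.g. the 1st, 4th and 5th.
        rng = secrets.SystemRandom()
        return sorted(rng.sample(range(1, len(self.memorable) + 1), 3))

    def verify(self, positions: list[int], digits: str) -> bool:
        expected = "".join(self.memorable[p - 1] for p in positions)
        return hmac.compare_digest(expected, digits)


class Customer:
    """Answers whatever positions the page in front of them asks for."""

    def __init__(self, memorable: str):
        self.memorable = memorable

    def answer(self, positions: list[int]) -> str:
        return "".join(self.memorable[p - 1] for p in positions)


class Relay:
    """The phishing site: it holds no secret, it just forwards the bank's
    question to the customer and the customer's answer to the bank."""

    def __init__(self, bank: Bank):
        self.bank = bank
        self.seen = []  # what the relay learned: only the digits asked for

    def login(self, customer: Customer) -> bool:
        positions = self.bank.challenge()    # open a session with the real site
        digits = customer.answer(positions)  # show the customer the same question
        self.seen.append((positions, digits))
        return self.bank.verify(positions, digits)


def relay_defeats_partial_password() -> bool:
    """The relay logs in without ever knowing the whole memorable number."""
    bank = Bank("583917")  # constructed memorable number
    relay = Relay(bank)
    ok = relay.login(Customer("583917"))
    (positions, digits), = relay.seen
    return ok and len(digits) == 3 and digits != bank.memorable


# ---------------------------------------------------------------------------
# Origin-bound response: the device signs the nonce together with the hostname
# the browser actually connected to. The bank verifies against its own name,
# so a response produced while connected to the phisher does not verify.

def bound_response(key: bytes, connected_origin: str, nonce: str) -> str:
    """connected_origin comes from the browser/reader, not from page content,
    so the relay cannot choose it."""
    msg = f"{connected_origin}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class BoundBank:
    def __init__(self, device_key: bytes, origin: str = "bank.example"):
        self.device_key = device_key
        self.origin = origin

    def challenge(self) -> str:
        return secrets.token_hex(8)  # a relay can forward this verbatim

    def verify(self, nonce: str, response: str) -> bool:
        expected = bound_response(self.device_key, self.origin, nonce)
        return hmac.compare_digest(expected, response)


def bound_login(bank: BoundBank, key: bytes, connected_origin: str) -> bool:
    nonce = bank.challenge()
    return bank.verify(nonce, bound_response(key, connected_origin, nonce))


def bound_login_direct() -> bool:
    key = b"constructed-shared-device-key"
    return bound_login(BoundBank(key), key, "bank.example")


def bound_login_through_relay() -> bool:
    # The customer's browser is connected to the phishing host, so the
    # response is bound to that name and the genuine bank rejects it.
    key = b"constructed-shared-device-key"
    return bound_login(BoundBank(key), key, "bank-login.example")


if __name__ == "__main__":
    print("relay against partial password succeeds:", relay_defeats_partial_password())
    print("origin-bound login, direct:", bound_login_direct())
    print("origin-bound login, via relay:", bound_login_through_relay())
```

The first half needs no cleverness on the relay's part, which is exactly the post's point: any challenge a human can read off one page and type into another is forwardable. The binding in the second half only helps when the "connected origin" is supplied by something the phishing page cannot influence (the browser's view of the connection, not text on the page), and it does nothing against a relay that somehow sits at the genuine hostname; that is the "never knowing who you're dealing with" problem, which a stand-alone reader cannot solve on its own.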
Online security is not as simple as some suppose. And the fixes aren't so simple either. But I can't help thinking that a more effective model may be found in the combination of Chip and PIN readers with the sort of identity protection that CardSpace and other identity selectors provide.
It'd be good to see some thinking put into this model - into how the two could be brought together into a system that would at least avoid some of these most obvious ways of undermining the online model. Otherwise we seem fated to spend our lives in a fruitless game of catch-up in which the dark side seems to be making all the successful runs.
Technorati tags: security, privacy, cybercrime, identity, technology, policy, Microsoft