OT: Public WIFI security?

How safe is using public WIFI to, say, buy items on ebay where a password is required? I have no virus protection or other security programs installed. I only use this basic machine to browse the net without ever entering any sensitive data. It works well on WIFI at 24 megabits, so I was wondering which can of worms might cause problems.

-Bill

Reply to
Bill Bowden

Don't do it. People can snoop on your traffic. With eBay you're probably using SSL which lowers the risk. But SSL certificates can be spoofed.

Reply to
M. Hamed

Also cookies can be sniffed which allows hijacking your already logged in session.

Reply to
M. Hamed
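The session-hijacking risk M. Hamed raises comes down to whether the login cookie is ever sent over plain HTTP, where anyone on the same hotspot can read it. The following is an added example, not code from anyone in this thread: a small audit of `Set-Cookie` headers that flags the attributes a site should set on a session cookie (`Secure`, `HttpOnly`, `SameSite`). The sample headers are constructed for the example.

```python
# Constructed sample response headers (not captured from any real site).
SAMPLE_SET_COOKIE = [
    "Set-Cookie: sessionid=3f9a1c; Path=/",
    "Set-Cookie: sessionid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: prefs=dark; Path=/; Secure; SameSite=Strict",
]


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes without a value map to True."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_session_cookie(header: str):
    """Return (cookie name, list of findings) for one Set-Cookie header.

    An empty findings list means the cookie carries all three protections."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie on http:// requests,
        # which is exactly what a sniffer on an open hotspot waits for.
        findings.append("no Secure flag: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: page script can read the cookie")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    return name, findings


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIE:
        name, findings = audit_session_cookie(header)
        print(name, "OK" if not findings else findings)
```

Run against a site's real response headers, the first pattern (a session cookie with only `Path=/`) is the one that turns a sniffed coffee-shop connection into a hijacked login.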

Well, just how exactly do you know that the wifi hot spot you are using is not monitoring your traffic? AKA the man-in-the-middle attack.

If you use a VPN, you are probably fine. If I need to do something secure while mobile, I go to the cell tower rather than wifi and I'm on a blackberry which is just like having a VPN.

VPNs are cheap these days. Will $5 a month break the bank?

Needless to say, your device needs to run a firewall.

Reply to
miso

Get a Security Key or use the program made for smartphones: $30/ea. I have two that I use for eBay and Paypal. I could give you my login and password, and you still wouldn't be able to buy anything without the Security Key.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Reply to
Jeff Liebermann

Well, you would think so. However, prior to some recent security changes, you could get past the two factor authentication. For instance, prior to these latest security changes, if you had the full credit card information for a card on file on the account in question, you could get past the Verisign RSA code generator.

Basically two factor authentication requires (gasp) actually using two factor authentication. If the system doesn't require it under all circumstances, you can get around it. In fact, I misplaced my RSA device once and was still able to get into my account. That may not be true anymore.

Under the new security procedure, if you have a RSA device and phone Paypal from the phone on record, the computer voice will ask you to enter the current code.

If you use the smartphone app, you need to make sure your phone clock is set to the network. These one-time passwords expire in 30 seconds.

The computer program is open source. In fact, it is on sourceforge. The Google and MS versions use the same standard. But the computer generated code is only as secure as your phone. But we know all the IOS and Android exploits in the past. There may be more. There were 9 million Android devices that got malware to call one of those phone numbers that charge you money if you call it. What happened was the initial code from 4 different vendors was virus free. Then they rolled out an update with the virus. Google wasn't checking updates for malware.

Thus my conclusion today is get the Verisign RSA keycode generator. It is "air gapped." The iphone and android have both been hacked to get past the lock screen. Now Apple has an excuse in that it doesn't have a FIPS140-2 rating. But Android does, so their FIPS rating seems totally bogus to me.

Samsung has had so many hacks that they are working on their own secure version of Android. They want the government and enterprise customers, which is what Blackberry survives on. Samsung is the Borg!

formatting link

"The Defense Department has approved the Android Knox smartphone made by Samsung and new BlackBerry smartphones and tablets running Enterprise Service 10 software for use on its networks."

Plain Android and IOS? Well good luck with that. You can stuff your phone with software from Good, but in my opinion the OS itself needs to be secure.

Reply to
miso

I wasn't talking about hacking the account. I was talking about securing the transaction over an insecure (wireless) connection. What the rolling code card does is add an extra layer of protection, that prevents coffee shop sniffing from becoming a financial problem.

Not really. A previous thread that started in this newsgroup covered how the card works, and its limitations. Since the credit card and dongle rolling code devices do NOT have a real time clock, the window has to be much larger. My guess(tm) is about 15 minutes. I've recorded a series of codes from my card, and used them about 10 minutes later without difficulty. However, you're correct that since a smartphone has an RTC, it could be time synced. However, to prevent the small errors and user delays from causing a failure, my guess is that they would allow at least +/- one window width tolerance, which would be 60 or 90 seconds. I'll try it next time I buy something on eBay and see what happens.

Incidentally, if you want a nightmare come true, I once suggested that it would be easy enough to build a keyed encryption app on an Android phone emulator, complete with a cloned serial number. Just install the RSA app and it thinks you're using the other person's phone. There was a flurry of activity, some management types running in circles, and then nobody would talk to me. Hopefully, that's fixed.

You're preaching to the choir. However, it will never happen. Rapid progress and slow bug fixes will ensure that anything you buy will have bugs, holes, problems, etc. Like flies at a picnic, I consider bugs and security holes to be part of the environment.

Drivel: Yesterday, I was having an overpriced hot chocolate at the local coffee dive with a friend. He was having problems logging into Paypal (which apparently was down for a short while at about 4:30PM) through a VPN. I was trying to help, but I also had my Droid X phone surreptitiously recording his keystrokes. When Paypal finally came back from the dead, he successfully was able to complete the transaction. Later, I played back the recording and extracted his login and password. I'll tell him sometime later today. If I disappear from Usenet, you'll know what happened.

Reply to
Jeff Liebermann

Ok, so I'm ignorant enough about how this might have happened. Was he communicating over an encrypted connection, and you were still able to read his keystrokes? That would be worrisome. Otherwise he was being dumb...

Reply to
Frank Miles

Sorry, I wasn't being very clear on what I did. I used my smartphone camera to make an HD video recording of his fingers typing his login and password on his laptop keyboard in the coffee shop. I later played back the video in slow motion to extract the keystrokes. There is nothing elaborate, magic, or encrypted about "finger hacking".

I'm not very good at doing this without an autofocus camera to record the keystrokes. However, a former neighbor, when he was about 15, was amazing. I could type on my keyboard, with him watching, and he would read back all my keystrokes. Same with pass codes on push button phones and banking machines.

In the distant past, I did some security checks for a major corporation. Instead of a smartphone, I used the security camera in the server room, and later stole the VCR tape. The recorder would record at about one frame every 15 seconds if there was no motion, but speed up to 30fps when motion was detected. That was good enough to play back the keystrokes.

Hint: I like to use passwords that can be easily typed with one hand. I cover my keystrokes with my other hand if a jacket, book, or towel is not available.

Reply to
Jeff Liebermann

[snip]

Funny! 55+ years ago, while in high school, a buddy of mine and I used to play a game of rapidly spitting out a list of numbers and seeing if the other could repeat it exactly.

I could.

So we evolved the game into not only reciting the number list but also adding them up in your head (five 2-digit numbers) >:-}

Same here. Plus I've developed a really obscure way of typing passwords "interleaved" ;-) ...Jim Thompson

--
| James E.Thompson                                 |    mens     | 
| Analog Innovations                               |     et      | 
Reply to
Jim Thompson

You missed the point completely. If they get your username and password, they can circumvent the two factor authentication if Paypal has poor security. I repeat again: in the past (and it may be true today) your account password can be changed if the thief has the full credit card information.

For two factor (or in general multi-factor) authentication, you need to actually use it. If you provide any means to bypass it, that is the weak point.

Yes, really. Listen to Steve Gibson's "Security Now" podcast. The phone apps need tight timing. And not all phones use the network time by default. You don't need NTP accuracy, but you do need to be good to a few seconds.

Further, Verisign knows the drift of your dongle. Each time you use it, it goes in a profile. Again, this has been covered on "Security Now." Steve routinely pops a code and lets his webcam capture it. I would never do that, but Gibson trusts the scheme.

This is the open source mobile one time pass page on sourceforge. If your java has poor garbage collection, i.e. you are on android, I sort of have my doubts about how secure it is. I have my blackberry set up for periodic memory wipes, just in the event an app escapes the sandbox. The memory wipe is in the OS, so it can't be hacked.

Reply to
miso

Shoulder surfing.

Most of my gear is set up for smartcards, but you can't get the consumer internet companies to get with the program.

I don't know who coined this, but basically multifactor authentication should depend on something you know, something you own, and something about you. You know the password. You carry the smartcard. Unless you are an ex-mafioso who etched off his fingerprints with acid, you have a thumbprint.

There are devices that combine the thumbprint reader with the smartcard (CAC). The device reads your thumbprint, then activates the smartcard, which you slap against the reader on your notebook. [There are also usb readers.]

The problem is reading and verifying thumbprints will err on the side of loose security. Nobody wants to be shut down because the damn thumbprint reader sucks. You can surf the net to see how these fingerprint readers have been faked out with gumdrops.

Biometrics (used for 3 factor authentication) comes and goes over the years. Iris readers, thumbprints, voice recognition basically suck to some degree. It is all a matter of how much security you place on the football or smartcard. For a lot of corporations, the smartcard is your badge. So you always have it with you. That is a bit much for the home user. Then again, the "kids" these days have all sorts of crap on their wrists.

Windows phone and Blackberry have badge holders that will bluetooth to your phone the smartcard credentials.

I've used some secure internet interfaces where the website will phone you and provide the secondary password. This is also done with SMS, but SMS can be hacked.

Reply to
miso

Now you know why I hate computer security discussions. There are no right answers.

Apple got caught with that problem and fixed it. I guess eBay and Paypal need to have a problem before they'll fix it. This isn't very impressive security: The login name is supposed to be publicly accessible. Only the password (and security questions) need to be secret. Kinda looks like a balancing act between convenience and security. Too much security, and nobody will use it. Too much convenience, and anyone can break in.

I don't worry much about someone getting my passwords. What worries me is my email address. As you mentioned, most sites have a convenient way to recover passwords. Go to the "lost password" page, punch in your email address, and you'll get either a temporary password or recovery procedure via email. All it will take is for someone to hack my email account and I'm potentially screwed. For accounts that point directly to my bank and brokerage accounts, I use a security key device. Not the total answer, but better than nothing.

Agreed. Yet, convenience demands that there be a password bypass and recovery, so it's not going to go away. How well do you think a smartphone or laptop would sell if you have to toss the device if you forget your password? Toshiba did that on a small scale with the BIOS password on some of their older laptops. Extreme measures were required to clear the password in the flash bios. Toshiba never did that again. Security, or convenience, pick one.

Care to take a bet that they'll loosen the timing requirement after they have a few dozen complaints?

Verisign estimates the drift. If they knew it exactly, they wouldn't need an approx 30 window for the cards.

Looks like S/Key revisited. I'll dig deeper and see what they're doing.

I have a memory cleaner app on my Droid X. It's in user space so it can be attacked. It was also not intended to improve security, just clean up the mess left by sloppy programs. More important is a remote wipe program and a program that wipes the SD card and main memory after several failed password attempts. Unfortunately, I found a bypass trick, so it's not totally secure.

Reply to
Jeff Liebermann

I don't like remote wipe. Mostly I'm afraid it will be hacked. Better not to lose your phone, and encrypt what needs to be encrypted.

The MOTP is supposedly what Microsoft and Google are using. They just do their own GUI.

Steve Gibson has some app showing all his time varying codes. Yep, he puts it out over the video stream. I don't like playing with fire.

Regarding credit cards, depending on the hack, the hacker might just change your credit card number on Paypal to lock out your ability to use that back door. For instance, let's say you hack paypal accounts for a living. Just how much crap do you want delivered to your house in Nigeria? Maybe it is better to hijack the account and stuff it with different credit card numbers to lock out the true owner. Then instead of ordering crap via paypal, you sell hacked accounts to street criminals. That creates a cut out between you and the fraud.

But would you put a good credit card number into the personal data on the paypal account? Hell no. You want to park it and sell it, so no use risking a good credit card number in the account itself. Certainly not the one the true owner knows. Rather you sell the paypal account with the "parking" credit card number in it and the good credit card number discreetly to the street criminal.

But where do you get a number to park on the account? Easy. Paypal doesn't check to see if the number is any good at the time you enter it. Rather, they just use a hash to see if the number is actually a credit card number. That is, you entered a number that fits a formula. It could even be a credit card number that is known to be fraudulent. The only time these companies check the number is when you actually make a purchase.

From the Wired article: "(Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.)"

Conclusion: For two factor authentication to work, you must use it.

No open doors! No back doors. Trust no one.

Reply to
miso
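The "formula" miso refers to is the Luhn mod-10 self-check, and his point is that passing it proves only that a string is shaped like a card number. The following is an added example, not code from the poster or from any payment provider: a Luhn validator a defender can use to understand exactly what such a check does and does not establish, plus the masking form a site should use when it logs or displays a stored number. The valid sample is the widely published test number 4111 1111 1111 1111; the invalid sample is the same string with its last digit changed.

```python
def luhn_valid(number: str) -> bool:
    """Return True if `number` passes the Luhn (mod 10) self-check.

    This is a format check only: it catches transposed or mistyped digits.
    It says nothing about whether the card exists, is funded, or is stolen;
    only an issuer authorization establishes that, which is why a site that
    stops at Luhn will happily accept a made-up number as a 'card on file'."""
    digits = [c for c in number if not c.isspace() and c != "-"]
    if not digits or not all(c.isdigit() for c in digits):
        return False
    if not 12 <= len(digits) <= 19:   # PAN lengths in use; anything else is not a card number
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9               # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(number: str) -> str:
    """Display/log-safe form: first six and last four digits, the rest masked.

    This is the most a PAN should ever show outside the payment processor."""
    digits = "".join(c for c in number if c.isdigit())
    if len(digits) < 12:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed samples: the published Visa test number and a one-digit corruption of it.
SAMPLES = {
    "4111 1111 1111 1111": True,
    "4111 1111 1111 1112": False,
    "not a number": False,
}

if __name__ == "__main__":
    for pan, expected in SAMPLES.items():
        print(mask_pan(pan), "luhn ok" if luhn_valid(pan) else "luhn FAIL", "(expected", expected, ")")
```

The check a site should add on top of this, which the thread says PayPal did not do at entry time, is a zero-value or small authorization with the issuer before treating the number as proof of anything, in particular before letting it unlock a password reset.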


Well, I'm not versed in all the details, but I understand a secure connection involves encryption where the local computer uses a public (well known) key to encode data which can only be decoded with a different private key known only to the website where the data is sent. So, I don't see how an attacker can ever gain knowledge of the private key, since it's only used at the website where the transaction is taking place, and never transmitted anywhere. Or, do I miss something?

-Bill

Reply to
Bill Bowden

Don't listen to the ignorant nonsense spouted by some others here. If your computer itself is uncompromised, and you are using an SSL connection, the only thing a man-in-the-middle can do is find out who you're connecting to. Your data and cookies remain safe. You do need to check that the site you think you're connecting to appears in the URL bar with the security padlock or whatever.

Clifford Heath (who's built SSL-based online banking for European banks, before web browsers could do it safely)

Reply to
Clifford Heath

Ahem:

I can see who you are connected to with kismet and wireshark WITHOUT being in the middle. You need to instruct kismet not to scan but rather park on your wifi channel. It might take a bit of work to figure out who is who on that channel.

Reply to
miso

Check out this page. It is Steve Gibson's scheme to see if the certificate you receive matches the certificate he receives. It is a simple check to catch certificate spoofing.

Reply to
miso
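Clifford's caveat ("check that the site you think you're connecting to appears in the URL bar with the padlock") and Steve Gibson's fingerprint check that miso links are the two halves of what a TLS client has to do: verify the certificate chain and the hostname, and optionally compare the certificate's fingerprint against a value obtained another way. The following is an added example, not code from either poster or from Gibson's page: the Python `ssl` context a client should use beside the anti-pattern that makes a spoofed certificate pass, a policy check a reviewer can run over either, and a fingerprint comparison over DER bytes. The DER input in the test is a constructed byte string, not a real certificate.

```python
import hashlib
import hmac
import ssl


def strict_client_context() -> ssl.SSLContext:
    """What a browser effectively does: chain verified against trusted CAs, hostname checked."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: accept any certificate. A hotspot operator's spoofed cert passes here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Review/CI check: a client context must require a verified chain AND check the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate in the colon-separated form browsers show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Compare the fingerprint of the certificate actually received with one obtained out of band.

    This is the idea behind Gibson's check: if the hotspot is substituting its own certificate,
    the fingerprint seen here differs from the one an independent vantage point reports."""
    seen = cert_fingerprint(der).replace(":", "").lower()
    want = expected.replace(":", "").strip().lower()
    return hmac.compare_digest(seen, want)


if __name__ == "__main__":
    print("strict context verifies peer:", context_verifies_peer(strict_client_context()))  # True
    print("weak context verifies peer:", context_verifies_peer(weak_client_context()))      # False
    # In real use: der = sock.getpeercert(binary_form=True) after connecting with the strict context.
```

Connecting with `strict_client_context().wrap_socket(sock, server_hostname=host)` fails the handshake outright when the chain or hostname is wrong, which is the behaviour Clifford describes; the fingerprint comparison is the extra step for the case where a trusted CA has been tricked into issuing a certificate for someone else's name.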

The fundamental risk is that someone can eavesdrop on your password. Are you very sure that the link is end-to-end encrypted? There are man-in-the-middle and sniffing attacks to get your session key at the outset and thus everything sent or received.

?-)

Reply to
josephkk


May have been thinking of the once well ballyhooed PKCS such as RSA. That is not quite what is going on with SSL or TLS. Rather than try to explain it myself, please see:

formatting link

or

formatting link


Which, unsurprisingly, reads almost exactly the same.

However neither of these sites discuss vulnerabilities.

For that see:

formatting link

formatting link


or

formatting link

?-)

Reply to
josephkk
