For what it's worth, these are all things we "have" - knowledge, objects, body parts, and unfortunately each of them may be maliciously replicated.
Google Authenticator for multi-factor authentication
Posted Dec 7, 2011 15:11 UTC (Wed) by jzbiciak (✭ supporter ✭, #5246)
I don't think you can collapse these so readily. The three categories have rather different properties.
Still, nobody's arguing security can be made perfect, multifactor or otherwise. But, the more (and more varied) the factors are, the higher the bar gets raised. It requires an attacker to compromise more than one path before they achieve their goal, at a minimum reducing the probability of success to the product of the probabilities of compromising either factor. There's also the increased likelihood of detection, which potentially reduces the probability of success further.
So, I wouldn't be so quick to pooh-pooh multifactor authentication.
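The "something you have" factor named in this thread's title is, in Google Authenticator's case, a shared secret held on the phone from which time-based one-time codes are derived (RFC 4226 HOTP under RFC 6238 TOTP: HMAC-SHA1, 30-second step, 6 digits, base32-encoded secret). The following is an added example, not code from the page or from the Google Authenticator project; the replay check via `last_used_counter` and the drift `window` are assumptions about what a verifier should do, and the 20-byte secret used in the usage block is the RFC test secret, not a real one.

```python
"""TOTP verifier compatible with Google Authenticator defaults (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_secret(text: str) -> bytes:
    """Decode a provisioning secret as shown to the user when enrolling.

    Authenticator apps tolerate lowercase, embedded spaces and missing '='
    padding, so normalise before handing the string to base64.b32decode.
    """
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None,
                last_used_counter: int = -1, step: int = 30, digits: int = 6,
                window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matched, or None if rejected.

    - `window` steps either side of "now" absorb clock drift between phone
      and server (assumption: one step each way is the usual choice).
    - Any counter at or below `last_used_counter` is refused, so a code that
      was already accepted cannot be replayed inside the drift window.
    - Comparison uses hmac.compare_digest to avoid a timing side channel.
    """
    if for_time is None:
        for_time = time.time()
    if not (code.isdigit() and len(code) == digits):
        return None
    now_counter = int(for_time) // step
    for c in range(now_counter - window, now_counter + window + 1):
        if c <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    # RFC 4226/6238 test secret, base32-encoded as an enrolment string would be.
    demo_secret = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    now = time.time()
    current = totp(demo_secret, now)
    print("current code:", current, "accepted at counter:",
          verify_totp(demo_secret, current, for_time=now))
```

The server needs the secret in the clear to recompute the code, so the secret store is as sensitive as a password database without the benefit of hashing; and a code that has been accepted must be remembered (the `last_used_counter` here) or the same six digits can be submitted again by anyone who observed them within the window.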
Posted Dec 7, 2011 17:42 UTC (Wed) by erwbgy (subscriber, #4104)
Excellent description. It is also worth noting that biometrics are hard to forge but are not secrets and can be easily stolen.
Posted Dec 15, 2011 14:18 UTC (Thu) by gvy (guest, #11981)
Posted Dec 16, 2011 16:54 UTC (Fri) by mpr22 (subscriber, #60784)
Nuremberg process ruled out that enumeration of people is a non-expiring crime against humanity.
I'm having trouble parsing that, since the grammatical inconsistency is such as to make it impossible for me to tell what the intended meaning is. (And what does "enumeration of people" mean, beyond "assigning unique numbers to all members of a group of people"?)
Posted Dec 7, 2011 19:03 UTC (Wed) by jimparis (subscriber, #38647)
Posted Dec 13, 2011 3:09 UTC (Tue) by ghane (subscriber, #1805)
Does it have to be a working eyeball?
Posted Dec 7, 2011 15:22 UTC (Wed) by jubal (subscriber, #67202)
(also, it's different in various languages.)
Posted Dec 8, 2011 13:53 UTC (Thu) by nix (subscriber, #2304)
Posted Dec 9, 2011 11:08 UTC (Fri) by sdalley (subscriber, #18550)
Posted Dec 7, 2011 16:43 UTC (Wed) by iabervon (subscriber, #722)
Posted Dec 8, 2011 11:52 UTC (Thu) by ekj (guest, #1524)
Card-number (embossed on card)
expiry-date (embossed on card)
CVC (printed on card)
owner name (printed on card).
Posted Dec 8, 2011 13:41 UTC (Thu) by epa (subscriber, #39769)
Posted Dec 9, 2011 15:53 UTC (Fri) by skitt (subscriber, #5367)
Wikipedia is your friend...
Posted Dec 9, 2011 16:04 UTC (Fri) by khim (subscriber, #9252)
It's all explained in much detail where such things are usually explained.
Wikipedia is your friend... or foe
Posted Dec 15, 2011 14:24 UTC (Thu) by gvy (guest, #11981)
Posted Dec 9, 2011 16:26 UTC (Fri) by dlang (✭ supporter ✭, #313)
Posted Dec 12, 2011 19:00 UTC (Mon) by BenHutchings (subscriber, #37955)
Posted Dec 13, 2011 7:10 UTC (Tue) by paulj (subscriber, #341)
I don't know if there's causation, but after a couple of times of doing this, I no longer get prompted at all for a VbV password. ;)
Posted Dec 8, 2011 16:21 UTC (Thu) by jwarnica (subscriber, #27492)
Back in the physical swipe days, the embossing of the card and carbon paper made an imprint. The imprint was not just the card number, but demonstration that the card was actually there when the imprint happened.
"Track 2" data is similar; I dunno what it contains, but provides similar evidence that the actual card was actually used.
Expiry date helps for phone or internet transactions, as do the CCV2 codes; just more evidence that someone has the card in hand.
Generally, the theory was that it is hard/impossible to copy two of these at the same time. Signature and CC # embossing are on the opposite side of the card. CCV2 # and CC#, opposite sides (for most cards), etc.
Obviously, as time has moved on, the effort/gain ratio of each of these has been overcome, and thus the introduction of more things.
Google Authenticator for multi-factor authentication - credit cards
Posted Dec 9, 2011 17:05 UTC (Fri) by giraffedata (subscriber, #1954)
Expiration date is not normally an authenticating factor. I used to successfully submit charges all the time with made up expiration dates. The reason the rules require the merchant to provide that is to prevent the merchant from neglecting to check the expiration date.
The key value of the card verification code (the few digits printed somewhere on the card, aka CCV2 et al) is that it isn't recorded and transmitted all around, like the card account number obviously is. Anyone involved in accounting can see your card account number, but few people ever see your card verification code.
In the original design, secrecy of the card account number wasn't considered a security feature at all. It was public knowledge and security was provided by physical presence of the card and a signature alone. As telephone ordering became more important, banks started trying to keep the account numbers secret as a security measure, but that's obviously pretty weak. Likewise, even secrecy of checking account numbers is now considered a security measure.
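The point made above about the card verification code, that its value lies in never being recorded or passed around the way the account number is, translates into a simple rule for merchant code: forward the code once to the authorizer, then keep a record that contains neither it nor the full account number. The following is an added example illustrating that split, not code from the page or from any payment network; the field names, the `CardInput` type and the sample card values are constructed for illustration.

```python
"""Added example: which card fields are forwarded vs. persisted by a merchant."""
import re
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class CardInput:
    """Fields read off the physical card at order time (constructed type)."""
    pan: str      # card account number, embossed on the front
    expiry: str   # "MM/YY", embossed on the front
    cvc: str      # verification code printed on the card (CVV2/CVC2)
    holder: str   # name printed on the card


def digits_only(text: str) -> str:
    return re.sub(r"\D", "", text)


def authorization_request(card: CardInput, amount_cents: int) -> Dict[str, str]:
    """Everything the authorizer needs for this one charge.

    The expiry is sent because the rules require it (so the merchant cannot skip
    checking it), the CVC because it is the only field that proves the card was
    in hand.  This dict is transmitted and then discarded, never logged.
    """
    return {
        "pan": digits_only(card.pan),
        "expiry": card.expiry,
        "cvc": card.cvc,
        "amount": str(amount_cents),
    }


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; the rest is replaced by asterisks."""
    d = digits_only(pan)
    return "*" * (len(d) - 4) + d[-4:]


def storable_record(card: CardInput, auth_code: str) -> Dict[str, str]:
    """What the merchant keeps for bookkeeping and refunds.

    No CVC key exists at all, and the PAN is masked, so a leaked database
    or log file yields nothing that could authorize a fresh charge.
    """
    return {
        "pan_masked": mask_pan(card.pan),
        "expiry": card.expiry,
        "holder": card.holder,
        "auth_code": auth_code,
    }


def leaks_card_secret(record: Dict[str, str], card: CardInput) -> bool:
    """Guard to run before anything is written to disk or a log.

    True if any value equals the CVC, or if the digit string of any value
    contains the full account number.
    """
    pan = digits_only(card.pan)
    for value in record.values():
        if value == card.cvc:
            return True
        if pan and pan in digits_only(value):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample card; not a real account.
    sample = CardInput(pan="4111 1111 1111 1111", expiry="12/14", cvc="123", holder="J Doe")
    req = authorization_request(sample, 1999)
    rec = storable_record(sample, auth_code="A1B2C3")
    print("request leaks secrets (expected, sent once):", leaks_card_secret(req, sample))
    print("stored record leaks secrets:", leaks_card_secret(rec, sample), rec)
```

The guard is deliberately written against the values the merchant saw on the card rather than against patterns, because a three-digit code is too short to recognise on its own; the structural rule (the record type simply has no field for it) is what does the real work, and the guard only catches someone later adding one.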
This is strange...
Posted Dec 10, 2011 6:51 UTC (Sat) by khim (subscriber, #9252)
I used to successfully submit charges all the time with made up expiration dates.
How can you do that? I've had cards from a few banks, but they all reject transactions with incorrect expiration dates (at least electronic ones). This is a PITA when a card expires: if an order is placed with the old expiration date and is not shipped before the card is annulled and a new one is issued, then you need to go to the web site and change the data. And not all sites provide a nice interface to do that...
Posted Dec 10, 2011 15:16 UTC (Sat) by corbet (editor, #1)
expiration date in credit card authentication
Posted Dec 10, 2011 18:02 UTC (Sat) by giraffedata (subscriber, #1954)
It doesn't surprise me that for some charges the expiration date has to be right. There's a lot of diversity in this area.
But I know that traditionally, the expiration date wasn't part of authentication. When I did it, it was in 1999 using a traditional merchant credit card terminal.
Banking computing standards often take a decade to make even a trivial change because regulators are very careful. I'm pretty sure that this terminal wasn't even capable of transmitting the expiration date I typed to its partner.
Posted Dec 14, 2011 20:55 UTC (Wed) by eli (guest, #11265)
Signature and CC # embossing are on the opposite side of the card.
Posted Dec 8, 2011 17:17 UTC (Thu) by iabervon (subscriber, #722)
Posted Dec 9, 2011 1:23 UTC (Fri) by giraffedata (subscriber, #1954)
The system really doesn't rely on a semi-trusted point-of-sale agent; the retailer is about as untrusted as anyone by VISA, which is why he used to have to get an imprint of the card, and now has to swipe it through a reader, to prove to a large extent that the card was actually present. In addition, the retailer has to produce a signature that reasonably matches the one on the card, proving to some extent that the owner of the card was there too.
The only thing I've seen change since the early days is that for small transactions, someone - I don't know if it's Visa or the retailer - is now willing to take the risk of fraud in exchange for speed and convenience.
Posted Dec 9, 2011 10:20 UTC (Fri) by mpr22 (subscriber, #60784)
Posted Dec 9, 2011 16:27 UTC (Fri) by giraffedata (subscriber, #1954)
I find it impossible to regard a signature as being in any useful sense "something you are". The useful property of "something you are" credentials is that a fraudster can't learn to have them, and a fraudster can certainly learn to have your signature.
And yet the main reason signatures exist is that many people do regard them as something you are, being difficult for a fraudster to learn.
I, for example, could almost certainly not reproduce your signature, no matter how much I practiced. So there's one fewer fraudster to worry about.
None of the security mechanisms we're talking about are perfect, so it's all about reducing, not eliminating, the chance of fraud.
In any case, it's not "something you know" -- if it were, then you could instantly disclose to someone how to write your signature.
(Incidentally, the other major purpose of a signature that people often overlook is not as security, but as a statement. The fact that someone wrote his name (or even an X) on a piece of paper makes it impossible for him to argue he didn't mean to commit himself. As most people are honest, whether he signed or not is often not disputed).
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.