Monday, June 27, 2016

Verification versus Authentication

On my Twitter feed, I see there is a continuous trickle of tweets asking for CIBC bank to adopt two-factor authentication ("2FA").  It looks like this:

You normally see about 2 or 3 of these a week, and they all originate at the same site about 2FA.  As you can see, after the request that the bank consider adopting 2FA, there's a canned response that goes like this: "We take security very seriously, so we have two step verification".

Of course, that irks me, and here's why:  The customer is talking about authentication (i.e. making sure the person accessing their bank account is the correct, authorized person who should be accessing the account), and the bank is responding on the subject of verification. In the case of a bank sending a code to a phone number on file, all the bank is verifying is that the person trying to access the account, authorized or not, also has the phone belonging to the person whose account is being accessed.

That's a fundamental flaw in security.

If you don't know the difference, two-step verification is where you supply a password, and the bank then sends you a code which you type in as well.  So, imagine your other half has your phone and you're in the middle of a messy breakup, and they know your password: the bank sends a code to your phone, which is in their hands, and voila!

There's a really obvious problem here, and anyone with an ounce of security savvy will tell you, physical access is 9/10ths of the problem.  This is why people are asking for 2FA.

With 2FA, you have to supply something in addition to the password.  This usually is two items out of this list of three:
  • Something you have (e.g. your phone)
  • Something you know (e.g. a password, or your maternal grandmother's maiden name)
  • Something you are (e.g. a biometric, your location, etc.)
It doesn't have to be those three, but they are the most common.

As you can see, the response from the banks totally undermines any confidence that they even understand what's being asked, because in the situation pointed out above, the bank is handing the attacker the tools to complete the compromise of the customer.


Of course, the access agreement is written with a totally one-sided assumption that the customer is the only person who could ever put the bank or the customer into jeopardy.


The part that says "Without limiting the generality of the first sentence in this Section 9," makes me shake my head, because of course the first sentence says that you are on the hook for "any losses", whilst ignoring the reality that, as often happens, the bank has set the customer up for failure in the first place.

In a nutshell, the security situation is analogous to going into the sea to scuba dive and the dive master saying "There are sharks here, and we take your security seriously, so here's some fresh raw beef steaks to hit the sharks with", and then, having set the divers up with the tools to be eaten, having them also sign an agreement which is totally one-sided and places all blame on the customers.

And people wonder why I banned the CIBC mobile apps from my house?

Tuesday, June 7, 2016

An Overview of Canadian Bank Credential Phishing

In Canada, we have our fair share of bank account phishing.  These scams mostly originate from two distinct teams, and each team has its own trademark way of operating.

In one corner, we have Team Asia.

  • They register a proper domain.  
  • They set up their own DNS and make the site look like a proper clone of the real bank site.
  • They are sometimes able to operate for a few months before they get taken down.
  • They send invites from the SMS code 7000 (formatted as 700-0).

In the opposite corner, we have Team Russia.

  • They don't register a proper site, preferring to hang off the back of an existing site.
  • They don't set up their own DNS, preferring to use the short.cm service.
  • They get taken down quickly, so they are much more prolific.
  • They send text messages from full phone numbers, usually in Alberta, Ontario or British Columbia.

There are a few stragglers that I haven't assigned to one group or the other, but one particular code base does show up in a number of these, which means they're either the same person/group, or they're buying templates from the same source.
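As an added example (not from the post), a small Python triage routine that applies the tells listed above to constructed SMS samples: short-code versus full-number sender, a short.cm link, a bank-lookalike domain, or a bank lure pointing at an unrelated host. The allowlist of legitimate bank hosts, the lure vocabulary and every sample sender and URL are assumed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages modelled on the two patterns the post describes.
# Senders, hosts and paths are placeholders, not real indicators.
SAMPLES = [
    ("7000", "CIBC: unusual activity. Verify now https://cibc-secure-login.example/verify"),
    ("+12505550123", "Scotiabank: confirm your details http://short.cm/a1b2c3"),
    ("+14035550199", "RBC notice http://www.example.com.br/img/online-banking/"),
    ("+16475550100", "Dinner at 7? Menu at https://www.example.org/menu"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SHORTENERS = {"short.cm"}                              # service the post ties to Team Russia
BANK_WORDS = ("cibc", "scotiabank", "rbc", "bmo")      # assumed lure vocabulary
LEGIT_HOSTS = {"www.cibc.com", "www.scotiabank.com"}   # assumed allowlist, not from the post
SHORT_CODE_RE = re.compile(r"^\d{4,6}$")               # e.g. 7000; full numbers are longer

def triage_sms(sender: str, body: str) -> dict:
    """Classify one SMS and say which campaign style its tells resemble."""
    mentions_bank = any(w in body.lower() for w in BANK_WORDS)
    reasons = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if host in LEGIT_HOSTS:
            continue
        if host in SHORTENERS:
            reasons.append(f"shortener {host}")
        elif any(w in host for w in BANK_WORDS):
            reasons.append(f"bank-lookalike domain {host}")
        elif mentions_bank:
            reasons.append(f"bank lure on unrelated host {host}")
    if not reasons:
        return {"verdict": "clean", "style": None, "reasons": []}
    # The sender type is the attribution hint the post leans on most.
    style = ("registered clone, short code sender" if SHORT_CODE_RE.match(sender)
             else "hijacked site or shortener, full number sender")
    return {"verdict": "phish", "style": style, "reasons": reasons}

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage_sms(sender, body))
```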

To give you an example of Team Russia:

Here's the SMS from area code 250.

As you can see, it's rather sloppy in comparison to Team Asia.  The final link hangs off a Brazilian site, seen here:

URL aside, the site looks real, until you try to navigate, at which point you run into this:

And for anyone interested in the data, here it is.

As you can see, this isn't complicated at all, and that's a good thing, because most of Canada's banks have online banking with security holes that would not hold up against anything much more aggressive than this.

So, there you go.  The state of Canadian bank phishing in one quick post. 

Wednesday, June 1, 2016

Online Banking and Hosts File

Over the years, I've had my fair share of runaway data.  This is usually caused by Bell Canada, as they resell your data to third parties (if you want privacy, you have to pay Bell an extra fee of $2 per month), and once that data has left Bell, it's going to run and run as it passes from marketing company to aggregator to directory service to marketing again.

As a result of Bell Canada and the three year battle to get a data noose around them, we have a strange win-win situation; Bell Canada sells my data over and over to the marketing people so they get their money, and the buyers (marketing people, directory services, etc.) then scrub my details from the incoming data.  That stopped the runaway data in its tracks. As a bonus, I left my old residential data that Bell leaked some years ago online, so now it looks as though Bell puts out stale data about me.  It's a wonderful system and works really well.

For this post, I'm going to cover how I tidied up a similar problem a while back with online banking.  When I log in to my two banks, I want to be dealing with the bank and the bank alone, not sharing my purchasing habits with the bank through a third party, and I don't want any third party tracking me at the bank and then reporting that to some computer hardware store 30 minutes later.

Both my banks use Omniture/Adobe Analytics.  Right there, you got the holy trinity of data sharing going on.  Between the two banks and Apple (all the iTunes and Apple store run through the same system), the amount of back and forth of data would be astonishing.  So, a while ago, I did something about it as a result of trying to work out why a password issue (unrelated) was giving me so much hassle.

I ended up just driving all the junk requests for tracking, analytics and marketing to localhost (127.0.0.1). Yes, I could opt out of some of this stuff (the banks don't offer you the ability to opt out, but if you track where the banks send this stuff, you eventually end up at Adobe and THEY have a link that allows you to opt out), but that just sets a cookie in your browser, and as a developer, I'm resetting my browser cookies and environment more frequently than the average person, and that would opt me in again.

So, my solution was just hack this stuff off at the knees by permanently editing my hosts file.  If anyone sends a page asking my browser to go talk to Adobe Analytics so it can generate another damn survey or indirect piece of targeted marketing, it will now go into a dark hole and never be seen again.

NOTE:  Only change your hosts file if you know what you're doing. I'm not going to tell you how to change the file, as I don't want to be responsible for what you might break. I'm just telling you what I did. YMMV.

So, what entries are in my hosts file? 

The Scotiabank entries look like this:

#ScotiaBank Changes
#Callback with Trusteer DMG.
127.0.0.1       www.splash-screen.net
#Omniture Profiling & Tracking
127.0.0.1       somniture.scotiabank.com
#Oracle Maxymiser, marketing & optimisation
127.0.0.1       service.maxymiser.net

The CIBC entries look like this:

##CIBC Related Changes
#Marketing
127.0.0.1       adobetag.com
#Omniture Profiling & Tracking
127.0.0.1       cdn.tt.omtrdc.net
127.0.0.1       adobe.tt.omtrdc.net
#General Adobe Hidden Profiling
127.0.0.1       adobe.demdex.net
#Oracle/TAG merchandising, marketing and live chat
127.0.0.1       as00.estara.com
127.0.0.1       liveperson.net
127.0.0.1       sales.liveperson.net
#More Marketing, targeting & feedback.
127.0.0.1       iperceptions.com
127.0.0.1       iperceptions01.azureedge.net
#Even More marketing.
127.0.0.1       api.demandbase.com
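As an added example, not part of the post, a Python parser for entries like the ones above that answers whether a given hostname would actually be sinkholed. It uses the post's own entries as constructed input and reports the caveat a hosts file cannot express: there are no wildcards, so blocking liveperson.net does nothing for chat.liveperson.net, and a sibling such as cibc.tt.omtrdc.net (both hypothetical names) still resolves normally.

```python
import ipaddress

# Sample input: the entries listed in the post (comments trimmed to save space).
HOSTS_TEXT = """\
#ScotiaBank Changes
127.0.0.1       www.splash-screen.net
127.0.0.1       somniture.scotiabank.com
127.0.0.1       service.maxymiser.net
##CIBC Related Changes
127.0.0.1       adobetag.com
127.0.0.1       cdn.tt.omtrdc.net
127.0.0.1       adobe.tt.omtrdc.net
127.0.0.1       adobe.demdex.net
127.0.0.1       liveperson.net
127.0.0.1       sales.liveperson.net
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text: str) -> dict:
    """Map hostname -> address; '#' starts a comment, blank lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)               # ValueError on a malformed entry
        for name in names:
            table.setdefault(name.lower(), addr)  # keep the first entry seen
    return table

def is_sinkholed(table: dict, hostname: str) -> bool:
    """Exact match only: the hosts file has no wildcard syntax."""
    return table.get(hostname.lower().rstrip(".")) in SINKHOLES

def base_domain(hostname: str) -> str:
    """Naive registrable domain (last two labels); fine for .com/.net, not .co.uk."""
    return ".".join(hostname.lower().split(".")[-2:])

def uncovered_hosts(table: dict, observed: list) -> list:
    """Names seen in traffic that share a base domain with a blocked entry but
    are not blocked themselves, i.e. the gaps an exact-match list leaves."""
    blocked_bases = {base_domain(h) for h in table if is_sinkholed(table, h)}
    return [h for h in observed
            if not is_sinkholed(table, h) and base_domain(h) in blocked_bases]

if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    seen = ["sales.liveperson.net", "chat.liveperson.net", "cibc.tt.omtrdc.net"]
    print(uncovered_hosts(hosts, seen))  # hypothetical names from constructed traffic
```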

And there you go.  

It works for me.  Your mileage might vary.