Unsecured WiFi + Security

So recently there’s been a lot of news about Firesheep and how people are using it to steal your cookies through unsecured wireless connections. Then a tool called BlackSheep was created to detect whether Firesheep is being used against you. It’s all interesting stuff, and it shows that you should really be careful when accessing sensitive data over an unsecured wireless connection.

Today I was reading the following Ars Technica article, Researcher: free WiFi should use “free” password to protect users, which talks about how the Hong Kong government has started password-protecting its free public WiFi access points. They still have unsecured wireless access points, but when you connect to one, all it does is tell you to reconnect to a different, secured WiFi access point with the given password. I was wondering: if everyone has the password to this wireless access point, wouldn’t it have the same issue where people can steal your data? From the article:

“What is the value of a password if it is a ‘well-known secret?’ WPA2 negotiates unique encryption keys with every computer that connects to it,” Wisniewski wrote in a blog post. “This means you and I cannot spy on one another’s traffic even when sharing access on the same access point.”

That got me thinking: why not amend the WiFi standard so it can support negotiating unique encryption keys even over unsecured connections? That way, even if the initial handshake isn’t secure, anything afterwards would be.

Near the end of the article, it pointed to a BoingBoing post: Password Doesn’t Shear Firesheep. It basically states that because the password is commonly shared, anyone can sniff the packet that contains the unique encryption key that was generated. Instead he suggests using 802.1X with a shared username/password (e.g. WPA/WPA2 Enterprise + PEAP), which will protect the keying process from outsiders. However, someone has already pointed out that approach has a vulnerability called Hole196.
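An added example (not from this post or the articles it cites) of the WPA2-Personal key derivation behind both quotes: each client ends up with its own pairwise key, but every input except the passphrase is sent unencrypted during the handshake, so anyone holding the shared passphrase can compute the same key. The SSID, passphrase, MAC addresses and nonces are constructed values, and the function names are this example's own.

```python
import hashlib
import hmac

# Constructed sample values (not taken from any real network).
SSID, PASSPHRASE = "FreeCityWiFi", "freewifi"
AP_MAC = bytes.fromhex("02aabbccdd01")
ALICE_MAC = bytes.fromhex("02aabbccdd10")
BOB_MAC = bytes.fromhex("02aabbccdd20")

def nonce(tag: str) -> bytes:
    """Stand-in for a random 32-byte handshake nonce, fixed so runs repeat."""
    return hashlib.sha256(tag.encode()).digest()

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ptk(pmk: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key for CCMP (48 bytes: KCK, KEK, TK)."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def compare_views() -> dict:
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)  # identical for every client
    alice = ptk(pmk, AP_MAC, ALICE_MAC, nonce("a-anonce"), nonce("a-snonce"))
    bob = ptk(pmk, AP_MAC, BOB_MAC, nonce("b-anonce"), nonce("b-snonce"))
    # A third user who knows the passphrase and recorded Alice's handshake:
    # the MAC addresses and both nonces were visible on the air.
    seen_pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    observer = ptk(seen_pmk, AP_MAC, ALICE_MAC, nonce("a-anonce"), nonce("a-snonce"))
    return {"alice_differs_from_bob": alice != bob,
            "observer_matches_alice": hmac.compare_digest(observer, alice),
            "ptk_len": len(alice)}

if __name__ == "__main__":
    print(compare_views())
```

With 802.1X, the PMK comes out of each client's own authentication exchange instead of the shared passphrase, which is the property the BoingBoing post is after.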

I haven’t gone too deep into finding out how the keying process works, but wouldn’t it be possible to provide a public key to the access point during the original handshake, to which it would reply with your unique key encrypted with your public key? That way, only people with access to your private key would be able to decrypt that package and get access to the unique key.

Crazy world we live in huh?

Firesheep image courtesy of =MixedMilkChOcOlate

New Credit Card Activation – Easy Phishing?

I’ve always found credit card activation through the phone system very insecure. I’m always afraid I might dial the wrong number by accident, so I always triple-check the number I punch into my phone before I start entering any information. I mean, consider the information they ask you for during activation:

  • Full 16 digit credit card number
  • Last four digits of your social security number
  • 3 or 4 digit credit card code

If you reach customer service, they might even ask for more information, like your name and birthday. I mean, if I misdial the number even by 1 digit, think of the potential identity fraud I could land myself in.

Several credit card issuers, such as American Express, have implemented an online system to activate new cards, which I prefer to use instead of the phone.

Something I think should be implemented is 2-way verification, meaning they prove to me who they are before I provide any of my real information. Something like a system where they include two x-digit numbers in the letter that accompanies your card, or even on the sticker of new credit cards. You punch in the 1st number and the telephone system tells you the 2nd number. That way you can confirm the other side is really the bank that issued your credit card.

Of course, this doesn’t prevent random companies from sending you fake credit cards and stealing your information. However, you should never activate random credit cards, especially ones you don’t remember applying for.