Tag Archives: PIN

Today on international Safer Internet Day, Microsoft Corp. released the results of its second annual Microsoft Computing Safety Index (MCSI), revealing that more than half (55 percent) of global respondents are experiencing multiple online risks, yet only 16 percent say they take multiple proactive steps to help protect themselves and their data. This year the MCSI also examined mobile safety behaviors, uncovering that although less than half of respondents (42 percent) run software updates on their personal computers, only 28 percent run regular updates on their mobile devices, potentially compounding their risk.


“Mobile devices often have just as much, if not more, valuable personal information stored on them as a home computer, making mobile devices equally attractive to data-stealing criminals,” said Jacqueline Beauchere, Microsoft’s incoming chief online safety officer. “The latest MCSI results demonstrate that no matter where or how people access the Internet, exercising safer online habits is essential. There are steps that people can take and technologies that they can employ to help prevent them from becoming a victim.”


The MCSI surveyed more than 10,000 PC, smartphone and tablet users in 20 countries and regions about their personal approach to online safety and assigned a point scale of 0 to 100 based on their answers. The global average score was 34 for PC online safety and 40 for mobile. An abbreviated version of the MCSI is available at Microsoft Computing Safety Index Survey for people to check how savvy they are when it comes to online safety.


Other key worldwide findings from the MCSI include the following:


• Theft of password or account information was cited as a concern for 47 percent of respondents, with 33 percent saying they use secure websites and 28 percent saying they avoid using open Wi-Fi spots on their mobile devices.


• Forty-eight percent of respondents said they worry about computer viruses, with fewer than half (44 percent) turning on and leaving on firewalls, and just more than half (53 percent) installing antivirus software on their PCs.

• Forty-five percent of those surveyed said they worry about having their identity stolen, yet only 34 percent have a PIN (personal identification number) to unlock their mobile device, and just 38 percent say they educate themselves about the latest steps to help prevent identity theft.


Microsoft offers a range of online safety tools and resources at http://www.microsoft.com/security, including the following practical steps consumers can take to stay safer online:


• Lock your computer and accounts with strong passwords and your mobile phone with a unique, four-digit PIN.


• Do not pay bills, bank, shop or conduct other sensitive business on a public computer, or on your laptop or mobile phone over “borrowed” or public Wi-Fi (such as a hotspot).


• Watch for snoops. People scouting for passwords, PINs, user names or other such data may be watching your fingers or the screen as you enter that data.


• Treat suspicious messages cautiously. Avoid offers too good to be true and be wary of their senders, even if the messages appear to come from a trusted source.


• Look for signs that a Web page is secure and legitimate. Before you enter sensitive data, check for evidence of encryption (e.g., a Web address with “https” and a closed padlock beside it or in the lower right corner of the window).


• Reduce spam in your inbox. Share your primary email address and instant messaging name only with people you know or with reputable organizations. Avoid listing them on your social network page, in Internet directories (such as white pages) or on job-posting sites.

Microsoft Computing Safety Index Shows Consumers Do Little to Change Online Habits Despite Multiple Risks.

Europol has published its Situation Report on Payment Card Fraud in the European Union, based on the analysis of intelligence provided by law enforcement agencies and other key operational partners.

Although the total number of payment cards (debit and credit) issued in the EU in the previous 12 months reached over 726,000,000, card fraud has actually been on a decline in recent years due to technological advances that have increased the security of transactions. However, the report examines how there remains a very active criminal market in payment card fraud in Europe, pulling in around 1.5 billion euros a year for the organised crime groups involved.

The wide adoption of EMV (Chip and PIN) technology in the EU has been a key driver for reducing domestic “card-present” (CP) fraud. Chip and PIN technology offers stronger security features than conventional magnetic strips, both for the physical card (unlike magnetic strips, the chips cannot be easily duplicated), for the technological infrastructure behind the transaction, and for the cardholder whose confidential data is more secure.

However, the level of illegal card-present transactions carried out overseas has seen a sharp increase as criminals target the weak points of the system by committing crimes using non-EMV compliant cash machines and payment card terminals in countries such as the USA, Dominican Republic, Colombia, Russian Federation, Brazil and Mexico. Organized crime groups upgrade their criminal techniques relatively quickly, producing devices to bypass the latest anti-skimming technology and exploring other ways to rip off EU consumers and industry.

As “card-not-present” (CNP) transactions do not benefit from the same security enhancements as Chip and PIN cards, CNP fraud is on an upward trend. In the period analysed, around 60 percent of losses to card fraud, totalling around 900 million euros, were caused by card-not-present fraud. Credit card information and bank account credentials are some of the most actively traded “goods” on the Internet’s underground economy and this stolen data is used to create cloned cards which are used to make fraudulent card-not-present online purchases with EU suppliers.

Most of the credit card numbers misused in the EU come from data breaches in the USA. Major investments by EU industry in the 3D secure protocol have increased the security of transactions; however, not all transactions are protected with it on an EU or worldwide level.

Since the vast majority of such criminal activities take place online in multiple countries, often involving numerous parties, the most effective law enforcement solution is to task specialised cybercrime teams with such cases.

In the last year, Europol provided support to EU law enforcement authorities in hundreds of international investigations into payment card fraud. The new European Cybercrime Centre (EC3), which officially launches this week at Europol in The Hague, will be the focal point in the EU’s fight against cybercrime, contributing to faster reactions in the event of online crimes. It will support Member States and the European Union’s institutions in building operational and analytical capacity for investigations and cooperation with international partners.

EC3 to Tackle Rising Trend in Payment Card Fraud | DFI News.

We’ve already established that when it comes to security, passwords alone are not a very good choice. Sure, they’re better than nothing, but with most people picking insecure passwords and companies saving them in unencrypted formats, there are better solutions out there.

American Express takes insecure passwords and makes them even more insecure. When registering your credit card, the site asks a series of questions including username, password, and “special question,” but the restrictions they put on the answers are downright baffling.

First, when creating your account, they require the username to have both letters and numbers. Why this is in place isn’t especially clear and while it doesn’t hurt security, it really doesn’t improve it either since usernames are generally fairly public.

Another piece of information that must be provided is a “personal security key.” This is a backdoor that can be used in cases when customers forget a password. It’s also used as a challenge phrase when you call into customer service. There are only three questions that a user is allowed to select: a purely numeric PIN, the name of the city you were born in, or the name of the first school you attended. While the questions may be relatively normal, the restrictions placed on the answers are puzzling: They do not allow special characters nor do they allow spaces. So if you were born in Los Angeles or went to 50th Street School, you either need to concatenate your answer or come up with an incorrect answer. (We actually recommend NOT answering these questions honestly as it makes it much easier to steal your personal information).

Even stranger is the confirmation email you receive from American Express after signing up. Though “Place of Birth” is public record, the company tells you to keep the answer confidential and to not share it with anyone. Does everyone with an AmEx card have to murder their parents to protect their security?

As if all of these silly requirements were not enough, American Express outdid itself with its password policy. First, the company limits the use of special characters to one of only seven selections. The icing on the cake is the fact that all passwords “will not be case sensitive.” This reduces the number of available characters from 52 down to only 26. Once you add in numbers and the limited special characters, customers only have 43 characters to choose from. While a secure password can still be created under these rules, American Express is making it more difficult for users who care about security.

We can’t figure out why American Express would have such ridiculous password requirements, but it’s something that is easy to fix and we hope they address it in the near future.

American Express doesn’t take security seriously – Neowin.

If you have a WiFi router at home and are using the WiFi Protected Setup (WPS) to secure your network, you might want to think about switching to another protocol. The US Computer Emergency Readiness Team sent out an alert this week that describes an exploit in WPS that could lead to cyber attackers figuring out your WiFi password.

The WPS protocol is supposed to make setting up a wireless network easier for people who are not as tech savvy as others. However, US-CERT now says:

A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible.

At the moment there is no fix for this issue. US-CERT recommends that people who are using WPS for their WiFi routers disable it and use another method to secure the router, including “using WPA2 encryption with a strong password.” Several WiFi router makers such as Netgear, D-Link, Belkin and others sell products with WPS but so far none of them have commented on this newly discovered exploit.

WiFi WPS exploit found; no solution yet – Neowin.net.


Vulnerability Note VU#723755

WiFi Protected Setup PIN brute force vulnerability

Overview

The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible.

I. Description

WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called “external registrar” that only requires the router’s PIN. By design this method is susceptible to brute force attacks against the PIN.

When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total.

It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.
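The arithmetic in the two paragraphs above can be checked with a small in-memory model. This is an added example, not part of the vulnerability note and not code from any router or tool. The check-digit routine follows the WPS specification's PIN checksum, which the note mentions but does not reproduce; `half_feedback`, the sample PIN 12345670 and all timing figures are constructed assumptions.

```python
"""Added model of the WPS PIN check in VU#723755; no radio or network code."""

def wps_checksum(body7: int) -> int:
    """Check digit over the first seven PIN digits (WPS specification algorithm)."""
    accum = 0
    while body7:
        accum += 3 * (body7 % 10)
        body7 //= 10
        accum += body7 % 10
        body7 //= 10
    return (10 - accum % 10) % 10

def make_pin(body7: int) -> str:
    return f"{body7:07d}{wps_checksum(body7)}"

def half_feedback(pin: str, guess: str) -> str:
    """Hypothetical verifier: its answer leaks which half of the PIN was wrong."""
    if guess[:4] != pin[:4]:
        return "first-half-wrong"
    return "ok" if guess[4:] == pin[4:] else "second-half-wrong"

def guesses_needed(pin: str) -> int:
    """Guesses an exhaustive search needs when each half is confirmed separately."""
    tries = 0
    for a in range(10_000):                 # first half: 10^4 values
        tries += 1
        result = half_feedback(pin, make_pin(a * 1000))
        if result == "ok":
            return tries
        if result == "second-half-wrong":
            break
    for b in range(1000):                   # second half: 10^3 values + check digit
        tries += 1
        if half_feedback(pin, make_pin(a * 1000 + b)) == "ok":
            return tries
    raise ValueError("PIN fails the checksum")

def hours_to_exhaust(attempts: int, secs_per_try: float,
                     lock_after: int = 0, lock_secs: float = 0) -> float:
    """Worst-case wall time; every lock_after failures add a lock_secs pause."""
    pauses = (attempts - 1) // lock_after if lock_after else 0
    return (attempts * secs_per_try + pauses * lock_secs) / 3600

if __name__ == "__main__":
    worst = guesses_needed(make_pin(9_999_999))
    print(worst, guesses_needed("12345670"))
    # Constructed timing figures: 2 s per attempt, 60 s lock after 3 failures.
    print(round(hours_to_exhaust(10**8, 2)), "h for the note's 10^8 baseline")
    print(round(hours_to_exhaust(worst, 2), 1), "h with the flaw, no lockout")
    print(round(hours_to_exhaust(worst, 2, 3, 60), 1), "h with the flaw and lockout")
```

The model shows why a lockout only slows the search: the attempt count stays at 11,000, so disabling WPS remains the workaround the note gives.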

II. Impact

An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.

III. Solution

We are currently unaware of a practical solution to this problem.

Workarounds
Disable WPS.

Although the following will not mitigate this specific vulnerability, best practices also recommend only using WPA2 encryption with a strong password, disabling UPnP, and enabling MAC address filtering so only trusted computers and devices can connect to the wireless network.

Vendor Information

Vendor Status Date Notified Date Updated
Belkin, Inc. Affected 2011-12-27
Buffalo Inc Affected 2011-12-27
D-Link Systems, Inc. Affected 2011-12-05 2011-12-27
Linksys (A division of Cisco Systems) Affected 2011-12-05 2011-12-27
Netgear, Inc. Affected 2011-12-05 2011-12-27
Technicolor Affected 2011-12-27
TP-Link Affected 2011-12-27
ZyXEL Affected 2011-12-27

References

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc
http://www.wi-fi.org/wifi-protected-setup/
http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/

Credit

Thanks to Stefan Viehböck for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public: 2011-12-27
Date First Published: 2011-12-27
Date Last Updated: 2011-12-27
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric: 7.44
Document Revision: 21

http://www.kb.cert.org/vuls/id/723755