
PassWindow: A brand new Web-site authentication process

An Australian inventor may have found a secure way to log into Web sites. On top of that it's cheap and simple to use.

IT consultant Matthew Walker created PassWindow, a visual-authentication system that uses pattern-matching techniques to provide verification every time a person attempts to log on to a Web site.

Walker's motivation

About eight years ago, Walker himself fell victim to on-line credit fraud and decided to do something about it. After having the "eureka moment" we all wish for, Walker spent three years experimenting with pattern analysis and developing the technology for PassWindow. Ultimately, Walker has received several patents for his effort. With everything finally in order, Walker is now free to talk about his invention.

I was fortunate to have a conversation with Mr. Walker, during which he explained how PassWindow worked. While we were talking, I kept trying to figure out where I had seen this before. Finally, I realized where.

My digital clock

PassWindow reminds me of a digital clock with some of the number segments missing. Here's how Walker describes it:

"By holding a printed unique segment key pattern on a transparent plastic card over a synchronized screen pattern image, any number of unique visual dynamic password combinations can be created each time authentication is required."

The following slide shows what correctly aligning the two patterns looks like, courtesy of Matthew Walker:

Software and a card

There are three components that make up PassWindow:

  • Key-pattern generator: Software installed on the Web server that generates the unique key pattern given to each user.
  • Challenge-pattern generator: Software also resident on the Web server that generates the dynamic challenge patterns users will see when they initially log on.
  • Pattern card: The device (a universal plastic card) with the user's unique key pattern printed on it.

How PassWindow works

The simplest way to explain how PassWindow works is by example. It's Fall in America, and Sue is starting university. Sue is issued a username and password for her confidential Web page on the university Web server. Sue is also issued a university identification card.

The card is a normal ID card with the requisite magnetic strip and embossed information. What's new is the transparent window that contains Sue's specific key pattern for PassWindow.

Sue gets home and wants to make sure her class schedule doesn't interfere with work. Let's follow Sue as she tries to log on:

  • Sue brings up the university's Web site, entering her username and password.
  • The Web server recognizes the username/password combination and asks the challenge-pattern generator to create a one-time pattern specific to this login attempt.
  • That pattern is sent to Sue's Web browser and displayed in a prominent location.
  • Sue then aligns her ID card over the displayed pattern and visually recognizes a number.
  • Sue types the number in the verification box and gains entry to her Web page.

The following slide is a graphic explanation of Sue's login, courtesy of Matthew Walker:
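To make the log-in flow above concrete, here is an added toy model of it in Python. It is not Walker's software and does not use his real pattern format; it assumes a single row of seven-segment digits, a key pattern of one or two printed segments per column, and an overlay that is simply the union of card segments and screen segments. It also includes the passive "segments never lit on screen" composite that an annual card-renewal threshold has to stay below, and the obfuscation of lighting some key segments on screen.

```python
"""Toy model of the PassWindow key / challenge / overlay / verify flow.

Added example, not Matthew Walker's code or his real pattern format.
Assumptions not taken from the article: one row of seven-segment glyphs,
a key of one or two printed segments per column, union overlay.
"""
import random

# Seven-segment naming: a=top, b=upper right, c=lower right, d=bottom,
# e=lower left, f=upper left, g=middle.
SEGMENTS = "abcdefg"
DIGIT_SEGMENTS = {
    "0": set("abcdef"), "1": set("bc"), "2": set("abdeg"), "3": set("abcdg"),
    "4": set("bcfg"), "5": set("acdfg"), "6": set("acdefg"), "7": set("abc"),
    "8": set("abcdefg"), "9": set("abcdfg"),
}
SEGMENTS_TO_DIGIT = {frozenset(v): k for k, v in DIGIT_SEGMENTS.items()}


def generate_key(columns, rng):
    """Key-pattern generator: one or two printed segments per column.

    Small subsets keep every column able to show most digits, because a
    printed segment that is not part of the wanted digit would corrupt it.
    """
    return [set(rng.sample(SEGMENTS, rng.choice((1, 2)))) for _ in range(columns)]


def compatible_digits(key_column):
    """Digits whose segment set already contains every printed segment."""
    return [d for d, segs in DIGIT_SEGMENTS.items() if key_column <= segs]


def generate_challenge(key, rng, obfuscate=False):
    """Challenge-pattern generator: returns (one-time code, screen segments).

    Screen segments are the digit's segments minus the printed ones. With
    obfuscate=True the server also lights some printed segments on screen;
    the overlay looks identical (union), but a composite of many challenges
    no longer exposes the card as "segments that are never lit".
    """
    code, screen = "", []
    for key_column in key:
        digit = rng.choice(compatible_digits(key_column))
        shown = DIGIT_SEGMENTS[digit] - key_column
        if obfuscate:
            shown |= {s for s in key_column if rng.random() < 0.5}
        code += digit
        screen.append(shown)
    return code, screen


def overlay(key, screen):
    """What the user sees: card segments OR screen segments, read as digits."""
    return "".join(SEGMENTS_TO_DIGIT.get(frozenset(k | s), "?")
                   for k, s in zip(key, screen))


def verify(expected_code, response):
    """Server-side check of the typed response against the one-time code."""
    return response == expected_code


def run_login(key, seed, obfuscate=False):
    """One complete login: server issues a challenge, the user reads the
    overlay and types it, the server verifies. Returns (code, typed, ok)."""
    rng = random.Random(seed)
    code, screen = generate_challenge(key, rng, obfuscate)
    typed = overlay(key, screen)
    return code, typed, verify(code, typed)


def composite_candidates(screens):
    """Passive-observer view: per column, segments never lit on screen.

    Without obfuscation this shrinks toward the printed key, so the number
    of logins it takes is a figure a card-reissue threshold must sit below.
    """
    columns = len(screens[0])
    return [set(SEGMENTS) - set().union(*(s[i] for s in screens))
            for i in range(columns)]


def logins_until_key_exposed(key, seed, obfuscate=False, limit=200):
    """Observed challenges needed before the composite equals the key
    exactly; returns limit if that never happens within limit logins."""
    rng, screens = random.Random(seed), []
    for n in range(1, limit + 1):
        screens.append(generate_challenge(key, rng, obfuscate)[1])
        if composite_candidates(screens) == key:
            return n
    return limit


if __name__ == "__main__":
    demo_key = generate_key(4, random.Random(1))
    print("code, typed, accepted:", run_login(demo_key, 2))
    print("logins to expose key (plain):", logins_until_key_exposed(demo_key, 3))
    print("logins to expose key (obfuscated):",
          logins_until_key_exposed(demo_key, 3, obfuscate=True))
```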

Advantages of PassWindow

PassWindow is a true multi-factor authentication system, using something you know and something you have. I compare it to SecurID tokens, but it is simpler to use, cheaper to make, and easier to carry. Walker lists over 20 reasons why PassWindow has an edge on other authentication systems. Here are some of them:

  • Unlimited working life, lifespan is not limited to battery life.
  • No expensive dedicated electronic hardware tokens and protection against the myriad of associated electronic vulnerabilities.
  • Unlike SMS-based authentication, the codes are delivered securely over SSL directly to the client, not over unreliable third party telecommunications networks. (GSM is cracked)
  • Phishing deterrent: regain e-mail communication with your customers by including a PassWindow pattern image that authenticates the e-mail message specifically to that customer. Phishing attackers are unable to generate these legitimate challenge patterns.

Some questions

I had some questions, which I put to Walker to make sure I understood the technology:

1. What kind of printer is required to make the cards? How stable is the ink?

"Generally I imagine the PassWindow will be incorporated into existing card systems printed with regular card printers, $500-$5000.

However for cheap simple implementations it can be printed onto transparent stickers with a regular printer and stuck onto a more stable transparent surface or even the corner of your screen."

2. How does the user initiate the authentication? Is it by entering a user name at the Web site? Your Web site does not clearly explain this.

"Yes it would be used in combination with existing username and password systems or at the very least a username. I envision it will be incorporated alongside other authentication mechanisms however it could work on its own for users who don't want to memorize anything."

3. If I understand, shoulder surfing is not an issue, because the number created is a one-time event. Is that correct?

"Yes you are correct, however it's actually difficult to shoulder surf PassWindow. The slight distance between the card pattern and the on-screen pixels creates a limited viewing angle. The shoulder surfer would need to be directly behind your head.

In addition, the pattern card could have a tint printed around the pattern as shown on my security page. This is simply a grey background on the key-pattern image, which works well against someone trying to capture the key pattern."

4. It seems to me that PassWindow would be susceptible to key loggers and screen-capture applications?

"Apart from the dynamic aspect of the password, the character locations randomly jump around inside a larger segmented matrix pattern, which means even with screen capture and key logger applications secretly installed on a victim's computer, the attacker won't be able to intercept enough data to calculate the key pattern before the key pattern is renewed with a new annual card."

What's next

Walker has already been awarded the People's Choice award by the Australian television show The New Inventors. Walker is also currently negotiating with several credit-card firms including CARDPro.

It appears that PassWindow's uses are limited only by one's imagination. Walker mentioned that a respected micro-credit foundation is looking to use PassWindow, but on paper:

"A micro-credit foundation working in 3rd world countries wants to use PassWindow on paper ledgers to authenticate transactions with the villagers who have loans. The people will simply hold their card over the printed pattern on the paper and write down the authentication code, which is then confirmed back at the branch office.

Later, they will migrate the information to digital databases when the Internet becomes available. In their current conditions all electronic-based solutions are impossible, from a cost and implementation point of view."

Final thoughts

"Outside the box" thinking always impresses me and PassWindow exemplifies that. It's not hard to see where our on-line security would benefit from this technology.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

137 comments
goody_uk

Is this not similar to the Lenslock designed by Digital Integration Ltd, implemented on the ZX Spectrum about 20 years ago?

tomwarrior

It looks like some kind of card that has never been seen in Vietnam, but I have to admit it is really amazing.

Senrats

This is really a great idea. One of those "ah man, why didn't I think of that?" (which are usually the best ideas) I know nothing is going to be 100% secure, with that said: 1. Could someone take the card and quickly sketch the pattern? I guess the issue is that the pattern doesn't change, right? Of course, they would still need the password. 2. I am still not completely convinced that a keylogger would not pick up the number that the user types. Unless the web server has a virtual keyboard. Again, great idea.

Michael Kassner

Matthew Walker for taking the time to answer all of your questions. If you have any more please ask away. Now is the time to understand the process.

8thom

Nice idea, however isn't it still quite easily susceptible to phishing attacks? Although the "phishing site" couldn't reproduce a legitimate challenge pattern it could display a carefully constructed fake one and reverse engineer the transparency. As this transparency is static they would gain the username, password and at any time (before the card was replaced) be able to pass a challenge based on the response from the fake one.

felix_internet

I am happy and quite adept at remembering multiple 15-digit+ passwords. This is a nice gimmick but unless it beats the rubber mallet cracking scheme, which it doesn't, I see no use for it. Who wants to carry around yet another card?!?! Not me! He will make some money because marketers these days can sell ice to Eskimos and most consumers are dumb Eskimos.

amalsp

I hope I have not duplicated this. HSBC has offered a security key for their internet banking users which generates a number when a button is pressed. We need to enter this every time we log into internet banking. The security key is attached to my banking ID by the serial and I think works in a similar manner as the one described here. So I think this is a variant of the HSBC system or vice versa.

Harry.Hiles

After visiting the PassWindow site, I can see a lot of thought was put into this concept. But I didn't see any mention of how many unique segment patterns are possible to provide each of potentially millions of users with a unique pattern every year. Some of the other comments regarding potential issues like image size and font are non-issues if you read the PassWindow site. There might be some fine tuning needed for cellphones with limited-function browsers. Of course, it would be difficult for vision impaired people to use this method. Cost is always the limiting factor for any security solution. The cost of implementing PassWindow seems nominal with minor modifications to a credit card or ID card, plus the cost of the software modifications needed to add PassWindow to existing login screens. This is a fantastically simple multi-factor authentication method. Although I don't think it or any other method should be used as single-factor authentication, PassWindow can strengthen the inherent weakness of passwords--strong passwords are too hard to remember and easily-remembered passwords are too easy to crack. PassWindow still needs to be vetted and it will be interesting to see how it will be adopted by security practitioners.

Craig_B

This sounds quite interesting and I think it could work. It adds an extra layer of security for a low cost. One more tool to help people.

SarcasmDoesn'tReadWell

I could crack this easily. I don't need your unique code, I just need to make enough attempts to form a pattern and see which lines are always missing. So then all I need is a username, which makes this only 1 piece of information I need to find out. As we all know, via social engineering, or capturing emails, it is realistically possible to find a username. To sum up, the main problem with this is that you are giving away part of the password. And if the prompted image changes each time, I get even more information each time I try.

MattPW

Lenslock was a series of prisms held over a screen making a 2 digit code, there is a wiki article about it, the problem with it and about half a dozen other on screen authentication systems is 1) they don't work very well in real life for a variety of reasons and 2) there is not enough entropy in the method, this means if someone or a trojan can intercept just 1 or 2 user entries they can effectively crack the key. With PassWindow it works easily in real life and I can easily crank up the interceptions needed to well over 1000+ with a very small window.

JCitizen

Amazing how the brain can complete such patterns! But even my salty old brain couldn't begin to complete the type of patterns this security factor is referring to!

MattPW

All the info and demonstration animation/video is on http://www.passwindow.com The single use password is an entirely different concept which provides a limited number of unique passwords which are crossed off each time the user logs in. This used to be adopted by some European banks but it has some serious flaws, firstly the limited number of them means you can only authenticate sparingly before running out of codes, secondly usability, funny enough a European friend I know had this same method from his European bank but forgot whether he had crossed off the last password or not, it turned into a disaster when he entered the wrong code and got locked out, he was travelling at the time and couldn't log into his account. It's not the worst of methods to be honest but PassWindow does not run out of unique codes, doesn't require an extra item on top of the existing bank card, the keys are not as easily copied and has anti phishing and man in the middle capabilities.

MattPW

Thanks for the support, I appreciate it. Someone could sketch the card pattern if they have a backlight handy and a bit of time but it would take a while, the patterns shown are the simplest incarnation and real ones will most likely have multiple rows, if they have full access to card and a bit of time away from the user not just an over the shoulder glimpse then they could put the card through a specially lighted setup and take a digital photo but once again it wouldn't be very surreptitious or something you could pull off easily, and really if they have that much access to anyone's security device and person they could just use it to start stealing if they somehow also know your secret account username and password. I'd love to think PassWindow was the complete solution to the authentication problem but I have to work within the constraints of the average user and there will always be situations you just can't protect against, such as physical violence etc. PassWindow is really designed to prevent the type of mass online card fraud happening remotely online at the moment. The keylogger would pick up user code but being a dynamic code and different for every authentication it would do them no good. The virtual keyboard while making it more difficult for attackers, it is technically possible for malware to monitor the display and mouse to obtain the data entered via the virtual keyboard, unfortunately all the pure software solutions seem to fail to other software attacks. Hopefully PassWindow will be one more tool in the defense mechanism.

Michael Kassner

I am not sure of the number of variations, but how would the phishing site be able to offer one challenge that would mate up with the key pattern?

MattPW

Without knowing the user's key pattern any fake challenge pattern they try to generate will display as nonsensical gobbledygook and the user will immediately know something is wrong (and hopefully check their address bar more carefully), furthermore if they somehow gained access to a login challenge image and then tried to use that genuine challenge in the email (In the same way attackers fool hardware token users into thinking they are doing something like logging in but in fact the attacker is using the code to authorize a fund transfer out of their account) the user would also immediately know something was wrong by the fact a specific character such as an L for login challenge and E for email challenge embedded into the challenge themselves won't appear or another improper type of challenge character does appear when they superimpose their card. This flexibility is not available in hardware tokens and can also easily identify the actual funds transfer clearly with a T or A for amount secretly embedded in the challenge pattern and then the actual amount being transferred, of course none of this challenge type information will be visible without the user's physical key being superimposed. There is a section on Man In The Middle Attacks on the security page which outlines this threat with some basic demonstration challenge images.

I should be clear to everyone that these single row challenge and key patterns used in the demonstrations will most likely be for very low level security, I would expect a bank grade PassWindow to have multiple rows 3+ and a number more columns to increase the difficulty of analysis, many people believe they can analyze it quite easily however they are forgetting the obfuscation segments randomly and targeted designed to confuse analysis algorithms, also the character set is not stable, an attacker will not know which character set a system is using at any specific time, most people assume 0-9 however there are a further 10 versions of numbers just within numbers alone, let alone possible letters. All this combined with characters randomly jumping side to side and up and down make analysis no walk in the park, some of the best guys have tried and struggle even with simple implementations. Given enough interceptions and user data with enough time it is possible but the constraints of the lifetime of the card coupled with a built in reissue request (just before the known amount of data needed for their specific configuration is theoretically reached) means technically it can't be cracked in this way even with this unrealistic full compromise of the user's computer. There will be a number of whitepapers out soon with analysis results which so far have been very favorable.

MattPW

I am glad your memory is so adept, it would be nice if everyone's was, myself I am maxed out remembering passwords and many sites now force me to use passwords with multiple number/characters and a large length which I cannot remember. Even with these strict rules no matter how big your password is even if 100 digits it will take a single keylogger virus trojan (not uncommon now) to intercept it and you are done. Regarding the difficulty of pattern analysis I have run the patterns past some of the world's best cryptographers and mathematical pattern analysts who have given it the all clear. As explained in previous posts on here PassWindow won't be a new card in your wallet instead it will be simply incorporated into your existing cards, cards are quite universal items. Glad you think I will make some money because I have no commercial structure, I am sure you thought all this was part of some IPO, I merely came up with the idea. I prefer to think of consumers as potential fraud victims, like I was when I had a credit card and got ripped off, I didn't go out to buy protection for the bank, the lack of it was decided for me with the static card numbers clearly exposed to the world on every card, currently consumers have little to no protection against a myriad of online threats, every day the news outlets give nothing but bad news about new online hack attacks and I would like to think this is the first bit of good news against online thieves in a long time.

MattPW

Yes these are called Hardware tokens, which is the best current solution to banking authentication. Unfortunately they have a number of serious flaws, the first problem is cost, you were probably charged $10-$40 for the device however the bank actually pays orders of magnitude more for them and writes it off as a protective payment, internal quotes reveal between $80-$400 per token, not to mention the annual licensing and management fees, as well as the need to install a big dedicated server and the security and technicians which go along with that, a massive amount when multiplied by the number of users, (banks deserve some credit for this generally unknown generosity) The reasons for the high cost is the specialized hardware inside and the security needed from the factory to the user, literally an entire factory in Asia needs to be secured. But cost aside they have inherent real life security problems, firstly they are vulnerable to Man In The Middle attacks or Phishing schemes which have seen recent attacks carried out in Europe on banks who use the hardware tokens, attackers simply trick the user into entering their hardware token key into a fake website or with a phone call from "the bank security" and next they are in and have cleaned out the account, I address this on the Security page of the website. The beauty of PassWindow patterns is the extremely to trick a user into explaining or giving out their key to a potential attacker online, the phishing emails in your email box will be unable to generate the correct challenge patterns and the actual transaction details can be built into the challenge so the user always knows what they are authenticating, unlike tokens where every number is anonymous and you don't really know what you are authenticating.

Another technical issue is the internals of the hardware tokens work on have a synchronized clock value in time with the server, unfortunately these clocks drift slightly with time and when cryptography is involved it doesn't take too long before your device stops working which is a private major problem within the hardware token industry.

MattPW

It's true while there are 128 combinations in a single column with x number of columns there will be a x number of possible key combinations, (x being a huge number) The reason this x number is difficult to put a finger on is it changes for every configuration and there are a lot of possible row/column configurations, and then to make it more complex it changes again depending on the character set and specific method used. This all works as a security feature making analysis extremely difficult as each implementation will be customized and so no chance to fine tune your analysis. The basic implementations shown on the website contain more than enough possible key patterns but also if you think about the 4 digit pin number on bank key cards it means there are literally 10s of thousands of people walking around with the exact same pin code so its not a huge issue. Thanks so much for the supportive message, the tech behind the challenge and key patterns isn't anything mindboggling, literally an extra script added to your webserver and referenced by your login page, no dedicated server boxes or anything like that so there shouldn't be any problems there. I can say a number of famous cryptographers have run the numbers and the results are good and much more complex than the average mathematical statistician would initially believe, they are writing whitepapers at the moment which should be ready soon. Thanks again, Matt, Inventor

PaulK66

The second factor needs to be something you and only you possess. This could be a Dick Tracy secret decoder ring if you could guarantee that there is only 1 copy of the decoder and it could not be copied. In this solution there is no way to GUARANTEE that the key has not been photo copied, photographed or even traced freehand. Once the auditor gets up off the floor and stops laughing they may recommend a new line of work to whoever recommended this solution...

MattPW

Ok I understand what you are saying which is the case with this concept however that is not the case with PassWindow, for a start the user will only be shown the one specific challenge until they solve it, so you don't solve it and come back the next day it is the same challenge so you won't get much information in a hurry even with the username and password and you won't see random challenges each time the page is refreshed (which is explained on the Demo page) the demo page does refresh a new challenge so people can get a feel for what is going on, it doesn't actually log in to anything. Now regarding the analysis your job won't be very easy at all, I've had heavy cryptographers have a crack, for a start there are obfuscational segments not just around the characters but also a few within the characters randomly appearing, disappearing per challenge to make the number of challenges you need to intercept very large and then just to make it more difficult I can easily add multiple rows/columns and use random alignment offsets which you won't know so you will have to analyse a whole giant chunk of challenge pattern not just the simple implementation shown on the demo page, that is for people to get the basic concept, believe me the sums blow out for analysis and it goes beyond the annual lifetime of the card you would need to intercept to make key deductions, This is what makes PassWindow unique for this sort of concept, there is a lot of flexibility for increasing the security and mathematical analysis difficulty. There will be a whitepaper written soon by various cryptographers on the subject full of statistical analysis info.

SarcasmDoesn'tReadWell

Although I still think I could figure out the code, I had not considered this being shown after the user enters their username and password. That puts me more at ease. Although it still does not add too much more value than the username and password, as long as it is not the sole password it doesn't hurt. Depending on the number of unique character patterns displayed, there should be some sort of logout threshold where a new card is issued to the card holder after several false attempts.

pandu

Because the pattern shows (if I read the article correctly) only after one enters one's username and password.

Michael Kassner

It more than likely would be the second factor for authenticating. Besides you are forgetting that the challenge pattern changes every time you try to log on.

robkraft

Matt, thanks for inventing this technology and replying to the posts here! I think it provides an option for additional security, but I do think keyloggers could use the code the user types in, plus the code displayed on the user's screen, to deduce how the user's specific card alters the values displayed to the user. Thus they could apply that same transformation on future codes. I'm not saying that would be easy, but it does seem to be a possibility. Would you agree?

Senrats

I agree with the first part and learned from the second part. I will have to look into this solution more.

8thom

Someone could still potentially gain the username and password via a phishing attack, pass this through to the real site to access the legitimate challenge and present this back to the user. Therefore also gaining the legitimate response. Whilst this is a more difficult approach similar methods have been used against hardware tokens in the past. I guess the major issue is the fact that the transparency remains static whereas a hardware token is time-locked. These codes are relatively easy to get but hard to use. As soft tokens for mobile phones gain popularity - it will be very interesting to see where this goes. When gathering the stats please consider the number of failed attempts before you can get x% of the original. As I know people that would sit there and try many times before realising there's something wrong. Lastly, best advice I've got is try not to overcomplicate a simple concept - eg. Introducing L for login challenge and E for email challenge, the real benefactors are the ones with no idea about this stuff.

Ocie3

who implement PassWindow on their systems to leave the "challenge" pattern on display until the user has entered the passdigit string. In my experience, some numbskull will think that "5 seconds is long enough for anyone who has a brain to memorize the 9-digit string", then s/he will probably replace the challenge pattern with the blank field in which the person who has the card must enter the passdigit string. Of course, the first time that happens to a cardholder, they are likely to assume that something is wrong with the process because they didn't bother to attempt to memorize the passdigit string, and they don't know what to do about it.

amalsp

Thanks for the explanation on the hardware token. I would also like to point out that I have been issued the token free and I have been using it for about three years and yet to have it fail. I am sure the vulnerabilities are real and I for one take care when entering personal data into websites. Fingers crossed so far I have been safe.

JCitizen

Obi-Wan Kenobi, I bow to your great intelligence! *snicker-smirk*

MattPW

There is no way to guarantee anything physical cannot be copied, so by your constraint nothing would qualify as a "something you have" second factor, which I can understand from a theoretical angle but in a real life circumstance I believe there is adequate protection available for this. I acknowledge that the pattern could be copied by if you look at the bottom of Security page dealing with personal key protection, but not as easily as you might imagine, you can see high res camera photos taken up close and with a white background fail to capture the pattern image as well as a normal photocopier. An attacker could make a copy with the right setup but it wouldn't be easy or surreptitious to the user. And remember that these photos were taken using just the basic shaded background with a regular printer, a specialized transflective laminate or sticker would provide a far better visual obfuscation method. People don't realize how back lighted the average digital display actually is and the protection takes advantage of that. I would envisage the individual key pattern protection level would be either selected by the user depending on how much public usage they expect (ie a backpacker on holidays in suspicious countries vs the grandma who only logs in at home) and could be automatically customized based on the users bio statistics and usage patterns. At the end of the day even the toughest of cryptographic ciphers fail the unconstrained theoretical attack, with PassWindow I am trying to solve a common serious problem based on the average Joe's normal usage.

Michael Kassner

Also, the challenge pattern can jump around. If you check out the Web site, you will see an example.

MarkGyver

...He's relying on it. Although you might not be able to prove what the segments are in the card, you can guess pretty well based on which segments appear in the changing pattern. If you only have example challenge patterns, it's going to be more statistics-based. But if you have a keylogger on Bob's system (something that the website claims the product's secure against), you can start figuring out segments pretty easily. For example, once Bob has entered "1" for a position in the challenge response box, you know that there are only two segments that it can possibly have. If they then enter a "2" in that same position in a future response, (assuming that each character slot in the card has at least one segment filled) you now know which segment is filled in the card's box (the top-right vertical one). If another character position is filled with "3" and "4" on two different occasions, you have reduced the possible filled segments in the card for that position to only the two right vertical segments and the middle horizontal segment. Eventually (probably within a dozen logins), all (or enough) the blank segments will be figured out to know with a high degree of certainty which ones are solid, and thus the card's data becomes useless. Tricks like turning the card around only obfuscate this fundamental flaw. I would only trust use of the same card once.

Dr. Solar

It's the fact that the challenge pattern does change each time that gives the cracker information. OR all the images together, and eventually everything will be filled in except the lines supplied by the card. Take the NOT of that composite, and you've cracked the card. Just like The Doctor did to find the shape of the last segment to The Key To Time.

JCitizen

That is the question. If the program that went with passcode generated the fake keypunches, much like a VNC session, then that could be a winner there!

Curious00000001

Not sure if this has been thought of but I had a few ideas that could possibly make this a little more secure. #1 Have the generator occasionally place dashes that are already part of the users pattern. This would help with the "fill in the blank" type of guessing what the users key is by what dashes are not used by the generator. #2 Implement a refresh feature that would allow the user to get a new pattern of dashes with the same "passcode". This could make password guessing easier if the user refreshes too often but would make it more usable and would be key to my next idea :) #3 Have the generator occasionally output a pattern that results in no recognizable password. This would conceivably throw off an attacker gathering data over time and would not be an issue for the user if there was a refresh capability. Everyone have at it and see if it would make sense or cause any new problems.

JCitizen

Are you aware of anyone attempting to develop a Vista video hook firewall, similar to the XP version Snoopfree Privacy Shield employed? I would think writing new code for such an I/O firewall would not be a copyright violation of this previous work, but I'm not a binary lawyer, so I digress! However, I can see how your idea could thwart this eventuality greatly. I sometimes feel I have too many AS utilities on Vista x64 as it has many file protections and various system privilege rules to input requests which, like Linux, could make video hooking more difficult. But I'm really just guessing at this stage. I'm really more familiar with Linux system rules than I am with Vista so far. Of course public computers may have no malware protection, but it gripes me that many of the posters seem to forget, most business and personal computing users are going to at least have minimal malware detectors on board! Sheese! Let alone the video/keyboard hook only gets a very limited snapshot of your particular system. What I don't understand is how a keyboard logger could even get anything on it? Doesn't this factor simply confirm a transmission? How is this detectable to a keyboard hook of ANY kind? Plus, I'm assuming the image is encrypted to everything but the video image. To your detractors, I can only say; "Where's the beef?"

robkraft

I understand. I think the process should work well; especially when issuers of the card can control how frequently they issue new cards. I hope this tool can become another valuable weapon in our protection arsenal. Good luck and good fortune to you Matt.

MattPW

Yes, it's the most straightforward possible logical attack, a keylogger and screen capture combination which, while more difficult to implement on a user, could happen. Actually I think this is why this superimposition concept may have been thought of and written off as a single or at most 2 or 3 interceptions and it's game over for the key. I actually have a patent on an entirely different superimposition authentication method which doesn't require any alignment; however it suffers this problem from this same attack and is taken out in just a small number of intercepts and a good statistical pattern analysis algorithm. (I have to add some people like this alternative method better for low security situations because it's more usable without even needing to be aligned, and they say if someone's computer is compromised this badly that user is history anyway, the attacker would control just about every aspect of their online persona.) But anyway the big positive with PassWindow using the segments as shown is that because the authentication points or characters can float around randomly within a much larger segment matrix it takes a lot more interceptions to start deducing the key patterns; the challenge generator can then deliberately add obfuscational segments to the challenge, not just randomly but deliberately to confuse the pattern analysis. The result is that it's not too difficult to push the number of necessary interceptions beyond the average authentication history of a normal user. This is where people get confused: they think we're dealing with a software cipher where you can throw a million chunks of data at it, but we're actually dealing with people behaviour which has its limits. So for example let's say a particular configuration/character set (a big issue budding analysts don't think of; many people don't consider each client would have a custom character set far more than 0-9, there's another 10 possible representations of just numbers let alone characters, and the human brain is interesting in how it can visualize these numbers even amongst a lot of noise, that is something very hard to deal with in an analysing pattern algorithm that people don't realise and has made life difficult for the cryptographers that I've had analysing it). So anyway back to the example: this particular configuration of key may require 400 interceptions to deduce say 80% of the key which is probably enough for a good 80% guess. So the limiter is how often your target authenticates with the card, I'm guessing say once per day; I personally maybe only log into my bank once per week but it makes no difference, they are probably not logging in every single hour of the year with no sleep, so the interceptions are not going to be extremely large numbers, so the attacker may wait around for a whole year to crack this user's key pattern and then of course once the system recognises the user has reached a threshold say 350 authentications (just before the 400 needed) they reissue the user a new 2 cent card with new key pattern and so the attack is defended and also polluted now with the wrong data from the new card without the attacker knowing. The implementation would just assume every user's computer is totally compromised with keyloggers and screen captures going and just reissue when it reaches the threshold limit the client has set. Being such a cheap physical token of sorts it's simple and cheap to have a regular key renewal policy which many cards do anyway. It is possible that attackers may come up with better statistical analysis algorithms than what the crypto guys I've had develop can do (and will be replicated out in the wild I am sure) but this isn't cipher territory complexity and there are limits to deduction improvement so I am not terribly concerned and also will leave this renewal threshold to the paranoia of the client implementing PassWindow.
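An added toy simulation of the interception arithmetic discussed in the reply above and in the earlier "OR all the images together" comment (this is illustrative code, not PassWindow's generator, which also uses custom character sets, random offsets and surrounding noise that are not modelled here). It measures how many captured screen patterns a union-and-complement deduction needs before it reproduces a printed key pattern, and how re-lighting segments the card already prints (the "obfuscational segments" above) changes that number, so a deployer can pick a reissue threshold. Function names, the 7-segment digit encoding and the 30% segment density are assumptions.

```python
import random

# Standard 7-segment encoding; bit i set means segment i (a..g) is lit.
DIGITS = {0: 0b0111111, 1: 0b0000110, 2: 0b1011011, 3: 0b1001111, 4: 0b1100110,
          5: 0b1101101, 6: 0b1111101, 7: 0b0000111, 8: 0b1111111, 9: 0b1101111}
ALL = 0b1111111


def make_card(positions, rng, density=0.3):
    """Key pattern: one bitmask of printed ('solid') segments per character cell."""
    return [sum(1 << i for i in range(7) if rng.random() < density)
            for _ in range(positions)]


def make_challenge(card, rng=None, decoy_prob=0.0):
    """Screen pattern for one login plus the digits the user should read.
    Per cell: pick a digit containing the card's printed segments, light only the
    missing ones, and with decoy_prob per printed segment also light a segment the
    card already has (invisible through the window, but it pollutes the union)."""
    rng = rng or random.Random()
    screen, answer = [], []
    for key in card:
        digit = rng.choice([d for d, segs in DIGITS.items() if segs & key == key])
        lit = DIGITS[digit] & ~key
        lit |= sum(1 << i for i in range(7)
                   if key >> i & 1 and rng.random() < decoy_prob)
        screen.append(lit)
        answer.append(digit)
    return screen, answer


def union_inference(screens):
    """The deduction from the thread: OR every intercepted screen image, then NOT it.
    Segments that never appear on screen are assumed to be printed on the card."""
    union = [0] * len(screens[0])
    for s in screens:
        union = [u | bits for u, bits in zip(union, s)]
    return [ALL & ~u for u in union]


def leak_fraction(card, guess):
    """Share of segment bits (7 per cell) the inference got right."""
    wrong = sum(bin(c ^ g).count("1") for c, g in zip(card, guess))
    return 1 - wrong / (7 * len(card))


def intercepts_needed(card, decoy_prob=0.0, target=0.95, max_logins=2000, seed=1):
    """Logins an interceptor must observe before its inferred card is `target`
    accurate; max_logins means it never got there. Usable as a reissue threshold."""
    rng = random.Random(seed)
    screens = []
    for n in range(1, max_logins + 1):
        screens.append(make_challenge(card, rng, decoy_prob)[0])
        if leak_fraction(card, union_inference(screens)) >= target:
            return n
    return max_logins


if __name__ == "__main__":
    demo_card = make_card(6, random.Random(42))  # constructed sample card
    for decoy in (0.0, 0.1, 0.3):
        print(f"decoy_prob={decoy:.1f}: {intercepts_needed(demo_card, decoy)} logins")
```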

Michael Kassner

Mr.Walker is very interested in hearing your opinion.

JCitizen

Perhaps this is covered by another patent already; but what if the "lego" patterns were colored, and different filter elements were included in the card window, perhaps by sliding them out? The right pattern would only be visible to the user. Also using polarity could do this, but I'm not sure if you said this was covered before by another inventor or not. Could this introduce complexity without much cost? I can't stop brainstorming this; please forgive me!

8thom

That's true, however if you wrap a plausible reason around the reset it could catch more than just silly users. For example you could first present a fake challenge which fails with an "Invalid card" error, then prompts the user to reset their card with the blank grid. For a call to action you could add a message below to say that the alternative is to reorder a new card at a cost of $100, and they leave with the nice feeling of saving some cash by resetting the card this way. Once complete you send them to the real site and their card now works. There's probably better examples but it's a whole lot more believable than a "send money here" scam and I know of ways a security system can stop this. Unfortunately most people are naturally gullible and social engineering is a b####!

MattPW

It's true there will always be someone silly enough to go along with anything, but I think if someone was that silly you could just ask them to send you their money and they probably will, which come to think of it is how the 419 scams have been working nicely since forever, so there are people that silly and I doubt any security system is going to stop them.

8thom

Hey - if they are silly enough to fall for the phishing attack in the first place they would probably fall for a site that would present an empty grid and ask them to fill in the gaps. Then it doesn't need to be an active phishing scam.

MattPW

Although it is much more difficult to pull off an active instant phishing scam rather than the regular passive ones where they send your login details to an online drop box for their own safety, it is exactly that type of active instant attack which just destroyed a token system with some European banks recently despite the attackers being much more exposed electronically. They could with the right story trick a user into logging in for some reason, but I can't imagine how they could then trick a user into confirming the second transfer challenge transferring out of their account a specific amount of money embedded within the challenge itself, which I assume would be the point of the exercise; the user would be aware of what is really happening along the process and the attacker would not be able to extract the specific transfer information from the challenge, and hopefully at some point the user will have alarm bells ringing. I am sure some people might go along with anything but it's got to be better than the alternative passive token system where every authentication code appears as any other, so they simply get the user to strangely keep re-logging in until their real account is empty. Regarding the mobile phones I completely agree; with mobile operating systems becoming more complex like computers it's interesting to see the number of virus/trojan/hacks being specifically aimed at mobiles as some banks adopt SMS token systems. It seems every week on the security news sites a new mobile targeted attack appears. You are right that each user entry, even a false one, to a compromised pattern gives away a bit of deduction that could be made, but from the analysis it's far from enough with a decent multirow configuration. Adding people to the equation rules out the brute force attacks employed against software security systems.

You are right about simplicity being the key; I merely offer these as potential solutions to a common problem. I am really not sure how it will eventually be implemented in real life. I can say an interesting simple idea came right out of the box a few days ago when a microcredit bank in Asia planned to use PassWindow on pieces of paper with fieldworkers and pens because they have no electricity around their various branches, let alone phone or internet. They intend to issue the village women cards which they then superimpose on the fieldworker's printed ledger complete with challenges and write down the unique code, which is then later checked back at the branch when the power comes on. Sure it's not sexy authentication but I guess you just work with what you've got. I will probably leave everything up to any future users to decide how exactly it gets implemented and just supply the basic guidelines to the implications of their decisions.

MattPW

Yes, unlike the hardware tokens there's no limited time involved to enter in the challenge pattern. It does not provide any extra security to do so; in fact if I were a programmer I would be suspicious of bots if anyone entered a code too quickly. I know with my hardware tokens I always panic a bit when I realise the 30 seconds is counting down from the time the page loads and I need to enter the token code or look entirely suspicious to the system; it's never comfortable being on a clock.

JCitizen

isn't he? Funny thing is, I could see how a lot of what he was talking about was already evident; however even though I have a fairly deep mathematical statistics training background, I wasn't sure about the chances a lego pattern could be figured out by a sophisticated key-logging algorithm. However, when I looked at the alternatives, I could easily see a great burden was placed on the cracker without much cost to the security firm, as a second factor (or third if you bother to apply more). Although I could see that optical dichroic and laser holography methods could be applied to this method as well, the inventor has mentioned that these methods are already patented by the developers and are probably out of bounds by economic factors here.

JCitizen

the keylogger suddenly has to become more complicated than the new security factor. It seems a lot of folks are making mountains out of molehills here, we are talking about a very smart - cheap, new factor - other factors could be easily added later!

SarcasmDoesn'tReadWell

If the lines on the card could potentially overlap the lines on the screen, then it is anybody's ball game, because then in the series of images, you could make it so that after 12 or however many images you get all 7 lines for each digit.

MattPW

I understand what you are saying and yes, like anything new it takes some people a few times to get familiar with correctly visualizing the numbers amongst the noise. An actual real life implementation would include a user manager which would statistically monitor each user's authentication history, bio stats and behavior and on the fly tweak their challenges and lockout parameters etc. to suit their unique characteristics. It's here the flexibility comes into its own, allowing individualized authentication without much processing overhead. I can say from sending out many demo cards no one has had any problems visualizing the characters as yet, but the situation will come up, and the manager should recognize these cases and modify the challenge codes appropriately, a unique ability as far as general authentication systems go, and will enable more secure lockout thresholds with a better authentication experience.

Curious00000001

Using lockouts as a defense to this attack is perfectly logical; however, in this case the overhead may be too much to bear. As pattern recognition, this one seems to have a high likelihood of failed login attempts by actual users, meaning the lockout threshold would be set high by most IT departments. Just looking at the demo pictures there were several times I would look at the image and then the response and notice what I had interpreted at a glance was not the correct response. Part of our pattern recognition ability means our mind will see possibilities and patterns that may not be fully there. If the pattern coincidentally looks like a valid number but is missing a single dash most users would see it as the number. Initially I had thought that increasing the complexity by adding lines and rows would help but this will increase the likelihood of false pattern recognition even further. All this will make implementation of lockouts alone as a defense too difficult to maintain for the average user and administrator. If this is to be a realistic reusable authentication means, further defenses will have to be identified. If nothing else this would be great for single use authentication.

MattPW

In a real life implementation a new challenge would not be exposed to a user or attacker until the previous challenge was solved; there would be timed lockouts etc. but I didn't want to bamboozle the average Joe coming to the website with the details. The idea is the attacker would not be able to get lots of data to analyze, and from the calculations there is not enough data in a normal user's authentication rate to be able to make enough deductions about the user's possible key pattern. You have to keep in mind the website shows the simplest of possible key/challenge patterns; real implementations, depending on the purpose, would almost certainly be multirow with random offsets and varying levels of obfuscational noise, both in and around the characters. This makes analysis extremely difficult even with large amounts of intercepted data, which is limited by the rate at which the user actually logs in from day to day. In this way you are correct, it has aspects of a one time pad where less usage is more secure.