Comments on: Password managers and phones

By: Nat Friedman

Nat Friedman — Tue, 13 Oct 2009 18:12:46 +0000

That is so bad. Ditto the RFID passport situation. I’m not much of a security maven but these kinds of decisions defy reason.

By: karl

karl — Tue, 13 Oct 2009 00:21:26 +0000

i heart clipperz

By: Ismael Olea

Ismael Olea — Mon, 12 Oct 2009 21:38:00 +0000

Here in Spain there are experiences on using bidi codes on mobile phones by Vodafone and the Spanair airline: http://www.movilfonia.com/noticia.asp?ref=4278 (Spanish)

By: gst

gst — Mon, 12 Oct 2009 20:51:24 +0000

One problem with the SMS approach is that security of GSM is pretty weak. I think the only reason that there have not been any widespread attacks against GSM is that there are no free open-source implementations and thus nobody has played around with it enough. But that’s changing. There’s already basic GSM basestation support for GNURadio (http://gnuradio.org/) and people are actively working on rainbow tables allowing to crack the A5/1 encryption scheme used in GSM (http://reflextor.com/trac/a51).

I think in a short time from now we can expect the same security from GSM as we can expect from WEP. While the encryption used in the newer UMTS protocol is pretty secure, it’s still possible to force phones to downgrade to a GSM connection by disturbing the UMTS frequencies with your own emitter.

By: gst

gst — Mon, 12 Oct 2009 20:40:53 +0000

Seems your looking for something like our QR-TAN approach described here: http://gst.priv.at/papers/ares09_qrtan.pdf (disclaimer: I’m one of the authors). QR-TAN is basically targeted for online banking transactions, but could also be used for other purposes (e.g. simple logins to a website).

By: harrybuttle

harrybuttle — Mon, 12 Oct 2009 19:34:54 +0000

what about http://www.clipperz.com? no local apps, no webcams, no flash, no phones, just client side encryption inside the browser with javascript and online (or offline) storage of the encrypted data.

By: Donnie Barnes

Donnie Barnes — Mon, 12 Oct 2009 18:10:27 +0000

98% of all iPhone apps are games, flashlights, alarm clocks, and levels, it would seem. But I do want to point out that Starbucks has a “gift card” type app for the iPhone and they’re currently testing it at 16 locations in the valley and somewhere else to let you pay. It does it by generating a barcode that the cashier scans off your iPhone screen. Which makes me wonder if their testing is limited like that because they had to roll out special scanning hardware, or if they are using their normal stuff and it’s for other reasons.

And you should be able to *lay* the iPhone on your chest and get heartrate using the accelerometer instead of trying for sound. But it wouldn’t surprise me that there’s a sucky app that doesn’t work at all for that. It is also worth noting, however, that apparently Nike is working on a real heart rate monitor that will talk to the newer generation iPods that have Nike+ capability.

By: Donnie Barnes

Donnie Barnes — Mon, 12 Oct 2009 16:27:07 +0000

It all depends on how far you want to go with the security. If “enough” is just to separate the password from the phone itself, how about printing your barcode password and keeping it in your wallet? Then use the camera on the phone to “scan” it when necessary. Add a mental password layer to “unlock” the barcode password and you’re back to one thing to remember and TWO things someone would have to steal and crack. With a 3D barcode you can embed a good amount of data in there to unlock, too.

By: Jered Floyd

Jered Floyd — Mon, 12 Oct 2009 15:59:22 +0000

This is a great idea, but I think the underlying problem is not a technical one, but rather that there are no “real” penalties for bad security, that the existing social construct is to hold people accountable after the fact rather than secure things before, and therefore people don’t care about good security. Talk to basically any security researcher and I think you’ll hear the same.

Take, for example, the credit card system. The industry has spent billions of dollars rolling out RFID infrastructure, more formally called “contactless smartcard”. This could have been done as an end-to-end challenge/response between the issuer (or at least clearinghouse) and the card, making it impossible to fake or replay transactions.

Instead, it sends your credit card number (shared secret) plaintext over the wireless channel.

By: Ken Crandall

Ken Crandall — Mon, 12 Oct 2009 15:53:06 +0000

One way to implement this would be to do so as an OpenID provider. That way, you could use existing OpenID support to link to your provider. Your provider could then use this method (however your work it out) to be either the sole authentication factor, or as a 2nd factor to go with a password.

(Your original post reminded me lot of the one-time-password (OTP) applications that I used to see for PalmOS…)

By: Digitreo

Digitreo — Mon, 12 Oct 2009 15:08:56 +0000

There is a similar solution for a smart product called Novell Access Manager.

http://bit.ly/2JayYc

By: Joe Shaw

Joe Shaw — Mon, 12 Oct 2009 14:53:05 +0000

Thinking about this some more, you could maybe still do it via SMS with the help of an app on your phone to help fix the display-OTP-even-while-locked problem.

If the phone and the service share a one time pad, the password that is SMS’d to you could then link to an app which would decrypt it to the true code which you’d type into the app. Maybe too many steps, though.

By: Joe Shaw

Joe Shaw — Mon, 12 Oct 2009 14:43:25 +0000

The attacker who has stolen your phone also needs to know the site that you’re using and your username. A good OTP implementation wouldn’t give either of that information away.

By: Nat Friedman

Nat Friedman — Mon, 12 Oct 2009 14:31:05 +0000

Yeah, it doesn’t make sense to me that the reflective properties of the pixels would change enough to be picked up by those red-laser scanners. Probably would be more likely to work with a CCD reader.

Also, my experience is that there are a lot of non-working apps for the iPhone. The other day I bought the “sonar ruler” app which uses little clicking sounds to try to guess the distance to an object. It doesn’t work at all. Likewise the heart rate app that suggests you press the phone against your chest so it can hear your heart beating.

By: Waldo Jaquith

Waldo Jaquith — Mon, 12 Oct 2009 14:25:57 +0000

I’ve been trying to use a program on my iPhone (CardStar) to replace my affinity cards at grocery stores. It’s the same concept—the barcode displays on the screen and I have it scanned at the store. But it doesn’t work. I’ve tried it in two different grocery stores, and despite valiant effort on the part of the clerks, the bar codes have proven unscannable.

No doubt it’s possible. After all, no sane person would release a program that cannot possibly function. But apparently it’s so finicky as to be impractical, at least in my limited experience.

By: Nat Friedman

Nat Friedman — Mon, 12 Oct 2009 14:24:54 +0000

Actually as I’m thinking about this, this is perhaps slightly less secure than having your passwords encrypted on your phone, or a simple challenge/response system on the phone.

With an encrypted password store, you have to tap out a master passcode to unlock the passwords.

But my phone (iPhone) will display an SMS even if the phone is locked, so all you need is physical possession of my phone to get my OTP via SMS. And you don’t need to know a special passcode to unlock the password store.

By: Nat Friedman

Nat Friedman — Mon, 12 Oct 2009 14:18:06 +0000

I just remembered that my wife gets one-time passwords for her bank via SMS also. Great in general, but it was a problem when we were in Bora Bora and SMS wasn’t working on her phone.

By: Steven Livingstone-Perez

Steven Livingstone-Perez — Mon, 12 Oct 2009 14:12:47 +0000

Ah cool – need to get out more!

Was thinking of those apps that say “Enter your mobile number” and then asks you to select your country and so on – a bit of a pain, that’s all.

Actually i never remember my mobile number anyway so the SMS option would never work for me in any case

By: Eduardo Gonzalez

Eduardo Gonzalez — Mon, 12 Oct 2009 14:11:16 +0000

This can me used not just for passwords, but for financial transactions too.

Coca-cola has been doing that in Japan since 2001 with their C-mode vending machines.

http://gizmodo.com/019965/coke-via-cellphone

By: Pavol Rusnak

Pavol Rusnak — Mon, 12 Oct 2009 14:02:58 +0000

It also works abroad if you have roaming turned on and your SIM card with you.