There are four main flaws in the current system of online financial transactions that lead to the possibility of mass exploitation. First, the authentication for most financial transactions (specifically credit card transactions) is based solely on knowing the right information. Second, transactions take place using consumer personal computers, which cannot be secure and are not trustworthy. Third, the basis of identity in the United States is a unique 9-digit number called a Social Security Number, which is inherently insecure and easy to steal. Fourth, information security, particularly patching vulnerabilities and creating anti-virus/anti-spyware signatures, is a reactive process.
The current system of online financial transactions bases authentication solely on knowing enough information. If an attacker knows the victim's correct 16-digit credit card number with its CVV2 number, the correct login and password, and the victim's address, the attacker can make transactions in the victim's name. While banks are moving to two-factor authentication to perform transactions, the transition is slow and voluntary. Many banks simply require a username and password, and balance transfers or online bill payment services can be accessed. There is no clear attempt to move to two-factor authentication for online commerce. This leaves a system where fraudulent financial transactions can be made by an attacker who happens to get enough information, some of it in the public domain. Further, there is no small number of online locations that store credit card information (Google "5424 cvv2") where a lazy attacker could just poach another attacker's work.
To make matters easier for an attacker, most people who engage in electronic commerce do so from their home personal computers. Few people in the information technology industry are fully qualified to harden a machine against attacks from the Internet, and those who are are computer experts. Most consumers are not fully versed in the full functionality of their computers, much less how to secure them. Nor should they be expected to be experts in information security. However, our current system assumes that the consumer's PC is secure. A keylogger on a consumer PC makes it trivial to steal financial information. Even encrypted traffic can be stolen relatively easily when one of the end-points (i.e., the consumer PC) has been compromised [2].
This problem of insecure personal computers is only compounded by consumers who aren't aware of, much less practice, safe online browsing and e-mail habits [3]. According to the Bentley survey conducted in 2004, only 46% of users always update their anti-virus software. Between 30% and 60% of people simply had little to no knowledge about basic computer security issues such as viruses, spyware and safe web browsing. Most computers ship with trial anti-virus software, which surely helps, but these numbers indicate that most home users simply do not pay for updates after the trial period ends. Only recently have Microsoft and anti-virus vendors integrated an anti-spyware strategy into their products. Likely many more users have not installed anti-spyware software even though many programs are free to download.
What this creates is a ripe environment for attackers to operate in. There are computers out there with financial data that do not have adequate protection, are operated by unsophisticated users, and likely aren't patched as frequently as those in a corporate environment. Even corporate environments have a hard time keeping up with their protection; it simply isn't a feasible strategy to assume that consumers, with fewer resources than large companies, can keep pace with a constantly changing information security landscape.
The entire identity regime in the United States is based on a unique 9-digit number called a Social Security Number. This number is required to open bank accounts, it is used for identifying credit files, it is often used to identify medical records, it is required by educational institutions; in short, this number is used as a unique identifier which is the basis of all other identifying documents. The problem is that this identifier is used so ubiquitously that it becomes easy to steal. Several sites even use Social Security Numbers as logins (most infamously, student loan agencies)!
Every month it seems there is another story in the press about a laptop getting stolen or backup tapes getting lost that include Social Security Numbers or other financial information. Some of these instances, such as the Department of Veterans Affairs breach, impacted tens of millions of Americans. With the number of instances of theft and compromise of Social Security Numbers, we are approaching a situation of complete compromise of the entire pool of Social Security Numbers.
The theft of a Social Security Number would not be such a big deal if it were not for the fact that knowledge of that number allows malicious individuals to access credit records, open financial accounts or even steal the identity of the victim. Though identity theft can take place, and mostly does take place, using offline methods, the possibility of massive compromise of a large number of victims in a short time via the Internet cannot be ignored. In 2002, one estimate placed identity theft losses at $24 billion. In 2003, that estimate was $73 billion [4] from both online and offline attacks.
Lastly, information security tends to be practiced in a reactive manner. A new virus is released and caught by an anti-virus company, who begins to work on a signature. Usually within 24 hours they have a signature out, with most anti-virus software updating its signatures daily. This gives a maximum of 47 hours where a virus is known and operating in the wild, successfully compromising machines that are protected. Even before detection, exploitation is occurring. This means machines are being compromised and information stolen hours if not days before protection is available.
In addition, personal computers in general will trust all software unless it is specifically rejected by the anti-virus or anti-spyware systems. Instead of a regime of least privilege, where only trusted software can run, these computers run under a regime of most privilege, where anything, including unknown but malicious code, can run without obstruction.
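As an added illustration of the two preceding paragraphs (this is example code written for this edit, not from the original thesis), the following models a host under both regimes over a 72-hour timeline. It assumes a constructed malware sample appearing at hour 0, a vendor signature written at hour 24, and the host's daily update installing that signature at hour 47; the programs are constructed byte strings standing in for real binaries.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    content: bytes  # constructed stand-in for an executable image


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample programs (not real binaries).
BROWSER = Program("browser.exe", b"constructed trusted browser image")
NEW_MALWARE = Program("update.exe", b"constructed malware released at hour 0")

# Least-privilege regime: hashes the owner explicitly trusts, fixed in advance.
ALLOWLIST = {sha256(BROWSER.content)}

# Reactive regime: a signature for NEW_MALWARE only protects the host once the
# vendor has written it (hour 24 on the thesis timeline) and the host's daily
# update has pulled it in (assumed here to land at hour 47).
SIGNATURE_INSTALLED_AT = {sha256(NEW_MALWARE.content): 47}


def runs_default_allow(program: Program, hour: int) -> bool:
    """Most-privilege regime: anything runs unless an installed signature blocks it."""
    installed = SIGNATURE_INSTALLED_AT.get(sha256(program.content))
    return installed is None or hour < installed


def runs_default_deny(program: Program, hour: int) -> bool:
    """Least-privilege regime: only allowlisted code runs, at any hour."""
    return sha256(program.content) in ALLOWLIST


def window_of_vulnerability(program: Program, horizon: int = 72) -> dict:
    """Hours in [0, horizon) during which `program` would execute under each regime."""
    return {
        "default_allow": sum(runs_default_allow(program, h) for h in range(horizon)),
        "default_deny": sum(runs_default_deny(program, h) for h in range(horizon)),
    }


if __name__ == "__main__":
    for p in (BROWSER, NEW_MALWARE):
        print(p.name, window_of_vulnerability(p))
```

The malware runs for 47 hours under the reactive regime and never under the allowlist regime, while the trusted browser runs throughout under both.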
That patch cycle also creates problems. If the vulnerability stays secret before the patch is released, there are about four days, at best, between the patch being released and exploits being seen in the wild. If the vulnerability gets out before a patch is released, there could be a long period where the exploit has free rein to attack machines. The worst recent example of this window of vulnerability was the WMF exploit [5]. There were over two weeks between the discovery of the WMF exploit and the out-of-cycle patch being issued by Microsoft. In the meantime, over 200 different attacks were used in the wild to exploit this vulnerability, some of which created botnets. While there are about 4-6 days between a vulnerability becoming known and an exploit being released, the time to develop a patch is about 40-60 days [7].
The reactive nature of signature-writing and patching means that attackers will be successful for some variable span of time in exploiting and taking over machines. While research continues to make that span of time shorter, the window of vulnerability still exists. There are also new techniques emerging that avoid detection of an exploit by anti-virus/anti-spyware vendors, which would increase the window. Sun Tzu in The Art of War says that victory in war is impossible once the initiative has been surrendered. For the most part, the initiative has been handed over to the attackers, which is why they keep winning.