Ben Laurie blathering

23 Oct 2009

Just How Bad are IDNs?

Filed under: Security — Ben @ 17:11

IDN, in case you didn’t know, stands for “Internationalised Domain Name”. Or something like that. In short it is the highly dubious idea that you should be able to define domain names in any script you like. I thought I’d written before about how this leads to homograph attacks, but I can’t find the post. Perhaps it was so long ago it was before I was blogging?

Anyway, this problem didn’t go away and I was recently pointed at this rather fine slide deck explaining all the problems with IDNs. Well worth a read if you want to see why IDN should be eradicated.

Unfortunately the uselessness that is ICANN thinks that IDNs are politically super-important, and are all tied up with control of the root. So the hell with security, making sure DNS stays in the hands of the US, err, I mean ICANN, is far more important.

“We Used To Be More Secure”

Filed under: Security — Ben @ 17:01

A couple of days ago I went to my bank to do a CHAPS transfer for a great deal of money. Buy-a-house kind of money. I didn’t want to have any problems when I got there, so I called them to find out what I should take. Of course, I can’t talk to my bank (Barclays) anymore, so I got a call centre in India. They told me I’d need ID and a utility bill – this one amuses me since these days no-one gets utility bills: it’s all electronic. And anyway, all my utilities are in my wife’s name. I called them again a while later to try to make an appointment (I can’t, apparently) and this time they told me two forms of ID and no mention of the utility bill. So, I headed off to the bank with passport, driving licence and a TV licence (hey, TV is a utility, isn’t it?) in hand.

When I got there we sat down with a bank employee who asked me for my cash card. He stuck it into a PINsentry and asked me to type my PIN. On that evidence alone, we proceeded to transfer enough money to fund a small country. I find this a little scary. Anyway, when I reviewed the documentation, which I had to sign, it had a little box about ID verification, into which he’d typed “PIN xxxx + SRS” – “xxxx” was (part of?) the code from the PINsentry. I asked him what “SRS” meant and he explained it meant he’d checked my signature. In fact, he hadn’t, but he proceeded to do so at that point, commenting that he already knew what my signature looked like, presumably to explain away why he hadn’t done the check before…

Anyway, at this point my wife mentioned that we were rather expecting them to check ID and stuff, to which he responded in a way I feel sure was not authorised by the bank: “well, we used to be more secure but now the bank believes that PINs are the highest level of verification”. I explained to him why I disagreed with the bank. He didn’t argue with me.

Oh yes, the signature check? He wasn’t even in the room when I signed. For all he knew I carefully copied it from a crib sheet. So, all that’s standing between me and complete emptying of my bank account is my PIN. But hey, the only way anyone other than me could know that is if I told them, isn’t it? So it would serve me right, obviously.

Powered by WordPress