1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

what is PassWindow?

Discussion in 'Off Topic' started by erich37, Oct 16, 2011.

  1. erich37

    erich37 Well-Known Member

    I just found this website regarding security.
    http://www.passwindow.com

    Do you know this service? Is it good or not ?

    Many thanks!
     
  2. Fred Sherman

    Fred Sherman Well-Known Member

    Kind of interesting, but limited. The key permutations are finite so I doubt it can scale to extremely large numbers without making the viewing window insufferably larger.

    It will ever be adopted in the corporate world. Too many challenges.

    Limited appeal to those paranoid about their personal electronic security - which should be everyone.
     
  3. Slavik

    Slavik XenForo Moderator Staff Member

    Too much effort for the end user
     
  4. erich37

    erich37 Well-Known Member

    yeah, looks like a lot of effort.
    Just came across this website and was wondering if any of you guys is using this or have heard of it.......
     
  5. MattPW

    MattPW New Member

    Hi Fred, thought id respond. If you look at how its done with an animated challenge the actual size of the passcode can be as large as you like without increasing the size of the key pattern, it just adds extra frames to the animation. In this same way you can easily add entropy to the challenges so that hacker analysis becomes impossible. There is a whole thing on this on the security page of the website.
    It is being used in the corporate world.
    Paranoid wise there really is practically no personal security anyway, any physical device you have can be spoofed, replaced with a dummy, MITM'ed etc if an attacker can get personal access to you and the device. And in the case of RFID well they dont even need that much personal access and the news/youtube is full of how that is working out. Im sure weve all seen the biometric spoofing videos on youtube or at blackhat etc. We could spend a few bucks and put a keypad or biometrics etc over an electronic window but in practical terms it doesnt help personal security much and the cost goes from a piece of plastic to over $10. In any case this is not how the majority of computer fraud/hacking is happening and so isnt passwindows focus, its all online with malware/trojans etc and this is where passwindow security excells. Id like to hear what you think would be a better alternative?
     
  6. MattPW

    MattPW New Member

    Hi Slavik, re effort its easier and quicker than any other 2 FA ive used, by the time any of the USB devices have registered with the OS passwindow is done. The tokens are all hardcoded at 6 or 8 digits no matter what, while passwindow can be customized for x number of digits for x authentication. And I can carry my card securely in my wallet instead of dangling around open on keychains or more usually left at home in a drawer as most pople do. But the real comparison should be for transaction authentication, USB, tokens, mobile etc they can all be MITM like spyeye etc already do. Transaction authentication is the only thing you can do to stop it and have you ever done transaction signing on the high end token devices which are the size of scientific calculators? Its a nightmare and takes up to 10 minutes if you dont enter any of the 40+ digits back and forth incorrectly. And even then this manual transaction authentication method has been successfully bypassed by trojans feeding the user garbage and then convioncing them the electronics is broken and therefore needs to be reset. Id be interested in hearing your proposal for this level of online security.
     
  7. MattPW

    MattPW New Member

    Hi Erich, might look like alot of effort but in practical terms its actually one of the easiest, in fact there is already alot of people using the method through www.shieldpass.com authentication service where you buy cards and then plugin the code to a website or online service and everyone using it loves it in comparison to the alternatives which either offer no practical security gains or are a nightmare to actually use or setup. Obviously I use it everyday myself but objectively knowing its always going to work on any device without mucking around with drivers or strange operating systems is a massive bonus. It really depends what its being used for and how paranoid people want to be about different things. Personally I set it to 3 digit codes for non important things like viewing admin charts etc and then have 6 or 8 for actually making admin changes. I cant get that level of flexibility with any other system which isnt vulnerable to various MITM attacks.
     
    erich37 likes this.
  8. Slavik

    Slavik XenForo Moderator Staff Member

    Hi Matt,

    Thanks for taking the time to reply, the problem I see is that your own system (if I understand it right) is just as vunerable to a MITM attack as a 1 time generation key.

    Even though you have those nice moving lines to create numbers, surely the same principal of the malware sending junk to the authentication system and sending off the 1 time key for a malicious user to quickly enter applies?

    In which case, granted the different levels of security is quite nice, how does your system provide anything more secure than a vasco key I use for my online banking, but if it came to having to get a card, hold it upto the screen and wait for the code, opposed to pushing a button, and typing in what it gives me, it still seems like a lot of extra work for the end user, and we all know in this day and age, people are getting lazier.
     
  9. MattPW

    MattPW New Member

    Hi Slavik, no problem. Many people when they look at passwindow think its just a neat cheap trick to do OTP one-time-passwords like your vasco key probably does. And yes the security value of OTP is severely weakend if a simple phishing scam with an instant messenger attached to the backend is all it takes to bypass the method. (one method hackers use) The primary method professional hackers use with trojans like SpyEye etc is MITM through injecting fake html into the browsers or network to gain the OTP value and simply pass it on to their backconnect (real connection) the only real speedbump is they have to wait for the user to want to login to their bank before they are able to steal the genuine token OTP value. Some of the trojans then fake a "session expired.." type message with a fake login if they need another OTP to validate a outgoing transfer. For many years it was considered an unsolvable problem. There are just so many ways to do MITM and there is really only one way to prevent it which is transaction authentication. This is the really special thing about passwindow any why its not vulnerable to online MITM, its the ability to encode specific transaction information into the challenge code. The essential problem with all the token OTP's is that the numbers provide no information about WHAT you are authenticating, you may think you are logging in but if the hackers control whats on the screen (HTML injection / phishing page) then you dont know what you are actually authenticating. There is one snippet demo in the website video where you can see a transaction to a specific account and the specific last 3 digits of the destination account have been encoded into the challenge alongside an OTP which the user enters. (its shown very quickly) The hacker no matter where he is in the chain even on the desktop or mobile device itself with full control over what the user see's cannot unencode the destination number and so cant authenticate his fraudulent transfer to his mule account without the user being aware somethings up. The same concept can be applied to many different transactions including just transmitting secret numbers to a user and confirming they have actually read them since its all on a loop. The actual security length of OTP is quite superflous relatively as many people try to connect it to static passwords but being an OTP a hacker gets just once chance to guess. While its nice to be able to turn it right up I feel the real value is to be able to turn it right down ie 3 digits and make it super quick and fast for low value security models ie admin statistic graphs etc. My justification for low 3 digits is an example of credit card CVV numbers have been 3 static digits for a long time and I have never actually heard of hackers just outright trying to guess even just 3 digits when the system rejects them after a single failed attempt. Of course hackers just capture the CVV along with the rest of the numbers. Hope that helps explain it all, there is some more info about it http://www.passwindow.com/security.html
    The only equivalent transaction authentication with the high end electronic tokens is what they call transaction signing devices. The few banks which give out these signing tokens disable or dont use the manual transaction signing process as its just unacceptable to the average person, it usually requires the user entering digits into the device manually then that is hashed to output 9 digits they manually enter into the website (this confirms who they are dealing with) then they get a further 9 digit code back from the website they manually enter back into the device along with 9 digits of the destination account number, this outputs 9 digits they then manually renenter back into the website and you have transaction authentication.. about 10 minutes later, 20 if you get any of the digits wrong and have to start again. It just doesnt fly with the average joe so some UK banks have transaction signing tokens but only actually use the OTP aspect for the sake of reasonable usability.
    The other downside to this scheme apart from the horrible usability is that due to its manual nature and complexity hackers reprogrammed their trojans to take advantage of that and bypass it anyway. There was some articles http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians who were using these transaction signing tokens. What the trojan did was feed the users device garbage numbers til the devices gave an error and then said on the website with MITM "we have detected your device has become unsynchronized.. click here to resync your device etc etc" which gave the user a giant string of numbers to enter in order to "fix" their broken electronic device. Hidden in this string was of course their mule account so they got the authorization code, of course i cant convince you your piece of plastic is broken or out of synchronization, I also cant ring you up and say hey im from your bank but i need to confirm your identity please give me numbers from your token which is another trick they use to get codes out of people.
     
    Slavik and erich37 like this.
  10. Slavik

    Slavik XenForo Moderator Staff Member

    Hi Matt,

    Thanks for the information. It makes for an interesting read.
     
  11. MattPW

    MattPW New Member

    No problem Slavik, actually wondering if someone would like to write a xenForo plugin for www.shieldpass.com ?
    I have a wordpress plugin and some guys are writing Joomla and Magento.
    You can dissect the wordpress plugin here https://www.shieldpass.com/wordpress.html to gauge the difficulty.
     
    erich37 likes this.
  12. Slavik

    Slavik XenForo Moderator Staff Member

    I was looking at this earlier, and while I wouldn't use it for basic log in, I would possibly use it for the ACP login...
     
  13. erich37

    erich37 Well-Known Member

    a XenForo plugin for Shieldpass would be great!
     
  14. MattPW

    MattPW New Member

    Are you interested in writing an add-on for shieldpass? It should be quite straightforward.
    In any case, everyone on this thread is welcome to create a shieldpass account and I will credit them with a free access card to play around with, just send a message with your thread username.
     
  15. Cool

    Cool Active Member

    hi all,
    may i bump this up because i would like to use my admin.php with shieldpass.

    any idea how to implement it to the admin.php?
     
  16. Cool

    Cool Active Member

    a quick and dirty solutions is:

    1) rename admin.php as explained in: http://xenforo.com/community/thread...xisting-redirect-on-server.15975/#post-210019
    to ex. admin2.php. You may use any advanced name you like as ex. a_very-secure_name.php

    2) create a file admin2.php with the content from orig. admin.php
    3) edit the file admin.php and delete the orig. code and insert the shieldpass code
    ex.:
    PHP:
    <form id="shieldpass_form" method="post">
    <?php
      
    require_once('shieldpasslib.v2.php'); //*location must be entered by you
      
    $shieldpass_public_key "your_public_key"//*must be entered by you
      
    $shieldpass_secret_key "your_secret_key"//*must be entered by you
      
    $shieldpass_user_id "your_local_user_id"//*must synchronize with user id
      
    $shieldpass_trans_id ""//*optional 3 number transaction id

      
    if (($_POST["shieldpass_user_id"]!="")&&($_POST["shieldpass_user_response"]!="")) {
          
    $resp shieldpass_check_answer($shieldpass_public_key,
                                          
    $shieldpass_secret_key,
                                          
    $_POST["shieldpass_user_id"],
                                          
    $_POST["shieldpass_user_response"]);
        if (!
    $resp->is_valid) {
          
    // Response is incorrect
          
    die("Response is incorrect.<br />Detail : ".$resp->detail." ");
        } else {
          
    // Your code for successful authentication, such as validating your user session
          
    echo "Response is correct.<br />".$resp->detail;
        }
      }
      echo 
    shieldpass_get_html($shieldpass_public_key,
                                
    $shieldpass_secret_key,
                                
    $shieldpass_user_id,
                                
    $shieldpass_trans_id);
    ?></form>
    edit the line with:
    PHP:
    echo "Response is correct.<br />".$resp->detail;
    to:
    PHP:
    // echo "Response is correct.<br />".$resp->detail;
    header("Location: admin2.php");// or the name you like
    all done...happy shieldpass
     

Share This Page