PLEX86
Caller ID "spoofing" 2974

Caller ID "spoofing" 2976

ref: and of course, whole collection of past posts mentioning ssl certificates and exploring numerous aspects of the whole paradigm. basically the current certification is to prove that the applicant for a SSL domain...

ref: note that pin is part of shared-secret infrastructure.

Caller ID "spoofing" 2977

I'll give you a perfect example. I am having enormous problems trying to do my state income tax forms. Yesterday I went to the library to...

from 3-factor authentication,

* something you have
* something you know
* something you are

where multi-factor is considered more secure if the different factors are subject to different threats-vulnerabilities. pins ("something you know") were somewhat countermeasures to lost-stolen card ("something you have"). however, reading magstripe on the card was representation-proof of unique "something you have". by the early 90s, skimming technology was starting to appear that represented a common threat to both pins ("something you know") and cards (reading magstripe to establish proof of "something you have").

discussion of some vulnerability characteristics

some URLs from earlier in the week about current attacks on PINs

some URLs from today on PIN attacks:

* PIN Scandal 'Worst Hack Ever'
* Worldwide Wave of Debit Card Fraud
* Debit-card fraud continues
* New Theft Scam Targets Debit Cards
* Worldwide Wave of Debit Card Fraud

Caller ID "spoofing" 2975

there has been lots of recent discussions on mitm and spoofing attacks on internet banking ... with attackers doing website impersonation for harvesting and skimming (phishing) information that then can be used for fraudulent...

basically all 3-factor types can use "static data" authentication mechanisms ... i.e. information that can be recorded and later reproduced for fraudulent purposes. this falls under the general category of "replay attacks".

for multi-factor authentication to be effective, different factors need to be subject to different threat-vulnerabilities. in the case of the general category of "replay attacks" ... at least one of the factors needs to be resistant to recording and later replay-reproduction.

this analysis can also be approached from the standpoint of availability and "no-single-point-of-failure" ... although in this case it is more like "no-single-point-of-attack".

misc. collected posts on high-availability

misc. other past posts mentioning "static data" and-or "replay attack" threats-vulnerabilities:
Alt Folklore Computers from Newsgroups