When surfing the Web for something as simple as a new book or pair of shoes, an alternative to the username and password
system seems like a great idea. It spares users the laborious task of remembering multiple usernames and passwords, or even
of re-entering credit card information for each site visited while shopping. However, it is all too easy to forget that the
fastest growing crime on the Internet is identity theft, and aside from limited user savvy, a foolproof way to prevent this
crime does not exist.
CardSpace and Attacks
Microsoft’s CardSpace system was at first deemed the answer to eliminating the rat race of username and password
memorization. Yet, as Sebastian Gajek, Xuan Chen and Jörg Schwenk, three researchers at the Horst Görtz Institute for
IT Security at Ruhr University Bochum, have shown, even the seemingly most efficient steps taken towards solid privacy
techniques can be attacked.
When shopping in the virtual world, attackers are essentially invisible. The traditional system of relying on the
username/password combination for website registration has one main drawback: passwords can be stolen.
“It is much more difficult for users to recognize attack activity in the Internet. As more and more high-value transactions
take place in the Internet today and the Internet does provide more convenience for attackers, I could imagine that attacks
in the Internet would become more commonplace in the future,” researcher Xuan Chen pointed out.
Because of how quickly users jump between sites, they can easily be tricked into “freely” giving personal
information to insecure entities. Although there are a number of ways a user can verify the legitimacy of a website,
the average Internet user doesn’t even realize that many of these exist.
“Do not share any personal information if you are not 100 percent sure about the transaction,” Chen suggested. “Most users
cannot tell which privacy settings are related to sharing personal information on the Internet.”
One way scammers gain personal information is through phishing, where they trick users into
opening a malicious e-mail. The e-mail invites users to visit a fake website mirroring a real one and to enter
personal information, such as a password, to log in to the site. As when initially registering for a website, users are the
ones deciding which websites to trust with their personal information and which e-mails to open and click through. Since
fake sites can display the same graphics as real sites, steps need to be taken to differentiate the two. A
website needs a better way to prove its legitimacy to users, and users need to more readily determine what level of
assurance they’re getting. In the end, it’s up to the user to decide whether to trust a website.
It also matters whether a user types the full or the shortened version of a website address. If a user types the
shortened version, the site’s certificate no longer matches the address typed, the browser treats it as invalid, and the
user must click away the warning page.
“Although the new IE7 warns users
of an invalid certificate with a whole warning page now, we still cannot guarantee that users will always pay attention to
the warning. Apart from the user’s lack of knowledge, many legitimate websites also have certificate problems,” Chen said.
“Can you still expect an inexperienced user to realize the importance of the warning page if even the legit Web server cannot
pass the certificate check? Or can you expect an inexperienced user always to remember which website has and which doesn’t
have a valid certificate?”
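The mismatch Chen describes comes from the hostname check a browser performs against the names in a site’s certificate. The following is an added example, not code from the article or the researchers: a small RFC 6125-style hostname matcher run against constructed certificate contents, showing why a certificate issued only for the full address is rejected when the shortened one is typed, and how a certificate that lists both names avoids the warning.

```python
"""Browser-style certificate hostname matching (added example, constructed data).

A certificate carries one or more names (subjectAltName dNSName entries, or
the older subject CN).  The browser compares the host the user typed against
those names; any mismatch produces the warning page described in the article.
"""
from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Minimal stand-in for the identity fields of an X.509 certificate."""
    subject_cn: str
    san_dns: list = field(default_factory=list)  # subjectAltName dNSName values


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    Rules applied (as browsers do): comparison is case-insensitive; a wildcard
    is allowed only as the entire left-most label, matches exactly one label,
    and may not cover a bare two-label name such as "*.example".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial-label or overly broad wildcard is rejected
    if len(p_labels) != len(h_labels):
        return False  # "*" never spans more than one label
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Certificate, hostname: str) -> bool:
    """If the certificate has SAN dNSNames they are authoritative; the subject
    CN is consulted only when no SAN entries exist at all."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_name_matches(name, hostname) for name in names)


if __name__ == "__main__":
    # Constructed shop certificate issued only for the full "www." address.
    shop_cert = Certificate("www.shop.example", ["www.shop.example"])
    for typed in ("www.shop.example", "shop.example"):
        verdict = "ok" if hostname_matches(shop_cert, typed) else "WARNING PAGE"
        print(f"user typed {typed!r}: {verdict}")
    # Listing both names in the SAN is the fix on the server operator's side.
    fixed_cert = Certificate("www.shop.example", ["www.shop.example", "shop.example"])
    print("with both names in SAN:", hostname_matches(fixed_cert, "shop.example"))
```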
Microsoft’s CardSpace eliminates the password creation step. When a user needs to sign in to a website or online service,
CardSpace automatically appears as a pop-up with a set of InfoCards from which the user can choose. Each card has
identity information associated with it, kept by an identity provider such as a bank or employer. The user can
opt for self-issued cards, which hold limited personal information, or managed cards, which are created by third-party
providers. The user clicks on a card and an encrypted security token (carrying the personal information associated with it)
is sent to the website. When a user first installs a card on his system, he has to accept the security tokens issued by the
identity provider for the card. Then, for each new website visited, he is given the opportunity to send digital identity
information, eliminating the need for the username/password identifier.
Although CardSpace is meant to improve trust between legitimate websites and users, in part by relying on stronger
certificates, the system is not altogether free from risk. In their attack demonstration, Gajek, Schwenk and Chen showed that
attackers can modify domain name server settings so that the user arrives at both the real CardSpace website for a shop and
the fake one. Since users are unable to distinguish the real site from the fake one, they become victims of DNS
spoofing, one of the biggest security issues on the Internet.
Chen spent six months studying the CardSpace Metasystem and two additional months with the team working to create and
implement the “proof-of-concept” attack. According to Chen, the attack was conducted under real world conditions—no
special “rigging” was done.
“Our purpose is not to develop a perfect attack against CardSpace. Instead, we just want to point out that there is a
possibility for such an attack and warn people and Microsoft about it and hope that Microsoft could improve the CardSpace
system accordingly. That’s also why it is called a ‘proof-of-concept’ attack. A creative real attacker may possibly apply
such an attack in a much better way,” Chen said.
Microsoft is currently working to rectify the problem that has arisen between users’ knowledge and information verification.
All in all, using CardSpace is more time efficient than remembering multiple username and password combinations. And, as
proven by Gajek, Schwenk and Chen, the average Internet user needs to become more educated in the world of Internet trust and
stay aware of common clues that a website is not legitimate.