MobileSitter
 



Fraunhofer SIT

The Problem

Secret Codes Everywhere

The computer at home or in the office, the ATM, the ec-card terminal – all of them require some kind of secret code such as a password, a PIN or a TAN. And it is definitely not always easy to remember these meaningless character combinations, with all their lower and upper case letters, numbers and special characters. The increasing number of such secret codes is an additional hurdle. Some people already fail to remember their login name, even though it is not secret like a password, a PIN or a TAN.

Users occasionally try to get rid of this curse of today’s digital era by using the same password for different purposes. This may make memorizing easier, but not many users are aware of the security gap they create by doing so. A user who is really interested in keeping the secret codes safe but would still like to be able to access the passwords whenever necessary will have to use appropriate technical tools.



Little Helpers

Today a wide range of tools is available that support the administration of secret codes, thereby easing the burden on the user. But caution is advisable, because not every tool is suited for every situation or application. For example, tools that generate strong passwords are not able to handle preset passwords, PINs or TANs. Password tools installed on PCs, even if specifically developed for PCs, are completely useless when the PIN is needed at the ATM or at the ec-card terminal. Mobile data media, e.g. USB sticks with the secret codes on them, are also of no help at an ATM or the ec-card terminal, because the data cannot be read there.

Many people are therefore resorting to the infamous piece of paper with their secret codes on it, carrying it around in their wallet or purse. Or the secret information is stored on the mobile phone, today’s ubiquitous companion.



Easy Game for Attackers

If this piece of paper with all the passwords falls into the wrong hands, the user may be headed for serious trouble. He has to react very quickly, block his access or accounts and change the secret codes, always hoping that he will be faster than the attacker. This also applies to stolen or lost mobile phones.

If secret codes are stored on such a device, even if they are encrypted with a master password, the owner may face very serious consequences. As a series of tests has proven, the main problem is that users choose weak master passwords for protection, i.e. master passwords that can be cracked relatively easily with hacker tools.

An attacker may transfer the encrypted data from a mobile phone to a much more powerful computer. With the help of special hacker tools, the attacker can then try out millions of master passwords within only a second and find the correct master password within a short amount of time. These attacks are possible because current encryption technology allows an attacker to find out whether a decryption attempt with an arbitrarily chosen master password was successful or not. Once the master password has been found in this way, the attacker is able to read all the access codes. A stolen or lost mobile phone in the hands of an unauthorized user, who may also have access to the owner’s ec-card, practically clears the path for immediate misuse.



What Would Help The User?

Passwords, PINs and TANs represent information that should definitely be strongly protected. If a user decides to store this information on the mobile phone, it would be desirable if the information could be protected accordingly. Additionally, a user would benefit from a much simpler master password selection process, meaning that the user should not have to think so hard about choosing a good password that in the end he may not be able to remember it anyway. In a best case scenario, a user should be as flexible as possible in selecting the master password. Even if a master password was chosen that is listed in the huge collections that hacker tools draw on, it should not be to the user’s detriment.
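The difference between the two sections above can be made concrete with a small added example (written for this page, not MobileSitter's algorithm and not Fraunhofer SIT code): a conventional container with an integrity tag tells the holder of the stored data whether each master-password guess was right, while a tag-free digit encoding returns a plausible PIN for every guess. All names, the salt, the PIN and the guess list are constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 1000  # assumption: kept low so the example runs quickly

def _keys(master: str, salt: bytes) -> bytes:
    # 64 bytes: the first bytes serve as keystream, bytes 32.. as the MAC key.
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)

def seal_with_tag(master: str, pin: str, salt: bytes):
    """Conventional container: XOR keystream plus an HMAC integrity tag."""
    k = _keys(master, salt)
    ct = bytes(a ^ b for a, b in zip(pin.encode(), k))
    return ct, hmac.new(k[32:], ct, hashlib.sha256).digest()

def open_with_tag(master: str, ct: bytes, tag: bytes, salt: bytes):
    """Return the PIN, or None when the tag fails: a yes/no signal per guess."""
    k = _keys(master, salt)
    if not hmac.compare_digest(hmac.new(k[32:], ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, k)).decode()

def seal_digits(master: str, pin: str, salt: bytes) -> str:
    """Tag-free variant: add one keystream byte to each digit modulo 10."""
    k = _keys(master, salt)
    return "".join(str((int(d) + k[i]) % 10) for i, d in enumerate(pin))

def open_digits(master: str, stored: str, salt: bytes) -> str:
    """Every master password yields some digit string, right or wrong."""
    k = _keys(master, salt)
    return "".join(str((int(d) - k[i]) % 10) for i, d in enumerate(stored))

def not_ruled_out(guesses, try_open):
    """Guesses that the stored data alone cannot prove wrong."""
    return [g for g in guesses if try_open(g) is not None]

# Constructed sample data, not taken from any real device.
SALT = bytes(range(16))
GUESSES = ["123456", "password", "summer", "qwerty"]
CT, TAG = seal_with_tag("summer", "4821", SALT)
STORED = seal_digits("summer", "4821", SALT)

if __name__ == "__main__":
    print(not_ruled_out(GUESSES, lambda g: open_with_tag(g, CT, TAG, SALT)))
    print([open_digits(g, STORED, SALT) for g in GUESSES])
```

The tag-free variant gives no offline check only because every 4-digit string is a plausible PIN; a secret with recognizable structure, such as a password built from words, would still betray a wrong guess.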



Illusion or Reality?

Can this problem be resolved at all? And is it possible to realize such a solution technologically? Can anybody use this software?

You don’t think so? Try the MobileSitter! It solves the problem. You will only need a Java-compliant mobile phone – and the MobileSitter.

