Alskar wrote:Here's where I am coming from: In the late 90's I was part of the Digital Display Working Group (DDWG), the group that created the Digital Visual Display (DVI) standard. The Motion Picture Association of America (MPAA) was very troubled by the idea of their copyrighted content being sent over an unencrypted digital interface. Intel, the promoter of DVI, created the High-Bandwidth Digital Content Protection (HDCP) standard to assuage their fears. I sat in numerous meetings where "cryptology experts" expounded on the difficulty of cracking HDCP. They put into place elaborate key revocation and protection methods. The MPAA was happy. DVI rolled out (if my memory serves) in 1999. On November 5, 2001, Scott Crosby from Carnegie Mellon and some others from Berkley presented a paper "A Cryptanalysis of the High-bandwidth Digital Content Protection System" (
http://www.cypherpunks.ca/~iang/pubs/hdcp-drm01.pdf) that outlined how to get around HDCP. HDCP lasted less than two years before it was compromised. In 2010 the HDCP master key was hacked with $250 worth of hardware (
http://www.engadget.com/2010/09/14/hdcp ... y-protect/). At this point HDCP is nearly useless.
During roughtly the same time frame, I was also sitting on the IEEE 802.11 committee. Wireless security was a huge concern. I sat in the audience during one presentation on the new "unbreakable" encryption system. Apparently unfamiliar with the term "hubris", they named the new standard "Wired Equivalent Privacy" or WEP. In less than 18 months I sat in another conference room and watched another "crypto expert" hack the WEP password and break into a random audience member's laptop in less than 8 minutes. That led to TKIP which led to WPA. I understand that WPA can now be hacked in less than 1 minute:
http://www.pcmag.com/article2/0,2817,2352231,00.asp
Numerous other encryption systems have fallen. The Content Scrambling System (CSS) used to encrypt DVD's is now considered worthless. The RSA tokens were hacked. Just today the WSJ and the NY Times announced they were hacked (
http://www.cnn.com/2013/01/31/tech/chin ... index.html
You are missing the point that for a financial institution
security is a multi-layered system. All of your examples are of security in a single layer system that rely solely on encryption. I agree that all such systems are susceptible to being broken. But that is not what we are dealing with here. For one thing, unlike all of your examples you can't merely throw computing power at decrypting the password, the system won't let you do it directly and other parts of the system are in place to keep you from doing it indirectly. Real security professionals have also read Mitnick's book, those holes are no longer so easy to find. Also, by the way, there is no such thing as a password hash file that can be easily removed when we are discussing systems like this. Generally speaking the hashed and salted passwords reside in protected databases that can only be addressed via the web through a middleman application that is only allowed to ask a limited set of questions. Of course, there will be some people with direct, internal access to the database. But if you can suborn the database administrators, then access to the password hashes is immaterial.
And that's just the start of it. Even if you somehow manage to get in, say through a phishing attack in which you get the customer to simply give you the username and password, you still can't steal anything due to Vanguard's process requirements. If you change the address or bank, you have to wait two weeks before they will transfer any funds. During which time they notify you via e-mail and mail of the change. They also won't transfer into banks unless the names on the accounts match (there are exceptions for trusts and the like, but they require jumping through several hoops such as getting bank signature guarantees). I'm sure the MPAA could live with a system where, if a DVD were decrypted, they were immediately notified and they decryptor couldn't do anything with it for two weeks.
Finally, your own examples show the futility of relying on just stronger encryption for security. WEP-128 passwords are 26 characters, WPA is 63. HDCP is weaker than WEP-128. The point is that anything long enough to make decryption truly difficult actually decreases security, since most users would have to store the passwords on a file on their computers which makes them vulnerable to all sorts of trojan attacks.
Again, for the security
system that financial institutions must have, 10 characters is enough.
Consider your ATM card. It relies on passwords of just 4 numbers. That's just 10,000 possibilities (as opposed to the 26,559,922,791,424 of Vanguard passwords). Why is this acceptable? Because the ATM card is part of a
security system that is designed to not let you get through those 10,000 possibilities.