New Application Protects Mobile-Phone Passwords
The application uses a novel technique to confuse a thief. When a wrong master password is entered, MobileSitter returns a fake password that matches the format for a given account. For example, if a bank ATM PIN consists of five digits, MobileSitter returns a five-digit fake password. This makes it harder for thieves to determine whether they have, in fact, guessed the master password correctly.
"Right now, users are very much exposed if their handset is stolen, unless they're using a Blackberry, which can be remotely wiped," said Avivah Litan, a research director at Gartner Group. "I don't think people realize how vulnerable they are. We put everything on those phones."
Password-vault applications like MobileSitter are becoming more important as consumers turn to their mobile devices to track passwords for a growing number of accounts, such as email and Web services, as well as physical devices, such as door-lock key codes and ATMs. In Germany, the number of passwords is also increasing with PIN requirements for ID and medical-benefits cards, said Ruben Wolf, one of MobileSitter's lead developers at Fraunhofer.
The application runs directly on any Java-enabled cell phone. The institute is selling the application directly to consumers and also to institutions such as banks in branded versions for promotional giveaways.
The Password Conundrum
Password complexity has increased over the past several years, along with increases in the number of online services and Internet financial transactions. Many users face a dilemma in trying to balance security and convenience. At one extreme, many settle on weak passwords or reuse the same password across several different services. Hackers who guess this one password can theoretically access the user's email, bank account, or stock-trading services.
"Given the security and privacy problems with many major websites, it's more and more important for users to follow good security practices," said Ellen Craw, general manager of Ilium Software, which makes the eWallet. In an analysis of 32 million Facebook passwords earlier this year by Imperva, a security software vendor, 30 percent of all passwords were six characters or less, and nearly half had easily guessable names. The most common password was "123456."
Users who create multiple, more-secure passwords must remember unique codes for each service or site. Internet browsers that remember a user's login credentials and allow automatic connection in the future mitigate this problem somewhat. Another tactic is to make a clear-text list of passwords and store it on your phone.
In both cases, if your phone is stolen, the thief has easy access to your accounts. This puts you in a race to deactivate or change all your login credentials before your money is stolen or your account settings are changed to lock you out of the services.
Enter the Password Manager
Several password-management applications have emerged to provide security that improves on storing passwords in the clear. These tools let users store many individual, highly complex passwords in an encrypted database that can be unlocked with a master password. Many of these applications were initially developed for personal computers and subsequently ported to mobile-phone devices. They include the Ilium eWallet, RoboForm Mobile, SplashID, and the open source applications KeePassMobile and Password Safe.
With these tools, users can consolidate password management and store it in one place for multiple devices to share. Applications like RoboForm Online even make it possible to share passwords via an online service. With all these applications, anyone who enters a wrong password gets an error message in return.
As a result of security concerns, the password-management field has flourished. Password vaults now have tens of millions of users, noted Bill Carey, vice president of marketing at Siber Systems, which makes RoboForm.
Building a Better Vault
However, Fraunhofer's Wolf said that sophisticated thieves can crack the master passwords by using brute-force attacks that test millions of passwords until they find a valid one.
In some cases, password managers have weaknesses that require no specialized software to run such attacks. For example, the Fraunhofer Institute has successfully attacked Code Memo, the password manager installed by default on most Sony-Ericsson phones, using standard tools not intended for hacking (www.mobilesitter.de/downloads/security-codememo.pdf). But there are also hacker tools specialized for the job. They include Firemaster for Firefox, OphCrack, and Cain & Abel, and others found at Elcomsoft, Objectif Sécurité, and OpenWall Password Recovery Resources.
Some password-manager developers have taken countermeasures. By introducing time-consuming calculations into each master-password test, they've slowed down brute-force attacks on the device itself. However, some hacking tools let attackers offload the encrypted data to a PC, where they can execute the attack much faster.
Because MobileSitter will return a seemingly valid password, attackers gain no advantage in trying to crack the password vault. They would still have to attack each password individually. Eventually, the online service or ATM would lock them out.
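The following is an added illustration, not MobileSitter's code and not a description of its actual design: a toy vault that stores a numeric PIN behind a key-derived modular pad, so that any candidate master password decrypts to a well-formed PIN of the same length (the format-matching fake described at the top of the article), placed beside a conventional vault that authenticates the master password and therefore hands an offloaded brute-force attack a clear right/wrong signal (the problem discussed in the preceding two paragraphs). PBKDF2 as the slow step, the modular pad, the HMAC tag and all sample values are this example's own choices.

```python
import hashlib
import hmac
# Constructed demo parameters; a real vault uses a random salt and far more
# KDF iterations (the "time-consuming calculation" the article mentions).
SALT, ITERATIONS = b"constructed-demo-salt", 5_000

def derive_key(master: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master.encode(), SALT, ITERATIONS)

def digit_pad(key: bytes, ndigits: int) -> int:
    # Key-derived value in [0, 10**ndigits) used as a modular one-time pad,
    # so subtracting it under *any* key lands on a well-formed PIN.
    return int.from_bytes(hashlib.sha256(key + b"pad").digest(), "big") % 10**ndigits

def decoy_encrypt(master: str, pin: str) -> dict:
    n = len(pin)
    return {"ndigits": n, "cipher": (int(pin) + digit_pad(derive_key(master), n)) % 10**n}

def decoy_decrypt(master: str, rec: dict) -> str:
    # Never fails: a wrong master password yields a plausible fake PIN of the
    # right length, so an offline guesser gets no confirmation signal.
    n = rec["ndigits"]
    return str((rec["cipher"] - digit_pad(derive_key(master), n)) % 10**n).zfill(n)

def checked_encrypt(master: str, pin: str) -> dict:
    # Conventional vault: the record carries an authentication tag.
    rec = decoy_encrypt(master, pin)
    rec["tag"] = hmac.new(derive_key(master), str(rec["cipher"]).encode(), "sha256").hexdigest()
    return rec

def checked_decrypt(master: str, rec: dict):
    # Returns None ("wrong master password") on a bad guess, which is exactly
    # the oracle an offloaded brute-force attack relies on.
    key = derive_key(master)
    tag = hmac.new(key, str(rec["cipher"]).encode(), "sha256").hexdigest()
    return decoy_decrypt(master, rec) if hmac.compare_digest(tag, rec["tag"]) else None

def plausible_results(decrypt, rec, candidates) -> int:
    # Simulated offline guessing: how many candidate master passwords give
    # output the guesser cannot reject as wrong?
    return sum(1 for m in candidates if decrypt(m, rec) is not None)

MASTER, PIN = "correct horse battery", "48213"        # constructed sample data
CANDIDATES = ["123456", "password", MASTER, "qwerty"]  # constructed guess list

if __name__ == "__main__":
    decoy, checked = decoy_encrypt(MASTER, PIN), checked_encrypt(MASTER, PIN)
    print("decoy vault, wrong master ->", decoy_decrypt("password", decoy))       # a 5-digit fake
    print("checked vault, wrong master ->", checked_decrypt("password", checked))  # None
```

Against the same four guesses, every candidate survives the decoy vault while only the true master password survives the checked vault; as the next paragraph notes, the decoy approach protects only the fields that are actually encrypted.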
One limitation of MobileSitter's current implementation is that it encrypts only passwords. Other password vaults encrypt the account names as well, noted Christoph Sperle, one of KeePassMobile’s developers. "An attacker that knows MobileSitter is aware that the decrypted passwords are fakes," he explained, "but may be interested in the rest of the information the database provides, such as the account number of the user's bank, his Visa card number, Gmail account name, or the chat sites he uses and nicknames at the site."
At the moment, no one is certain of the extent to which existing password vaults have been compromised, Wolf said. Fraud reports often don't account for how the attackers succeeded, and compromises could come from network wiretaps, malware, broken password vaults, or social engineering such as pretexting to trick the information out of an employee. "But what is clear," Wolf concluded, "is that the sheer existence of so many tools and Web services for recovering lost passwords points to evidence that existing password vaults can be hacked."
George Lawton is a freelance journalist based in Guerneville, CA. He can be reached via his website at http://glawton.com.