Flaw found in securing online transactions

Feb 16, 2012
Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

A program used to generate random number sequences for encrypting worked properly 99.8 percent of the time, meaning that two out of every thousand "keys" wouldn't thwart crooks or spies, the report warned.

"We found that the vast majority of public keys work as intended," said a report based on work by a team of US and led by Arjen Lenstra of Ecole Polytechnique Federale de Lausanne (EPFL).

"A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security."

Online rights champion (EFF) supplied key data for the research, and said that Lenstra's team found tens of thousands of keys that essentially failed to guard data in supposedly encrypted online sessions.

"The consequences of these vulnerabilities are extremely serious," the EFF's Dan Auerbach and Peter Eckersley said in a blog post.

"In all cases, a weak key would allow an eavesdropper on the network to learn , such as passwords or the content of messages, exchanged with a vulnerable server."

Hackers could also pose as trusted websites, such as an online bank, in what are referred to as man-in-the-middle attacks, according to the EFF.

The non-profit EFF said it is working "around the clock" with EPFL to warn operators of using encryption keys offering no protection.

Explore further: Computer scientists can predict the price of Bitcoin

add to favorites email to friend print save as pdf

Related Stories

Experts uncover weakness in Internet security

Dec 30, 2008

Independent security researchers in California and researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands have found ...

Ore. senator, others cited by digital-rights group

Nov 01, 2011

(AP) -- An Oregon senator who was behind a 1996 federal law that has made content-sharing services such as YouTube and Facebook possible is among three recipients of Pioneer Awards from a leading digital-rights group.

They're watching you: Methods to block nosy Web advertisers

Oct 29, 2010

Virtually everything you do online is scrutinized by search engines and advertising networks that evaluate you as a potential customer based on what you search for, the sites you visit and the ads you see -- whether you click ...

Recommended for you

Tablets, cars drive AT&T wireless gains—not phones

2 hours ago

AT&T says it gained 2 million wireless subscribers in the latest quarter, but most were from non-phone services such as tablets and Internet-connected cars. The company is facing pricing pressure from smaller rivals T-Mobile ...

Twitter looks to weave into more mobile apps

2 hours ago

Twitter on Wednesday set out to weave itself into mobile applications with a free "Fabric" platform to help developers build better programs and make more money.

Blink, point, solve an equation: Introducing PhotoMath

3 hours ago

"Ma, can I go now? My phone did my homework." PhotoMath, from the software development company MicroBlink, will make the student's phone do math homework. Just point the camera towards the mathematical expression, ...

Google unveils app for managing Gmail inboxes

4 hours ago

Google is introducing an application designed to make it easier for its Gmail users to find and manage important information that can often become buried in their inboxes.

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

Royale
not rated yet Feb 16, 2012
Any next step? As a network admin it would be great to see some kind of action I can take here...
tadchem
not rated yet Feb 16, 2012
Finding the flaws in a defense is tactically an "offensive" gambit; patching those flaws is "defensive". Logically the initiative always belongs to the offense.
@royale: As a network admin your obvious course of action is to test all keys used in your network and replace all those found to be flawed. The hard part will be to get the test protocols used in this study.
Paul_Harrington
not rated yet Feb 16, 2012
Beta-decay chip level random number generators and/or 'sound' cryptographically algorithms are needed. As known, via experience, flaws are often traced to algorithms that are underdetermined sufficiency proofs. Many others have flawed implementations.
Royale
not rated yet Feb 16, 2012
If only it were that easy tadchem... This would be something where a patch is necessary. You don't just look through 'keys' to pick out bad ones. A random number generation program with flaws doesn't have 'keys' that you can look at and change.. I suppose I just have to keep a note of this and hope something further comes out.