
Surveillance State

May 8, 2008 8:00 AM PDT

IRS Web site opens door to phishers

by Chris Soghoian

A new IRS Web site that allows taxpayers to check on the status of their refund checks could lead to users being phished.

The new "Where's my stimulus payment?" site asks taxpayers to enter their Social Security number and a few other trivial bits of information before informing the user of the amount of their refund and the date it will be sent out.

While no doubt useful, this Web site sets a horrible example, and encourages dangerous behavior by users. Furthermore, in the hands of someone who knows the last four digits of a taxpayer's Social Security number, it could be used as an oracle (by submitting multiple requests) to determine the full SSN of a taxpayer.

Screenshot of the IRS Stimulus Website

(Credit: Christopher Soghoian)

The IRS is frequently mimicked by phishers. The agency even goes so far as to offer advice on its site, debunking many common phishing attacks. Furthermore, the agency has shut down more than 1,600 phishing sites claiming to be the IRS in the past few years.

From a security education perspective, it is a really bad idea to have such a form on the official IRS Web site. The IRS should not be training users (via positive reinforcement) to enter their full Social Security numbers into Web sites. It is bad enough that credit cards and banks require us to do so when signing up. The IRS has an existing relationship with every tax-paying citizen. It does not need to use our SSN to authenticate us, and could use one of many other bits of information.

Secondly, the URL, http://sa2.www4.irs.gov/irfof/IRServlet?app=IRACTC, is simply horrible. The vast majority of users will have no idea whether this is a legitimate Web site or not. Why could they not select something a bit more readable, such as "www.irs.gov/stimulus"?

At the very least, the IRS should authenticate users with additional information (such as the amount of federal taxes paid in 2008). It already does this for users who wish to e-file. This would at least stop the site from being used as an oracle to confirm or guess someone else's SSN.
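As an added illustration (not code from this post or from the IRS), here is a toy Python model of the lookup described above: the weak form, where a found/not-found difference lets anyone holding the last four digits of an SSN confirm guesses one request at a time, beside a hardened version that follows the post's suggestion of an additional secret (tax paid), a uniform response, and an attempt limit. The taxpayer record, thresholds and function names are all constructed assumptions.

```python
# Added example, not from the post: a model of a refund-status lookup
# endpoint, first as the post describes it, then hardened along the lines
# the post suggests. All records and limits below are constructed.
from collections import defaultdict

# Constructed taxpayer record; every value is made up.
TAXPAYERS = {
    "123-45-6789": {"filing_status": "single", "tax_paid_2008": 4312.00,
                    "refund": 600.00, "date": "2008-05-16"},
}


def weak_lookup(ssn, filing_status):
    """The form as described: SSN plus a trivially guessable field.
    The difference between 'found' and 'not found' is the oracle: each
    query confirms or rules out one candidate SSN."""
    rec = TAXPAYERS.get(ssn)
    if rec is None or rec["filing_status"] != filing_status:
        return {"status": "not found"}
    return {"status": "found", "refund": rec["refund"], "date": rec["date"]}


def candidates_given_last4():
    """With the last four digits known, only the first five are unknown,
    so a yes/no oracle has at most 10**5 candidates to work through."""
    return 10 ** 5


class HardenedLookup:
    """Requires a secret only the taxpayer should know (tax paid in 2008),
    answers every failure identically, and limits attempts per SSN suffix."""

    MAX_ATTEMPTS_PER_SUFFIX = 5   # constructed threshold

    def __init__(self, records):
        self.records = records
        self.attempts = defaultdict(int)   # keyed by the last four digits

    def lookup(self, ssn, filing_status, tax_paid_2008):
        suffix = ssn[-4:]
        self.attempts[suffix] += 1
        if self.attempts[suffix] > self.MAX_ATTEMPTS_PER_SUFFIX:
            # Lockout is per suffix, so a guessing run that holds the last
            # four digits fixed stalls after a handful of requests.
            return {"status": "locked"}
        rec = self.records.get(ssn)
        ok = (rec is not None
              and rec["filing_status"] == filing_status
              and round(tax_paid_2008, 2) == rec["tax_paid_2008"])
        if not ok:
            # Uniform response: a wrong SSN and a wrong amount look the same,
            # so the endpoint no longer confirms that an SSN exists.
            return {"status": "no match"}
        self.attempts[suffix] = 0
        return {"status": "found", "refund": rec["refund"], "date": rec["date"]}
```

The per-suffix counter also throttles a legitimate taxpayer who shares those four digits with a guessing run, which is the usual trade-off between lockout and availability on this kind of endpoint.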

To see why this is such a bad idea, look at the image below of a phishing scam claiming to be an IRS refund Web site. Now look at the image above, the IRS's new refund status site. Can we really expect most users to tell the difference?

Phishing site targeting the IRS

(Credit: Laughing Squid / Flickr)
January 31, 2008 7:03 AM PST

Google, PayPal introduce political-phishing defenses

by Chris Soghoian

In the last few months, both Google and eBay unit PayPal have quietly rolled out new online-payment solutions that specifically target Internet-based political-campaign contributions.

While the companies primarily pitch their new products as methods for "attracting more supporters" and "increasing online giving to your campaign," the Internet titans have also laid the groundwork for phishing-resistant campaign contributions.

Google Checkout for Political Contributions

(Credit: Google)

In a research paper released last year, Markus Jakobsson, Oliver Friedrichs, and I wrote about the looming threat of phishing Web sites posing as legitimate political-campaign sites.

The phishing problem is a particular threat to campaign sites, for a number of reasons:

  • The various campaigns use completely inconsistent naming schemes for their domains. Users have no way of knowing if they should go to Hillaryclinton.com or Hillary.com, Rudygiuliani.com or Joinrudy2008.com.
  • Politicians were nice enough to exempt themselves from antispam laws. An online store cannot send out unsolicited e-mail and ask you to buy their products, but politicians can send out hundreds of thousands of e-mails asking people to donate money.
  • While online banks have gone to great lengths to educate their users about the dangers of clicking on links in e-mails, the campaigns all encourage this dangerous behavior. At the end of e-mail messages describing the threat posed by the opposite party, potential donors are asked to click and donate.
  • Campaign contributions don't result in the sale of a physical good. If a phisher pretends to be Amazon.com and tricks a user into entering his or her credit card number, there is a good chance that the victim will figure it out when her book never shows up. However, once a donor has given money using a legitimate campaign Web site, the only thing they will ever receive is a thank-you e-mail, which can easily be spoofed by a phisher.

In our research paper, we suggested that Google and PayPal begin to offer online-campaign contribution systems. The two companies have already spent millions of dollars in establishing trusted brands--enough that millions of users entrust the firms with their credit card details and other personal information, both have Web site names that users can remember, and the two companies have well-staffed security teams that can respond in real time to phishing threats.

A couple of weeks ago, PayPal launched its "PayPal Kit for Non-Profits" product. Similarly, Google recently announced a form of Google Checkout specifically designed for political campaigns.

I'm not going to claim credit for inspiring these product deployments, as I'm sure that the legal complexities in designing a campaign contribution system are significant enough that the firms were working on the products long before my colleagues and I published our paper. However, it is nice to see that we successfully predicted the future.

Both sites pitch their products as ways for campaigns to increase the amount of money that is donated and to increase the number of potential people who will give. The massive security benefits to donors and to the campaigns (in terms of reputation damage in the event that a phishing attack occurs) are glossed over.

The introduction of these products is a great first step. However, the millions of people who donate to campaign sites are not yet safe from phishing attacks.

First, the campaigns need to all ditch their own home-brew payment-processing solutions and switch to the exclusive use of either Google, PayPal, or both.

Second, the campaigns need to stop telling users to click on links in donation solicitation e-mails.

Third, the campaigns need to engage in user education and tell people that they should not give money through anything other than Google or PayPal.

With millions of dollars per week being raised online for the presidential campaigns, this is an area that is ripe for fraud and evil activity. While the phishers have thus far not targeted campaign sites, it is surely a matter of time before they do. However, if the campaigns are smart, and start taking advantage of the tools made available to them by trusted online-payment sites, they can do much to reduce the risk that phishers pose to the online-donation process.

It remains to be seen if the campaigns will actually be wise enough to embrace Google, PayPal, and others--or if they will allow their reputations and the confidence of online users to be trashed due to an inability to see future threats.

Disclosure: I interned with Google's security team in 2006 and have received $5,000 of fellowship money from Google and the Hispanic College Fund in both 2007 and 2008.

October 17, 2007 11:09 AM PDT

Five must-have security/privacy extensions for Firefox

by Chris Soghoian

Do you consider yourself to be a privacy-aware Internet user? Are you concerned about your security online?

You've installed antivirus and anti-spyware software, which you also keep updated. You regularly update your operating system with any security patches. You have a firewall on your home computer and have locked down your home wireless network with a WPA2 password. Most importantly, you've ditched Internet Explorer and jumped on the Firefox bandwagon.

Your job is done, right? Think again.

While installing Firefox (and not using IE) is one of the most important steps users can take towards a safe online experience, Firefox is (alas) not totally safe out of the box. Luckily, Firefox provides a very flexible framework for open-source programmers and commercial vendors to create their own software add-ons for the browser. A number of these software extensions fix critical design flaws in Firefox--or simply improve transparency so that users have a better idea of where they are and which sites they're interacting with. I've selected a few of the best ones, which I highlight below.


October 5, 2007 6:00 AM PDT

The threat of political phishing

by Chris Soghoian

Later today, I will be presenting as part of a panel on the subject of political phishing at the Anti-Phishing Working Group eCrime Researchers Summit.

During the panel discussion, I will be speaking about the threats to the online fundraising model used by political candidates in the United States. While attacks in the wild have yet to be seen, there are a number of factors which make online campaign giving particularly vulnerable to phishing attacks.

To go along with my talk, Professor Markus Jakobsson and I have released a white paper which clearly explains the issues, threats and a solution to the problem. The slides for my talk are also available online at www.politicalphishing.com.

Based on advice from legal counsel, I won't be including any of the screenshots and synthetic examples of political phishing sites in this blog post. This research needs to remain 100% non-commercial, and since I get paid for this blog, I don't want to be seen as profiting from this phishing project. I'll explain the problem of political phishing briefly here, but if you find the subject interesting, I urge you to go and read our technical report or at least look at the slides.

Hillary Clinton made headlines earlier this week when it was announced that she raised over $8 million through online donations in the third quarter of 2007. In the grand scheme of online political donations, this is a fairly small sum. After all, in 2004, John Kerry raised $3 million in a single day, and $5 million over a two-day period. The reason that Hillary's financial haul is such a big story is that it is over a year before the presidential election, and she has yet to win the Democratic primary. Thus, I feel completely safe in predicting that the 2008 election will result in more online campaign donations than ever before.

The problem with this, of course, is that where the money flows, fraudsters and criminals soon follow. While banks and other financial firms regularly urge their customers never to click on links contained in e-mails, political campaigns preach the opposite message. The regular flood of campaign e-mails in my inbox attests to the fact that politicians depend on you "acting now", which usually involves either clicking on and filling out a petition, or donating funds. If Hillary Clinton's campaign (or Mitt Romney's, Fred Thompson's or any other candidate's campaign) can convince users to click on an e-mail that arrives unsolicited in their inboxes, pull out their credit cards, and give money to a Web site that they have no real way of authenticating, then the phishers can too.

One of the main problems is that candidates use such inconsistent schemes when picking a domain name for their official website. A pop quiz: Should a potential donor visit joinrudy08.com, or rudygiuliani.com, barack.com or barackobama.com, fredthompson.com or fred08.com? If a user clicks on a web advertisement that takes them to hillary08.com, how can they be sure that they are at her official campaign website?

This little taste should be enough to at least explain the risks of political phishing. While 2008 will certainly be the biggest year of online fundraising, it may also be the year that political phishing becomes a serious issue. For more information on the subject, please read our white paper and check out our slides containing synthetic political phishing emails and websites. Both are located at www.politicalphishing.com. Would you be fooled?

October 2, 2007 5:20 PM PDT

Political dirty tricks 2.0: Outsourcing voter suppression calls?

by Chris Soghoian

During my blog posts this week, I'll be focusing on ways in which the Internet can be used to disrupt elections and the political process. On Friday, I'll be giving a talk on the subject of political phishing at the Anti-Phishing Working Group eCrime Researchers Summit.

In today's post: What happens when voter suppression calls get outsourced to India? How will law enforcement track down the evildoers, and what will this mean for our elections?

Shortly before the 2006 election, voters across Virginia received calls that falsely claimed that their voting places had changed. According to a sworn statement filed with the Board of Elections, a man said he got a phone message from the "Virginia Elections Commission" telling him that he was registered to vote in New York and would be "charged criminally" if he voted in Virginia. The FBI later opened an investigation into the calls.

Karl Rove

(Credit: Whitehouse.gov / LolCat Builder)

In 2004, Michigan Secretary of State Terri Lynn Land had to put out a statement in mid-October about where to send absentee ballots after voters in the Ann Arbor area received calls telling them to mail the ballots to the wrong address.

On election day 2002, computerized hang-up calls jammed phone lines set up by the New Hampshire Democratic Party and the Manchester firefighters' union. Over 800 phone calls were made to a get-out-the-vote phone bank over the course of two hours. James Tobin, the regional director of the National Republican Senatorial Campaign Committee, was initially convicted and sentenced to 10 months in prison on charges of telephone harassment, but his conviction was later overturned by the 1st U.S. Circuit Court of Appeals. In total, the Republican National Committee spent over three-quarters of a million dollars to defend Tobin.

While these three incidents are all disgraceful examples of voter suppression tactics, the one silver lining is that the appropriate authorities were able to investigate, track the calls down to the source and, often, make arrests. This was primarily due to the fact that the calls were being made by U.S.-based companies, and thus the FBI was able to obtain call records, and then follow the money trail to the various state political organizations that had contracted out the immoral and often illegal tasks.

Which brings me to the point of today's blog post: My prediction for the next generation of voter suppression tactics.

Hunting down and prosecuting the perpetrators is not going to be so easy the next time around. If Dell and Citibank can outsource call centers to India, it makes perfect sense that sleazy political activists can do the same. By placing a few thousand miles between the call centers and U.S. law enforcement, the funders of the next generation of dirty tricks will become almost impossible to track down and prosecute. And why not? It works for the phishers. Furthermore, if the call centers use prepaid voice over Internet Protocol (VoIP) services, that adds another layer of fog that investigators will struggle to cut through.

This may not happen in 2008, or even 2010, but I'm fairly certain that it will happen eventually. Voter suppression is an immoral, yet valuable tactic used by both political parties. The only thing stopping them from using it more is the fact that it is often illegal, and at the very least, will make them look bad. If they can sever any links between the offending calls and their own squeaky clean political machines, the calls are bound to increase in number.

I jotted down a few back-of-a-napkin calculations to figure out how much it'd cost to call 1 million U.S. voters and speak to them for 10 minutes. Assuming approximately 4 cents per minute rates for VoIP calls, it'd cost around $200,000 just for the telephone time. To perform this in one day, you'd need access to about 5,500 home DSL lines (800kb upload).

Since the very act of voter suppression is already illegal, it doesn't seem too unreasonable to assume that the companies doing it would rent compromised botnets. I'm sure 5,500 bots could be rented for a very modest sum. Throw in $50,000 for setup and labor costs, and it shouldn't cost you more than $300,000 to initiate pre-recorded voter suppression calls against 1 million U.S. voters. Compared to the cost of a few commercials in Iowa, it's a steal.

The same task could be performed by live people in a foreign call center, although this would of course cost far more. However, by outsourcing voter suppression calls (both human and pre-recorded) to India and the Philippines, these next-gen Karl Roves will be able to make post-election investigation and prosecution of their crimes far more difficult, and save themselves some money in the process.

September 20, 2007 6:15 AM PDT

False security: Is Bank of America lying to its customers?

by Chris Soghoian

A bank that guarantees its online users' safety and security has direct evidence that its Web-based banking system may not be 100 percent bullet-proof.

Should that bank tell its customers? And if it doesn't, is it misleading, or even worse, lying, to them?

Bank's logo

(Credit: BofA)

Bank of America, like many other financial institutions in the U.S., has jumped on the "two-factor" authentication bandwagon. Instead of having its customers log in with just a user name and password, these new schemes require some third bit of information.

Some banks choose to issue their customers a cryptographic hardware token (a keychain with a digital display that spits out a new random number every 60 seconds). Others, especially those banks with less profitable customers, have opted instead to adopt software solutions. The advantage of this, of course, is that they don't have to spend any money to send widgets out to their customers.

BofA's SiteKey two-factor authentication system is essentially a rebadged version of the PassMark system sold by RSA/EMC. Other banks that have licensed the technology include Pentagon Federal Credit Union, Vanguard, and U.K.-based bank Alliance & Leicester. Users of SiteKey and similar systems select a graphical image and phrase, which are then displayed to them every time they log in to the Bank of America Web site from a "trusted" computer (that is, one that BofA has seen before).

According to Bank of America's own numbers (PDF), over 21 million customers use their online banking system. BofA's Web site promises customers that the SiteKey system will keep them safe, stating: "You know it's really us--when you see your SiteKey, you can be certain you're at the valid Online Banking Web site at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected."

How SiteKey Works

(Credit: Bank of America)

The problem is that all of these schemes--every single one of them--are vulnerable to a form of deception known as a man-in-the-middle (MITM) attack. Russian phishers launched a sophisticated MITM attack against the hardware-token-based, two-factor authentication scheme used by Citibank. Another group of hackers was able to rip off customers of the Dutch bank ABN Amro, which also issued hardware tokens.

On multiple occasions in 2005 and 2006, security researchers raised the alarm regarding the false promises of two-factor authentication, and in particular, Bank of America's SiteKey system. Finally in April 2007, Professor Markus Jakobsson and I announced a working demo of a successful man-in-the-middle attack against SiteKey. Based on advice from lawyers, we did not release an easy-to-use version of the system, nor were we able to provide access to the demo to others online. To provide the factual support for our claims and to demonstrate how relatively easy such an attack would be to perform, we released a screen-captured video of the demo, as well as source code that would allow an advanced user to download the SiteKey image from any remote, untrusted machine.

Our demo got quite a bit of press attention, with mentions in The Register, ZDNet and The Washington Post. One of the main points we tried to make when we put our demo online is that Bank of America is promising its customers something impossible. By telling users that the SiteKey image guarantees they are visiting BofA's Web site--and not a phishing page--Bank of America is giving its users a false sense of security. Were BofA to instead acknowledge the risks of phishing and man-in-the-middle attacks, users might be more cautious when logging into suspect Web sites.

Shortly after we released the demo, Louie Gasparini, chief technology officer for RSA's Site to User Authentication group, was interviewed by Brian Krebs at The Washington Post. He said that our attack demo "overlooks a number of back-end technologies that financial institutions use to detect fraudulent transactions."

"What they're critiquing is just the most visible piece to this technology," Gasparini added. "There is a whole bunch of risk management and fraud detection that goes on behind the scenes so that even if a user's account does get compromised, the bank can still protect that person."

Gasparini's comments mirror those of Betty Riess, a spokeswoman for Bank of America with whom I chatted on Tuesday. Riess made it a point to mention that SiteKey is just one part of BofA's multipronged approach to security. However, she declined to comment further when specifically asked if the text on the SiteKey page is misleading, or if Bank of America has a responsibility to be honest with its users about the risks of man-in-the-middle attacks.

Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be "certain (they're) at the valid Online Banking Web site" when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?

Watch our video of the man-in-the-middle attack against the SiteKey system, read Bank of America's promises of safety and security on its Web site, and decide for yourself.

Originally posted at News Blog
About Surveillance State

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network and is not an employee of CNET.
