Mehmet Erol Sanliturk
m.e.sanliturk at gmail.com
Sun Mar 24 08:48:36 UTC 2013
On Sun, Mar 24, 2013 at 1:21 AM, Doug Hardie <bc979 at lafn.org> wrote:
> On 23 March 2013, at 22:59, Mehmet Erol Sanliturk <m.e.sanliturk at gmail.com>
> > The following steps may be another idea:
> > Assume that you supply to your users a small login program prepared for
> > them specifically (since you are using SSH):
> > Compile that program for each user with a special identifier for him/her
> > and ship this program to your user, and require that the login be
> > performed by this program. This program will send a very long code to
> > your system with the user password, which is only known to you and to your user.
> > Since external users will not know this code, they will not be able to
> > log into their accounts by using only the password.
> > This will also easily identify fake login trials: It is very obvious
> > that to guess a very long code will require a large number of tries. If
> > the code fails, it means that the login trial is from a fake user.
> > If the password fails, a fixed number of trials may be allowed (the
> > banks are allowing only TWO failed passwords; on the third, a new attempt can
> > be made after 24 hours, in Turkey).
> > This program may also additionally send a computer signature to your
> > system, which was previously sent to you on subscription, computed by a
> > program prepared by you.
> > If the user changes or uses a different computer, he/she should
> > supply a signature of the computer.
> > Here, the important point is that you should always verify that you are
> > communicating with the real user, not a faked user on behalf of the real user.
> > For stolen programs/codes, prepare a new program and ship it to the
> > user.
> That's an interesting approach but becomes difficult to use when traveling,
> as you have no idea what computer you will be able to use today until you
> get to it. Then you might have only a few minutes' access to it before
> moving on.
> > Another idea may be the following:
> > Assume the user computer is NOT captured by a criminal bandit.
> > On subscription, send to the user a square bar code printed on a card,
> > like a credit card, having a very long code specifically prepared for the user.
> > On login, the user will show this card to the camera of the computer
> > and it will be transmitted to your system. In your system, it will be
> > decoded, and it will be used to identify the user with his/her password.
> > If this application is used, it may not be necessary to send the users
> > a special login program prepared for each of them.
> This idea shows a lot of promise. I have to figure out how to tie it into
> mail, web etc. There is libqrencode for creating the QR images. I am
> downloading it now.
> -- Doug
A single method may not be so useful for ALL the users.
You may design a part for mostly static users.
For traveling persons, by using relevant information in your system, you
may use an approximate solution: QR code, password, computer signature.
If two of them are correct, and in the user profile there is information
that the user travels frequently, you may assume his/her login is correct.
Another point may be that the user informs your system that he will travel
between dates (if foreign countries are involved, he may specify them).
By using such information, it may be possible
to identify users correctly as much as possible.
This requires a good user profile definition in your system, and temporary
exceptions, which should ALWAYS be obtained from a fully
verified login to prevent fake changes.
As an example of bank robbery:
A criminal applies to the GSM company of a user, in place of the "person to
be robbed", saying "My GSM device has been stolen. Please cancel it.
Give me a new GSM chip and number."
After getting the new GSM number, the criminal applies to the bank with the
request "Change my GSM number." in place of the "person to be robbed".
During a money transfer of the "person to be robbed", the bank sends a GSM
message to the person to get authorization, but it is diverted to the criminal.
The "person" gives authorization.
As a result: Money is stolen. The rest is not important.
The real person should go to court to prove that his/her money was stolen:
Such a trial takes almost five years.
This means that security measures / steps should be designed with extremely
All over the world, there are many millions of personal computers captured
by criminals and used to perform crimes, with the responsibility
falling on the real owner of the computer.
For your users, some of them may obtain or have static IP numbers.
Therefore, it is not necessary to completely discard such an alternative.
Methods ranging from the most secure one which can be implemented for the
suitable users, down to the least secure ones for persons with difficulty,
may be applied.
For the least secure methods, some statistical measures may be implemented:
For example, average daily number of logins, average number of messages,
a white list of target addresses, etc. If some of these measures are violated,
the case may be inspected for possible security breaches.
Thank you very much .
Mehmet Erol Sanliturk
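As an added illustration (not code from this thread or from any project discussed in it), the following Python sketch combines the ideas above: three factors (password, QR-card code, computer signature), a 2-of-3 exception granted only while a travel profile is active, a "fake trial" verdict when the long code fails, and the statistical checks on login rate and target addresses. All names, thresholds, and sample values are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed model of the login policy discussed in the thread.
# sha256 is used for brevity; a real deployment would use a password KDF.

@dataclass
class Profile:
    user: str
    password_hash: str
    qr_code: str                  # long code printed on the user's card
    machine_sig: str              # signature of the registered computer
    travels_frequently: bool = False
    travel_window: tuple = None   # ("YYYY-MM-DD", "YYYY-MM-DD"), set only from a verified login
    avg_daily_logins: float = 2.0
    address_whitelist: set = field(default_factory=set)

def make_profile(user, password, qr_code, machine_sig, **kw):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return Profile(user, digest, qr_code, machine_sig, **kw)

def check_factors(p, password, qr_code, machine_sig):
    """Return (password_ok, qr_ok, machine_ok) using constant-time compares."""
    pw = hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), p.password_hash)
    qr = hmac.compare_digest(qr_code, p.qr_code)
    ms = hmac.compare_digest(machine_sig, p.machine_sig)
    return pw, qr, ms

def decide_login(p, password, qr_code, machine_sig, today):
    """'accept' on all three factors; 'accept' on any two only while traveling;
    'fake' when the long QR code fails (a guess, not a typo); else 'reject'."""
    pw, qr, ms = check_factors(p, password, qr_code, machine_sig)
    if pw and qr and ms:
        return "accept"
    traveling = p.travels_frequently or (
        p.travel_window is not None and p.travel_window[0] <= today <= p.travel_window[1])
    if traveling and sum((pw, qr, ms)) == 2:
        return "accept"
    return "fake" if not qr else "reject"

def anomaly_flags(p, logins_today, targets):
    """Flags worth inspecting: login rate far above the user's average,
    or messages addressed outside the user's whitelist."""
    flags = []
    if logins_today > 3 * p.avg_daily_logins:
        flags.append("login-rate")
    if set(targets) - p.address_whitelist:
        flags.append("unlisted-target")
    return flags
```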