March 15, 2005

Update: DON’T Get Your Free Credit Report Online (SSL Can Be Compromised)

Filed under: Privacy/ID Theft — TBlumer @ 10:59 pm

In a previous post on how to obtain the free annual reports (one per bureau) you are or will be entitled to get by law once every 12 months, I suggested that going online to annualcreditreport.com would be safe as long as you took very careful measures to ensure that you are at the right place.

In light of a Wall Street Journal article today, “Cracks in Computer Security Code Raise Red Flag” (not linked since it requires a paid subscription), I hereby retract that suggestion:

With worries about online security already at a high pitch, the discovery of a crack in a widely used Internet encryption technique has raised another red flag among government agencies and computer-code experts.

The technique, called a “hash function,” has been used for years by Web-site operators to scramble online transmissions containing credit-card information, Social Security numbers and other sensitive data. Hash functions are at work, for instance, for most of the millions of transactions that take place on the Internet every day. The system, involving an algorithm, or mathematical formula, was thought to be impenetrable.

But last month, a team of researchers from Shandong University in eastern China began circulating a draft of a paper showing that a key hash function used in state-of-the-art encryption could be less resistant to an attack by hackers than had been thought.

… Cryptographers say exploiting the flaw for malevolent purposes doesn’t seem practical, even using a lot of computer power. Hash functions are also often used in conjunction with other cryptographic techniques, which haven’t shown any flaws. But if someone were to exploit the newfound flaw, the most immediate threat would be to applications involving “authentication.” A hacker theoretically could set up a dummy Web site that appears to have the security credentials of a trusted, secure site — and then steal data that is shipped to this site by unsuspecting users.

Experts say the research weighs particularly on the technology underlying secure Web sites. An online-banking site, for example, displays a “certificate” of authenticity to a Web browser, which then compares it, using hashes, to a third-party certificate repository to be sure the site actually belongs to the bank.

… (Researchers were able to) produce two different certificates with the same hash — something that shouldn’t happen. The certificates aren’t for real sites.

YIKES. Maybe it “doesn’t seem practical” to the “experts.” But if you were going to spend the time to exploit this weakness, where would you try it first? Answer: The place where you can find the most personal data. The annualcreditreport.com web site is the motherlode. Even as you read this, online criminals are surely working feverishly to figure out how to compromise the site.

I give up–DON’T GO THERE. Based on this new information, you simply cannot be certain, even after “verifying” the site certificate, that you’re in the right place.
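As an added illustration (not from this post or the Journal article), the following Python script models why two certificates with the same hash defeat the browser’s check: the certificate authority signs only the digest, so any second certificate body with that digest inherits a valid signature. It uses a deliberately truncated 24-bit digest so a collision turns up in seconds; the “CA” key, the certificate bodies and the site names are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed stand-in for the CA's private key; a real CA uses RSA/ECDSA, but
# either way the signature covers only the certificate's digest, not its bytes.
CA_KEY = b"constructed-toy-ca-key"
DIGEST_BYTES = 3  # deliberately weak 24-bit digest so a collision is cheap to find

def toy_digest(cert: bytes) -> bytes:
    # Truncated SHA-256 stands in for a hash whose collision resistance has failed
    return hashlib.sha256(cert).digest()[:DIGEST_BYTES]

def ca_sign(cert: bytes) -> bytes:
    # The CA signs the digest, so any body with that digest inherits the signature
    return hmac.new(CA_KEY, toy_digest(cert), "sha256").digest()

def browser_verify(cert: bytes, signature: bytes) -> bool:
    # What the browser checks: the CA's signature against this certificate's digest
    return hmac.compare_digest(ca_sign(cert), signature)

def find_collision(template_a: bytes, template_b: bytes, limit: int = 1 << 16):
    # Birthday search: vary only the serial field of two different certificate
    # bodies until one body from each template shares a digest; None if not found
    seen_a, seen_b = {}, {}
    for serial in range(limit):
        a, b = template_a % serial, template_b % serial
        da, db = toy_digest(a), toy_digest(b)
        seen_a[da] = a
        if db in seen_a:
            return seen_a[db], b
        if da in seen_b:
            return a, seen_b[da]
        seen_b[db] = b
    return None

# Constructed certificate bodies; only the serial number is varied.
HONEST = b"subject=CN=bank.example; issuer=Toy CA; serial=%d"
LOOKALIKE = b"subject=CN=bank-example.test; issuer=Toy CA; serial=%d"

def demo():
    honest, lookalike = find_collision(HONEST, LOOKALIKE)
    sig = ca_sign(honest)  # the CA legitimately signs only the honest certificate
    # Equal digests mean the browser accepts the same signature on the other body
    return browser_verify(honest, sig), browser_verify(lookalike, sig)

if __name__ == "__main__":
    print(demo())  # (True, True): one CA signature validates two different certs
```

With the full 32-byte SHA-256 digest the same search would never finish, which is the whole difference between a hash that is merely weakened and one that is broken; the defence is to stop signing certificates with the weakened hash.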

The low-tech ways to get your credit reports are:

    Phone: 877-322-8228
    Mail: Annual Credit Report Request Service
    P.O. Box 105281, Atlanta, GA 30348-5281

This problem has potentially grave implications for online security in general. As I learn more, I’ll certainly pass it on. I have also noted my changed suggestion on the previous post.
