Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[Bobby's-Nutz]

Ok guys I couldn’t resist posting on this blog.
Could someone please explain the point of this stupid p.r. stunt next Tuesday or can’t Bent Kent get it into his tiny little rootkit yet that it’s all over now? I do understand he may challenge our law but on what grounds? There are none.
You see there was previously no way even via ssl encryptions, browser privacy settings or opting out of it to block the intrusions entirely. Phorm could at anytime read anything it so chose to no matter how hard you fought against it therefore the law has ruled against him from setting up this elaborate scam as he’d planned. Mr. Erty Gerty thought he could buy the law out in this country but has learned a hard lesson in doing so, a £32million lesson no less and he’s dropped Bt fairly and squarely into the cess pit with himself in doing so.
Seriously now, would someone please enlighten me as to where the legal challenge is and why is this stupid idiot orchestrating these silly p.r. stunts next week?
I believe there is more to this thing than we’re being told.

[Draby]

Regarding Phorm as a "man in the middle" and able to see even https sites if they choose to.
Today I received in the post from Nationwide (whom I bank with), a battery powered card reader, that's not connected to my pc in anyway.

What happens is, I log in as usual to their secure site, select the third party I want to send a payment to, Nationwide then asks me to insert my debit card into the reader, which asks for the "atm" pin, then asks for the ref. no.that Nationwide gives me, plus the amount to pay.

Still with me? The reader gives me an eight digit number to enter on the website, and after confirming, the payment goes through.

So... it seems that Nationwide no longer, implicitly trusts https and ssl encryption, and has inserted an extra layer. I wonder if Phorm are the trigger for this, or just the (what seems to be), trend towards profiling of users via traffic interception. Does anyone know of other banks making similar moves?

Richard

[Cobbydaler]

Quote:

Originally Posted by AlexanderHanff

Probably all those Wii owners using iPlayer and eating up all the BBC's bandwidth

Alexander Hanff

---------- Post added at 22:05 ---------- Previous post was at 22:03 ----------

Anyway, Copyright section is now completed. Just the Council of Europe's Convention on Cybercrime and my conclusion to go Its been a long haul and I fear I will never be able to remove the OPSI logo from my retinas, but hopefully it has been worth it, I know it has for me.

Alexander Hanff

I'm sure everyone who cares about their privacy appreciates your efforts.

Thank you

[CaptJamieHunter]

Quote:

Originally Posted by Cobbydaler

I'm sure everyone who cares about their privacy appreciates your efforts.

Thank you

Seconded. I salute you, sir.

[SMHarman]

Quote:

Originally Posted by Draby

Regarding Phorm as a "man in the middle" and able to see even https sites if they choose to.
Today I received in the post from Nationwide (whom I bank with), a battery powered card reader, that's not connected to my pc in anyway.

What happens is, I log in as usual to their secure site, select the third party I want to send a payment to, Nationwide then asks me to insert my debit card into the reader, which asks for the "atm" pin, then asks for the ref. no.that Nationwide gives me, plus the amount to pay.

Still with me? The reader gives me an eight digit number to enter on the website, and after confirming, the payment goes through.

So... it seems that Nationwide no longer, implicitly trusts https and ssl encryption, and has inserted an extra layer. I wonder if Phorm are the trigger for this, or just the (what seems to be), trend towards profiling of users via traffic interception. Does anyone know of other banks making similar moves?

Richard

So now you will be sending the chip data, your pin and your on line banking pin to nationwide via the Phorm profiler.
When your card gets cloned and Nationwide turn around and say it is your loss as they knew the PIN can you go back to them and highlight that Phorm could have snooped it so Chip and Pin is no longer secure. I would have thought an RSA SecureID key would be more secure than this approach in many respects. Now you have a token and two shared secrets, both have alternate uses wheras with a SecureID you would still have a token and a secret, not much less secure and well the token cannot be cloned and put in an ATM or used to fill the car up.

[mark777]

Quote:

Originally Posted by Bobby's-Nutz

Ok guys I couldn’t resist posting on this blog.
Could someone please explain the point of this stupid p.r. stunt next Tuesday or can’t Bent Kent get it into his tiny little rootkit yet that it’s all over now? I do understand he may challenge our law but on what grounds? There are none.

Given that the meeting involves 80/20, I suspect it's all part of the privacy impact statement. Having said that, i'm sure they want to try to trip people up, probably over the legalities. They will certainly have something up their sleeves.

One thing that I think is likely to happen is, when challenging over the legal side, the anti-phorm challenger will be asked 'Are you a lawyer?'.

The Phorm side will then have someone stand up and say 'I'm a QC and I say you are wrong because ...'

[Ravenheart]

Quote:

Originally Posted by Draby

Regarding Phorm as a "man in the middle" and able to see even https sites if they choose to.
Today I received in the post from Nationwide (whom I bank with), a battery powered card reader, that's not connected to my pc in anyway.

What happens is, I log in as usual to their secure site, select the third party I want to send a payment to, Nationwide then asks me to insert my debit card into the reader, which asks for the "atm" pin, then asks for the ref. no.that Nationwide gives me, plus the amount to pay.

Still with me? The reader gives me an eight digit number to enter on the website, and after confirming, the payment goes through.

So... it seems that Nationwide no longer, implicitly trusts https and ssl encryption, and has inserted an extra layer. I wonder if Phorm are the trigger for this, or just the (what seems to be), trend towards profiling of users via traffic interception. Does anyone know of other banks making similar moves?

Richard

Hi Richard,

Barclays have a similar scheme which they call PINSentry, you insert your card into the calculator like device and it gives you an 8 digit number to enter when logging into the online banking section, or if you're making a payment to someone new. I'm sure it's a similar thing to the nationwide one.

The PINSentry info is here http://www.barclays.co.uk/pinsentry/

I read somewhere that HSBC have plans for something similar too

[Draby]

@SMHarman
No, I don't think so, the card reader is not connected to anything, "chip & pin" just identifies me to the reader, I'm assuming the eight digit code is a form of encryption generated by the reader.

[Ravenheart]

Quote:

Originally Posted by AlexanderHanff

Probably all those Wii owners using iPlayer and eating up all the BBC's bandwidth

Hi Alex

Any self respecting Wii owner won't be bothering with Iplayer since Mario Kart was released today (and it's excellent)

[SMHarman]

Quote:

Originally Posted by Draby

@SMHarman
No, I don't think so, the card reader is not connected to anything, "chip & pin" just identifies me to the reader, I'm assuming the eight digit code is a form of encryption generated by the reader.

Whoops missed that bit about not connected to the PC in any way and yes wow reading it properly this time, what a palava, almost easier to write a cheque and put it in the post or go to the local branch.

[unicus]

Quote:

Originally Posted by bishbosh

http://www.bbc.co.uk/blogs/technolog...ish_phorm.html

In the comments: A Possibility?

Webwise works by having a layer 7 switch intercept and impersonate the client and server requests on the network: -

You browse to a secure site

The switch takes this request and passes it to the site as its own, adding the Webwise cookie.

When the site responds with its public encryption key, the switch strips the public key for the site out, adds its own public key and forwards the request to you.

Even when you exchange a private key, the switch will also intercept this, (seeing it already has the public key) create its own private key and use its key to communicate with your 'secure' website.

Meanwhile, all this decrypted data is being forwarded into Webwise for 'processing'. This is the fatal flaw with SSL.

If your ISP or your network admin wants to 'snoop' on your browsing, they can.

Bear in mind that you can send certificates in the post on a USB stick, however, header information is NOT encrypted - so they can still see which sites you are visiting, even if they can't decrypt the traffic being sent.

I also thought about this and questioned it here #2176 though I had initially forgotten about certification. After subsequent reading, including this, I have come to the conclusion that using this deep packet equipment would make a 'man-in-the-middle' attack possible. Now if someone working for Phorm were not trustworthy...

[AlexanderHanff]

Interesting that online payments have cropped up. The new banking code takes a lot of the responsibility off the banks and places it firmly on the shoulders of the public with regards to privacy and security.

Under the new code customers will be liable for identity theft/fraud if they do not have:

Upto date Anti-Virus
Upto date firewall
Upto date OS patches

And a whole bunch of other things. I can't wait for the day when someone tries to put in a fraud claim and the Bank say "Sorry but you use a Phorm enabled ISP therefore you have not taken adequate measures to protect your privacy and as such are liable for any losses as a result of the fraud."

Alexander Hanff

[Bobby's-Nutz]

Oh forget the 80/20 confusion we know Bent Kent owns them, haaa..

Sorry I still cannot see and legal grounds to challenge the law. He may try to appeal the decision under'conflict of law' but he needs to carefully choose a sound solid law that allows him to access into millions of pcs in the uk by means of an opt out clause or similar and this does not exist. He could use American law under 'conflict of law' and quote the canspam act or something else, this is the only legal means he has..

[unicus]

Quote:

Originally Posted by SMHarman

Whoops missed that bit about not connected to the PC in any way and yes wow reading it properly this time, what a palava, almost easier to write a cheque and put it in the post or go to the local branch.

Yes it is a pain in the ass but it is more secure...might even stop Phorm snooping

[Draby]

@Ravenheart
I suppose all this does then, is establish that you have the "physical" card in your posession and not just the numbers.

Richard.