Assets/Security Goals

1. The most obvious potential target of an attack is that of the eggs. They should be secured from procurement or damage by any cause.

2. The physical integrity of the chickens is perhaps the most important element of the system, and hence deserves the greatest share of security resources.

3. The condition of the coop itself is also very important, and should be protected from damage and undue wear.

Potential Adversaries/Threats

1. Hungry people are one clear threat to the safety of both the eggs and the chickens. In an urban setting, however, stolen chickens may be considered too much of a liability to be of interest to the common thief or burglar. Yet provided adequate incentive (such as hunger), it is conceivable that someone could abscond with the chickens and dispose of them very quickly. The eggs are more obvious targets.

2. Hungry non-human animals form another category of adversary. These include large birds, mammals, and in some cases reptiles.

3. Finally, the most subtle and devious adversary is–perhaps ironically–Mother Nature herself. Her spite may take the form of dire weather and/or natural disasters, erosion, disease, and famine.

Potential Weaknesses

1. The primary weakness of the chicken coop system is hard to pin down, because it typically sports almost no security measures. Probably the most important flaw is that it is possible for an adversary to simply walk (or dive, glide, slither, or crawl) in and compromise the system. The only kind of authentication in place is usually based on the urban farmer him/herself, and this feature is often disabled. For instance, an adversary could carry out an attack while the farmer is asleep. These attacks include stealing of eggs, stealing of chickens, and damaging of coop.

2. Even when under the watchful eye of the farmer, it is possible for the system to be compromised. For example, an attack could occur so quickly that the farmer has insufficient time to react, as when a large bird of prey swoops down and flies away with one of the chickens.

Potential Defenses

1. A lock on the egg compartment of the coop would deter potential human adversaries from stealing the eggs.

2. A fence with a ceiling could prevent large birds of prey from swooping down and grabbing a chicken with their talons.

3. A watchdog (or other animal), if properly trained, could prevent potential animal adversaries from executing a physical attack on the chickens.

4. Finally, a system of water ducts, extra supplies of food, a bio-shelter, and a good veterinarian would all contribute to the security of the system against the attacks of Mother Nature.

Risks

The chicken coop is a very intricate system, comprising many key elements, any one of which is necessary for the functioning of the system, making the risk associated with any vulnerability or attack especially high. In this way, chicken coops are not unlike many computer systems, where one point of compromise can bring down the entire system. The risks inherent in the weaknesses described above are very difficult to completely rectify, because each one depends on a multitude of factors and conditions, and the fix for one may be incompatible with another. For example, the chickens can be protected from predators by keeping them “cooped up,” but this would also prevent them from obtaining adequate nourishment through foraging, and would also demoralize them.

Conclusions

Any project or asset in a system that resides out in the open such as this is going to be vulnerable to attacks. It is important that one  takes this into account when deciding how much time, effort, and money to invest in such a system. Above all, one must keep foremost in one’s mind the goals of the system, and allocate resources accordingly. Adequate food and shelter are clearly critical, but a nice paint job is not. Further, such ornaments as paint might unintentionally attract adversaries by drawing their attention. Furthermore, chickens are not extremely difficult to replace, and a damaged coop is only as expensive to repair as its parts. Given the daunting challenges associated with securing a chicken coop, “perfect” security–in addition to being impossible–is probably not a realistic goal. It is ultimately up to the urban farmer to weigh the costs and benefits of any security feature, and act accordingly.

Assets:

• The digital copies of the books are information resources that individuals might want to spread or suppress.  In general, it is important that users have access to them to supplement their education, and, in the case of partially available books, the publishers want to restrict how much can be seen while still providing enough information to act as an incentive to buy the books.  Google’s security goal with the digital books should be to ensure that access to books is not unduly restricted, while also not giving away too much about restricted works.
• The search results for books are another asset.  The goal should be to keep these as balanced and open as possible.

Adversaries, Threats:

• More oppressive governments try to censor all information, and censoring Google Books would be a natural extension of that.  In addition to filtering traffic to Google, they might try denial of service attacks to take Google Books down altogether.
• In the future, Google itself or a successor company might want to practice censorship by not making certain works available.
• Users might want to gain access to restricted (copyrighted) books.  If the entire books are being stored in a database connected to the Internet, it is conceivable that someone could break into the database and steal the books.
• Publishing companies would want to skew the search results on Google Book Search in favor of their own partially available books, in the hopes that users would buy them.  While it may be doubtful that an attack could affect the search engine directly, it might be possible for a publisher to plant popular search terms in sections of a book and then release the relevant sections to Google.  This could result in a higher number of views on the “advertised” sections, and possibly higher sales of the book.

Weaknesses:

• While Google undoubtedly has defenses against DoS attacks, it cannot prevent censoring nations from filtering traffic and denying some potential users access to its library.
• Google has a lead in publishing online versions of print books.  This might eventually turn into something approaching a monopoly, which would make the library vulnerable to the possibility of someone with bad motives gaining control of it.
• If it’s connected to the Internet, it can probably be accessed somehow; if the complete versions of copyrighted texts are stored on databases connected to the Internet, they could be vulnerable to being stolen.
• Google seems interested in scanning as many books as it can, and may not be paying too much attention to the contents.  This would make their system vulnerable to the search-terms-planted-in-books strategy.

Defenses:

• To defend against DoS attacks, having a distributed system of servers would help (and they certainly do have defenses).
• Encryption of data transmitted could help avoid censorship.
• Google no doubt has excellent access control mechanisms for their databases
• Google can avoid becoming a censor itself by promoting competition: encouraging rival libraries by giving them its own scanned copies when possible.

Risks
Censorship of content on the Internet is basically inevitable; while some users in oppressive areas will be able to circumvent it, there is not much Google can realistically do to help spread information past censors.  Google turning evil seems improbable at the moment, though it could turn into an evil monopoly in the future; hopefully by then there will be more competition.  The possibility of copyrighted books being stolen by users is probably negligible, though there might be some risk of employees taking copies of copyrighted books for their own use or distributing them.  The likelihood of publishers sneaking search terms into samples is fairly likely, and difficult to defend against.  The last one is the most likely exploit to succeed in the short run, but it only affects balance instead of access to information, so it is not as important.

Conclusions
Having access to information is important for a society in general.  Two of the factors contributing to the growth of GDP are the amount of technological knowledge a society possesses and the level of education of the populace.  This is why it is important to encourage the spread of information; making books freely available will help societies grow and prosper, and help lead to a more prosperous world.  That it is important for books be able to spread information as much as possible, free of censorship.

Professional cycling, however, is a very different story. Combining the commercialism of motorsport racing with athletic demands exceeding almost any other sport, the pressure on riders to perform is tremendous. Good performance not only makes careers, but it pleases sponsors and significantly impacts their economic standing. Sponsoring a winning Tour de France team brings in tremendous revenue for a company in Europe. Continuous defeat, on the other hand, can have devastating consequences. As such, riders must reach for the leader board not only to meet their own expectations of success and competition, but simply to remain employed.

For years, dopers and anti-doping agencies have played much the same cat-and-mouse game that security researchers play with crackers. Riders use performance enhancers; researchers create tests to detect them; riders find new drugs to use, and so on and so forth. Doping was present in cycling long ago already, but it was the 1998 expulsion of the entire Festina team from that year’s Tour de France that signaled the beginning of the “doping era.” Since that year, every “grand tour” (the class defined by the Tour de France, the Giro d’Italia, and the Vuelta a España) has been plagued by expulsions, positive tests, litigations and scandals. In order to restore honor and fairness to the sport, many are crusading against the use of performance enhancing drugs. Until recently, the fervor of athlete and corporate lust for success seemed unbeatable.

According to an article by Juliet Macur in the February 28^th, 2009 edition of the New York Times, the anti-doping community has developed a new methodology for detecting cheating. Rather than attempting to detect traces of illicit chemicals in riders’ bloodstreams, drug testers are attempting to develop a “biological passport” for each rider. By comparing a rider’s current blood work against earlier tests, it is now possible to detect telltale signs of substance abuse via the changes observed in that rider’s blood. Legal action has already been brought against several riders with this biological passport as evidence.

Assets

• Riders don’t want to suffer in the ranks as a result of their competition using performance enhancing drugs
• Sponsors and team owners don’t want the cheating of other riders to reduce the acclaim, visibility, or overall performance of their respective teams.
• Race officials and fans want to see respectable racing, not battle-of-the-druggies. Cycling has been tainted in recent years by the proliferation of doping scandals.
• Every non-adversary wants final rankings to be representative of rider athleticism and effort.

Potential Adversaries

• Riders whose competitive spirit may drive them to seek “help” in order to win.
• Riders who suffer from excessive pressure from sponsors to perform.
• Sponsors, team owners, or team managers wishing for more team/product/brand visibility thanks to front-running riders.
• Doctors and researchers developing new doping methods.

Potential Weaknesses:

• Though I don’t claim to understand the biology, and while I can’t imagine that an attack this simple would be possible against the “latest and greatest” in anti-doping technology, I see one fundamental flaw in this approach. If detection of substance abuse relies on change between two test dates, the test is vulnerable to a rider who is never tested prior to adopting a doping habit. Because blood may not change once routine doping is adopted, there might not be a difference between old tests and current tests either.

Potential Defenses:

• In addition to using these “biological passports,” parallel research should continue into discovery and detection of new doping techniques. These detection methods should be applied in addition to any delta-comparison between bloodtests.
• If it is possible, attempt to correlate blood of dopers, as well as the blood of likely non-dopers (very poor performers, amateurs, etc.). It may be feasible to derive a model that can detect riders for whom an accurate “clean” sample is unavailable.

]]> http://cubist.cs.washington.edu/Security/2009/03/13/security-review-new-weapons-in-the-fight-against-doping/feed/ 0 http://cubist.cs.washington.edu/Security/2009/03/13/security-review-helios-online-voting/ http://cubist.cs.washington.edu/Security/2009/03/13/security-review-helios-online-voting/#comments Sat, 14 Mar 2009 05:55:23 +0000 Orion http://cubist.cs.washington.edu/Security/?p=1285 The Technology

The technology being evaluated is the Helios Online Voting Booth, usable at http://www.heliosvoting.org and outlined in the 2008 Usenix Secuirty paper available at the same site. The election system does not create novel cryptographic tools or algorithms, rather it provides a protocol for using existing cryptography to make an election that is universally verifiable and provides ballot casting assurance as well as voter secrecy. The general outline of the system is as follows:

• The voter fills out a ballot and then “seals” it by essentially encrypting it with the election’s public key so that only the election administrators can decrypt it.
• The voter then has the option of verifying that the sealed ballot contains her same choices, if chosen requires the voter to “reseal” it with new randomness.
• The voter is then authenticated and, if allowed to participate in the election, their ballot is “cast” to the server and the voter receives a copy of their sealed ballot.
• Upon receipt, the server publicly publishes the voter’s name and sealed ballot so the voter can verify that the sealed ballot is the same as the one cast.
• Upon election conclusion, the server downloads all sealed ballots from the previously mentioned public place and scrambles and re-encrypts them with a mixnet.
• The server then decrypts all ballots and tallies the totals, providing proof of correctness.

The paper contains a few proposed improvements to current weaknesses, but I still felt it reasonable to discuss those weaknesses. More information on the broader implications of this system was presented in a Current Events article published earlier today.

Assets and Security Goals

• The election system needs to provide ballot casting assurance. The voter needs to be able to verify that his/her ballot was received, and received correctly in order for him/her to deem the election valid. The makes sure that the voting system cannot change or destroy a voter’s ballot without the voter being able to find out.
• The election system needs to provide universal verifiability. Anyone must be able to independently and externally verify that all votes that were received were, in fact, counted and counted correctly in order for the election to be known to be valid. This, with the above, makes sure that not even the election administrators can tamper with the election.
• The election system needs to provide voter secrecy. It should be impossible for anyone to link a voter and his/her vote in order for voters to be free to vote for whomever he/she wants without fear of punishment.

Adversaries and Threats

• Anyone (including the election administrators) wishing to fix an election for monetary, religious, or political gain may try to change or destroy ballots or tamper with ballot counting without being discovered.
• Anyone wishing to discover who voted for whom may try to link individual voters and ballots, either during or after voting.

Potential Weaknesses

• It is possible, just after the voter casts his/her ballot, for a corrupt router to intercept the ballot en route to the Helios server and send the user a fake Helios server success code, causing the “voting booth” to immediately display a false success message and clear the ballot from memory. At worst, the voter fails to later check that their ballot was recorded on the server before the end of the election and his/her ballot is never counted. At best, the voter realizes their vote was not counted and has to cast a new ballot.
• As it currently exists, if the election administrator allows Helios to administrate the election (as it seems they suggest doing), it is possible for a corrupt Helios server to create new, fake voters and cast ballots on their behalf without easily being discovered. Since the system relies upon voters validating their votes, it would be difficult to distinguish between actual voters who didn’t validate their vote and server-generated voters.
• As the client-side code utilizes jQuery, LiveConnect, and Java BigInteger libraries, any vulnerabilities or cryptographic insecurities in that code could potentially be exploited to tamper with the election.
• As currently implemented, the election administrator (who has the power to add voters and freeze the election) is authenticated through Google Accounts. Any vulnerability in the login (weak password, easily guessed security questions, etc.) could allow an attacker to end the election prematurely or add additional voters (potentially multiple accounts for the same voter).

Potential Defenses

• The main defense the Helios system uses to prevent the sort of ballot manipulation or rejection described in the first weakness is to provide open-source tools for the user to verify that the ballot they have created (but not yet cast) does indeed contain the desired voting preferences. This seems to be the best-possible solution short of forcing the user to verify their ballot because it should be inherently impossible to validate the values in a ballot after it has been cast (otherwise others could view the values as well).
• The Helios defense against a corrupt Helios administering a server and creating fake voters is to provide means for other election administrators to acquire and store the election’s private key necessary for decrypting the votes.

Risks and the Big Picture

• The risks associated with this sort of system are nothing less that selling democracy to the highest bidder, or at least the one with the most computing power. If this sort of system were eventually used for a governmental election, the key lengths (currently 1024) would need to be significantly larger because the stake is so much higher. All of a sudden the researchers with 10,000 PS3 cells, or the BBC with a botnet of 10,000 computers might be able to crack encryption keys and tamper with ballots or fake election results. Since this system is based upon computational security, it needs to be implemented in such a way that even the best of the FBI cannot affect the results. Otherwise the currently established government could control all subsequent election results.
• Most of the risks can be alleviated through complete voter validation of their ballots in combination with auditing of the election results given the provided proofs of correctness which are part of the system. If many voters do not do this, however, then it is possible for many security flaws to go unnoticed.

Conclusion

The general idea is that here is finally a system which seems to hint that it may be possible to design an electronic voting system that is secure and transparent. The details have obviously not been ironed out, and may not be for some time, but the spirit of the system is enough to provide some hope in this era where Diebold Premier Election Solutions voting booths are still being used in US elections. The Helios system is not the solution, but it is a step in the right direction, if for no other reason than Kerckhoffs would be rolling in his grave if he knew how we trusted Diebold’s secret code to run this democracy. When not even the government in charge of an election can alter its outcome without the public being able to check, elections may finally be able to be trusted.

Sources

http://www.physorg.com/news155473407.html
Adida, B., Helios: Web-based Open-Audit Voting, Usenix Security 2008

Assets / Security Goals

One clear asset that needs to be protected is the user’s sensitive personal information.  If an attacker can read this data, they can effectively steal the user’s identity.

Another desirable security goal is that accurate information must go to the government.  Inaccurate sending of information could lead to either the user owing more money than they should, or the IRS performing an audit on the user.

Adversaries / Threats

One threat could come from someone sitting between the company building your tax return and the IRS.  Someone in this position might be able to intercept and modify the return when it is transmitted to the IRS.

Another threat could be from a disgruntled employee at the company building your tax return.  To make their services as easy to use as they are, these companies must store all the information you enter each year so that you don’t have to re-enter your personal information again the next year.  A disgruntled employee might be able to steal this data and sell it to the highest bidder.

Weaknesses

One possible weakness could be cross-site scripting vulnerabilities.  These are often caused by easy to miss bugs, and their consequence could be as serious as having all the user’s sensitive data stolen.

Another weakness comes from the combination of sensitive data being stored for an extended period of time (1+ years) and the user using their account very infrequently (likely only once per year).  This allows for both inside or outside attackers plenty of time to launch quite extensive attacks, which the user will likely know nothing of for a very long time

Defenses

The main key to defending against cross-site scripting vulnerabilities is to check everything going into and out of the server side script is sanitized.  This includes not charging blindly on in the case of invalid values.

As for the data retention weakness, not storing the sensitive data from year to year would definitely be the most secure option.  However, this does mean a sacrifice in convenience that users may find worth a small decrease in security.  Assuming the data must be kept, ideally it should be kept in such a way that not even the company would be able to look at it without being given some secret by the user.  This could work by having the user know a password that the company only knows the secure hash of.  This password could then also be used to generate a secret key that could then encrypt the user’s sensitive information on the company’s computers.  This way, when the user is not accessing the data, the company’s computers do not have enough information to recover the user’s password, the secret key generated by their password, or their sensitive data.  But they would be able to quickly verify that a user’s password is correct, and from that correct password, generate the secret key to temporarily unlock their data.  The downside to this system is that it is now only as strong as the user’s password, and user’s are notoriously bad at choosing strong passwords.

Risks / Conclusion

The main risks in doing taxes online lie in the possibility of identity theft and tax fraud.  I would imagine that companies providing online tax services likely know of and have defenses for attacks coming from the outside.  What has me a little bit more worried is the threat of an inside job.  A single disgruntled employee, or even just an unpatched computer that gets a virus could likely bypass most defenses against outside attacks if they are not considered.  One thing that does sooth my worries some is that as reputable companies wishing to continue making money, these companies would likely work hard to mitigate the effects of any attack on the user, otherwise they might get a reputation for screwing people over.

“The Eye-Fi Card stores photos & videos like a normal memory card. When you turn your camera on within range of a configured Wi-Fi network, it wirelessly transfers your photos & videos. To your computer. Or to your favorite photo sharing web site. Or both.”

The Eye-Fi card is an SD memory card used with cameras, capable of connecting to wi-fi networks and uploading to sharing sites like Flickr, Picasa, etc.  It’s also capable of specifying privacy levels for each upload.  All these configurations can be set using their software on a registered computer on the same network.  Photos can be uploaded as you take them as long as you are connected to the network.

The assets include the card, photos, and the website account information/access.  The card is expensive and can contain sensitive and private photos.  As mentioned, the photos being uploaded can be private.  The website account information/access is also valuable because you don’t want your password and account compromised.  Knowing the password could compromise your accounts on other sites.  Also you don’t want unauthorized photos uploaded or unauthorized actions on your account.

Adversaries may include anyone who is interested in potentially private photos and malicious adversaries who want to take control of or exploit your website accounts.  Adversaries could gain access to these assets through a number of ways.  Since the Eye-Fi card communicates via wireless, if the messages were unencrypted and the protocol reverse engineered, it’s conceivable that messages could be spoofed, tricking the configured computer on the network to conduct unauthorized actions like uploading different photos to the photo sharing website accounts.  Photos could also be intercepted through the network.  Also, depending on the protocol, if account information is being transmitted back and forth between the Eye-Fi card and the configured computer, these messages could be intercepted and account information such as passwords could be read.  The product description seemed to suggest that the card could be configured wirelessly.  If this were the case, then a malicious user could spoof the configuration messages and reconfigure the card.

A good defense perhaps would be to require configuration of the card to happen only while the card if physically plugged into the configured computer.  At this point, the computer and the Eye-Fi card could easily exchange symmetric keys in order to encrypt exchanged messages.  This also prevents a malicious person from spoofing configuration messages.  The account information should be kept on the configured computer and shouldn’t be transmitted across the network.  Since I’m not familiar with the details of the protocol, it’s possible that Eye-Fi already employs some or all of these security measures.

Requiring that the Eye-Fi card is physically connected to the configured computer is an extra inconvenience in order to enforce more security.  The entire idea behind the card is to make the photo uploading process easier and more convenient and enforcing this kind of security is likely not a priority.  Additionally, if the network you’re on is one you own and you already require a key to access the network, then Eye-Fi use is probably already secure from adversaries outside of your network.

However, it’s interesting to consider that as technology evolves, wireless will become more and more commonplace, and companies will likely continue to push convenience as a priority.  And often this convenience will come with the cost of security.  As it is, wireless already has its fair share of security issues but hasn’t become a mainstream concern.  With more users using wireless and more assets becoming accessible via wireless, more and more adversaries may find it worth their while to exploit wifi weaknesses.

Assets and Security Goals:

• The safety of attendees.  The guest lists of these events contains lots of famous names that could be the target of attacks  on their personal safety.
• The timeliness of the event.  These events are usually televised live, with lots of advertising revenue depending on the event showing on time.  Failing to do so would cause significant losses to many parties involved.
• The exclusivity of the event.  Failing to prevent the general public form obtaining access to the even would dilute the exclusivity and mysticism of the even, making the event feel less important overall

Potential Adversaries:

• Personal enemies.  The guests are often famous, meaning they’ve made a name for themselves, generally meaning they’ve also made a few enemies, who may want to harm them.
• Paparazzi.  These pseudo journalists will do anything to capture or make a story about some celebrity, often at the epense of that person’s reputation and possibly safety.
• Overzealous fans.  These fans can go overboard in their attempts to meet the Hollywood star in question, possibly causing safety issues for that person.

Weaknesses:

• Given the large guest lists generally include many lesser-known celebrities and their entourage, security personnel generally don’t know everyone on the guest list, so it’s possible to impersonate one of these people given the right fake credentials.
• While electronic keycards are common, there is quite often an entrance without the capability to verify these that’s used by service personnel, making the system trivial to bypass.
• As always, the human element applies, in that if a person acts like they belong at the event, no one tends to question that fact, once they’re inside.  Moreover, Weiss has found that security personnel will often back down from asking question is you claim to be in a hurry, not wanting to make themselves a target of the guests anger.

Potential Defenses:

• The electronic keycard system could be expanded to be at every entrance, making passes much more difficult to duplicate.
• Better training and protection from retribution for security personnel could help prevent the specific human weaknesses exploited by Weiss and company.

In conclusion, while the parties are generally secure from a large scale perspective, becoming totally secure for such a large even will be extremely difficult and possibly be at the cost of usability of the system.  The celebrities generally don’t want to be bothered with security, so the system will likely have backdoors built in to allow them easy access in, which could make any of these upgrades moot anyways.

Although the cars that drive themselves will likely be safer, it is not so clear with fully developed learning AI system implanted in flexible mobile machinery, unless necessary precautions are implemented.
Additionally, there are numerous other questions, including ethical coming with further development of AI, such as whether it can be considered a slavery, for example. Regulations on Artificial intelligence systems are inevitable, and users and developers should be thinking of them and be prepared for them.

Many operating systems include some sort of remote access solution by default. Windows XP, for example, ship with Microsoft’s Remote Desktop as a simple remote administration interface. Even OpenBSD, the Unix variant which is usually regarded as the most secure operating system available, includes SSH, which, again, is a simple and secure application that allows command-line access over a network connection to the remote computer.

Without the built-in applications, there are other solutions to control clients remotely with web-browsers, such as RemotelyAnywhere and LogMeIn. People can access their computer in which software that provided by these companies is installed on any platform.

These tools provide users convenience, but they bring security concerns as well. To control clients, first users login their account in which the list of all clients is stored. If this system were compromised, it would be easy for attackers to control clients.

Assets and security goals:

Remote Control: Users easily control their computers on any Operating System.

Easy setting: Users don’t have to understand firewall and port forwarding. The software provided by company takes care of every network setting.

Privacy: What user is doing with clients must not be exposed.

Authentication: Only authenticated users can access clients.

Adversaries and threats:

Denial of Service: Massive connection requests using zombie systems.

Man-in-the-middle attack: Sniffing connection and modifying data in transit.

Cross-site scripting: Stealing authentication cookie.

Phishing: Stealing user id and password using phishing sites.

Weaknesses:

Keystroke logging: Users can access their clients anywhere. If users connected their clients in the compromised computers in which keylogger worm is installed, attacker could steal user id and password.

Stolen mobile phone: Companies provide software allowing users to connect clients on mobile phones. Attackers steal users’ phones and control users’ computers.

Physical attack against internal system: Employees could steal the system storing users’ information.

Defenses:

Secure connection: SSL-secured connection between users and clients. Block cipher implementation like CBC, AES.

Authentication: Message Authentication Code. IP Address Filter. Block excessive login attempts.

According to security reviews provided by researchers and magazines, Both RemotelyAnywhere and LogMeIn provides relatively secure services. Block cipher is used between user and company server and between company server and clients. MAC and certificate also are used for secure connection and integrity. But still there are possibilities for attack such as XSS, stealing phone, and phishing. They regularly should provide materials to inform current possible attacks to their customers.

Assets of PayPal:

• Users Account Information:  A users account information must be kept secure from potential adversaries in order to keep their funds secure.  Ideally, if a users account is stolen, potential damages to bank account funds should be minimized and the intrusion should be detected quickly.
• Integrity of Purchases:  A user should be confident that if they make a purchase, the seller will come through with whatever product or service advertised.  In the case of a transaction in which the seller does not provide the good or service, the user should be able to receive a refund, and the seller should be dealt with accordingly.

Possible Adversaries:

• Credit Card / Identity Thieves:  Malicious individuals who attempt to steal a users account in order to transfer money out of it.
• Malicious Buyers / Sellers:  Individuals or companies who attempt to hoax others to giving them money without returning a service.

Weaknesses / Defenses:

• Phishing Attacks:  Phishing would seem to be the number one problem with most online transaction systems, primarily because it works quite well.  One phishing attack in particular that I have received was an e-mail saying that a fradulent purchase had been made with my account and that I needed to provide account information in order to verify that I in fact, did not make such a purchase.  One defense that has been used by PayPal is the concept of a Security Key (a review of the Key here: http://www.brighthub.com/computing/smb-security/reviews/12797.aspx), that generates a key that you must use with your login, appending it to the password.  This may help, but the key is only 6 digits long, which is not very secure, and a phishing attack could still get the user to enter in this security key, though hopefully it wouldn’t work on a second login.
• Bogus Sales:  A malicious seller could make bogus sales in which a promised service or product is not returned in exchange for payment.  PayPal can catch onto these when a buyer reports them, but in the event that the sales were made from an account that was stolen and the money has already been withdrawn by the bogus seller, the burden of payment would fall upon the legitimate owner of the account.  One possible defense that may already be in use is e-mail confirmation to the original account whenever a sale is made.  This would likely improve the reporting speed of a bogus sale as a buyer may have to wait a while to know that a product has not been shipped.

Overall, PayPal has a fairly good reputation for getting rid of bogus buyers and sellars that attempt to use the service and being able to detect and resolve cases of fraud.  The main thing that users of PayPal should be aware of is phishing attacks, and making sure they are able to recognize illegitimate requests for their account information, as stolen accounts are usually the cause for most security breaches.