Password application gives wrong info to fraudsters

Germany's Fraunhofer Institute for Secure Information Technology is selling a mobile phone application that offers a unique feature over other password-storage applications.

The application, MobileSitter, will store passwords, PINs (personal identification numbers) and TANs (transaction authentication numbers). Those secret codes are encrypted and then revealed by entering a master password.

The danger with storing passwords in such applications is that there are methods a hacker can use to get that master password. Attackers may try brute-force or dictionary attacks, where different passwords are repeatedly tried using automated programs, said Rachid El Khayari, a research fellow in secure mobile systems at Fraunhofer. Some password storage applications do not limit the number of times passwords can be entered, he said.

The MobileSitter, however, will always return an answer regardless of what master password is entered. If your debit card PIN is "5555" but a wrong master password is entered, the MobileSitter will decrypt a value based on that wrong password, such as "8901."

"It doesn't answer the question of whether the master password is right or wrong," El Khayari said.

Attackers wouldn't know the returned value is incorrect until they tried to use the card. If the attacker obtained the victim's debit card and tried to withdraw cash but repeatedly entered the wrong PIN, ATM machines will typically seize the card after a few attempts.

The authorized user of MobileSitter can also define rules for how certain information is returned. For example, a rule can be created to solely return 4-digit PINs when that information is requested so that an attacker will believe they've obtained a PIN rather than some other secret code, El Khayari said.

"When you ask for a PIN and it shows you letters, you know that's not right," El Khayari said.

What happens if MobileSitter's authorized user enters the wrong master password? MobileSitter will display an icon, such as a red star, that the user has picked when they created their master password. If the wrong master password is entered, the user will see an incorrect icon and know to try again. The attacker will not know the right icon.

Fraunhofer directly sells MobileSitter for €9.90 (US$13.45) from its Web site, even though the research organization normally licenses its technology, El Khayari said. It also has a program whereby companies can buy the application, put their logo on the startup screen and provide it to their customers. Fraunhofer also offers a license for manufacturers to preinstall MobileSitter

MobileSitter is compatible with Java-enabled phones that allow access to a mobile phone's file system. Fraunhofer expects to release a version for Apple's iPhone this year. A version for the Android operating system is also in the works, El Khayari said.