Slashdot Mirror
One-Time Pads To Protect Electronic Bank Access
dummkopf writes "CNN reports how Scandinavian banks issue one-time passwords to protect customers' accounts when these use the same password for other, i.e., more insecure email accounts. Having a bank account in the U.S. (with a trusted and well known Bank OF nAtional reach) I always wondered why the security was soooo poor: while it has changed slightly now (better usernames/passwords) it used to be the case that your username was your SSN and your password a number code (!). I am sure most of you will agree with me that this is scary... I live now in Switzerland where one-time passwords for online banking are a must and where my current bank is one of the 'crappy' ones with a little card with one-time passwords like mentioned in the CNN Story. The nicer ones even give you credit-card-size RSA password generator which is combined with a calculator you can keep in your pocket. Hence my question: are others also worried about poor security of online banking in the U.S.? Are there banks which are better than the ones mentioned above?"
Single-use passwords are not the same thing as a one-time pad, which is a form of encryption. However, one-time passwords do sound like a good idea. Given reasonably good encryption like in SSL, then password management becomes a weak point - which this scheme addresses. (Just parroting Schneier, and wondering if this scheme will get mention in the next Crypto-gram newsletter.)
A scratch-off password list is a password scheme.
a One-time pad is an encryption algorithm.
The two have basically nothing to do with each other.
A one time pad:
Generate a random pattern of bits of the same length as the plaintext. XOR the two. The resulting ciphertext and the random field are now both requried to re-generate the plaintext (to call one the ciphertext and one the key is wrong too. they are both statistically equivalent).
Both are also completely useless by themselves, and truly totally, provably, unbreakable.
This is the only form of unbreakable encryption.
The moment you use a pad more than once, though, it ceases to be a one-time pad, and is breakable.
A few months ago, most (AFAIK, all) portuguese banks updated their online banking auth systems.
... and so on.
There's no standard, and they seem to be having some dificulty balancing user-friendliness with security.
The current "hip" thing is to require a login/password pair, followed by things like:
- Enter the the sixth and second numbers of your ID card/passport (random positions)
- Enter your numeric PIN using the randomly placed JavaScript keypad
- Use the code-matrix card (provided by the bank) and enter the value in square 4C
- Confirm every money-moving operation with digits in random positions from a fixed (long) code given to you by the bank. Said code is regenerated every month.
I don't thinks there's any bank here using plain login/password auth. There were attempts to use personal x509 certs, but most users had trouble installing them or using them.
I work in the security field (mostly smartcards and biometrics) and I can tell you that if that's all they have then their security sucks.
Biometrics are highly inaccurate/insecure. We break them all the time. I myself would never use anything important that was secured with only a biometric. Even a 4 digit limited error PIN would be more secure.
The ratio of people to cake is too big
Two areas where the USA is just out in left field, cellular services and banking. The first one has stopped suprising me, the second one blew me away. I consider my country (Poland) to be backwards, especially when it comes to commercial services - like banking. It's not.
Not only does my bank use one time passwords, the card they're on is a scratch-off card. This gives me 2 additional levels of protection. Not only does it prevent someone from peeking at my card, but it let's me verify that I made each transaction. I don't need to keep track of the last number I used, it keeps track for me. And I don't need the card unless I'm actually moving money around - all I need is my login and password.
The web interface on my bank is incredible - I can check on all transactions since I opened the account.I can set up sub-accts on the fly, issue debit cards to each of them, and my debit card works great online - so I can keep track of those internet purchases. Between-bank money transfers take a max of 1 day, usually same-day if I make it before 17.30, transfers within my bank are instantaneous - really handy for lending my brother some money *fast*.
And the icing on the cake, the thing that made me go to this bank - instant text-message updates on my current account. I get a transfer - I get an SMS, I buy something - I get an SMS. It's incredibly fast (I usually get the SMS before they hand me the reciept to sign) and incredibly useful. I know how much money I have, how much money I spent that day. It really helps to stem the spending sprees that plastic seems to lend itself to.
And all this, from my local, Polish bank.
It's just a US thing. Banks in the USA are for some reason stuck in the 80's.
All the banks I use in Poland provide one-time passwords for anything important. There are no checks in use, but you can use electronic money transfers to pay for just about anything (this is being introduced as "BillPay" in the US and advertised as big news).
I guess the US was first to develop a mature banking industry with credit cards and checks. This has worked so well (back in the 70's) that banks were not under pressure to innovate.