One-Time Pads To Protect Electronic Bank Access
dummkopf writes "CNN reports how Scandinavian banks issue one-time passwords to protect customers' accounts when these use the same password for other, i.e., more insecure email accounts. Having a bank account in the U.S. (with a trusted and well known Bank OF nAtional reach) I always wondered why the security was soooo poor: while it has changed slightly now (better usernames/passwords) it used to be the case that your username was your SSN and your password a number code (!). I am sure most of you will agree with me that this is scary... I live now in Switzerland where one-time passwords for online banking are a must and where my current bank is one of the 'crappy' ones with a little card with one-time passwords like mentioned in the CNN Story. The nicer ones even give you credit-card-size RSA password generator which is combined with a calculator you can keep in your pocket. Hence my question: are others also worried about poor security of online banking in the U.S.? Are there banks which are better than the ones mentioned above?"
Combining something you have (the scratch-off bit, an ATM card, or an RSA token) with something you know (a password) will soon become the standard for most everything. I for one can't wait.
dmiessler.com -- grep understanding knowledge
My local bank simply has us use our name to sign in, and a password we choose. Because I choose passwords, and I don't have much money, I never thought of this as very scary. I guess that in the event that someone tried to steal my money though, I would be quite vulnerable. One better technique that I've learned is to spread your money through multiple accounts. No one will want to waste much time breaking into a few accounts with small sums of money when someone out there has lots in one account.
Help Fight SPAM today!
One caveat I had about this article was this....
"Outfitting 1 million customers with such devices could cost $20 million, while Internet fraud for those customers amounts to "tens of thousands at most," said Tony Chew, director of technology risk supervision at the Monetary Authority of Singapore. Singapore banks thus limit dynamic passwords to fund transfers, he said."
This is a pretty bold statement coming from the director of technology risk at eBay. eBay has pretty much become the breeding ground for scams and frauds. With millions of items up for auction at any one time this doesn't make any sense. I believe I read an article several months back that eBay estimated that at any one time about 3% of their auctions are fraudulent. A small number in comparison to the number of auctions that are ongoing. Doing a totally unscientific experiment, I averaged about 3,000,000 ongoing auctions at eBay, and took the 3% of fraud auctions = 90,000 auctions. I would imagine at least an average of $100 per auction completion. That puts it at $9,000,000 at any one time and that's only from eBay. This also doesn't account for auctions that were performed outside of eBay, as the P-P-P-powerbook one was. Also, imagine the thousands of other financial banks and credit card companies doing business online. And let's not even get started on Paypal.
*Notice.. this was a totally unscientific experiment performed by myself.
I think that putting these numbers all together makes a strong case for such two-factor authentication. I don't mind a second step if it's going to save me money if someone really wants into my banks, eBay accounts, etc...
Hmmm.
I know it's cliche, but I still get stuck in line behind people who don't understand the basics of the ATM machine interface. Inserting (or swiping) the card throws them off. Grocery store POS systems, never consistent between chains, present even more hurdles. I've seen "Pay at the Pump" customers drive off because they just don't understand the instructions.
You want to give these folks RSA dongles? They don't even see the security implications of putting their entire credit line on their keychain with not even a PIN for validation.
The two problems are simple: People here won't understand it, and they won't care.
Why this works in Europe is beyond me, but I'm sure there are plenty of cliche anti-American rants to help explain it.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
There really isn't a lot of damage that someone could do with my online banking account.
I can't transfer funds to an account that is not mine.
The information that is available online about me and my account is less than what is available on a check. I guess I should be more concerned about that, but I have no control of my checks once I have used them to pay for something.
My Debit card information is not available online.
About the best someone can do with my account is see my balance.
The problem is if Mary has a list of 25 TANs that she's crossing out, what stops me from sneaking up behind her, knocking her out with a blackjack, hiding her body in a dark corner, and then draining her account?
Sorry, been playing too much Thief 3 lately.
But my password is as secure as I make it, so is my login (which I chose and is just as obscure as my password). Both exist only in my head.
The problem inherent with one-time passwords and TAN schemes is that people print them out and stick them on their monitor with a post-it. That's not very secure, especially if I'm a tech-savvy burglar who notices it while I'm creeping out with your VCR after dousing the torches with a water torch and distracting you with a noisemaker... sorry, I'm done
I don't need no instructions to know how to rock!!!!
When the costs of fraudulent use of accounts exceeds the cost of implementing more secure access methods, the banks will then implement more secure methods.
Besides, what can you do from most US online bank systems? Check balances, transfer funds from one type of account to another (savings to checking), or maybe even transfer to another member of the same bank? These are all very traceable and mean that really stupid criminals will get caught.
It's probably much easier to just steal credit card numbers.
Unbreakable encryption, sure, but your head is certainly breakable and I can just take your list of scratch-off passwords..
Now, if you had a good secure password that existed only in your head, I'd have locked myself out by breaking your head.
I don't need no instructions to know how to rock!!!!
I've always wondered what keeps someone from simply taking a check you've written (to them possibly) and then using the account information at the bottom with your personal information at the top to drain your account.
Stronger security should only be provided if the cost of implementing that security (money, time, convenience) is less than the costs of not implementing it.
From my perspective, if someone breaks into my account, it's a hassle, but not a huge deal: My account is insured, and I get my money back. I'd rather deal with the inconvenience of this happening once or twice in my lifetime than having to deal with carrying and using a password generator for my entire life.
From the bank's perspective, it is probably cheaper to lose some money to accounts being compromised than to implement better security across the board. That translates to lower costs (or better interest) for me the customer, which is also nice. I'm fairly confident this is true, because were it better (cheaper, more convenient) to have stronger security, my commercial bank (always wanting to make a buck) would be doing that instead.
Your house would be more secure if you had bullet-resistant windows, steel-reinforced cross-bar doors, one-time pad electronic access, and 24/7 security guards, but most people find the much "weaker" deadbolt/key combination to be the BETTER solution.
paintball
I work for a security firm that does vulnerability testing for banks in Australia and New Zealand. Several of the ideas that banks here have implemented / are working on include:
1. Sending a one-time passcode to the user's mobile phone via SMS text message when they log in. The user then enters this code to continue. So the user needs username, password and the correct cell phone to use online banking.
2. Requesting the user enter selected numbers from their ATM card. So the user needs ATM card, username and password to access.
Neither are perfect by any means (cellphones and ATM cards are easily stolen / there are only a limited number of numbers on an ATM card / not all customers have mobile phones / who pays for the text message etc).
However, they add a significant amount of complexity over a simple username and password, without the expense of going to one-time RSA style pads.
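A server-side sketch of the first scheme in the post above (a one-time passcode sent by SMS after the username/password step), added here as an example and not code from the post or from any bank. The SMS gateway is replaced by an in-memory outbox, and the code length, lifetime and attempt limit are assumptions; the point it shows is that the code must be unpredictable, short-lived, single-use and locked after a few wrong guesses.

```python
import hmac
import secrets
import time

# Constructed demo of the "one-time passcode sent by SMS at login" scheme.
# Assumptions: the SMS gateway is replaced by an in-memory outbox, and the
# limits below are illustrative rather than taken from any bank's policy.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


class OtpStore:
    """Server side: issue, store and verify a one-time code per login session."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # session_id -> [code, expires_at, attempts_left]
        self.outbox = []        # stand-in for the SMS gateway: (phone, code)

    def issue(self, session_id, phone_number):
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[session_id] = [code, self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.outbox.append((phone_number, code))

    def verify(self, session_id, submitted):
        """Second login step: returns 'ok' only for a fresh, unexpired code."""
        entry = self.pending.get(session_id)
        if entry is None:
            return "no_pending_code"
        code, expires_at, _ = entry
        if self.now() > expires_at:
            del self.pending[session_id]
            return "expired"
        # constant-time comparison so timing does not leak matching digits
        if not hmac.compare_digest(code, submitted):
            entry[2] -= 1
            if entry[2] <= 0:
                del self.pending[session_id]    # lock: a fresh login is required
                return "locked"
            return "wrong_code"
        del self.pending[session_id]            # single use: never accept it twice
        return "ok"
```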
Do you remember to wipe the sensor after use?
I am reminded of an article several months ago on spoofing fingerprint readers. The gelatin technique is likely the one most Slashdotters remember, but for some, it was sufficient to blow on the detector. c't has lots more fun details, but these have both been on Slashdot before.
If people wanted to pay the additional costs for more secure banking, people would pay them.
The fact that nobody is paying for more security in the free market is a pretty good indication that people don't really want it in the first place.
paintball
Another possibility in Germany is to have your bank card carry a secret key, protected by (another) PIN. This is the HBCI standard. Combined with a class 3 card reader (cheap from your bank, having its own keypad (for secure PIN processing) and display (for interaction with the card)), this is secure enough for me.
A thief would need my account no. (ok, that's _pretty_ easy), my card and my card PIN (different to my internet banking PIN). And, I can use some fancy home-banking apps (even available for Linux).
Much better than the former times with such big names as Citi, which, at some point in time provided no usable access for Linux (i.e. non-IE users) in the US.
But as long as there are services providing account aggregation (using your voluntarily provided accounts and passwords!), there probably won't be much increase of security in the US, I guess. And reading those "contracts" and "disclaimers" with the banks (i.e. you're not allowed to sue them anymore, it's your fault anyway etc.), I don't expect any customer to have a good chance to get some money back, if the customer didn't do anything wrong...
um...no. You can have a 230 character pass and if your machine is infected with one of the gazillion exploits affecting MS machines, then a hacker could just be running a keylogger and cut & paste your pass in. 2-factor auth is the only reasonable way to go. I would stay away from online banking until your bank offers this.
What is the security implication of putting my entire credit line on my keychain? I've already got my entire credit line in my wallet....
paintball
You must be kidding.
In the US, bank personnel still think that your mother's maiden name and your SSN are the height of security (both fixed items with the two worst properties for passwords -- known by many people and unchangeable).
Funny as it sounds, just wait till someone gets a hold of your identity, you'll be poor and deeply in debt. Scammers are very good at obtaining credit, it helps that they don't fear the repercussions of being unable to pay.
Being poor is no reason to not protect your identity. You'll just get more funny looks.
You are in a maze of twisted little posts, all alike.
The goal of initiatives like this is not to allow better security. The current scheme allows for relatively decent security. However, the easiest way to use the current scheme (one password everywhere or trivial passwords) is incredibly insecure. It is difficult enough to remember dozens of strong passwords that people choose not to.
The goal of initiatives like this is to make decent security the only easy way. It is worth increasing the hassle a bit, even for users like you, if it drastically increases the hassle for the insecure path. So long as the decrease in fraud outpaces the increase in minimum hassle, we have a net win for the bank & bank customers.
There are no trails. There are no trees out here.
If I speculate about the causes of the differences (from country to country) of bank security, I think about the following:
If you're poor, how do you pay the debt?
Answer: You don't. You tell the idiots who accepted somebody else as you that they're shit out of luck getting any money out of you and they'd better start looking for the guy who took them to the cleaners.
Which they should have done in the first place.
Of course, it's a hassle TELLING all these people that...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!