Banks to Use 2-factor Authentication by End of 2006
Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."
I am really sick of all the convenient things in life suddenly becoming too cumbersome to use. I would really, really hate to have a hard token to carry around. It has so many bad features:
1. I have to carry it around
2. I may lose it
3. It will probably break
4. Its code could be duped
Too little security, too much inconvenience.
I would embrace T-FA. I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful. But for modest investment and great added peace of mind, I look forward to this.
Ironically, in the Slashdot article's reference to T-FA, Wikipedia gives as a downside to T-FA:
I think this actually strengthens it; it still does not ensure the intruder has access to one of the two pieces (something you know, and something you have).
Too, how many (documented) massive identity theft rings are of the "gaining access to personal computers" ilk? None that I can think of.
For a little more work or inconvenience, I think this adds much security.
No matter how secure internet banking is, I'll always feel most comfortable physically handing my money to a teller and getting a familiar yellow receipt.
At least so they said in that email they sent me...
Once I was a four stone apology. Now I am two separate gorillas.
Sounds great, as long as they don't take the opportunity to lock out their actual customers.
Good ideas:
Bad ideas:
Bottom line: These are average people on home PCs, not corporate desktops where they can dictate the hardware/OS config, and anything that takes too much time/effort/skill/cash to install is going to be prohibitive. If banks keep that in mind, this should work. If not, they'll find a sharp drop in use of their online services.
And what are the chances that the second factor (USB tokens or fingerprint readers, most likely) will have drivers for minority operating systems? I use Linux as my only operating system. Until now, I had no problems accessing my bank account or my credit cards online. Now, I fear I may have to start visiting the bank branch in person...
The reason for my suspicion is that I used USB dongles for some expensive, proprietary software at my workplace, and on a whim I looked around for Linux drivers for the thing. Turns out that the manufacturer only supports Windows 2000 and XP, and no third-party drivers for other OS's exist.
Maybe I am way off, but isn't this already in place? To use an ATM I need:
- Something I have (my ATM card)
- Something I know (my PIN)
Am I living in the future, or what is the deal with this?
Hmm... I'm going to need a notification from at least one other organization than the FFIEC before I believe this.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Sounds great, but what about forgetful people? So-called "Strong Authentication" or 2-factor authentication sounds great in theory. Rather than just cracking your password, a would-be thief would also have to steal a physical item from your possession. However, most people are dumb and forgetful; they would put a piece of scotch tape on the physical item and write their password onto it, so that when the would-be thief pickpockets them, they don't even have to bother trying to crack the password. Sounds great in theory but it doesn't work - like communism. In summary, it is the authentication for communists.
... and in the DRM, bind them.
etradebank (https://us.etrade.com/e/t/microsite/custwelcome) offers them now.
Because BOTH methods of identification will be travelling over the SAME channel (your Internet connection), this will still be subject to man-in-the-middle attacks.
But because it will be a cool "encryption" key, people will not know that they aren't "secure".
The only way to improve the security is to use a different channel (example: the bank calls your phone to have you verify the transaction)
-or-
The site relays the information to you using your IP address as part of the encryption (this won't work with NAT/PAT/Masquerading, but will be feasible with IPv6).
Straight from the FFIEC's mouth.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
Have the customer register an email account, preferably by going into a branch.
Then when they log into the system, it sends a temporary-use code to the email address.
Not used in 5 minutes, it is no longer any good.
Older than 30 minutes, you're logged out and the number is no longer any good.
In the email, you just send the number. If all banks used the same sender to send the code, then people intercepting it would not know what bank it came from.
The Dunning-Kruger effect explains most posts on
Yes
Before these banks implement high-tech security, they ought to consider common sense security. How many banks have I walked into where the back of the computers are exposed for a would be "hacker" to slip a keystroke recorder onto the PS/2 port? How many banks have I walked past on the sidewalk and their windows are wide open with no blinds and you can see directly onto the monitor with account numbers, etc on them? How many banks have I called and asked for information about my account and they failed to verify my identity before answering questions about my personal information?
Too many.
The wikipedia link claims that TFA contrasts to a system where only the password need be known. That may be a problem with some systems where the username is essentially public (i.e. *nix), but for online banking access, the username need not be easily guessed or based on any personal information, just unique.
Isn't requiring two non-obvious pieces of information (non-personally identifiable username + password) a form of two factor ID? (yes, I know the traditional mantra of "something you have/know")
If not, why is an ATM card and PIN considered to be, knowing the ease with which mag stripes can be copied? It's not like there should be high confidence the ATM card stripe is proof of possession of a unique object, as might be the case with a SecurID or retinal scan.
"National Security is the chief cause of national insecurity." - Celine's First Law
Taking up the extra security is entirely up to the individual and is gradually being introduced to customers, though it costs a reasonable amount of money to actually order a security device.
So does this mean that all banks will be required to have machines that read TFA?
-- I prefer the term "karma escort."
I am tired of things getting worse or more difficult for my "safety" or even worse my "convenience". It's like restaurants that change their menus. It's never an improvement.
The linked Wiki article actually states "A common example of T-FA is a bank card". Who knew TFA had another meaning ... I wonder if the banks realize -- so don't get offended the next time you walk up to the bank teller wicket and are asked for TFA !!! They'll wonder why you are snickering. Woo-hoo
methinks gp was a play on the 2 factor scheme.
This will almost certainly lock Linux/BSD users out of online banking, and probably will lock out Mac users too.
Banks could much more portably just start requiring signed client certificates. For Windows users they could be stored on a USB keyfob instead of the HDD for slightly better security. Users of other systems could set it up that way if they wanted, but implementation on FreeBSD or whathaveyou would be left to the client.
It is a good idea for host login, though. CF the article in the November 2005 issue in Linux Journal, and this thread on the gentoo forums (and my journal post from yesterday too).
There are already two factors of authentication required:
1. username or account number
2. password
What is actually being discussed is a third factor of authentication. This would be extremely harmful to usability because people have enough trouble remembering two things. In fact, Jef Raskin suggests in his book "The Humane Interface" that systems should only require 1 factor of authentication--a password. He explains that if a password is made up of real words (such as "book-garbage-soda-airplane") not only will it be easy to remember (good for usability) but that it will be extremely difficult to guess as well as accidentally have two users with identical passwords. For example, if a dictionary of 10,000 words is used to generate a password that contains only 3 words, that would yield 1,000,000,000,000 possible unique passwords.
This will cost every Internet banking customer money, time, and convenience. (RSA fobs are not free; if your bank gave you one for free, it will have to pass the cost on to you in some way.) Meanwhile, it will not significantly reduce the impact of phishing or pharming attacks; it will just force attackers to use the information gleaned from such attacks before the fob's digits expire.
How about requiring banks to use https correctly, which would at least reduce the impact of pharming attacks?
The shareholder is always right.
I have a bank account with a UK bank, and over there (I'm a US citizen) to use their web site, you have to have additional information. For me, I have to provide:
- a membership number
- a secret word (they ask for letters or numbers from the secret word)
- a passcode
- an account number
It takes several forms, but I don't have yet a third bulky RSA key to carry around.
How about just have people answer 10 questions and then use 3 of those answers, things like, your favorite color (blue, no green), car color (fun for those who do not have a car), or favorite movie. Stuff that no db keeps.
Just a thought.
...tizzyd
If the fraudster can get a trojan onto your machine, it could record all the keystrokes that you use. Including the login to your email to get the key to validate the transaction.
When did we switch the subject to women?
As a capitalist pig, I have to ask why the federal government is mandating this... theft is a crime and if too much theft occurs, the banking industry will respond because it is losing money (and it will thus be hard for the banks to get insurance). I can understand how the federal government might offer different terms for FDIC insurance to banks with two-factor authentication, but why mandate the change to all banks?
If the fraudster can get a trojan on your machine, he can collect your keystrokes, including the answers to those questions and then he will be able to "validate" fraudulent transactions as if he were you.
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
Also, is this similar to what we have had in Sweden for a couple of years for our banking systems? We have a personal badge where we enter a PIN and a temporary code to get a new temporary code to be able to authenticate??
------- In the end there are no beginnings
Sure, it's really far from RSA, as my code doesn't change and anyone can easily just photocopy my card. But I thought that it was a creative solution to implement a two-factor auth that even dummies would understand, while providing a lower cost to implement.
Just because the banking overseers and some bankers agree that this measure could reduce identity theft, it doesn't follow that this two-level ID system will actually come into wide usage. Sure they passed a regulation mandating it at a time in the future.
But this mandate can be quietly suspended, extended, or amended when it becomes apparent to the people who live in the real world how difficult it would actually be to get working.
But even if it does come to pass, and you do have put your eyeball up against a laser to get $30 cash from your ATM, you can always take your money out of the idiot bank and put it into another one that doesn't impose such draconian madness. Like a bank that is outside the USA. If you had put most of your money in a Canadian bank last year, your money would be worth 35% more given the rise in the Canadian dollar to the American dollar.
Need cash? Then use a PayPal debit card that is linked to your Canadian bank account. Have your paychecks automatically deposited into your Canadian bank account. Have a local bank account that is for check writing only and doesn't require invasive biometrics to access.
It doesn't hurt to get some money out of the USA. With the USA being the world's biggest debtor nation, the entire world hating the USA, and new alternatives like the Euro available as a benchmark global currency, it's not as if the US dollar is going to be rising in value against the other major currencies. And the rise of inexpensive global communications networks and accessible easy-to-use private-bank international debit cards like the PayPal card makes all the financial transaction work nearly transparent. Fuck the little corner bank and their eyeball machine!
I can get an SSL certificate to BankSecurity.com (change "Bank" to your bank's name). So no pop-up will kick in. But the site will not be what the user thinks it is.
With IPv6, the bank would send you a random 512 digit number, encrypted with your password+IP_address. Since the man-in-the-middle would not have the same IP address as you, or your password, he would not be able to use that connection for his own transactions.
But a trojan key-logger would still be able to collect your keystrokes and defeat it. In order to defeat keyloggers AND man-in-the-middle attacks, you need to use an entirely different channel, pre-configured, to validate the transaction.
Or use the above IPv6 scenario with the key fob to prevent the key-logger from capturing your password.
Since most computers still come with a 56k dialup modem, why don't banks offer a private phone number for the modem to dial to their customers? It would sure improve privacy and security because a direct line to the bank would bypass the ISPs & the WWW that normal channels use for internet connections...
Politics is Treachery, Religion is Brainwashing
1) With two banks and four non-bank financial firms, I DO NOT want 6 dongles.
2) I want to be able to use PC, Mac or Treo
3) I want to be able to travel - the suggestion to look at IP location was moronic!!!! I want to be able to access bill pay and balances when I am travelling for business or pleasure
If this is as much a failure and inconvenience as those hellish CVV2 codes on my debit card, I'll explode. What use is a second number if it's on the same card and in the same forms as the first number? Furthermore, what's the use of a second number if it's UTTERLY INVISIBLE after a week of use? Piece of crap.
*Prevented from ordering harvey danger album 'cus he can't read his CVV2 number and is pissed.*
Not at all... SecurID works for example by a challenge/response system typed in on the keyboard. Last I heard linux supported keyboards out of the box :)
Client certificates are just too hard to manage for most people.
Don't let anyone fool you. ... you will get in. ... may delay you ... but I doubt it.
If you gain physical access to a device
These n-factor authentication schemes
Step 1: Remove hard drive from device.
Step 2: Run away really fast.
Step 3: Rule the world.
Our government seems to be copying everything from America these days (cf. FTA etc.), so hopefully they will follow suit and require financial institutions here in Oz to do this.
Although in any case, my new account is with an institution that's probably too small to be worth trying to phish (Police & Nurses Credit Society).
for whatever the banks do, i'm sure it's the best
coz i would do so if there's millions counting on it
--
http://xrurouni.sytes.net/
The two factor system has always worked well for me. I have no problem making withdrawls using a gun AND a note.
Are you...Are you some kind of genius?
No, ma'am, I'm just a regular Slashdot reader.
They make one your drivers license number, and the other your ss#.
Join the Slashcott! Feb 10 thru Feb 17!
For transactions over a pre-defined amount (and the customer can change it), the bank sends a code via SMS to your mobile phone, with an expiry time to enter it.
OK, you have to have a mobile phone, but how many internet banking users don't?*
*Rhetorical question. No need to enumerate yourselves.
What you can do legally is to freeze your credit reports. You have to do it with each agency and yes it costs a fee, but a nominal one like $15. Then nobody can get your credit information, they will simply refuse it. When you then need credit you call the correct agency and have them temporarily thaw your account. Sometimes it's a time based thing, sometimes it's a code based thing (as in they give you a code to give to the person checking your credit).
Now this of course makes it much harder to get credit. No walking in to a cell store and walking out with a phone. You need to plan ahead, find out who the creditor uses for their credit checks (with few exceptions they use only one of the three agencies) and have them take the steps necessary to make your report available.
However it's quite secure, moreso than a fraud alert, and it's totally legal to get.
I find it very handy to check my finances and do stock trades from my cellular phone. I'd hate to lose that ability.
That's it. No 'reprogramming' involved at all. That's because the interpretation of the TZ variable was already programmed to include this sort of encoded rules.
On the gripping hand, I have no clue what it'll take to fix Windows timezones.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
Seriously, SSL and SSH2 are not easy to do a man-in-the-middle attack on that is undetectable. More to the point, to do a man-in-the-middle attack, you actually have to be in the middle. J. Random Hax0r can't do it; it has to be someone with access to a link that your connection passes through. That's much harder.
I worry about man-in-the-middle attacks for encrypted channels like not at all. Anyone who has the ability to compromise a major network provider to do that probably has better things to do than go after my info.
Why don't you suggest we submit punched card batch job requests for bank transactions?
Sheesh.
This issue is a bit more complicated than you think.
They are both the same kind of authentication, and thus both have the same vulnerability. The reason people talk about the something you have/know/are thing is that each is strong and weak in a different way:
Something you have (a key, a smartcard, etc.) is strong because it has to be stolen to be of any use; someone has to physically take it. You can't just look at a smartcard and have it do you any good; you have to be in physical possession of it. However, that's also the downside: it CAN be stolen. Someone can just grab it when you aren't looking.
Something you know (a password or username) is strong because it's stored in your head: nothing to physically steal, nothing to lose. However, it's weak because if someone discovers it, you'll never know. They don't need to take anything, just know what it is and they can use it. Also, complexity is limited by what you can remember.
Something you are (a fingerprint, an iris scan) is strong because you are unique, and it's a part of you. You never lose it, and people can't really fake it because, well, it's a part of you. The weakness is that what you are changes, and the ability to read it isn't 100% accurate, so someone CAN potentially fake it out.
Now, because of this, real strength comes from having two or three of these methods. If you just have passwords, even if you have 3, all someone needs to do is learn them and they are in. However, if you need a smart card, a password, and a fingerprint, the person has to get an impression of your finger and make a convincing dupe, then find out what your password is, then steal your smartcard, and then use it all before you notice any of this and invalidate the account.
So it's not worthless to have more of the same kind of authentication, but it's not nearly as good as having multiple kinds of authentication.
I'm surprised no one mentioned it yet - bank customers that choose to use (likely have no choice eventually) two factor authentication may be in for a nasty surprise ... I bet, much like Verified by Visa, the onus of proving fraud will be further shifted to the customer - banks will contend that two factor authentication is super-duper secure and any security violation must be solely the customer's fault.
... two factor authentication, as proposed, is faulty from the start ... sure the barrier for fraudsters is a bit higher, but not by much ... a variant of the traditional man in the middle attack is all it takes...
... and even worse, the fraudster may not even have to program a complicated trojan, since many folks already use software (or unknowingly have it installed) that allow for remote access.
... perhaps they have ... if anyone here knows more, please reply - thanks!
Speaking of fault
Keys, etc are no good if the fraudster takes control of the victim's computer itself
Banks are going to love this - sure, the key tokens, etc. are going to be a hassle for them to distribute, but in the long run banks will be able to shift more of the risk to the customer unless consumer groups speak up.
Ron
The likely candidate is a device like this one, which you carry in your pocket.
It doesn't interface to a computer except by you pressing the button, looking at the number and then typing it into the login screen.
My bank, HSBC, already uses them. I have a red and grey one sitting here on my desk. It's annoying to have to carry it around, but it's not huge, so the main annoyance would be losing it.
By the way, I'm not the only person who thinks these devices are the way it will go. Vasco stock went up 9.36% today.
Only if it's two women sucking your dick while you have beer.
About a month ago there was an article on slashdot about spyware that bypassed SSL. (They of course claim they are not spyware) Just install a certificate of yourself into the machine, then set up all connections to proxy through your machine. Then just generate whatever keys you need to sign any page they connect to.
While keeping the back door wide open.
In order to draft from your account, the only thing anybody needs is your account number. Heck, companies are now allowed to convert your paper checks into "electronic checks" (ie computer drafts) using only the information printed on the bottom of your check. There was something on the local radio station this week (Clark Howard, consumer guy out of Atlanta) about a woman whose $1600 mortgage payment got fat-fingered as $6600 and it took her MONTHS to get her money back - and that was from a reputable place that just made a mistake. What happens when it's a crook?
Tightening up the security needed for internet transactions is not going to make any dent in the security of your bank account.
As I recall the banks always closed at 3pm, except on Friday they were open until 7, but anything done after 3pm Friday was just put in a box and not processed until the next Monday.
I'm told that it was because they didn't have computers back then, so everything was processed by hand, and they used the last 2 hours to balance the books. I don't know that I believe that though - I'm young enough that computers have always been around in banks. (They didn't reach general business until later, but computers in banks were old news by then.)
It is digital info that someone could HACK and reuse, that is referenced irretrievably to YOU
In a system where the actual image of your finger was stored and linked to your personal information, yes this problem would exist.
But, the systems I've seen (Fancy stuff to be sure) they address this issue a couple of different ways.
1. no "picture" of your finger.
2. fingerprints and personal information are not kept together, or otherwise easily associated.
Some AFIS now anonymize the fingerprint data. I'm honestly not quite sure how that works, but my understanding is if a bad guy did steal templates (representations of fingerprints) and could reconstruct the templates, they don't know to whom(sp?) they belong.
You are a bad guy with Bank XYZ templates who has figured out how exactly to send a template over the internet that doesn't belong to you that the server happily accepts.
Dictionary attack? (many account names, guess password, too many templates)
keyboard sniffing? (one account name, one password, too many templates)
Phishing? (customer unwittingly gives away all secret info, templates useless)
The underlying premise in your nightmare scenario is there's a single source of biometric authentication for all institutions. No consumer would want that and the strong authentication corporations and their customers know this.
Biometric authentication is not perfect security, but it appears to me to be much harder to do bad things.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Your computer
-connects to-
Evil computer
-connects to-
Bank
Now, given how many phishing attacks succeed, getting the average person to connect to the Evil computer seems to be pretty easy. Then the Evil computer forwards the connection info to the bank computer.
Your data -> Evil computer -> bank site
Man-in-the-middle: Again, once you understand them, you will see how easy they are to set up.
Almost every current phishing site already IS a man-in-the-middle site.
Just because it isn't in real-time does not mean it isn't a man-in-the-middle attack.
Did everyone read TF-A?
From the article:
Could someone find the idiot administrator or politician or member of this council that came up with this idea and give them a nice, firm smack in the head with a laptop computer? It should be easy to pull this off, because obviously anyone who would suggest this has never heard of laptops, and therefore wouldn't see it coming.
God forbid that I ever decide to, say, take my laptop with me on a vacation and electronically pay a bill while I'm out of town so my electricity is still on when I get back or something crazy like that. Or move to a new apartment and be able to access my account while the bank takes its 2 or 3 weeks to decide to process my change of address request. Or be over at a friend's house and check if my direct deposit has gone through before I decide to charge a night out on my debit card.
It's totally inconceivable that I might want to use a technology like, say, the internet to be able to access things remotely. Arghhghghhghhhh!! I just don't get why there are so many dumb people out there who spend their spare time sitting around thinking up ways to make easy things hard.
Why don't they assign each person an X.509 certificate which is used to verify the identity of the user? The certificate could even be protected with a passphrase. They could reissue certificates at a regular interval (like one year), revoke certificates if they are compromised, etc. The certificate would be used during the SSL transaction.
Grrrrr... don't bother me, I'm thinking.
If any bank here could offer me Smartcard + PIN or one-time PAD authentication today, they'd have my business right now
There's so very few of you though.
Does anyone remember the Amex Blue? It had some basic authentication and no one wanted to use it. There's no reason a consumer is going to demand this. That's why the U.S. might be the last place in the world to implement EMV. The banks don't want to pay and the consumers don't want it.
Do a search for NavyCash on google. It just barely scratches the surface of what a smart card should do in this country, except most of the financial network transactions are still done by the mag-stripe on back.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I'm not sure if they still do, but Citibank's credit cards used to have the user's photo on them, so the user had the card, signature/PIN, and also had to match the photo on the card. This was a really good way to prevent your card being misused. I've never seen any other companies do this, but it's a good idea that is not too expensive when compared to biometric data.
No, I don't see how it can be described as "relative".
... not through anything you did or did not do ... but just because everyone improved their "security" beyond yours.
If it were so, you could move from "secure" to "insecure"
That's kind of like saying "I don't have to lock my doors, as long as my neighbors don't shut their doors".
No, the principle is that a loud alarm will go off. There is a visual notification of this (the flashing light on the dash) so that the criminal doesn't smash first, then discover the alarm.
But that will not help if you leave valuables in plain sight.
Almost every phishing site out there is already a man-in-the-middle attack, just not in real-time.
Since so many phishing attacks succeed, it would seem that man-in-the-middle is not as difficult as you believe.
Not really. It just moves it from the current not-in-real-time attack to requiring a real-time attack. These can still be automated so all it requires is some effort on the evil programmer's part.
The PIN is captured the same way it is right now. A phishing site.
The smart card code is captured the same way. A phishing site.
That is where you work. That is not the Internet.
Why not just install a key-logger on your computer?
That is where you work. That is not the Internet. Where you work, people would start calling the IT department if the authentication server suddenly stopped working because someone had setup a different one to collect your PIN's.
No. It is only more secure on a network you control.
Once you get onto the Internet, the fact that both forms of identification are travelling over the same channel means that a man-in-the-middle attack becomes a lot easier and harder to detect.
Yes they have. But, again, becau
How many people have accounts at just one financial institution? I have accounts at two credit unions, several credit cards, brokerage firms, etc., and my wife does also. Do you really think the financial institutions will all share a single token (if that's the route they all chose)? Not a chance.
This spyware had access to the client machine (probably as admin, but that wouldn't be absolutely necessary). Once something has access to your machine, it can do whatever it wants: keylogging, proxying, modifying the destination account number on every transaction, etc. The only way to make it secure in this case is to have a separate channel (like phone) that is used to authenticate each transaction.
Once again, the evidence that relying upon a single channel for all the authentication is a bad idea.
... and most people would never know. Even the really smart ones who read /.
A trojan can assist a man-in-the-middle attack
Encryption fobs won't help.
Smart cards won't help.
One time pads won't help.
Not as long as all the authentication information is passing over the Internet. You need a second channel for final authorization.
Two channels is the only way to go.
I don't want to have to pay for it through new or raised fees with my bank either.
Tokens and smart cards suck because your security is lost if somebody can compromise them, maybe just by replacing yours with a look-alike.
Anything stored on the computer sucks. If I can manage to get control of your computer, I have the ability to access your money and maybe take it.
One solution that seemed obvious to me is using the telephone. I know I've seen some good ideas here but didn't see anyone suggesting this one.
What your bank should do is buy an account with somebody who is offering this service to a bunch of banks and share required (only required) information with that company. That company then sets up an automated phone system (yes we hate them but they're cheap to run compared to actually paying staff) which would use voice recognition and question response to validate your session for one login and give you a required passphrase which is associated with your account for one time access and expires in a pre-determined amount of time.
Why?
- It still costs but then it costs mere fractions of a cent per customer since the company selling the service can handle so many accounts at the same time.
- It's electronic so there is no additional staff to hire.
- It uses biometrics which can be improved without selling new hardware or dongles.
- It uses existing available technology and any company can do it.
I'm open to other suggestions but I stand by my original statements. Don't charge me or the bank even an extra dollar for my security. (Per account anyway.) Don't make me carry even more crap around.
B) Eliminate all the stupid users. This is frowned upon by society.
The phishers are requesting not only your personal info, bank account numbers and PIN; they are telling people that they also need the next two one-time PAD codes for test purposes. You know what, people are sending phishers the requested one-time PAD authentication codes. I believe the Register had an article on this not too long ago.
As Bruce Schneier recently stated, this problem will continue until financial institutions are made 100% responsible for all aspects of this problem. That includes the cost of cleaning up the mess afterwards etc. IMHO. Hell, they used to give away toasters, they can afford to give everyone that wants to bank online smartcard readers etc.
At a former employer I was responsible for initiating borrowings and wire transfers into the millions of dollars on a daily basis. The system our bank set up for doing this was that they gave me a userid and a random password generating device (it looked strangely like one of those cheapo calculators). To connect to the bank's system you used a piece of software provided by the bank that dialed an 800 number. You got only three tries to get the random password typed in right or you were cut off and your userid was locked out until you contacted the bank to get it fixed, at which point you had to provide a bunch of additional information to verify that you were who you said you were. You would have to tap our phone line to get access to the data stream, and doing so wouldn't provide much more than information about the transactions taking place that day due to the one-time nature of the password. In my mind this was a pretty bulletproof system. The only way it could be compromised would be by getting one's hands on the password generator, and of course we kept these locked up. The only risk was of corruption on the inside of the company, and any authentication system will be vulnerable to that.
It would be simple for banks to provide consumers with a small program to dial via phone line to an 800 number and avoid the problems associated with connecting via the internet. Even if a keylogger were installed on the consumer's computer it would be useless because each password is a one time password.
"Lack of technical competence coupled with the arrogance of power, as usual, leads to no good end."
I wish you'd been around to contribute your perspective to this dialogue. It might have led a more enlightening outcome.
Parity: What to do when the weekend comes.
I have had accounts at two different banks in Finland and in both cases I have had TFA (well three if you count the user ID).
To get at my bank account I have to enter my numerical user ID and PIN. That gets me access to view the account. But to actually do anything I have to enter a third number in response to a numerical challenge.
The bank issues a small look-up table on a plastic card or piece of paper. You look up the given challenge number on the card and enter the value in the second column. So effectively you have a one time pad. Simple as hell and quite secure (unless you are a total moron and write your pin in the look-up card).
You, the people stupid enough to reply to a phish message, have just made my life more complicated because you are too stupid to be allowed to use the Internet.
Even after incredible amounts of publicity, you are still stupid enough to pass out your mother's maiden name and your bank card PIN in reply to an email message.
You are really, really, stupid. Yes, you should be ashamed that you are the bottom of the barrel, the lowest of common denominators.
Your brains could be held in a thimble, nay pureed and spread thinly on the head of a pin.
Your elevator fails far short of the top floor, and even if it got there no one would be home. You are as sharp as a marble, as bright as mud, a few shades beyond blonde.
Did I mention that you weren't too smart?
I've used username/password + one time pad when actually doing transactions since 1998 with my bank with no problems at all. Just don't keep everything in the same place, that's just stupid. (Just because we're on Slashdot one can't assume that everyone memorizes their u/p's.)
Just who is the "Federal Financial Institutions Examination Council (FFIEC)", under what statutory authority (if any) can they mandate two factor authentication, and what penalties will there be if a bank allows customers to continue to use a userid and password alone?
Userid and password is simple, and effective in most cases.
The Feds want more security here, yet if I ask my bank to only accept ACTUAL PHYSICAL checks with my signature on them before honoring them and paying the other banks, it is ILLEGAL for my bank to give me what I want and refuse to accept a "substitute check". It is ILLEGAL for a bank to insist on security which would go a long way towards stopping check fraud, something which I can't protect against.
Whereas phishing attacks require stupidity on the part of the user.
Why protect people from something they can protect themselves against, yet not protect us from something we can't protect ourselves from (people can forge our signature, and anyone getting a check from us has the routing number and account number, which is all they need)?!
If you don't understand the basics of computer security, you shouldn't be allowed to bank on the Internet. If you don't understand the basics of operating a car, you shouldn't be allowed to drive on public roads. Same principle at work here.
Don't take away my convenience and require me to carry a smart card (oops, left it at home and can't do some needed banking at work or on vacation - sucks to be me) because of others' stupidity.
Let the stupid people lose their money, get off the Internet and/or go broke and die.
We mollycoddle the stupid way too much in this country (USA).
If they must DO SOMETHING, just mandate the banks block *.aol.com at the firewall and be done with it.
95% of the problem will be solved.
Or have the server attempt the common Windows exploits, if they fail, the user isn't on Windows or has actually secured Windows - in either case they likely aren't terminally stupid - and the banking session should be allowed.
Now 99% of the problem is solved.
As for the remaining 1%, guess what, nothing is perfect. Even with 2 factor authentication, once logged in, a malicious hacker with control of your PC can add an illicit transaction request to the banking session.
In any event, people should be responsible for computer security. Secure your damn PC, learn to not trust spammers and scammers and don't be a dumbass.
Or stay off the Internet, and don't cross the street either if you are an idiot.
Just because it CAN be done, doesn't mean it should!
I thought the real ID act, drafted overnight and passed unread (slipped into a spending bill) was supposed to end the "inconvenience" of multiform identification.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
In Europe many banks send a one-time code to your mobile phone (as a short message) for each transaction. This way the "thing you have" is the phone, which you carry around anyway. In cell-averse US of A, they could alternatively make an old-style phone call and have a machine dictate the code. Some other European banks require custom software on your machine, or a hard token. Sane people generally avoid these banks. Some other banks just give you a stack of cards with a list of one-time-pads on each. Once you consume your cards, you can order some more in the post, or just walk into any branch and have them printed.
The system at my bank is probably one of the most common. A little gadget with a keypad and LCD screen. Takes a 4-digit PIN to start a verification, then the verification itself consists of an 8-digit number being scrambled by the gadget, and then used as signature for the transaction. All transactions are https of course.
What I'd like however, is the gadget to plug in to USB, so I didn't have to enter all those 8-digit numbers myself.
The US banks lag behind other countries wrt security. As an example, almost all banks in Poland with online access have implemented TFA. Either MD5 tokens or pre-printed one-time passwords.
You use the additional authentication for "dangerous" operations such as transfers to anyone or pre-defining transfers. You can execute the "reasonably safe" operations (transfers to pre-defined accounts) with just a login and a password.
Overall, a very good compromise between security and inconvenience. What I find strange is that banks in the US are so much behind -- most banks here have had TFA for more than three years now.
I was waiting for someone else to say it. :P
The bank could send you a sheet of paper containing one-time keys (4-digit numbers), credit card size. When you log in, you use your username/password combined with a number from the sheet.
This is OS and browser independent. It doesn't break. It doesn't take up much space in your wallet.
That's what my bank does (in Denmark).
/* Count to five, then roll over dead */
Funny though, my bank (ABN-AMRO) has always been using T-FA for its webbanking and it works perfectly fine on both Linux and Mac OS X. It is just a little card-reader that you use in combination with your ATM-card and PIN code to generate the proper response code to a challenge code provided by their site. You have to go through the process again to confirm any transaction you do, which is a bit of an inconvenience, even for a batch of transactions. It nonetheless makes me feel a lot more confident about the safety of their service. But that is the Netherlands for you, the banks here have always tended to err a bit on the paranoid side of things.
-- Spelling and grammar errors tend to be a sign of erroneous thinking.
In the Netherlands most banks have implemented a system like this:
1 go to the banks website
2 enter your account number
3 bank sends you a multi digit (typical 6 to 8 digits) code
4 enable your magic code box with your bank card and a PIN number
5 enter the multi digit code from the bank in the magic box
6 send multi digit (6 to 8 digits) response from magic box to bank
7 if all is OK you can go to your account information
At the moment you are authorising payments the banks sends you again a code and you will have to supply the response from your magic box to the bank.
This system is immune to phishing attacks. Every time you log in to your bank account the bank sends you a new multi-digit code.
The system is not immune to man in the middle attacks, but for large payments my bank asks for an extra authorisation code.
To make man in the middle attacks really hard the bank should send the code generated by the magic box if you enter the total amount of money transferred plus the sum of the last (three) digits of the bank accounts the money is transferred to, so you can check whether the data you sent to the bank has been tampered with before you authorise the transfer. But I am afraid that is too complicated for most users.
I am fairly happy with the system. It is not perfect but it is way better than systems with a list of predetermined TAN codes as passwords, which are very sensitive to phishing attacks.
Nyh
will it run on Linux?
Don't fight for your country, if your country does not fight for you.
Anyone who has ever worked in any sort of bank and experienced even the average authentication systems and mechanisms used on their systems will know that this will descend things into even more chaos. Yer, the systems will be more secure - no one will get in! If it isn't possible though, I doubt whether any guidelines or regulations will make a difference. Most banks totally ignore the vast majority of regulations except the important ones that will cost them a fine.
A lot of this is also a play by Microsoft to force the issue on smart cards, trusted computing and integrating it with Windows so they have a captive, monopoly market in this area.
Of course, this assumes that users not only need to be verified with TFA but, that each transaction is also signed with TFA separately.
This is BTW already what ABN AMRO (in the Netherlands) is doing, but they still use an 8 digit challenge/6 digit response for signing the transactions. So, with windows viruses rampaging, you can't be sure that the transaction you're signing is the one you're executing.
Han-Wen Nienhuys -- LilyPond
I just can not believe that American banks only use user names and passwords as authentication method. Is that a common factor with all US banks, or just a few who do not take security seriously?
All banks(that I know of) here in Sweden have "good" security, requiring two factor authentication in the form of an ActivCard+PIN, one time passwords + PIN or other similar techniques such as certificates.
Whatever they come up with, it will be reverse-engineered and duplicated in software. You'll just run a little command-line program that supplies whatever info the usb key would have. Everyone will have it, and "security" will be back to depending on your password.
The real security of an ATM is not the card, but the ATM itself! A private network. The weakness of Internet banking is anyone can pretend to be an "ATM", or intercept (some) communications.
RSA tokens are about as secure as you can get. Rolling code every 30 seconds. Having worked logging into LTSB's back end ATM infrastructure using RSA key fobs, this is a secure connection. You've 30 seconds before the code changes. 5 seconds to read, 10 seconds to log in, so an absolute maximum of 15 seconds for someone to steal the code, if they've got the skills to intercept a transmission of encrypted IP - that's if the code was entered at the beginning of the 30 seconds. Keep the fob with your keys and not in your wallet, with your 9-digit account ID, password, bank card to inform someone which site to use, personal word which you've written down on the back of the account ID card... And you're fine.
If people are complaining about a bank trying to make things as secure as possible, don't use the internet for personal finance - there's always telephone banking.
Mobile phones are commonly used now in Europe at least for just this reason. Mobile text messaging to users with a secure one time password is much preferred by the majority of users. You are much more likely to have your phone with you at all times, and you will notice faster if someone steals it or you lose it. This company has been providing one time password stuff for years: http://www.nordicedge.se/
the encryption key is constantly changing: it's like RSA secureID. every minute, the code on your token changes - you can sniff all you want but the result won't be valid for more than 60 seconds...
The question was about common ATM/credit/debit cards, which are NOT smart, but have a simple, easily read/written mag stripe. Possession of a card w/mag strip associated with an account cannot safely be assumed to indicate possession of a unique object, it could easily be a copy. Copies could be easily acquired by any retail sales clerk, and as you say - "they'll never know." That makes it logically no different than a piece of paper with information on it. That PIN is often only 4 numerical digits long, far less secure than most password requirements.
So I'll ask for the THIRD time, why is a mag stripe/PIN considered secure enough, while the combination of both unique and personally unidentifiable username and password are not?
It is very frustrating when people who seem like they should know this subject matter post information which adds absolutely nothing to the discussion.
"National Security is the chief cause of national insecurity." - Celine's First Law
The FFIEC did not tell banks they have to adopt two factor authentication. The FFIEC did tell banks to assess the risk, and "where risk assessments indicate that the use of single factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks." So banks may not have to do anything, or if something needs to be done, they can exercise other options besides two factor authentication. Really, all the regulators want is for the risk to be mitigated. They don't care how.
Just to give some more details about how this works.
Most (all?) bank cards in the Netherlands at least are smart cards with a normal magnetic strip. Smart card in that they contain a chip that can be used for authentication (I believe the chip contains its own private key and can do its own encryption; it probably has a certain amount of nonvolatile memory). The magnetic strip is used in shops for point of sale electronic payment.
Online banking. The small calculator device is simply an interface for talking to the chip on a bank pass. You insert the card and the device asks for your 4-digit PIN code. Logging onto the website involves entering your bank card number (this is not a CC number). The site then gives you a 7 or 8 digit number which you then enter into the device. The device signs the number and gives a 9-10 digit number which you then submit to the bank website. Assuming all went well, you're in. Transferring money requires another challenge/response. Transferring a large amount of money (>2000 euro I think) requires signing certain digits from the destination account number. (This guards against a man in the middle fiddling with your money transfers; they can't set the destination account number.)
All in all I think it is a very good and well thought out system. The devices are all the same, and all bank passes came standard with chips. The website even works well on Firefox and Konqueror.
Incidentally, the smart chips can also be used as electronic purses ("chipknip?", think electronic payment, micropayment) that you 'charge' up with money at an ATM and then can use in shops by putting the card in a chip reader and pressing one button to confirm the transaction. Despite the amount of advertising spent by the banks on this, it still hasn't caught on. I've never used it, and I've never seen anyone use it either.
cheers,
--
Simon
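The numbered steps in the earlier Dutch post (bank sends a code, the card reader turns it into a response, the bank checks it; plus the idea of signing the amount and the last three digits of the destination accounts) and Simon's description above are the same protocol seen from both ends. The following is an added example of that exchange, written for this page and not the code of any of the posters or of a Dutch bank. It assumes the chip and the bank share a per-card secret and that the reader computes an HMAC over the text typed into it; real readers use EMV keys and card-specific cryptograms, and the card numbers, PIN, secret, digit counts and account numbers below are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed data for this example. The chip on the card and the bank share a
# per-card secret, and the reader will not use the chip until the PIN is right.
# Real readers work with EMV keys and card-specific cryptograms; the HMAC over
# a text string, the digit counts and the account numbers are assumptions.
CARD_NO = "1234567"                                    # typed on the web site (step 2)
CARD_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
CARD_PIN = "4321"
BANK_DB = {CARD_NO: CARD_SECRET}                       # the bank's copy of the chip secret
RESPONSE_DIGITS = 9


def _code(secret: bytes, text: str, digits: int) -> str:
    """MAC a string with the card secret, truncated to a fixed-width decimal code."""
    mac = hmac.new(secret, text.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def new_challenge(digits: int = 8) -> str:
    """Step 3: the bank issues a fresh random challenge for every login or batch."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def reader_response(secret: bytes, pin_entered: str, pin_on_card: str, text: str) -> Optional[str]:
    """Steps 4 to 6, the 'magic box': the PIN gates the chip, the chip MACs what was typed."""
    if pin_entered != pin_on_card:
        return None                                    # wrong PIN: the chip stays silent
    return _code(secret, text, RESPONSE_DIGITS)


def bank_verify(card_no: str, text: str, response: Optional[str]) -> bool:
    """Step 7: the bank recomputes the expected code with its own copy of the secret."""
    secret = BANK_DB.get(card_no)
    if secret is None or response is None:
        return False
    return hmac.compare_digest(_code(secret, text, RESPONSE_DIGITS), response)


def tx_summary(amount_cents: int, dest_accounts: list) -> str:
    """The figures the earlier post suggests typing into the box for a batch: the
    total amount and the sum of the last three digits of every destination account."""
    return f"{amount_cents}:{sum(int(acct[-3:]) for acct in dest_accounts)}"


def sign_batch(amount_cents: int, dest_accounts: list, pin_entered: str) -> Optional[str]:
    """User side: the summary is built from the batch the user intended to send."""
    return reader_response(CARD_SECRET, pin_entered, CARD_PIN, tx_summary(amount_cents, dest_accounts))


def authorise_batch(card_no: str, amount_cents: int, dest_accounts: list, response: Optional[str]) -> bool:
    """Bank side: the summary is built from the batch the bank actually received."""
    return bank_verify(card_no, tx_summary(amount_cents, dest_accounts), response)


def demo() -> tuple:
    # Login: a response only matches the challenge it was computed for.
    chal, stale = "73051948", "10293847"               # fixed here so the run is repeatable
    login_ok = bank_verify(CARD_NO, chal, reader_response(CARD_SECRET, CARD_PIN, CARD_PIN, chal))
    replay_ok = bank_verify(CARD_NO, chal, reader_response(CARD_SECRET, CARD_PIN, CARD_PIN, stale))

    # Batch: 150.00 to account ...123 (constructed number). Malware in the
    # browser rewrites the destination to ...987 before it reaches the bank.
    intended, tampered = ["0417164123"], ["0417164987"]
    sig = sign_batch(15000, intended, CARD_PIN)
    honest_ok = authorise_batch(CARD_NO, 15000, intended, sig)
    mitm_ok = authorise_batch(CARD_NO, 15000, tampered, sig)

    # The weak spot of signing only the last three digits: a mule account that
    # happens to end in the same digits passes the check.
    same_tail_ok = authorise_batch(CARD_NO, 15000, ["9900000123"], sig)
    return login_ok, replay_ok, honest_ok, mitm_ok, same_tail_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True, False, True)
```

The last line of `demo()` is the caveat a practitioner would add to the "sign the last three digits" proposal: the response binds only the fields that went into the summary, so an attacker who can choose a destination account with a matching tail is not stopped. Signing the full destination account and amount on the reader's own display closes that gap, at the cost of more typing, which is exactly the usability trade-off the earlier post worries about.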
Entrust IdentityGuard is a cool solution (IMHO) for this type of two-factor authentication. "Bingo Cards" for banking!
24.VF 2887
25.XE 7598
26.MM 4747
So when I log in I'm asked "Does the key 26.MM exist on your card?" - if it doesn't I'm not supposed to enter my password. There's still some kind of middle man attacks possible (if I trust the wrong SSL certificate), but it helps a bit.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
Bingo!.
Outbound interactive voice systems is the answer.
You enter your transaction on your internet banking site.
The Bank phones you on a previously set up number, reads the target account and the amount, and gives you a one time passcode (6-8 digits)
You enter the passcode into the web to authorise the transaction.
MITM attacks now need to hijack your phone line AND your PC simultaneously. The attacker can steal the one time passcode but because the phone system verifies the amount and target account with you, he can't use it to do anything other than what you want to do.
Simple, cheap and very secure (depending on how secure the bank is at setting up the phone numbers). This solution should last at least until VOIP makes attacking your phone number easier.
I don't understand why this isn't obvious to everyone (and esp not to the mods, or maybe it is and that is why the parent post scrapes a miserly +1)
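The flow in the post above (submit on the web, the bank phones a pre-registered number, reads back target and amount, and only then dictates a one-time passcode) is easy to get subtly wrong on the server side: the code has to be tied to the exact transaction the bank received, usable once, and short-lived. The following is an added example of that server-side state machine plus the human step on the phone; it is not code from the poster or from any bank. The phone number, account numbers, amounts, 8-digit code and 120-second lifetime are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed data for this example. The enrolled number is set up out of band
# and cannot be changed from a web session; that is the assumption the whole
# scheme rests on (see the post's "depending on how secure the bank is at
# setting up the phone numbers").
ENROLLED_PHONES = {"alice": "+31 20 555 0100"}


@dataclass
class Pending:
    target: str
    amount_cents: int
    code: str
    expires: float
    used: bool = False


@dataclass
class Call:
    number: str
    target: str
    amount_cents: int
    code: str


class Bank:
    """Web side: queue a transfer, trigger the outbound call, accept the passcode."""

    def __init__(self, clock: Callable[[], float] = time.time, ttl: float = 120.0):
        self.clock, self.ttl = clock, ttl
        self.pending: Dict[Tuple[str, str], Pending] = {}
        self.ivr_calls: List[Call] = []                 # stands in for the outbound IVR

    def submit(self, user: str, target: str, amount_cents: int) -> str:
        code = str(secrets.randbelow(10 ** 8)).zfill(8)
        txid = secrets.token_hex(8)
        self.pending[(user, txid)] = Pending(target, amount_cents, code, self.clock() + self.ttl)
        # The IVR reads back what the bank received, then the code bound to it.
        self.ivr_calls.append(Call(ENROLLED_PHONES[user], target, amount_cents, code))
        return txid

    def authorise(self, user: str, txid: str, code_entered: str) -> bool:
        p = self.pending.get((user, txid))
        if p is None or p.used or self.clock() > p.expires:
            return False
        if not hmac.compare_digest(p.code, code_entered):
            return False
        p.used = True                                   # one code, one transfer
        return True


def user_answers(call: Call, intended_target: str, intended_amount: int) -> Optional[str]:
    """The human on the phone: write the code down only if what is read back
    matches the transfer they actually meant to make."""
    if call.target == intended_target and call.amount_cents == intended_amount:
        return call.code
    return None                                         # hang up and phone the bank


def demo() -> tuple:
    now = [1_000.0]
    bank = Bank(clock=lambda: now[0])

    # 1. Honest transfer: web form, call, code typed back.
    tx1 = bank.submit("alice", "0417164123", 25000)
    code1 = user_answers(bank.ivr_calls[-1], "0417164123", 25000)
    honest_ok = bank.authorise("alice", tx1, code1)

    # 2. Malware swaps the destination on the way to the bank. The phone reads
    #    the swapped account, Alice refuses, so there is no code to steal.
    tx2 = bank.submit("alice", "0417164987", 25000)     # what the bank saw
    code2 = user_answers(bank.ivr_calls[-1], "0417164123", 25000)
    mitm_ok = bank.authorise("alice", tx2, code2 or "")

    # 3. A keylogger caught code1. It is bound to tx1 and already spent.
    tx3 = bank.submit("alice", "0417164987", 25000)
    stolen_ok = bank.authorise("alice", tx3, code1) or bank.authorise("alice", tx1, code1)

    # 4. Codes expire: a call answered after the window is too late.
    tx4 = bank.submit("alice", "0417164123", 1000)
    code4 = user_answers(bank.ivr_calls[-1], "0417164123", 1000)
    now[0] += 121
    late_ok = bank.authorise("alice", tx4, code4)
    return honest_ok, mitm_ok, stolen_ok, late_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

Two things the code makes explicit that the post leaves implicit: the IVR must read back the transaction as the bank received it (not as the browser displayed it), or the read-back is worthless against a man in the browser; and the passcode must be looked up by transaction, not merely checked for existence, otherwise a stolen code authorises whatever the attacker submits next. The scheme still assumes the second channel is not the same compromised device, which is the VoIP and smartphone worry raised elsewhere in this thread.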
The very nature of strong, well-implemented TFA makes man-in-the-middle attacks impossible.
:(
With something like SecurID (which is now very successfully implemented @ E*Trade and places like the Federal Gov't), you can have the path, you can capture every keystroke to get my PIN, but unless you get the token (which I'm reporting missing the second I lose it) and the PTB don't know it's lost, you've got nothing. That's the whole idea behind shared secret pseudo-random number based authentication.
I've talked to guys for whom 2048-bit RSA keys weren't strong enough and who would never conceive of using anything short of one-time pad out-of-band authentication for things like email and whatnot, but they were f$%&ing weirdo conspiracy theorists; not at all like the joe schmoe who just wants to check his balances and pay bills online.
Full disclosure: I USED to work for RSA Security, but my options were worthless and they took them away when they laid me off anyway.
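Several posts above describe the rolling-code fob (a new code every 30 or 60 seconds, so a sniffed code is worthless after the window). The following is an added example of how such a verifier is built and where its window actually bites; it is not RSA's code, whose SecurID algorithm is proprietary, nor the poster's. It uses the open TOTP construction (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1, 30-second steps), which behaves the same way for the point at issue. The seed is the RFC's published test seed, the timestamps are constructed, and the one-step clock-skew tolerance is an assumption.

```python
import hashlib
import hmac
import struct

# The RFC 4226 / RFC 6238 test seed, used here so the run is repeatable.
# A real token's seed is, of course, secret.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: what the fob displays at time `at` (seconds since the epoch)."""
    return hotp(secret, int(at // step), digits)


class TokenServer:
    """Verifier with clock-skew tolerance and an 'each step accepted once' rule."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_step_accepted = -1

    def verify(self, code: str, at: float) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        current = int(at // self.step)
        for c in range(current - self.skew, current + self.skew + 1):
            if c <= self.last_step_accepted:
                continue                      # a step already used is burned, so a replay fails
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_step_accepted = c
                return True
        return False


def demo() -> tuple:
    t = 1_000_000.0
    shown = totp(RFC_SEED, t)                     # what the user reads off the fob
    srv = TokenServer(RFC_SEED)
    user_ok = srv.verify(shown, t + 5)            # typed in 5 s later: accepted
    replay_ok = srv.verify(shown, t + 12)         # keylogged and replayed in the same window: refused

    # The catch: if the attacker relays the code before the user's own login
    # arrives, the server has no way to tell the two apart.
    fresh = TokenServer(RFC_SEED)
    relay_ok = fresh.verify(shown, t + 3)
    return user_ok, replay_ok, relay_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The "burn the step" rule in `verify` is what stops a captured code from being reused inside its 30 seconds, and it is cheap enough that there is no reason to skip it. What the window does not help with is a real-time relay: a code forwarded to the bank a few seconds before the legitimate login is indistinguishable from the legitimate one, which is why the earlier posts about a second channel or per-transaction signing are about a different threat than the one the fob addresses.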
There are 4 main systems in place:
The first requires you to carry your little "calculator" with you if you want to make payments. When you receive your calculator you have to enter a specific code to link the calculator to your account.
The second allows you to use the "calculator" from other people, because you have to insert your bank card into the device (most bank card in The Netherlands have a digital chip on the card). So if you are not at home, but you can borrow a calculator, you can make transactions.
The third system asks you to pick a number from a sheet with random numbers. This list is send by the bank via postal mail to you. Once a number is used, it is no longer valid. When all codes are used, you will receive a new list.
The fourth system is the easiest. Each time you want to make a transaction the bank sends you a code in an SMS text message to your mobile phone (the mobile number was registered before with the bank). You can then use this number as the response.
Most people are used to this kind of authentication and do not find it difficult to use. Electronic banking is also moving towards a unified payment across different banks. They have introduced iDEAL http://www.ideal-betalen.nl/. When an e-merchant is connected via iDEAL then you can click on the iDEAL logo as a payment option. You then select your own bank from a list and you are then forwarded to your normal electronic banking pages from your own bank. You use the same system that you would normally use to transfer money and in the background a notification is sent to the e-merchant when you have submitted the order.
The former is true, the latter less so in general. The banking problem is one security issue where you only have to outrun the bear. Computer security in general sometimes includes problems where you're not trying to outrun the bear, but outrun a hurricane... or the radiation shockwave from a nuclear blast. Warhol worms are friends to no-one.
//Information does not want to be free; it wants to breed.
I work for one of the largest banks in the US. As a developer, I have access to all sorts of personal information (account number, date of birth, SSN, and yes, even PIN) from the comfort of my own terminal. No amount of added security from the user is going to change that. I basically live in an identity thief's paradise. Banks need to look inward, to their own employees first, before trying to protect the general public.
Fortunately, my bank has recognised the problem, and has started mandating database-level encryption for all personally identifiable customer data (SSN, PIN etc.). Being such a large company, however, this move will take a long time, and some obscure datamart somewhere is sure to fall through the cracks. I guess the real lesson is that your data is only as secure as the people who handle it inside the company.
My "assumption" is not an assumption, but a fact - not one card in my wallet is "smart," and I doubt the vast majority of authorization terminals are capable of taking advantage of smartcards, even if they were. Ipso facto, the combination of mag stripe and PIN is considered secure enough for millions of transactions per day.
Wouldn't it make more sense to first require smartcards and readers to be implemented, as such transactions are far more frequent than Internet ones? The whole thing stinks of someone from a firm invested in biometrics or some other pillar of TFA convincing the Feds to implement this rule, with an expectation of increased sales.
"National Security is the chief cause of national insecurity." - Celine's First Law
WHAT is your quest? WHAT is the air-speed velocity of an unladen swallow?
I am not left-handed, either!
where the identification and authentication framework is mandated by law but anyone is free to provide a conformant infrastructure. To use the so-called "Bürgerkarte" (or citizen card) you can actually use anything from a bank card with on-board chip, an eHealth card or even your mobile phone (where you authenticate via your supplier who sends a single-transaction PIN as a challenge-response mechanism) and you can use any of the mechanisms for any of a range of services, including, soon, online banking. As all implementations use the same authentication mechanism, you will be able to use your phone to authenticate for eHealth services, and even your card from one bank to authenticate with your account in another... and you can have as many "instances" of the "card" as you want, provided by a range of public and private sector suppliers. Many hardware suppliers are getting in on the act and supplying card-readers as standard with new PCs, for those who want... What's more, as there is no personal data on-card and a hashing mechanism before any id token is passed to an eService supplier, there is also the strongest personal data protection possible: no one service can scrape any personal data from a transaction http://www.cio.gv.at/identity/ and http://europa.eu.int/idabc/en/document/885/331
Swiss and German Banks have been doing this for years, in varying degrees. Some like Credit Suisse gave out SecurIDs. Others, like the Swiss Postbank and Sparkasse, sent out long sheets of random numbers. The websites required a pin, account number and the next unused number on your list.
It worked very well, and it wasn't rocket science.
And, honestly, it is not as if most US institutions are actually going to comply with this by the deadline. There will be so many inane waivers available that push the deadline back in significant ways, b/c the government is too scared to hold anyone accountable or provide leadership.
Two Factor Authentication is not the only part of the problem. It does help a lot for strong authentication of the client. Some other important parts of the problem are:
On the server side, need to make some changes as well.
The bottom line:
I've wasted a lot of money in my life, the rest I spent on motorcycles and women.