Slashdot Mirror
Banks to Use 2-factor Authentication by End of 2006
Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."
I would embrace T-FA. I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful. But for modest investment and great added peace of mind, I look forward to this.
Ironically, in the slashdot article reference to T-FA, the wikipedia gives as a downside to T-FA:
I think this actually strengthensstill does not ensure the intrude has access to one of the two pieces (something you know, and something you have).
Too, how many (documented) massive identity theft rings are of the "gaining access to personal computers" ilk? None that I can think of.
For a little more work or inconvenience, I think this adds much security.
Straight from the FFIEC's mouth.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
CVV2 is intended to insure that the owner of the card is physically in posession of the card.
Moreover, anyone maintaining a database with CC #'s (web sites, banks, etc.) cannot store CVV2 codes in their databases beyond the life of a given transaction. Literally seconds. This is how it helps, because anyone that gains unauthorized access to a database with CC's is not going to be able to use those cards at any merchant that requires a CVV2 (95% of any phone or web based business).
What you can do legally is to freeze your credit reports. You have to do it with each agency and yes it costs a fee, but a nominal one like $15. Then nobody can get your credit information, they will simply refuse it. When you then need credit you call the correct agency and have them temporarily thaw your account. Sometimes it's a time based thing, sometimes it's a code based thing (as in they give you a code to give to the person checking your credit).
Now this of course makes it much harder to get credit. No walking in to a cell store and walking out with a phone. You need to plan ahead, find out who the creditor uses for their credit checks (with few exceptions they use only one of the three agencies) and have them take the steps necessary to make your report available.
However it's quite secure, moreso than a fraud alert, and it's totally legal to get.
They are both the same kind of authentication, and thus both have the same venurability. The reason people talk about the something you have/know/are thing is each is strong and weak in a different way:
Something you have (a key, a smartcard, etc) is strong because it has to be stolen to be of any use, someone has to physically take it. You can't just look at a smartcard and have it do you any good, you have to be in physical posession of it. However that's also the downside, it CAN be stolen. Someone can just grab it when you aren't looking.
Something you know (a password or username) is strong because it's stored in your head, nothing to physically steal, nothing to lose. However it's weak because if someone discovers it, you'll never know. They don't need to take anything, just know what it is and they can use it. Also complexity is limited by what you can remember.
Something you are (a fingerprint, an iris scan) is strong because you are unique, and it's a part of you. You never lose it, and peopel can't really fake it because, well, it's a part of you. The weakness is that what you are changes, and the ability to read it isn't 100% accurate, so someone CAN fake it out potentially.
Now, because of this, real strength comes form having two or three of these methods. If you just have passwords, even if you have 3, all someone needs to do is learn them and they are in. However if you need a smart card, a password, and a fingerprint the person has to get an impression of your finger and make a convincing dupe, then find out what your password is, then steal your smartcard, and then use it all before you notice any of this and invalidate the account.
So it's not worthless to have more of the same kind of authentication, but it's not nearly as good as having multiple kinds of authentication.
Yes, you can still try a man-in-the-middle-attack. However, security is not a binary condition (you're either totally secure or wide open), it's relative. AKA, I don't have to outrun the bear, I only have to outrun you. This is also the principle behind car alarms: there are car alarms that can be defeated, some more easily than others, but the main point of a car alarm is to make my car a more difficult/less attractive target than the one next to it.
Similarily, what does a Smartcard authentication system over https do for you, as opposed to a simple username and password over https?
It raises the bar, while also making people without a Smartcard more attractive targets. Compromising a username and password is fairly easy - people fall for phishing attacks all the time. If a Smartcard and PIN are also needed, a man-in-the-middle attack doesn't do you much good. You can't get my PIN (you'd also need a keystroke logger on my computer for that) and even if you had it, unless you also stole my Smartcard you'd still be SOL.
Not to mention that a man-in-the-middle attack is far harder to achieve than sending out a phishing mail or doing a brute-force attack against a weak password. Anyone can send out phishing mails or use a password-attack script; far fewer people have the wherewithal to mount a successful man-in-the-middle attack. So if I have a Smartcard + PIN that I need to use to authenticate to my bank and you don't, I've outrun you. I don't have to worry as much about the bear.
Where I work, we use Smartcards and PINs for authentication to our network, in addition to a userid and a high-quality password that must be changed regularly and may not closely resemble the old one. How does this raise security? In two ways: first, if someone gains unauthorized accesss to a computer inside one of our facilities, they can't do much with it unless they also have a card and PIN. Assuming they stole a card and got inside the building and found a computer in an isolated place and put the card in, they'd still need the PIN, and brute-forcing it would take a while because it's 6 digits minimum (mine is longer). Of course, you also only get a few tries before the PIN is disabled.
The second case is if someone were to steal my laptop in an airport, from my trunk, etc. It has a VPN client to our company network, but that won't do you any good without the Smartcard and PIN, either.
In both cases, our network is made far more secure by using Smartcards and PINs. It is not only the accepted wisdom that "something you have and something you know" is far more secure than a username/password-only system, it is just plain correct.
Many banks in Europe have been using one-time PADs for years; it's about time US banks are getting with the program on security, and disappointing that they're only doing it because somebody made them. If any bank here could offer me Smartcard + PIN or one-time PAD authentication today, they'd have my business right now.
Actually, that is what's happening in Korea.
What we use is a security card (like one-time pad) and we get a certificate key from a key authority identifying the user by using the one-time pad.
The problem is, everytime there is a news of someone's bank account getting hacked (and there has been few instances of such), the bank blames the user for not handling the security properly and usually will reset the balance.
However, on the other hand, I do see the point of the bank. If the user doesn't take minimum precautions, what is the bank supposed to do?
I was with ya until this comment: I don't think you're describing it correctly.
Man-in-the-middle implies that your communication is going to destination A, via intermediaries B, C, and D. Phishing, and what you describe, implies that for some reason you've been tricked in to setting your end destination as D, who will eventually go to A for you, but you addressed it wrong. Yes, I guess this person is technically "in the middle" of the chain of where you WANT to go, but if you had been smart about saying your correct destination, D would have no way to work unless they were able to hijack your stream the first time and every time thereafter to inject their own cert (I guess only the first time matters, since if they have your info once they can fuck you over royally.. but if it's not the first time you'll get a cert error).
Phishing is NOT man in the middle. It's just social engineering to get people to think that D really is A. This is why anything that matters, you type it in yourself. But, most people don't know to do that, I'm afraid.