Slashdot Mirror


Banks to Use 2-factor Authentication by End of 2006

Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."

15 of 313 comments

  1. Great, if they keep it compatible by Kelson · · Score: 4, Interesting

    Sounds great, as long as they don't take the opportunity to lock out their actual customers.

    Good ideas:

    • Hardware that doesn't actually need to be plugged into the computer (such as the token with constantly-changing access codes)
    • Hardware dongle that plugs into the USB port and talks to the computer using standard USB protocols

    Bad ideas:

    • Hardware dongle that requires you to install drivers. Even if they commit to producing cross-platform drivers, there's always going to be some obscure platform that they didn't think was worth implementing. (See today's article on the lack of 64-bit Flash for an example of why this is an issue.)
    • Smart cards for the next few years, until readers are as ubiquitous as USB is today. Lots of computers still ship without memory card readers, and I shouldn't be forced to buy one to do something I can already do without it. (In my case I'm just stubborn, but you can bet there will be people for whom the money to buy a card reader is money that they'd rather spend on, say, food for that week.)

    Bottom line: These are average people on home PCs, not corporate desktops where they can dictate the hardware/OS config, and anything that takes too much time/effort/skill/cash to install is going to be prohibitive. If banks keep that in mind, this should work. If not, they'll find a sharp drop in use of their online services.

  2. Why couldn't they just by geekoid · · Score: 2, Interesting

    have the customer register an email account, preferably by going into a branch.

    Then, when they log in to the system, it sends a temporary-use code to the email address.
    Not used in 5 minutes, it is no longer any good.

    Older than 30 minutes, you're logged out; the number is no longer any good.

    In the email, you just send the number. If all banks used the same sender to send the code, then people intercepting it would not know what bank it came from.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

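
geekoid's scheme above (a code mailed at login, dead if unused for 5 minutes, and a session that ends after 30) is concrete enough to sketch the bank side of it. The Python below is an added example, not code from the post or from any bank: it assumes an in-memory store, uses an injectable clock, and stands in for the mail system with a list of "sent" messages. The pending code is consumed on the first attempt whether or not it matches, so each guess costs the attacker a fresh email to the registered address.

```python
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 5 * 60        # an unused code dies after 5 minutes
SESSION_TTL = 30 * 60    # a session dies after 30 minutes


@dataclass
class PendingCode:
    code: str
    issued_at: float


@dataclass
class Session:
    user: str
    started_at: float


class EmailCodeLogin:
    """Second step of a login, run after the password has already checked out
    (added example; assumes an in-memory store and a stand-in for outbound mail)."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be exercised
        self.emails = {}      # user -> address registered in the branch
        self.pending = {}     # user -> PendingCode
        self.sessions = {}    # token -> Session
        self.outbox = []      # (address, body) pairs a real system would send

    def register_email(self, user: str, address: str) -> None:
        self.emails[user] = address

    def start_login(self, user: str) -> bool:
        """Issue a fresh 6-digit code and 'mail' it; replaces any older pending code."""
        address = self.emails.get(user)
        if address is None:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = PendingCode(code, self.now())
        self.outbox.append((address, code))   # body is just the number, no bank name
        return True

    def finish_login(self, user: str, code: str):
        """Return a session token, or None. The pending code is consumed on the
        first attempt whether or not it matches, so a guess costs a new email."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return None
        if self.now() - entry.issued_at > CODE_TTL:
            return None
        if not secrets.compare_digest(entry.code, code):
            return None
        token = secrets.token_urlsafe(24)
        self.sessions[token] = Session(user, self.now())
        return token

    def session_user(self, token: str):
        """Who owns this session, or None once it is older than 30 minutes."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.now() - sess.started_at > SESSION_TTL:
            del self.sessions[token]
            return None
        return sess.user
```

The session timeout here is measured from login, as the post describes, not from last activity; an idle timeout would need a `last_seen` field updated on every request.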
  3. How about "Common Sense" authentication? by connah0047 · · Score: 2, Interesting

    Before these banks implement high-tech security, they ought to consider common sense security. How many banks have I walked into where the back of the computers are exposed for a would be "hacker" to slip a keystroke recorder onto the PS/2 port? How many banks have I walked past on the sidewalk and their windows are wide open with no blinds and you can see directly onto the monitor with account numbers, etc on them? How many banks have I called and asked for information about my account and they failed to verify my identity before answering questions about my personal information?

    Too many.

  4. Re:good idea, in my opinion. by Quizme2000 · · Score: 2, Interesting

    Great, when I got mugged before they just wanted my wallet. Now they'll want my left index finger too.

    This is another in a long series of laws/policy that serves the "It sounds like we should do this" crowd. Read through the BS and it's the insurance (FDIC in the US) behind the banks pushing policy. It does nothing to protect the identity/credit of consumers.

    --
    "Get them before they get....
  5. Australian Bank by Cave_Monster · · Score: 4, Interesting

    There is a bank here that already has implemented this strategy. They offer small devices that display an ever-changing PIN that you must enter alongside your user ID and password to login to their website. They provide two options, one is a small device that simply requires you to press the button for the PIN to be displayed. The other is slightly larger but requires you to input a separate PIN into the device before it displays the other PIN needed for their website. The extra size is simply to accommodate the keypad.

    Taking up the extra security is entirely up to the individual and is gradually being introduced to customers, though it costs a reasonable amount of money to actually order a security device.
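The post above does not say which algorithm the bank's token uses; the usual design for a device that shows an ever-changing PIN is a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP), and that is the assumption behind the Python below. It is an added example, not the bank's or the poster's code: it computes the value such a token would display and shows the bank-side check with a one-step clock-drift window and rejection of a replayed code. The secret is the RFC test-vector key, not a real one.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix time // step.
    This is what the token in the customer's pocket computes and displays."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Bank-side check of a submitted code (added example, not any bank's code)."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, now=time.time):
        self.secret = secret
        self.window = window      # accept +/- this many steps of clock drift
        self.step = step
        self.now = now            # injectable clock so the check can be tested
        self.last_counter = -1    # highest step already accepted: blocks replay

    def verify(self, code: str) -> bool:
        current = int(self.now()) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue  # a code for this or an earlier step was already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 6238 test-vector secret, not a real key
    print(totp(key, 59))            # 287082 (the last 6 of RFC 6238's 94287082)
```

The `last_counter` bookkeeping is what turns a code that is merely short-lived into one that is single-use: once a code for a given 30-second step has been accepted, the same code (and any code for an earlier step inside the drift window) is refused.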

  6. There is already two factor authentication by Anonymous Coward · · Score: 1, Interesting

    There are already two factors of authentication required:

    1. username or account number
    2. password

    What is actually being discussed is a third factor of authentication. This would be extremely harmful to usability because people have enough trouble remembering two things. In fact, Jef Raskin suggests in his book "The Humane Interface" that systems should only require 1 factor of authentication--a password. He explains that if a password is made up of real words (such as "book-garbage-soda-airplane") not only will it be easy to remember (good for usability) but that it will be extremely difficult to guess as well as accidentally have two users with identical passwords. For example, if a dictionary of 10,000 words is used to generate a password that contains only 3 words, that would yield 1,000,000,000,000 possible unique passwords.

  7. Found this... by azatht · · Score: 3, Interesting

    http://www.schneier.com/blog/archives/2005/03/the_failure_of.html

    Also, is this similar to what we have had in Sweden for a couple of years for our banking systems? We have a personal badge that we enter a PIN and a temporary code into to get a new temporary code to be able to authenticate?

    --
    ------- In the end there is no beginning

  8. my bank already implemented a low tech version by PhiberOptix · · Score: 4, Interesting

    I received a mail from my bank with 70 different 3-digit codes.

    01-252 06-743
    02-053 07-064
    03-113 08-766
    04-963 10-244
    05-855 11-111 ...

    Every time I log in, it asks for a PIN number (which can't be typed on the keyboard; you have to pick the numbers on the screen keyboard with your mouse), a secret phrase and a random code from this card.

    Sure, it's really far from RSA, as my code doesn't change and anyone can easily just photocopy my card. But I thought that it was a creative solution to implement a two factor auth that even dummies would understand, while providing a lower cost to implement.
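
The card in the post above is a list of indexed codes. The Python below is an added example of how the bank side of such a card can work; it is not the poster's bank's code, and where the post says the codes never change, this version retires an index after a successful use, which is an assumption about a hardened variant rather than a description of that bank. It picks a random unused index as the challenge and allows one answer per challenge. Retiring indices stops someone who glimpsed a single code from replaying it; as the post notes, it does nothing against a photocopy of the whole card, since the attacker then holds the same factor the customer does. The sample pairs used when the block runs stand-alone are the ones printed in the post.

```python
import secrets


class CodeCard:
    """Bank-side record of one customer's printed code card (added example)."""

    def __init__(self, codes=None, size=70):
        # codes: {index: "3-digit string"}; generated at random when not supplied
        if codes is None:
            codes = {i: f"{secrets.randbelow(1000):03d}" for i in range(1, size + 1)}
        self.codes = dict(codes)
        self.used = set()        # indices spent by a successful login
        self.challenge = None    # the index the customer was just asked for

    def render(self) -> str:
        """The text that goes in the envelope: one 'NN-CCC' pair per line."""
        return "\n".join(f"{i:02d}-{c}" for i, c in sorted(self.codes.items()))

    def remaining(self) -> int:
        return len(self.codes) - len(self.used)

    def next_challenge(self):
        """Pick a random index that has not been spent; None when the card is exhausted."""
        unused = [i for i in self.codes if i not in self.used]
        if not unused:
            return None
        self.challenge = secrets.choice(unused)
        return self.challenge

    def verify(self, index: int, code: str) -> bool:
        """One attempt per challenge: a wrong answer voids the challenge,
        a right one retires the index so it is never asked for again."""
        if self.challenge is None or index != self.challenge:
            return False
        self.challenge = None
        if index in self.used or not secrets.compare_digest(self.codes[index], code):
            return False
        self.used.add(index)
        return True


if __name__ == "__main__":
    # the five pairs quoted in the post, as constructed sample data
    card = CodeCard({1: "252", 2: "053", 3: "113", 4: "963", 5: "855"})
    idx = card.next_challenge()
    print(f"please enter code {idx:02d}:", card.verify(idx, card.codes[idx]))
```

Voiding the challenge on a wrong answer matters more than it looks: with three-digit codes, a server that let the customer keep trying the same index would give a phisher who has no card at all a 1-in-1000 shot per attempt.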
  9. Burden of Proving Fraud Shifted to Customer by Ron+Bennett · · Score: 4, Interesting

    I'm surprised no one mentioned it yet - bank customers that choose to use (likely have no choice eventually) two factor authentication may be in for a nasty surprise ... I bet, much like Verified by Visa, the onus of proving fraud will be further shifted to the customer - banks will contend that two factor authentication is super-duper secure and any security violation must be solely the customer's fault.

    Speaking of fault ... two factor authentication, as proposed, is faulty from the start ... sure the barrier for fraudsters is a bit higher, but not by much ... a variant of the traditional man in the middle attack is all it takes...

    Keys, etc are no good if the fraudster takes control of the victim's computer itself ... and even worse, the fraudster may not even have to program a complicated trojan, since many folks already use software (or unknowingly have it installed) that allow for remote access.

    Banks are going to love this - sure the key tokens, etc are going to be a hassle for them to distribute, etc, but in the long run banks will be able to shift more of the risk to the customer unless consumer groups speak up ... perhaps they have ... if anyone here knows more, please reply - thanks!

    Ron

  10. Re:No fraud needed by Godeke · · Score: 2, Interesting

    That's nifty if you can get it, but my state isn't participating:

    http://www.bankrate.com/brm/news/cc/20030613c2.asp (updated as of July 2005).

    So if you are in a state that allows it, I think this is an excellent idea. For the rest of us, I guess we will have to fend for ourselves.

    --
    Sig under construction since 1998.
  11. One-time PAD isn't working either. by Anonymous Coward · · Score: 1, Interesting

    The phishers are requesting not only your personal info, bank account numbers and PIN; they are telling people that they also need the next two one-time PAD codes for test purposes. You know what, people are sending phishers the requested one-time PAD authentication codes. I believe the Register had an article on this not too long ago.

    As Bruce Schneier recently stated, this problem will continue until financial institutions are made 100% responsible for all aspects of this problem. That includes the cost of cleaning up the mess afterwards etc. IMHO. Hell, they used to give away toasters, they can afford to give everyone that wants to bank online smartcard readers etc.

  12. Re:One more damn thing to carry around by spectral · · Score: 2, Interesting

    The fact that they haven't yet indicates that they aren't so sure then, doesn't it? If it would be in their benefit, why is the government forcing them into it?

  13. More info needed, and this is inconvenient! by Frank+T.+Lofaro+Jr. · · Score: 2, Interesting

    Just who is the "Federal Financial Institutions Examination Council (FFIEC)", under what statutory authority (if any) do they mandate two factor authentication, and what penalties will there be if a bank allows customers to continue to use a userid and password alone?

    Userid and password is simple, and effective in most cases.

    The Feds want more security here, yet if I ask my bank to only accept ACTUAL PHYSICAL checks with my signature on them before honoring them and paying the other banks, it is ILLEGAL for my bank to give me what I want and refuse to accept a "substitute check". It is ILLEGAL for a bank to insist on security which would go a long way towards stopping check fraud, something which I can't protect against.

    Whereas phishing attacks require stupidity on the part of the user.

    Why protect people from something they can protect themselves against, yet not protect us from something we can't protect ourselves from (people can forge our signature, and anyone getting a check from us has the routing number and account number, which is all they need)?!

    If you don't understand the basics of computer security, you shouldn't be allowed to bank on the Internet. If you don't understand the basics of operating a car, you shouldn't be allowed to drive on public roads. Same principle at work here.

    Don't take away my convenience and require me to carry a smart card (oops, left it at home and can't do some needed banking at work or on vacation - sucks to be me) because of others' stupidity.

    Let the stupid people lose their money, get off the Internet and/or go broke and die.

    We mollycoddle the stupid way too much in this country (USA).

    If they must DO SOMETHING, just mandate the banks block *.aol.com at the firewall and be done with it.

    95% of the problem will be solved.

    Or have the server attempt the common Windows exploits, if they fail, the user isn't on Windows or has actually secured Windows - in either case they likely aren't terminally stupid - and the banking session should be allowed.

    Now 99% of the problem is solved.

    As for the remaining 1%, guess what, nothing is perfect. Even with 2 factor authentication, once logged in, a malicious hacker with control of your PC can add an illicit transaction request to the banking session.

    In any event, people should be responsible for computer security. Secure your damn PC, learn to not trust spammers and scammers and don't be a dumbass.

    Or stay off the Internet, and don't cross the street either if you are an idiot.

    --
    Just because it CAN be done, doesn't mean it should!
  14. Re:One more damn thing to carry around by Baricom · · Score: 2, Interesting

    But I'm betting you wouldn't sign a waiver relieving them of liability if you opt out of using their T-FA...

    It depends. If the waiver covered them purely for losses incurred through phishing, I would happily sign it. I use only secure computers to get to my bank's web site, and I type the URL by hand. I would rather not carry a token to access just one web site.

    On the other hand, if they wanted to extend the waiver to all forms of account loss, regardless of whether it involved an online transaction or not, I'd be more concerned about signing it.

  15. Re:One more damn thing to carry around by letxa2000 · · Score: 2, Interesting

    I daresay that major credit card issuers could issue smartcard readers to all their customers and make a profit off of the reduced fraud.

    Huh? How often do major credit card issuers take a loss from fraud? Not often. I'm a CC merchant and if I get a chargeback, Visa/Mastercard doesn't eat the loss (even though they authorized the charge)... they just take the money back out of my account and stick me with, what, a $25 chargeback fee? Visa/Mastercard makes money off of fraud.

    Visa/Mastercard is one of the biggest racketeering schemes in modern history... They get about 2% of every transaction, $25 off of every chargeback, and the merchant gets to run the risk of fraud... not Visa/Mastercard. What a scam!