Slashdot Mirror

← Back to Stories (view on slashdot.org)

Banks to Use 2-factor Authentication by End of 2006

Posted by samzenpus on from the proof-positive dept.

Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."

4 of 313 comments (clear)

  1. Great, if they keep it compatible by Kelson · · Score: 4, Interesting

    Sounds great, as long as they don't take the opportunity to lock out their actual customers.

    Good ideas:

    • Hardware that doesn't actually need to be plugged into the computer (such as the token with constantly-changing access codes)
    • Hardware dongle that plugs into the USB port and talks to the computer using standard USB protocols

    Bad ideas:

    • Hardware dongle that requires you to install drivers. Even if they commit to producing cross-platform drivers, there's always going to be some obscure platform that they didn't think was worth implementing. (See today's article on the lack of 64-bit Flash for an example of why this is an issue.)
    • Smart cards for the next few years, until readers are as ubiquitous as USB is today. Lots of computers still ship without memory card readers, and I shouldn't be forced to buy one to do something I can already do without it. (In my case I'm just stubborn, but you can bet there will be people for whom the money to buy a card reader is money that they'd rather spend on, say, food for that week.)

    Bottom line: These are average people on home PCs, not corporate desktops where they can dictate the hardware/OS config, and anything that takes too much time/effort/skill/cash to install is going to be prohibitive. If banks keep that in mind, this should work. If not, they'll find a sharp drop in use of their online services.

  2. Australian Bank by Cave_Monster · · Score: 4, Interesting
    There is a bank here that already has implemented this strategy. They offer small devices that display an ever-changing PIN that you must enter alongside your user ID and password to login to their website. They provide two options, one is a small device that simply requires you to press the button for the PIN to be displayed. The other is slightly larger but requires you to input a seperate PIN into the device before it displays the other PIN needed for their website. The extra size is simply to accomodate the keypad.

    Taking up the extra security is entirely up to the individual and is gradually being introduced to customers, though it costs a reasonable amount of money to actually order a security device.

  3. my bank already implemented a low tech version by PhiberOptix · · Score: 4, Interesting
    I received a mail from my bank with 70 different 3 digit codes.
    01-252 06-743
    02-053 07-064
    03-113 08-766
    04-963 10-244
    05-855 11-111 ...
    everytime i login, it asks for a pin number(which can't be typed in the keyboard, you have to pick the numbers in the screen keyboard with your mouse), a secret phrase and a random code from this card.

    sure, it's really far from RSA, as my code doesn't change and anyone can easily just photocopy my card. but i thought that it was a creative solution to implement a two factor auth that even dummies would understand, while providing a lower cost to implement.
  4. Burden of Proving Fraud Shifted to Customer by Ron+Bennett · · Score: 4, Interesting

    I'm surprised no one mentioned it yet - bank customers that choose to use (likely have no choice eventually) two factor authentication may be in for a nasty surprise ... I bet, much like Verified by Visa, the onus of proving fraud will be further shifted to the customer - banks will contend that two factor authentication is super-duper secure and any security violation must be solely the customer's fault.

    Speaking of fault ... two factor authentication, as proposed, is faulty from the start ... sure the barrier for fraudsters is a bit higher, but not by much ... a variant of the traditional man in the middle attack is all it takes...

    Keys, etc are no good if the fraudster takes control of the victim's computer itself ... and even worse, the fraudster may not even have to program a complicated trojan, since many folks already use software (or unknowingly have it installed) that allow for remote access.

    Banks are going to love this - sure the key tokens, etc are going to be a hassle for them to distribute, etc, but in the longrun banks will be able to shift more of the risk to the customer unless consumer groups speakup ... perhaps they have ... if anyone here knows more, please reply - thanks!

    Ron