Slashdot Mirror
Banks to Use 2-factor Authentication by End of 2006
Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."
I am really sick of all the convient things in life suddenly become too cumbersome to use. I would really, really hate to have a hard token to carry around. IT has so many band features:
1. I have to carry it around
2. I may lose it
3. It will probably break
4. Its code could be duped
Too little security, too much inconvieniece
I would embrace T-FA. I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful. But for modest investment and great added peace of mind, I look forward to this.
Ironically, in the slashdot article reference to T-FA, the wikipedia gives as a downside to T-FA:
I think this actually strengthensstill does not ensure the intrude has access to one of the two pieces (something you know, and something you have).
Too, how many (documented) massive identity theft rings are of the "gaining access to personal computers" ilk? None that I can think of.
For a little more work or inconvenience, I think this adds much security.
At least so they said in that email they sent me...
Once I was a four stone apology. Now I am two separate gorillas.
Sounds great, as long as they don't take the opportunity to lock out their actual customers.
Good ideas:
Bad ideas:
Bottom line: These are average people on home PCs, not corporate desktops where they can dictate the hardware/OS config, and anything that takes too much time/effort/skill/cash to install is going to be prohibitive. If banks keep that in mind, this should work. If not, they'll find a sharp drop in use of their online services.
And then driving home in your horse and buggy?
http://www.busyweather.com/
And what are the chances that the second factor (USB tokens or fingerprint readers, most likely) will have drivers for minority operating systems? I use Linux as my only operating system. Until now, I had no problems accessing my bank account or my credit cards online. Now, I fear I may have to start visiting the bank branch in person...
The reason for my suspicion is that I used USB dongles for some expensive, proprietary software at my workplace, and on a whim I looked around for Linux drivers for the thing. Turns out that the manufacturer only supports Windows 2000 and XP, and no third-party drivers for other OS's exist.
Sounds great, but what about forgetful people? So called "Strong Authentication" or 2-factor authentication sounds great in theory. Rather than just cracking your password, a woodbe theif would also have to steal a physical item from your posession. However most people are dumb and forgetful, they would put a piece of scotch tape on the physical item and write their password onto it so that when the woodbe theif pick pockets them, then they don't have to even bother trying to crack their password. Sounds great in theory but it dosen't work - like communism. In summary, it is the authentication for communists.
... and in the DRM, bind them.
Because BOTH methods of identification will be travelling over the SAME channel (your Internet connection), this will still be subject to man-in-the-middle attacks.
But because it will be a cool "encryption" key, people will not know that they aren't "secure".
The only way to improve the security is to use a different channel (example: the bank calls your phone to have you verify the transaction)
-or-
The site relays the information to you using your IP address as part of the encryption (this won't work with NAT/PAT/Masquerading, but will be feasible with IPv6).
Straight from the FFIEC's mouth.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
have the customer register an email account, perferably by going into a branch.
then when they login into the system, it sends a temporary use code to the email address.
Not used in 5 minutes, to is no longer anygood.
Older then 30 minutes, your logged out, the number is no longer any good.
In the email, you jsut send the number. If all banks used the same sender to send the code, then people intercepting it would not know what bank it came from.
The Kruger Dunning explains most post on
Before these banks implement high-tech security, they ought to consider common sense security. How many banks have I walked into where the back of the computers are exposed for a would be "hacker" to slip a keystroke recorder onto the PS/2 port? How many banks have I walked past on the sidewalk and their windows are wide open with no blinds and you can see directly onto the monitor with account numbers, etc on them? How many banks have I called and asked for information about my account and they failed to verify my identity before answering questions about my personal information?
Too many.
The wikipedia link claims that TFA contrasts to a system where only the password need be known. That may be a problem with some systems where the username is essentially public (i.e. *nix), but for online banking access, the username need not be easily guessed or based on any personal information, just unique.
Isn't requiring two non-obvious pieces of information (non-personally identifiable username + password) a form of two factor ID? (yes, I know the traditional mantra of "something you have/know")
If not, why is an ATM card and PIN considered to be, knowing the ease with which mag stripes can be copied? It's not like there should be high confidence the ATM card stripe is proof of possession of a unique object, as might be the case with a SecureID or retinal scan.
"National Security is the chief cause of national insecurity." - Celine's First Law
Taking up the extra security is entirely up to the individual and is gradually being introduced to customers, though it costs a reasonable amount of money to actually order a security device.
So does this mean that all banks will be required to have machines that read TFA?
-- I prefer the term "karma escort."
The linked Wiki article actually states "A common example of T-FA is a bank card". Who knew TFA had another meaning ... I wonder if the banks realize -- so Don't get offending the next time you walk up to the bank teller wicket and are asked for TFA !!! They'll wonder why you are snickering. Woo-hoo
This will cost every Internet banking customer money, time, and convenience. (RSA fobs are not free; if your bank gave you one for free, it will have to pass the cost on to you in some way.) Meanwhile, it will not significantly reduce the impact of phishing or pharming attacks; it will just force attackers to use the information gleaned from such attacks before the fob's digits expire.
How about requiring banks to use https correctly, which would at least reduce the impact of pharming attacks?
The shareholder is always right.
http://www.schneier.com/blog/archives/2005/03/the_ failure_of.html
Also, is this simlar what we have had in sweden for a couble of years for our banking systems? We have a personal badge that we enter a pin and a temporary code to get a new temporary code to be able to authenticate??
------- In the end there are no begining
sure, it's really far from RSA, as my code doesn't change and anyone can easily just photocopy my card. but i thought that it was a creative solution to implement a two factor auth that even dummies would understand, while providing a lower cost to implement.
Don't let anyone fool you. ... you will get in. ... may delay you ... but I doubt it.
If you gain physical access to a device
These n-factor authentication schemes
Step 1: Remove hard drive from device.
Step 2: Run away really fast.
Step 3: Rule the world.
The two factor system has always worked well for me. I have no problem making withdrawls using a gun AND a note.
Are you...Are you some kind of genius?
No, ma'am, I'm just a regular Slashdot reader.
CVV2 is intended to insure that the owner of the card is physically in posession of the card.
Moreover, anyone maintaining a database with CC #'s (web sites, banks, etc.) cannot store CVV2 codes in their databases beyond the life of a given transaction. Literally seconds. This is how it helps, because anyone that gains unauthorized access to a database with CC's is not going to be able to use those cards at any merchant that requires a CVV2 (95% of any phone or web based business).
What you can do legally is to freeze your credit reports. You have to do it with each agency and yes it costs a fee, but a nominal one like $15. Then nobody can get your credit information, they will simply refuse it. When you then need credit you call the correct agency and have them temporarily thaw your account. Sometimes it's a time based thing, sometimes it's a code based thing (as in they give you a code to give to the person checking your credit).
Now this of course makes it much harder to get credit. No walking in to a cell store and walking out with a phone. You need to plan ahead, find out who the creditor uses for their credit checks (with few exceptions they use only one of the three agencies) and have them take the steps necessary to make your report available.
However it's quite secure, moreso than a fraud alert, and it's totally legal to get.
That's it. No 'reprogramming' involved at all. That's because the interpretation of the TZ variable was already programmed to include this sort of encoded rules.
On the gripping hand, I have no clue what it'll take to fix Windows timezones.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
Seriously, SSL and SSH2 are not easy to do a man in the middle attack on that is undectable. More to the point, to do a man in the middle attack, you actually have to be in the middle. J. Random Hax0r can't do it, it has to be someone with access to a link that your connection passes through. That's much harder.
I worry about man-in-the-middle attacks for encrypted channels like not at all. Anyone who has the ability to compramise a major network provider to do that, probably has better thigns to do than go after my info.
They are both the same kind of authentication, and thus both have the same venurability. The reason people talk about the something you have/know/are thing is each is strong and weak in a different way:
Something you have (a key, a smartcard, etc) is strong because it has to be stolen to be of any use, someone has to physically take it. You can't just look at a smartcard and have it do you any good, you have to be in physical posession of it. However that's also the downside, it CAN be stolen. Someone can just grab it when you aren't looking.
Something you know (a password or username) is strong because it's stored in your head, nothing to physically steal, nothing to lose. However it's weak because if someone discovers it, you'll never know. They don't need to take anything, just know what it is and they can use it. Also complexity is limited by what you can remember.
Something you are (a fingerprint, an iris scan) is strong because you are unique, and it's a part of you. You never lose it, and peopel can't really fake it because, well, it's a part of you. The weakness is that what you are changes, and the ability to read it isn't 100% accurate, so someone CAN fake it out potentially.
Now, because of this, real strength comes form having two or three of these methods. If you just have passwords, even if you have 3, all someone needs to do is learn them and they are in. However if you need a smart card, a password, and a fingerprint the person has to get an impression of your finger and make a convincing dupe, then find out what your password is, then steal your smartcard, and then use it all before you notice any of this and invalidate the account.
So it's not worthless to have more of the same kind of authentication, but it's not nearly as good as having multiple kinds of authentication.
I'm surprised no one mentioned it yet - bank customers that choose to use (likely have no choice eventually) two factor authentication may be in for a nasty surprise ... I bet, much like Verified by Visa, the onus of proving fraud will be further shifted to the customer - banks will contend that two factor authentication is super-duper secure and any security violation must be solely the customer's fault.
... two factor authentication, as proposed, is faulty from the start ... sure the barrier for fraudsters is a bit higher, but not by much ... a variant of the traditional man in the middle attack is all it takes...
... and even worse, the fraudster may not even have to program a complicated trojan, since many folks already use software (or unknowingly have it installed) that allow for remote access.
... perhaps they have ... if anyone here knows more, please reply - thanks!
Speaking of fault
Keys, etc are no good if the fraudster takes control of the victim's computer itself
Banks are going to love this - sure the key tokens, etc are going to be a hassle for them to distribute, etc, but in the longrun banks will be able to shift more of the risk to the customer unless consumer groups speakup
Ron
Just who is the "Federal Financial Institutions Examination Council (FFIEC)", under what statuatory authority (if any) do they have to mandate two factor authentication and what penalties will there be if a bank allows customers to continue to use a userid and password alone.
Userid and password is simple, and effective in most cases.
The Feds want more security here, yet if I ask my bank to only accept ACTUAL PHYSICAL checks with my signature on them before honoring them and paying the other banks, it is ILLEGAL for my bank to give me what I want and refuse to accept a "substitute check". It is ILLEGAL for a bank to insist on security which would go a long way towards stopping check fraud, something which I can't protect against.
Whereas phishing attacks require stupidity on the part of the user.
Why protect people from seomthing they can protect themselves against, yet not protect us from something we can't protect ourselves from (people can forge our signature, and anyone getting a check from us has the routing number and account number, which is all they need)?!
If you don't understand the basics of computer security, you shouldn't be allowed to bank on the Internet. If you don't understand the basics of operating a car, you shouldn't be allowed to drive on public roads. Same principle at work here.
Don't take away my convience and require me to carry a smart card (oops, left it at home and can't do some needed banking at work or on vacation - sucks to be me) because of other's stupidity.
Let the stupid people lose their money, get off the Internet and/or go broke and die.
We molly coddle the stupid way too much in this country (USA).
If they must DO SOMETHING, just mandate the banks block *.aol.com at the firewall and be done with it.
95% of the problem will be solved.
Or have the server attempt the common Windows exploits, if they fail, the user isn't on Windows or has actually secured Windows - in either case they likely aren't terminally stupid - and the banking session should be allowed.
Now 99% of the problem is solved.
As for the remaining 1%, guess what, nothing is perfect. Even with 2 factor authentication, once logged in, a malicious hacker with control of your PC can add an illicit transaction request to the banking session.
In any event, people should be responsible for computer security. Secure your damn PC, learn to not trust spammers and scammers and don't be a dumbass.
Or stay off the Internet, and don't cross the street either if you are an idiot.
Just because it CAN be done, doesn't mean it should!
I was with ya until this comment: I don't think you're describing it correctly.
Man-in-the-middle implies that your communication is going to destination A, via intermediaries B, C, and D. Phishing, and what you describe, implies that for some reason you've been tricked in to setting your end destination as D, who will eventually go to A for you, but you addressed it wrong. Yes, I guess this person is technically "in the middle" of the chain of where you WANT to go, but if you had been smart about saying your correct destination, D would have no way to work unless they were able to hijack your stream the first time and every time thereafter to inject their own cert (I guess only the first time matters, since if they have your info once they can fuck you over royally.. but if it's not the first time you'll get a cert error).
Phishing is NOT man in the middle. It's just social engineering to get people to think that D really is A. This is why anything that matters, you type it in yourself. But, most people don't know to do that, I'm afraid.