Banks to Use 2-factor Authentication by End of 2006

Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."

One more damn thing to carry around

[DrRobert]

I am really sick of all the convient things in life suddenly become too cumbersome to use. I would really, really hate to have a hard token to carry around. IT has so many band features:
1. I have to carry it around
2. I may lose it
3. It will probably break
4. Its code could be duped

Too little security, too much inconvieniece

Re:One more damn thing to carry around

[ScentCone]

Too little security, too much inconvieniece

But I'm betting you wouldn't sign a waiver relieving them of liability if you opt out of using their T-FA...

Re:One more damn thing to carry around

[LordPhantom]

Isn't that like, say, carrying around an ATM card like we do right now? Sure, a "sooped-up" ATM card if it had a rotating pin, but still an ATM card nonetheless - how is this -more- difficult than what we do now? I usually have my wallet handy somewhere, so is it really that big a deal?

Re:One more damn thing to carry around

[Tumbleweed]

how is this -more- difficult than what we do now

What, you have a magnetic-strip card reader attached to your computer? Sure, no problem - we'll just mandate that all computers that want to access a bank online have to have one, or whatever hardware doohickey they decide to require.

THAT's the real problem with this proposal. Much like extending Daylight Savings Time, politicians have no idea what impact this has on the real world - programmers that have to code this stuff, and in this really BAD case, new hardware that even the end user is required to now purchase.

Bleh.

good idea, in my opinion.

[yagu]

I would embrace T-FA. I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful. But for modest investment and great added peace of mind, I look forward to this.

Ironically, in the slashdot article reference to T-FA, the wikipedia gives as a downside to T-FA:

..., According to proponents, T-FA could drastically reduce the incidence of online identity theft, and other online fraud, because the victim's password would no longer be enough to give a thief access to their information. On the other hand, opponents argue that, (among other things) should a thief have access to your computer, he can boot-up in such a way as to bypass the physical authentication processes, scan your system for all passwords and enter the data manually, thus - at least in this situation - making T-FA no more secure than the use of a password alone....

I think this actually strengthensstill does not ensure the intrude has access to one of the two pieces (something you know, and something you have).

Too, how many (documented) massive identity theft rings are of the "gaining access to personal computers" ilk? None that I can think of.

For a little more work or inconvenience, I think this adds much security.

Re:good idea, in my opinion.

[hazem]

I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful.

If you want to keep it that way, the best thing you can do is commit a little fraud.

File a police report (this is the fraud part) saying something like you were on mass transit, carrying copies of your tax returns. You set them down, and then when you turned around, they were gone. "someone took them"

With this police report, file for a permanent fraud alert on your credit reports (all 3). This will almost immediately stop all credit card offers and will prevent someone from being able to open instant-credit in your name. You can still get credit, but it takes a little more time and takes a little more proof of who you are.

The sad thing is that to get this "opt-out" in the credit-reporting system, you have to commit a crime. Without doing so, you can only get a 3-month "opt-out". Lovely country it is where we have to commit crimes to protect ourselves from crime.

My bank already does this

[thewils]

At least so they said in that email they sent me...

Great, if they keep it compatible

[Kelson]

Sounds great, as long as they don't take the opportunity to lock out their actual customers.

Good ideas:

• Hardware that doesn't actually need to be plugged into the computer (such as the token with constantly-changing access codes)
• Hardware dongle that plugs into the USB port and talks to the computer using standard USB protocols

Bad ideas:

• Hardware dongle that requires you to install drivers. Even if they commit to producing cross-platform drivers, there's always going to be some obscure platform that they didn't think was worth implementing. (See today's article on the lack of 64-bit Flash for an example of why this is an issue.)
• Smart cards for the next few years, until readers are as ubiquitous as USB is today. Lots of computers still ship without memory card readers, and I shouldn't be forced to buy one to do something I can already do without it. (In my case I'm just stubborn, but you can bet there will be people for whom the money to buy a card reader is money that they'd rather spend on, say, food for that week.)

Bottom line: These are average people on home PCs, not corporate desktops where they can dictate the hardware/OS config, and anything that takes too much time/effort/skill/cash to install is going to be prohibitive. If banks keep that in mind, this should work. If not, they'll find a sharp drop in use of their online services.

Re:Security or Laziness?

[erick99]

And then driving home in your horse and buggy?

Second factor Windows-only?

And what are the chances that the second factor (USB tokens or fingerprint readers, most likely) will have drivers for minority operating systems? I use Linux as my only operating system. Until now, I had no problems accessing my bank account or my credit cards online. Now, I fear I may have to start visiting the bank branch in person...

The reason for my suspicion is that I used USB dongles for some expensive, proprietary software at my workplace, and on a whim I looked around for Linux drivers for the thing. Turns out that the manufacturer only supports Windows 2000 and XP, and no third-party drivers for other OS's exist.

Australian Bank

[Cave_Monster]

There is a bank here that already has implemented this strategy. They offer small devices that display an ever-changing PIN that you must enter alongside your user ID and password to login to their website. They provide two options, one is a small device that simply requires you to press the button for the PIN to be displayed. The other is slightly larger but requires you to input a seperate PIN into the device before it displays the other PIN needed for their website. The extra size is simply to accomodate the keypad.

Taking up the extra security is entirely up to the individual and is gradually being introduced to customers, though it costs a reasonable amount of money to actually order a security device.

Silly

[jesser]

This will cost every Internet banking customer money, time, and convenience. (RSA fobs are not free; if your bank gave you one for free, it will have to pass the cost on to you in some way.) Meanwhile, it will not significantly reduce the impact of phishing or pharming attacks; it will just force attackers to use the information gleaned from such attacks before the fob's digits expire.

How about requiring banks to use https correctly, which would at least reduce the impact of pharming attacks?

my bank already implemented a low tech version

[PhiberOptix]

I received a mail from my bank with 70 different 3 digit codes.

01-252 06-743
02-053 07-064
03-113 08-766
04-963 10-244
05-855 11-111 ...

everytime i login, it asks for a pin number(which can't be typed in the keyboard, you have to pick the numbers in the screen keyboard with your mouse), a secret phrase and a random code from this card.

sure, it's really far from RSA, as my code doesn't change and anyone can easily just photocopy my card. but i thought that it was a creative solution to implement a two factor auth that even dummies would understand, while providing a lower cost to implement.

Two Factor Withdrawls

[faqmaster]

The two factor system has always worked well for me. I have no problem making withdrawls using a gun AND a note.

No fraud needed

[Sycraft-fu]

What you can do legally is to freeze your credit reports. You have to do it with each agency and yes it costs a fee, but a nominal one like $15. Then nobody can get your credit information, they will simply refuse it. When you then need credit you call the correct agency and have them temporarily thaw your account. Sometimes it's a time based thing, sometimes it's a code based thing (as in they give you a code to give to the person checking your credit).

Now this of course makes it much harder to get credit. No walking in to a cell store and walking out with a phone. You need to plan ahead, find out who the creditor uses for their credit checks (with few exceptions they use only one of the three agencies) and have them take the steps necessary to make your report available.

However it's quite secure, moreso than a fraud alert, and it's totally legal to get.

Burden of Proving Fraud Shifted to Customer

[Ron+Bennett]

I'm surprised no one mentioned it yet - bank customers that choose to use (likely have no choice eventually) two factor authentication may be in for a nasty surprise ... I bet, much like Verified by Visa, the onus of proving fraud will be further shifted to the customer - banks will contend that two factor authentication is super-duper secure and any security violation must be solely the customer's fault.

Speaking of fault ... two factor authentication, as proposed, is faulty from the start ... sure the barrier for fraudsters is a bit higher, but not by much ... a variant of the traditional man in the middle attack is all it takes...

Keys, etc are no good if the fraudster takes control of the victim's computer itself ... and even worse, the fraudster may not even have to program a complicated trojan, since many folks already use software (or unknowingly have it installed) that allow for remote access.

Banks are going to love this - sure the key tokens, etc are going to be a hassle for them to distribute, etc, but in the longrun banks will be able to shift more of the risk to the customer unless consumer groups speakup ... perhaps they have ... if anyone here knows more, please reply - thanks!

Ron

Re:And it won't work.

[gujo-odori]

Yes, you can still try a man-in-the-middle-attack. However, security is not a binary condition (you're either totally secure or wide open), it's relative. AKA, I don't have to outrun the bear, I only have to outrun you. This is also the principle behind car alarms: there are car alarms that can be defeated, some more easily than others, but the main point of a car alarm is to make my car a more difficult/less attractive target than the one next to it.

Similarily, what does a Smartcard authentication system over https do for you, as opposed to a simple username and password over https?

It raises the bar, while also making people without a Smartcard more attractive targets. Compromising a username and password is fairly easy - people fall for phishing attacks all the time. If a Smartcard and PIN are also needed, a man-in-the-middle attack doesn't do you much good. You can't get my PIN (you'd also need a keystroke logger on my computer for that) and even if you had it, unless you also stole my Smartcard you'd still be SOL.

Not to mention that a man-in-the-middle attack is far harder to achieve than sending out a phishing mail or doing a brute-force attack against a weak password. Anyone can send out phishing mails or use a password-attack script; far fewer people have the wherewithal to mount a successful man-in-the-middle attack. So if I have a Smartcard + PIN that I need to use to authenticate to my bank and you don't, I've outrun you. I don't have to worry as much about the bear.

Where I work, we use Smartcards and PINs for authentication to our network, in addition to a userid and a high-quality password that must be changed regularly and may not closely resemble the old one. How does this raise security? In two ways: first, if someone gains unauthorized accesss to a computer inside one of our facilities, they can't do much with it unless they also have a card and PIN. Assuming they stole a card and got inside the building and found a computer in an isolated place and put the card in, they'd still need the PIN, and brute-forcing it would take a while because it's 6 digits minimum (mine is longer). Of course, you also only get a few tries before the PIN is disabled.

The second case is if someone were to steal my laptop in an airport, from my trunk, etc. It has a VPN client to our company network, but that won't do you any good without the Smartcard and PIN, either.

In both cases, our network is made far more secure by using Smartcards and PINs. It is not only the accepted wisdom that "something you have and something you know" is far more secure than a username/password-only system, it is just plain correct.

Many banks in Europe have been using one-time PADs for years; it's about time US banks are getting with the program on security, and disappointing that they're only doing it because somebody made them. If any bank here could offer me Smartcard + PIN or one-time PAD authentication today, they'd have my business right now.