Slashdot Mirror


Banks to Use 2-factor Authentication by End of 2006

Evil Grinn writes "As reported on Yahoo and elsewhere, the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two-factor authentication."

4 of 313 comments

  1. Re:One more damn thing to carry around by LordPhantom · Score: 5, Insightful

    Isn't that like, say, carrying around an ATM card like we do right now? Sure, a "sooped-up" ATM card if it had a rotating pin, but still an ATM card nonetheless - how is this -more- difficult than what we do now? I usually have my wallet handy somewhere, so is it really that big a deal?

  2. Second factor Windows-only? by Anonymous Coward · Score: 5, Insightful

    And what are the chances that the second factor (USB tokens or fingerprint readers, most likely) will have drivers for minority operating systems? I use Linux as my only operating system. Until now, I had no problems accessing my bank account or my credit cards online. Now, I fear I may have to start visiting the bank branch in person...

    The reason for my suspicion is that I used USB dongles for some expensive, proprietary software at my workplace, and on a whim I looked around for Linux drivers for the thing. Turns out that the manufacturer only supports Windows 2000 and XP, and no third-party drivers for other OS's exist.

  3. Re:good idea, in my opinion. by hazem · Score: 5, Informative

    I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful.

    If you want to keep it that way, the best thing you can do is commit a little fraud.

    File a police report (this is the fraud part) saying something like you were on mass transit, carrying copies of your tax returns. You set them down, and then when you turned around, they were gone. "someone took them"

    With this police report, file for a permanent fraud alert on your credit reports (all 3). This will almost immediately stop all credit card offers and will prevent someone from being able to open instant-credit in your name. You can still get credit, but it takes a little more time and takes a little more proof of who you are.

    The sad thing is that to get this "opt-out" in the credit-reporting system, you have to commit a crime. Without doing so, you can only get a 3-month "opt-out". Lovely country it is where we have to commit crimes to protect ourselves from crime.

  4. Re:And it won't work. by gujo-odori · Score: 5, Informative

    Yes, you can still try a man-in-the-middle attack. However, security is not a binary condition (you're either totally secure or wide open), it's relative. AKA, I don't have to outrun the bear, I only have to outrun you. This is also the principle behind car alarms: there are car alarms that can be defeated, some more easily than others, but the main point of a car alarm is to make my car a more difficult/less attractive target than the one next to it.

    Similarly, what does a Smartcard authentication system over https do for you, as opposed to a simple username and password over https?

    It raises the bar, while also making people without a Smartcard more attractive targets. Compromising a username and password is fairly easy - people fall for phishing attacks all the time. If a Smartcard and PIN are also needed, a man-in-the-middle attack doesn't do you much good. You can't get my PIN (you'd also need a keystroke logger on my computer for that) and even if you had it, unless you also stole my Smartcard you'd still be SOL.

    Not to mention that a man-in-the-middle attack is far harder to achieve than sending out a phishing mail or doing a brute-force attack against a weak password. Anyone can send out phishing mails or use a password-attack script; far fewer people have the wherewithal to mount a successful man-in-the-middle attack. So if I have a Smartcard + PIN that I need to use to authenticate to my bank and you don't, I've outrun you. I don't have to worry as much about the bear.

    Where I work, we use Smartcards and PINs for authentication to our network, in addition to a userid and a high-quality password that must be changed regularly and may not closely resemble the old one. How does this raise security? In two ways: first, if someone gains unauthorized access to a computer inside one of our facilities, they can't do much with it unless they also have a card and PIN. Assuming they stole a card and got inside the building and found a computer in an isolated place and put the card in, they'd still need the PIN, and brute-forcing it would take a while because it's 6 digits minimum (mine is longer). Of course, you also only get a few tries before the PIN is disabled.

    The second case is if someone were to steal my laptop in an airport, from my trunk, etc. It has a VPN client to our company network, but that won't do you any good without the Smartcard and PIN, either.

    In both cases, our network is made far more secure by using Smartcards and PINs. It is not only the accepted wisdom that "something you have and something you know" is far more secure than a username/password-only system, it is just plain correct.

    Many banks in Europe have been using one-time PADs for years; it's about time US banks are getting with the program on security, and disappointing that they're only doing it because somebody made them. If any bank here could offer me Smartcard + PIN or one-time PAD authentication today, they'd have my business right now.
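
The PIN lockout described in comment 4, modeled as an added example (not part of the thread and not any real smartcard's firmware): a retry counter that disables the PIN after a few wrong guesses, so a stolen card yields only a handful of attempts against a 6-digit space. The `CardPin` class, the limit of 3 tries and the sample PIN are assumptions made for illustration.

```python
import hmac


class PinBlocked(Exception):
    """Raised when the retry counter has reached zero."""


class CardPin:
    """Hypothetical model of a smartcard PIN check with a retry counter."""

    def __init__(self, pin: str, max_tries: int = 3):  # 3 is an assumed limit
        if not (pin.isdigit() and len(pin) >= 6):
            raise ValueError("PIN must be at least 6 digits")
        self._pin = pin.encode()
        self._max_tries = max_tries
        self.tries_left = max_tries

    def verify(self, candidate: str) -> bool:
        if self.tries_left == 0:
            raise PinBlocked("PIN disabled")
        # Spend a try before comparing, so an aborted check is still counted.
        self.tries_left -= 1
        if hmac.compare_digest(self._pin, candidate.encode()):
            self.tries_left = self._max_tries  # success resets the counter
            return True
        return False


def guess_success_probability(pin_digits: int, tries: int) -> float:
    """Chance that `tries` distinct guesses hit a uniformly random PIN."""
    space = 10 ** pin_digits
    return min(tries, space) / space


def sequential_guessing(card: CardPin, digits: int = 6):
    """Try 000000, 000001, ... and return (guesses the card evaluated, success)."""
    made = 0
    for n in range(10 ** digits):
        try:
            ok = card.verify(f"{n:0{digits}d}")
        except PinBlocked:
            return made, False
        made += 1
        if ok:
            return made, True
    return made, False


if __name__ == "__main__":
    stolen = CardPin("493817")  # constructed sample PIN
    print(sequential_guessing(stolen), guess_success_probability(6, 3))
```

Once the counter reaches zero the card refuses even the correct PIN, which is why the holder of a stolen card gets at most `max_tries` guesses in total.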