Secure Ways to Determine 'Something You Have'?
Steve Cerruti asks: "My credit union is implementing multi-factor authentication for online banking. They are following guidelines provided by the Federal Financial Institutions Examination Council as outlined in Authentication in an Internet Banking Environment (PDF). As you are already required to enter a password, 'something you know' is covered. 'Something you are' has significant technical hurdles while 'something you have' is familiar to credit unions in the form of ATM cards.
My credit union chose to implement 'something you have' as a two-dimensional lookup table that they email to an address you supply when you initially log in to the online banking service; further access is blocked until you enter a code from the table. New Measures to Make Online Access Safer describes the plan and a short video (FLV) provides further details." For the security conscious among us, do you think this is a decent way to implement the 'something you have' portion of a well secured system, or are there better ways to do it?
Their plan can best be compared to single use scratch off cards. However, I am unsure of what constitutes "something you have" in this example. If someone has the capacity to log into your online banking account, it would seem an email account would be equally subject to access. It would therefore be possible for the authorized owner and the attacker to both possess the table simultaneously. Does this system provide multi-factor authentication or is it simply a convoluted mechanism for sharing yet another secret?
Off topic questions:
Is depending on near instantaneous access to email a reasonable thing to do?
If you were dealing with this situation, would you implement a Firefox extension or a cell phone application to reduce the level of effort for banking access?"
With a Java client taking a password and returning another, a one-time pad could be trivially implemented, and getting random data to a phone is no problem either.
RSA SecurID is an excellent "what you have". It displays a number that changes every minute, so there's no need for a special interface. Your server has the seeds, so it can figure out what number's being displayed on a given SecurID at any given moment in time.
Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
My bank's idea of security is entering a word in an image like you see on so many sites these days.
Those images are distorted so a computer can't just OCR the thing and brute force passwords (my understanding anyhow). This seems to have worked out well enough that you see it everywhere and brute forcing passwords is less of an issue (if at all).
Curiously my bank decided to implement this functionality differently. The background is a grey colored word, and it's always the same word. The "code" is always black.
I'm no genius but to the best of my knowledge this isn't much beyond an exercise in vigorous masturbation. Security through song and dance if you will?
Platform advocacy is like choosing a favorite severely developmentally disabled child.
I watched the video and it sounds like a lot of PR talk and buzzwords to me.
At the end of the day, assuming the computers and networks between you and the credit union are secure (they're not, but let's forget that), the only problem they have is to make sure you're Mr. John Doe, legitimate holder of the account you're trying to access ("who you are"). Period. All that matrix and multi-identification stuff is just a variation on the same theme.
Up to now, "what you know" (a password) was assumed to be representative of "who you are", with the single point of failure that someone else might be able to know what you know as well (being your password that's too simple, or someone looking over your shoulder while you type in the password). This was a reasonable assumption because you can't separate someone with this someone's knowledge.
If they want to do better than that, they'll have to use biometrics (DNA analysis, fingerprinting, iris scanning, etc...) or some sort of permanent electronic tagging (RFID implant). That's plain as day. So if your credit union isn't providing you a fingerprint scanner or telling you to go to your local vet to get a RFID implanted, you can safely assume that their new ultra-super-duper solutions are a variation of what's already been implemented before, perhaps a little better, perhaps not, but definitely a lot of PR fluff.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
They use an on-page keypad where the numbers change position each time you use it. It defeats keystroke and pointer position loggers.
In terms of "something you have", you could try SecurID. There are agents and software tokens available for phones and the like. Or say, a security code sent out with every paper statement.
Require X.509 client-side certificates. That should make access to the account practically impossible unless an attacker can get access to the certificate.
The only way to access the certificate would be to compromise the client machine, and if that happens you're probably fucked regardless, right?
A Danish bank mails you a card with 50 4-digit numbers. This is your one-time pad of sorts. When you log in to your account it asks you for, say, #23. You provide it, and it never asks for it again. When you're down to 20 numbers left or so, the bank automatically mails you another card. The card is something you have.
BPH (Polish bank) has your cell phone number on file. They do bank transfers, which are used over there a lot more than here, you can pay people directly like that (like an electronic check), even buy skype credit directly with it. When you attempt a transfer the bank sends you an SMS with a code you have to supply to the website. The cell phone is something you have. Trouble with this is that in the US some people have to pay for incoming SMSes. In the rest of the world that's usually free.
boldly going forward, 'cause we can't find reverse
Hello -
I tend to like "zero-knowledge proof" based systems.
Here, you don't exchange an item (e.g. password) directly.
For example, a server can challenge you (your smart card by proxy) with a randomized value / set of values.
Your card performs a function, and returns a value.
If the value doesn't match the accepted value, the challenge has failed. Only your card should return the correct value. However, someone else's might by chance succeed, or there may be an attack.
So, this type of set of exchanges can be repeated until a probabilistically satisfactory threshold is reached. If all the answers are acceptable, you have passed.
I forget the names of the people who were key in such mechanisms years ago.
The name quisqatuer (forgive my spelling) was one of them. I think he was French.
A nice part of such schemes is that (properly implemented), they are highly resistant to a number of forms of attack including sniffers and man-in-the-middle attacks.
From the horse's mouth:
http://www.schneier.com/blog/archives/2006/11/fighting_fraudu.html
My CU implemented a system whereby I now have two passwords. I guess they are probably following the law, but I'm not safer from anything now, especially since they put some text by the second password telling me what it is about. One of the better comments from the Schneier post points out that two factor authentication isn't worth much if they both use the same channel. Another goes ahead and calls it multiple single factor.
One of the better solutions is to require a phone call (ooh, another channel) for 'high risk' transactions. There are problems with that, but at least it adds some security. Fobs and scratch cards are decent too, but they are susceptible to man in the middle attacks (or whatever you want to call them, they just make phishers more sophisticated).
Nerd rage is the funniest rage.
There's a big difference between having your box taken over and used to spam the world, and having your box taken over and your 5-figure bank-account drained.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
When I call my bank, they never ask me for say, my full telephone pin. They ask for 2 random digits.
So this gives you passwords within passwords. You can have a fifteen digit number/password, and they ask you for random characters from those. Always try to ask for a different combination, and perhaps ask in more ingenious ways, like the third letter and the fourth from last (which could be the same position as the third - if you had a stupid password).
You can then keep the password long enough for it to not be too much of a bother to remember. And they can always disable the account if too many wrong tries are made.
The cleverest thing to do though, is to probably make it harder to do international transfers of cash using accounts, or impossible online. And make it harder to have an account without giving some form of verifiable ID. My bank does that. It is quite silly to steal money online into another local account in my estimation anyway, because you will be caught. Internationally is another issue, because some countries may not cooperate.
Anyway, how many people do you know who have had their money stolen from their bank account online? I guess very few.
Maybe you should send me your userid, password and that table and I'll let you know if it's secure.
For sale: Signature. One owner. Low miles. Always garaged. New punctuation, just installed!
This is reasonable for medium security levels, and banking never has needed higher ones for smaller day-to-day transactions. However, emailing these to the customer is completely wrong and a massive risk! It is not so much that the email could be intercepted, but it could still be on the user's computer if somebody breaks in, and the user can effortlessly print it as often as liked. Also an automated search for this "token" should be easy to implement. Emailing this is worse than not doing it at all, IMO.
The right way to do this is to use old-fashioned snail mail. The Swiss bank I have my "Girokonto" with (checking account, except nobody uses checks here, they are considered historic artefacts at best) did it that way after they had some problems with phishing with the older, linear code lists. No problems so far for over a year.
Sorry, but the bean-counter that decided on email compromised the system completely....
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Have we really become so damn busy (or lazy) in today's society that we can't work a trip to the bank into our day? Sorry, but I would never do online banking -- too many pitfalls, too many points in the system where someone can hack in, too much agony trying to clean up your account afterwards. I don't care what kind of security is put in place -- sooner or later, someone will figure a way around it. If I need to transfer, withdraw, or pay out any significant amount of money above a typical ATM withdrawal, it's damn sure worth my time and effort to physically travel to the bank. In fact, I insist on it -- and insist that they verify my identity in person before they start manipulating my money.
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
>If someone has the capacity to log into your online banking account, it would seem an email account would be equally subject to access.
Only if they phished your email password at the same time as your online banking password, sorted through your old email, found your Matrix chart still there and not yet deleted, and downloaded it for their use.
Not your average phishing scam at all, and it's probably easier for a phisher to set up a real-time man in the middle attack where they relay your bank's challenge to your browser and feed the bank your reply (and then transfer your balance to Elbonia). Which script kiddies can do now, since there's a published toolkit for setting up realtime phishing.
One of my local Wells Fargo branches asked for my thumbprint in order to get my balance, after depositing my check. This was despite showing them my ID. They didn't want to see that. When I asked why, and refused to provide a print, I was told to go talk to the manager.
She explained it was a policy to speed up identification, etc.
- When I opened the account in another state, I didn't give a thumbprint. So whoever shows up and sticks a thumb down in my name will be recorded as the account holder of record. They have my driver's license info, but I have moved since then, so any picture ID with my name might be accepted, now.
- A month or so ago, the university I graduated from reported it had been hacked and SSNs and other info for several thousand students and employees were exposed. My information was likely amongst the rest, so it is conceivable that someone may try this.
- This branch claims that all branches are supposed to be doing this, and the policy has been in effect for years, but my usual branch has never asked me for a print.
What makes banks think they can just slide in new verification, and collect data for that verification, without extra warnings, etc.? I would have expected a notice in my monthly statement, or at least on the website, that new security measures were coming. In fact, by not doing this, they provided a great window of opportunity for identity thieves. What makes it better is that because of poor companywide enforcement of the policy, I didn't learn about this on any of dozens of visits to my home branch. So someone could have printed at a branch that required it, and then later, when I needed to do something with my account, I might be asked to provide that other person's print.
For those who missed it, the above post is enclosed in [sarcasm] tags
I could never figure out how anyone could believe that "name of favorite pet" or "last 4 digits of your phone number" or "name of your [insert whatever here]" is a good security question.
Now, to answer the REAL question posed by the article's title:
- the answer is obvious - go to an anonymous clinic in another part of town, use a fake name, and pay the doctor in unmarked bills :-)
How it is done in Norway:
1. You get a keypad in the post, a small (3x2)" thingy with numbers 0-9 and a tiny calculator-style screen.
2. You also get instructions on how to set a four-digit PIN code on it for first use.
3. To log in to the internet bank, you enter your personal number (SSN equivalent), and type the PIN into the pad. It gives you an eight digit code.
4. You enter the first six digits of the code. The bank displays the last two, which should match your card's.
Hackable? Phishable? Any flaws? I can't see any, except for a trojan piggybacking on top of your connection, but that's a bit far-fetched.
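A worked model of the four steps above, added here as an example and not any bank's code. It assumes the pad is an event-based HMAC token (RFC 4226 style truncation), that the PIN only unlocks the pad locally, and that the bank keeps a small look-ahead counter window; the seed is the RFC 4226 test-vector seed, not a real customer's.

```python
"""Split-response one-time code, modelled on the Norwegian keypad scheme.

Constructed example. The customer types the first six of eight digits; the
bank answers with the last two, which it can only do if it holds the seed.
"""
import hashlib
import hmac
import struct

DIGITS = 8                               # the pad shows an 8-digit code
CLIENT_DIGITS = 6                        # the customer types the first six
LOOKAHEAD = 5                            # skipped presses the bank tolerates


def hotp(seed, counter, digits=DIGITS):
    """HMAC-SHA1 over the big-endian 8-byte counter, RFC 4226 truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Keypad:
    """The gadget in the customer's hand; the PIN only gates local use."""

    def __init__(self, seed, pin):
        self._seed, self._pin, self.counter = seed, pin, 0

    def press(self, pin):
        if not hmac.compare_digest(pin, self._pin):
            raise ValueError("wrong PIN")
        code = hotp(self._seed, self.counter)
        self.counter += 1                # every press burns a code, used or not
        return code


class Bank:
    """Server side: holds the seed and the next counter it will accept."""

    def __init__(self):
        self.customers = {}              # personal number -> [seed, next_counter]

    def enrol(self, personal_number, seed):
        self.customers[personal_number] = [seed, 0]

    def login(self, personal_number, first_six):
        """Return the last two digits on success, None on failure.

        The echoed digits prove the bank also holds the seed (host
        authentication); a phishing page that never saw the seed cannot
        show them, so the customer stops if they do not match the pad.
        """
        seed, next_counter = self.customers[personal_number]
        for c in range(next_counter, next_counter + LOOKAHEAD):
            full = hotp(seed, c)
            if hmac.compare_digest(full[:CLIENT_DIGITS], first_six):
                self.customers[personal_number][1] = c + 1   # counter c is spent
                return full[CLIENT_DIGITS:]
        return None


def demo():
    """Honest login after one unsubmitted press, then a replay of the same six digits."""
    seed = b"12345678901234567890"       # RFC 4226 test seed, constructed for the demo
    pad, bank = Keypad(seed, pin="4711"), Bank()
    bank.enrol("01019012345", seed)      # constructed personal number
    pad.press("4711")                    # code generated but never sent: look-ahead covers it
    code = pad.press("4711")
    tail = bank.login("01019012345", code[:CLIENT_DIGITS])
    replay = bank.login("01019012345", code[:CLIENT_DIGITS])   # phished copy, reused
    return tail == code[CLIENT_DIGITS:], replay is None


if __name__ == "__main__":
    print(demo())                        # (True, True)
```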
It's what client-side certificates were for in the first place, but the idea seems to have been forgotten.
I'd hate to be the first organization trying to exercise the client-side certificate code...
You'd have to completely and permanently disable non-certificate logins or phishers would still be in business.
>The cleverest thing to do though, is to probably make it harder to do international transfers of cash using accounts, or impossible online.
But then all the bad guy has to do is pay a cut to local recipients of phishing proceeds who will pass along the funds. No need for the online transaction to go straight to Elbonia in one step.
>some countries may not cooperate.
Notice the destinations are never squeaky-clean places like Finland. It's always some place where it's easier for the crooks to have an under$tanding with law enforcement.
>Anyway, how many people do you know who have had their money stolen from their bank accoount online. I guess very few.
It can't be that many, given that the highest estimate I've seen is USD 500 million annual phishing losses. That's couch cushion change compared to credit card fraud.
A better way would be to put a code on the monthly statement (that changes every statement)- of course most banks are trying to get rid of paper statements so the point is moot, but I think it would be the best way without requiring an actual token.
This may sound complicated, but actually the user experience is quite ok. And you are always reminded if you do something important, because you have to give another secret number.
The only scheme more secure is one I used in Holland. You have a little token that is PIN secured. The bank sends you a 9 digit number, which the token turns into another 9 digit number for authorization. On the whole, I found that rather tedious, and probably not worth the small additional security. Another good option is using SMS, but the cost of an SMS is pretty much prohibitive in Europe.
The big looming danger for online banking is a man-in-the-middle attack. No current scheme offers much protection against that. I think it is only a matter of time until we see some black hats (successfully?) trying this.
The basic problem with emails, TAN numbers etc. is that they can be easily copied. So, the fact that you have the item/information does nothing to ensure that no one else has it too. You're much more likely to notice having *lost* something than you are of noticing that someone has *copied* something you possess.
If you could be certain people wouldn't leave them plugged in (many would, despite strict instructions to the contrary) the ideal something-I-have item would be a USB key that has tamper-proof hardware set up to do one thing, and one thing only: digitally sign any message that is already signed by the bank (or whoever the issuer is), with a secret key embedded in it.
When the bank wants to ensure you have the item, it sends you a large random number, signed with its secret key. The usb-thingie verifies the number comes from the bank (by verifying the signature) and if yes, signs the number with its own secret key.
*IF* users could be trusted not to leave the thing plugged in, this would be quite secure. To use the bank: insert your bank-key in the usb-port and type your password. There's no need to type your username/userid, the usb-gadget can take care of that part too. So the experience for the user is much simpler than what is currently common.
Someone somehow learning your password (through phishing, say) would be screwed since they don't have the gadget. And someone stealing the gadget would be screwed since they don't know your password. (Plus, you're more likely to notice a missing gadget since that'll stop you from using the bank yourself.) Since users, unfortunately, *cannot* be trusted not to leave the thing plugged in, we get calculator-like gadgets where the user must manually read the one-time password from a display and enter it into a webform. Which accomplishes more or less the same thing, but is significantly less convenient.
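The exchange sketched above, as an added example that is not code from the post or from any bank. HMAC-SHA256 with two pre-shared keys (K_issuer, K_dev, both constructed) stands in for the digital signatures the comment describes, so the protocol shape is the same but the key handling is not: the bank tags a fresh random number, the gadget verifies the bank's tag before answering, then tags the number with its own key.

```python
"""Challenge-response 'bank key', modelled on the USB gadget described above.

Constructed example. HMAC replaces the signatures of the original sketch so
that it runs on the standard library alone.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32                  # bytes of HMAC-SHA256


def mac(key, *parts):
    """Keyed tag over length-prefixed parts so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class BankKey:
    """The tamper-resistant gadget: K_issuer to verify challenges, K_dev to answer."""

    def __init__(self, user_id, k_issuer, k_dev):
        self.user_id, self._k_issuer, self._k_dev = user_id, k_issuer, k_dev

    def respond(self, nonce, issuer_tag):
        # Refuse anything not provably from the issuer: a phishing site that
        # relays a number of its own choosing gets no response at all.
        expected = mac(self._k_issuer, b"challenge", self.user_id.encode(), nonce)
        if not hmac.compare_digest(expected, issuer_tag):
            return None
        return mac(self._k_dev, b"response", self.user_id.encode(), nonce)


class Bank:
    """Issuer side: per-user keys and at most one outstanding nonce per user."""

    def __init__(self):
        self.keys = {}            # user_id -> (k_issuer, k_dev)
        self.pending = {}         # user_id -> nonce awaiting a response

    def enrol(self, user_id):
        k_issuer, k_dev = secrets.token_bytes(32), secrets.token_bytes(32)
        self.keys[user_id] = (k_issuer, k_dev)
        return BankKey(user_id, k_issuer, k_dev)   # personalised gadget handed out

    def challenge(self, user_id):
        nonce = secrets.token_bytes(16)              # large random number
        self.pending[user_id] = nonce
        return nonce, mac(self.keys[user_id][0], b"challenge", user_id.encode(), nonce)

    def verify(self, user_id, response):
        nonce = self.pending.pop(user_id, None)      # single use: a replay finds nothing
        if nonce is None or response is None:
            return False
        expected = mac(self.keys[user_id][1], b"response", user_id.encode(), nonce)
        return hmac.compare_digest(expected, response)


def demo():
    """Genuine login, a forged challenge, and a replay of a captured response."""
    bank = Bank()
    gadget = bank.enrol("alice")                     # constructed user
    nonce, tag = bank.challenge("alice")
    ok = bank.verify("alice", gadget.respond(nonce, tag))
    forged = gadget.respond(secrets.token_bytes(16), secrets.token_bytes(TAG_LEN))
    replay = bank.verify("alice", gadget.respond(nonce, tag))
    return ok, forged is None, replay is False


if __name__ == "__main__":
    print(demo())                                    # (True, True, True)
```

As the thread notes elsewhere, this shape still leaves a live relay open, because nothing in the response names the transaction being authorised.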
aptitude install libpam-opie opie-client opie-server
http://outcampaign.org/
Well, that certainly ramps up the security, doesn't it? I'm sure someone with malicious intent is doing the same thing.
I read the article headline and for a moment thought I was at MensHealth.com.
Sorry for this blatant plug but I believe it's quite relevant to the discussion.
The company I work for has an authentication product that's more secure than hardware tokens (SecurID) and one-time password sheets.
The product is a J2ME application that you install into your mobile phone. You activate the application in advance by entering a cryptographic key. To authenticate something, you start the application and enter your PIN code, then type in a challenge code given by the remote service (a web page, a VPN gateway, whatever). The application displays some details about the remote system and the transaction, then gives you a response code that you feed back into the remote system.
The application is totally generic (i.e. not personalized until you enter your activation code), uses only tested and tried cryptographic methods, and has been security reviewed by several (OK, two) independent companies. Although the demo is aimed for online banking, there's no reason why the product couldn't be applied to any other situation where reliable authentication is needed.
The product page itself is a little bare but there's more under Press Releases (between November 2005 and June 2006, I believe). There's e.g. a joint press release with UK security lab Qinetiq and an interesting video clip off the German TV news.
Thanks for listening!
... Is that the sound of my karma evaporating?
--Bud
My CU recently added "more security" to my account. I need to jump through a couple of hoops to have them write some kind of cookie to my PC. In order to improve the hoops, they asked me some "password challenge" questions.
When I went to log into my account from a second PC, their system asked me the challenge questions. For elementary school attended, did I answer "jones" or "jones elementary" or "jones elementary school" or "Jones" (you get the idea)?
At any rate, since my answers the second time failed to exactly match, my account was locked and I had to call the customer service number to get my account unlocked. They reset my challenge questions, and told me that lots of people are having this problem. As a result the CSRs tell people to answer those questions with a single word, and to USE THE SAME WORD FOR EVERY ANSWER!
This system is broken.
Whatever you do, don't build a broken system.
But Herr Heisenberg, how does the electron know when I'm looking?
A good two-factor authentication system should include host authentication as well to prevent MITM attacks.
http://en.wikipedia.org/wiki/Mutual_authentication
Otherwise, banks would be better off using OTPs to validate the transactions.
Security through song and dance if you will?
Close - the commonly used term is 'Security Theatre' (or Theater if you're new-school).
It means "I'm implementing a system that looks to someone who doesn't understand security like it might improve safety, but really it just inconveniences everybody".
The TSA is the Andrew Lloyd Webber of Security Theatre.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I'm bedazzled by the sheer ignorance displayed in this thread.
First of all, the rest of the world is already using a pretty secure standard for two-factor authentication called EMV. It's all there, smart card vendors support the standard, card manufacturing plants can produce EMV cards, banking software supports it.
Second, RSA IS NOT cost effective in banking. Never mind the logistics and cost of replacing lost RSA fobs, RSA will use the opportunity to ream the bank an extra-large you-know-what. Where else are you going to go?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Why don't people use these damn things? Amex has been advertising them for years, we see them in organisational ID cards and other places.
Use them as a PKI device - you have to insert it into your computer when you do a transaction, and ensure they are locked with a PIN.
If you don't have the card, and you don't know the PIN, then you aren't who you say you are. Put your photo on the card so that when you do face to face transactions you aren't relying on a possibly forged signature.
The cards are not that expensive. The readers are not that expensive.
OK supreme idiot, then what is the name of my favorite pet and last 4 digits of my SSN then? Good luck brain dead asswipe.
Anonymous cowards don't have pets. No SSN either.
And of course, being an AC, you have no way of refuting this.
And anyone who posts claiming to be the AC can't prove it was really them, so too bad ...