Slashdot Mirror


Secure Ways to Determine 'Something You Have'?

Steve Cerruti asks: "My credit union is implementing multi-factor authentication for online banking. They are following guidelines provided by the Federal Financial Institutions Examination Council as outlined in Authentication in an Internet Banking Environment (PDF). As you are already required to enter a password, 'something you know' is covered. 'Something you are' has significant technical hurdles, while 'something you have' is familiar to credit unions in the form of ATM cards. My credit union chose to implement 'something you have' as a two-dimensional lookup table that they email to an address you supply when you initially log in to the online banking service; further access is blocked until you enter a code from the table. New Measures to Make Online Access Safer describes the plan and a short video (FLV) provides further details." For the security conscious among us, do you think this is a decent way to implement the 'something you have' portion of a well secured system, or are there better ways to do it?
Their plan can best be compared to single use scratch off cards. However, I am unsure of what constitutes "something you have" in this example. If someone has the capacity to log into your online banking account, it would seem an email account would be equally subject to access. It would therefore be possible for the authorized owner and the attacker to both possess the table simultaneously. Does this system provide multi-factor authentication or is it simply a convoluted mechanism for sharing yet another secret?

Off topic questions:
Is depending on near instantaneous access to email a reasonable thing to do?
If you were dealing with this situation, would you implement a Firefox extension or a cell phone application to reduce the level of effort for banking access?"

24 of 103 comments

  1. RSA SecurID by pdbaby · · Score: 4, Informative

    RSA SecurID is an excellent "what you have". It displays a number that changes every minute, so there's no need for a special interface. Your server has the seeds, so it can figure out what number's being displayed on a given SecurID at any given moment in time.

    --
    Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
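    As an added illustration of the server-side arithmetic pdbaby describes (example code, not from the post and not RSA's; SecurID's own algorithm is proprietary, so this stands in the open HOTP/TOTP construction of RFC 4226 / RFC 6238), here is a time-stepped token plus the verifier that recomputes it from the shared seed. The 60-second step, 6-digit codes, one step of clock drift and the replay check on the last accepted counter are assumptions, not anything the post states:

```python
import hashlib
import hmac
import struct

# Assumed parameters (not from the post): a 60-second step to match
# "changes every minute", 6-digit codes, one step of drift either side.
STEP_SECONDS = 60
DIGITS = 6
DRIFT_STEPS = 1


def token_for(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1 over the step counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def step_counter(now: float, step: int = STEP_SECONDS) -> int:
    """Which time step `now` (seconds since the epoch) falls in."""
    return int(now // step)


def display(seed: bytes, now: float) -> str:
    """What the fob is showing at time `now`: no network, just seed and clock."""
    return token_for(seed, step_counter(now))


def verify(seed: bytes, submitted: str, now: float, last_accepted: int,
           drift: int = DRIFT_STEPS):
    """Server-side check. Returns the counter that was accepted, or None.

    Only counters newer than `last_accepted` are considered, so a code
    sniffed in transit cannot be replayed even while the fob still shows
    it. The caller must persist the returned counter for the next login.
    """
    base = step_counter(now)
    for counter in range(base - drift, base + drift + 1):
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(token_for(seed, counter), submitted):
            return counter
    return None
```

    The window is what larien and Sven Tuerpe argue about below: a code is good for at most three steps here, but a live man-in-the-middle only needs it once, so the verifier's replay check narrows it to exactly one use.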
    1. Re:RSA SecurID by Chanc_Gorkon · · Score: 2, Insightful

      Paypal is offering it or will be soon: http://news.com.com/2100-7355_3-6149722.html

      --

      Gorkman

    2. Re:RSA SecurID by larien · · Score: 2
      The biggest problem with this is that at any point in time, any one of those organisations can now spoof themselves as you because they now know the "thing you have", i.e. your RSA code. While you can probably assume that a couple of banks would be secure enough, can you guarantee they're all secure? What about employee X from bank A? He could steal money from your account at bank B with a bit of data engineering.

      I also don't think that RSA run the software back-end. I work in a bank which uses RSA SecurID to control access to various DMZs, and I think that we own and run those servers, although RSA supply and support the relevant software on them.

    3. Re:RSA SecurID by Sven+Tuerpe · · Score: 2, Interesting
      If you don't think a window of opportunity of several minutes is preferable to a nearly unlimited window of opportunity, you've either got a severe ideological bias towards the nonexistent utopian solution, or you're a broken robot incapable of tears.

      What I really think is that the length of this window of opportunity does not matter at all. There are reports that universal phishing kits exist already, making it really simple for anyone not only to create a phishing site but also to mount a man-in-the-middle attack. This makes coordinating with your money laundering agent the most difficult and time-consuming part of the entire attack.

      Furthermore, I think that the superior solutions are those that give the user better control over transactions carried out on his or her behalf. SecurID fails to achieve that. It just makes authentication slightly stronger, where identity never was the primary issue.

      --
      http://erichsieht.wordpress.com/category/english/
    4. Re:RSA SecurID by Dare+nMc · · Score: 2
      I don't want to have to carry one for work, one for my

      I like the guy who put a webcam on all of his SecurID cards, i.e. it is very difficult for others to find out it is his webcam, and then they have to figure out which one does what...
      So at home he has physical access to all the fobs, and on the road he still has access in a pinch. They still serve their job since it verified that IT passed the fob. Now, all he needs is to host several honeypot webcams, so if they enter an ID from one of them his accounts are alerted.

      Speaking of honeypots, why doesn't anyone provide honeypot credit cards? I.e. I know I have an AMEX and a Discover; throw in a go-to-jail card that is Visa, MasterCard, and Sears/Macy's... in my wallet. They steal my wallet, they've got over a 50/50 chance of using the fraud-alerting card, even before it is reported. So if a thief carjacked and killed their victim they still wouldn't know which cards are OK, and would get caught.
  2. Could be worse by earnest+murderer · · Score: 3, Interesting

    My bank's idea of security is entering a word from an image like you see on so many sites these days.

    Those images are distorted so a computer can't just OCR the thing and brute force passwords (my understanding anyhow). This seems to have worked out well enough that you see it everywhere and brute forcing passwords is less of an issue (if at all).

    Curiously my bank decided to implement this functionality differently. The background is a grey colored word, and it's always the same word. The "code" is always black.

    I'm no genius but to the best of my knowledge this isn't much beyond an exercise in vigorous masturbation. Security through song and dance if you will?

    --
    Platform advocacy is like choosing a favorite severely developmentally disabled child.
  3. What it boils down to by Rosco+P.+Coltrane · · Score: 3, Interesting

    I watched the video and it sounds like a lot of PR talk and buzzwords to me.

    At the end of the day, assuming the computers and networks between you and the credit union are secure (they're not, but let's forget that), the only problem they have is to make sure you're Mr. John Doe, legitimate holder of the account you're trying to access ("who you are"). Period. All that matrix and multi-identification stuff is just a variation on the same theme.

    Up to now, "what you know" (a password) was assumed to be representative of "who you are", with the single point of failure that someone else might be able to know what you know as well (be it a password that's too simple, or someone looking over your shoulder while you type it in). This was a reasonable assumption because you can't separate someone from that someone's knowledge.

    If they want to do better than that, they'll have to use biometrics (DNA analysis, fingerprinting, iris scanning, etc...) or some sort of permanent electronic tagging (RFID implant). That's plain as day. So if your credit union isn't providing you a fingerprint scanner or telling you to go to your local vet to get a RFID implanted, you can safely assume that their new ultra-super-duper solutions are a variation of what's already been implemented before, perhaps a little better, perhaps not, but definitely a lot of PR fluff.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:What it boils down to by Beryllium+Sphere(tm) · · Score: 2, Insightful

      >If they want to do better than that, they'll have to use biometrics

      You can improve on passwords without breaking a sweat. What they've done is switch from a brittle login protocol to one that is closer to the random challenge/signed response that you'd want if there were a computer instead of a human on the other end.

      Not only does it block offline phishing, notice that it's even safe from a keylogger.

      Still vulnerable at several points to several attacks but a real improvement nonetheless.

  4. X509 Client Side Certificates by mechsoph · · Score: 3, Insightful

    Require X.509 client-side certificates. That should make access to the account practically impossible unless an attacker can get access to the certificate.

    The only way to access the certificate would be to compromise the client machine, and if that happens you're probably fucked regardless, right?

  5. Two ways already used in Europe by enos · · Score: 5, Interesting

    A Danish bank mails you a card with 50 4-digit numbers. This is your one-time pad of sorts. When you log in to your account it asks you for, say, #23. You provide it, and it never asks for it again. When you're down to 20 numbers left or so, the bank automatically mails you another card. The card is something you have.

    BPH (Polish bank) has your cell phone number on file. They do bank transfers, which are used over there a lot more than here, you can pay people directly like that (like an electronic check), even buy skype credit directly with it. When you attempt a transfer the bank sends you an SMS with a code you have to supply to the website. The cell phone is something you have. Trouble with this is that in the US some people have to pay for incoming SMSes. In the rest of the world that's usually free.

    --
    boldly going forward, 'cause we can't find reverse
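    The Danish card scheme enos describes, as an added example (not the bank's code and not from the post): the bank prints 50 random four-digit codes, stores only salted per-position digests of them, picks the position itself, burns each position after a single use and flags the account for a new card once 20 entries remain. Burning an entry even on a wrong answer (so a four-digit code cannot simply be guessed 10,000 times) and the digest layout are my design assumptions:

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Set

# Parameters taken from the post: 50 four-digit entries, reissue at 20 left.
CARD_SIZE = 50
CODE_DIGITS = 4
REISSUE_AT = 20


def issue_card() -> List[str]:
    """The printing side: 50 independent random four-digit codes."""
    return [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            for _ in range(CARD_SIZE)]


def _digest(salt: bytes, position: int, code: str) -> bytes:
    # Bind each code to its position so a leaked digest list cannot be
    # reordered, and salt per card so equal codes on two cards differ.
    return hashlib.sha256(salt + bytes([position]) + code.encode()).digest()


class CardAccount:
    """What the bank keeps for one customer's card: digests, never codes."""

    def __init__(self, card: List[str]):
        self.salt = secrets.token_bytes(16)
        self.digests = [_digest(self.salt, i, c) for i, c in enumerate(card)]
        self.used: Set[int] = set()
        self.pending: Optional[int] = None

    def remaining(self) -> int:
        return CARD_SIZE - len(self.used)

    def challenge(self) -> int:
        """Pick an unused entry. The server chooses, never the client."""
        unused = [i for i in range(CARD_SIZE) if i not in self.used]
        if not unused:
            raise RuntimeError("card exhausted; customer needs a new card")
        self.pending = secrets.choice(unused)
        return self.pending + 1  # cards are printed with 1-based positions

    def verify(self, code: str) -> bool:
        if self.pending is None:
            raise RuntimeError("no outstanding challenge")
        position, self.pending = self.pending, None
        # Burn the entry whether or not the answer is right (assumption):
        # a four-digit code only survives guessing if each guess costs one.
        self.used.add(position)
        return hmac.compare_digest(self.digests[position],
                                   _digest(self.salt, position, code))

    def needs_new_card(self) -> bool:
        return self.remaining() <= REISSUE_AT
```

    The "something you have" property comes from the delivery channel (paper in the post), not from the numbers themselves; emailing the same table in-band, as in the asker's credit union, leaves the digests just as strong and the factor just as weak.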
    1. Re:Two ways already used in Europe by Midnight+Warrior · · Score: 2, Interesting

      LISTEN to this chap! E-mailing the list is bad because that communication is in-band. It took the phone companies much frustration to move their signaling out of band. When payphones and the switches did all their communication in-band, phreakers could manipulate the line via blue boxes or red boxes. If someone is running malware on one of your clients' workstations, they could see the e-mail come across and later copy it for their own uses.

      Out-of-band communication works because an attacker needs access to both communication channels. Usually, the cost of doing so is extremely high and is a very good countermeasure. In enos' descriptions, the mentioned out-of-band communications are a pad of numbers mailed through the postal system, which is slow and usually not preferred by marketing folks, but still quite effective.

      The second case was the SMS message, like Google uses for G-Mail. The disadvantage here is that a) it costs money in the states, and b) not everyone has an SMS capable device.

      A similar, but third alternative would require the customer to call the toll-free number on the back of their card, type the last four digits of their card, and three digits given in-band. The cost associated with war dialing an ANI-backed, bank phone number is EXTREMELY high, as the police have great motivation to go after people trying to steal from a bank.

      In any case, if the customer has to hold onto something, make getting a replacement card as simple as 5 minutes in a branch office. Just let the tellers associate their new scratch-and-sniff card with their account and you're off. If you own your own ATMs, you can even dispense replacements from there for US$1.00 each, just like the deposit envelopes on some machines. Otherwise, they are just mailed for free when the pad of numbers starts to run low.

  6. Zero-Knowledge Proof Authentication Systems... by Sam+Nitzberg · · Score: 2, Interesting

    Hello -

    I tend to like "zero-knowledge proof" based systems.
    Here, you don't exchange an item (e.g. password) directly.
    For example, a server can challenge you (your smart card by proxy) with a randomized value / set of values.
    Your card performs a function, and returns a value.
    If the value doesn't match the accepted value, the challenge has failed. Only your card should return the correct value. However, someone else's might by chance succeed, or there may be an attack.
    So this type of exchange can be repeated until a probabilistically satisfactory threshold is reached. If all the answers are acceptable, you have passed.
    I forget the names of the people who were key in such mechanisms years ago.
    The name Quisquater (forgive my spelling) was one of them. I think he was French.

    A nice part of such schemes is that (properly implemented), they are highly resistant to a number of forms of attack including sniffers and man-in-the-middle attacks.
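    The repeated challenge/response Sam Nitzberg sketches is the Fiat-Shamir identification protocol. As an added example (not from the post), here it is end to end: an honest card that knows the secret s, a server that only knows v = s^2 mod n, and an impostor who knows only v and therefore can satisfy exactly one of the two possible challenges per round, which is where the 1/2-per-round error and the need to repeat come from. The tiny primes are for readability only; a real modulus is far larger:

```python
import secrets
from math import gcd
from typing import Callable, Optional


def keygen(p: int, q: int, s: Optional[int] = None):
    """n = p*q and v = s^2 mod n are public; s stays on the card."""
    n = p * q
    if s is None:
        s = secrets.randbelow(n - 2) + 2
        while gcd(s, n) != 1:
            s = secrets.randbelow(n - 2) + 2
    elif gcd(s, n) != 1:
        raise ValueError("s must be coprime to n")
    return n, s, pow(s, 2, n)


def _random_unit(n: int) -> int:
    r = secrets.randbelow(n - 2) + 2
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return r


class Card:
    """Honest prover: commits to a fresh r each round, never reveals s."""

    def __init__(self, n: int, s: int):
        self.n, self.s, self.r = n, s, 0

    def commit(self) -> int:
        self.r = _random_unit(self.n)
        return pow(self.r, 2, self.n)          # x = r^2

    def respond(self, e: int) -> int:
        return (self.r * pow(self.s, e, self.n)) % self.n   # y = r * s^e


class Impostor:
    """Knows only v. Guesses the challenge in advance and rigs the commitment
    so that y = r passes for that guess alone."""

    def __init__(self, n: int, v: int, guess: Callable[[], int]):
        self.n, self.v, self.guess, self.r = n, v, guess, 0

    def commit(self) -> int:
        self.r = _random_unit(self.n)
        x = pow(self.r, 2, self.n)
        if self.guess() == 1:
            x = (x * pow(self.v, -1, self.n)) % self.n   # x = r^2 / v
        return x

    def respond(self, e: int) -> int:
        return self.r


class Server:
    """Verifier. `challenge` is injectable so the protocol can be tested."""

    def __init__(self, n: int, v: int,
                 challenge: Callable[[], int] = lambda: secrets.randbelow(2)):
        self.n, self.v, self.challenge = n, v, challenge

    def check(self, x: int, e: int, y: int) -> bool:
        # Accept iff y^2 == x * v^e (mod n); reject the trivial y == 0.
        return y % self.n != 0 and pow(y, 2, self.n) == (x * pow(self.v, e, self.n)) % self.n


def identify(prover, server: Server, rounds: int = 20) -> bool:
    """Run `rounds` commit/challenge/response rounds; any failure rejects."""
    for _ in range(rounds):
        x = prover.commit()
        e = server.challenge()
        y = prover.respond(e)
        if not server.check(x, e, y):
            return False
    return True
```

    Each round leaks nothing about s (the transcript can be simulated by anyone who knows v), which is the zero-knowledge property; 20 rounds leave an impostor a 2^-20 chance. tomhudson's satellite-TV point below is about the key inside the card being extracted, which no protocol on its own prevents.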

    1. Re:Zero-Knowledge Proof Authentication Systems... by tomhudson · · Score: 2, Interesting

      Yes, it works SO well for satellite TV ... oops ...

      A $50 receiver cracks the rotating keys in minutes, a $200 receiver in seconds ... (the latest models run linux, btw).

  7. Two factor pain in the ass by maxume · · Score: 2, Insightful

    From the horse's mouth:

    http://www.schneier.com/blog/archives/2006/11/fighting_fraudu.html

    My CU implemented a system whereby I now have two passwords. I guess they are probably following the law, but I'm not safer from anything now, especially since they put some text by the second password telling me what it is about. One of the better comments from the Schneier post points out that two factor authentication isn't worth much if they both use the same channel. Another goes ahead and calls it multiple single factor.

    One of the better solutions is to require a phone call (ooh, another channel) for 'high risk' transactions. There are problems with that, but at least it adds some security. Fobs and scratch cards are decent too, but they are susceptible to man-in-the-middle attacks (or whatever you want to call them; they just make phishers more sophisticated).

    --
    Nerd rage is the funniest rage.
  8. there's fsck'd and there's FSCK'D by davidwr · · Score: 2, Insightful

    There's a big difference between having your box taken over and used to spam the world, and having your box taken over and your 5-figure bank-account drained.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:there's fsck'd and there's FSCK'D by Workaphobia · · Score: 3, Interesting

      > "But if the client's only point of interaction with the bank is through a single computer, that computer must be trusted. I don't see how you could have a secure system if that only point of interaction is compromised."

      Simple: don't trust that computer. Home computers are general-purpose machines and very few of them are highly secured. A specialized, embedded device with a private key sounds much more trustworthy, and you could still use the untrusted home computer to transmit the resulting encrypted+signed message over the Internet.

      --
      Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
    2. Re:there's fsck'd and there's FSCK'D by mechsoph · · Score: 2, Insightful

      A specialized, embedded device with a private key sounds much more trustworthy

      Agreed, but do the losses due to fraud exceed the costs of issuing an embedded cryptographic device to every customer?

  9. One password - many combinations. by vakuona · · Score: 3, Insightful

    When I call my bank, they never ask me for, say, my full telephone PIN. They ask for 2 random digits.

    So this gives you passwords within passwords. You can have a fifteen digit number/password, and they ask you for random characters from those. Always try to ask for a different combination, and perhaps ask in more ingenious ways, like the third letter and the fourth from last (which could be the same position as the third - if you had a stupid password).

    You can then keep the password long enough for it to not be too much of a bother to remember. And they can always disable the account if too many wrong tries are made.

    The cleverest thing to do, though, is probably to make it harder to do international transfers of cash using accounts, or impossible online. And make it harder to have an account without giving some form of verifiable ID. My bank does that. It is quite silly to steal money online into another local account in my estimation anyway, because you will be caught. Internationally is another issue, because some countries may not cooperate.

    Anyway, how many people do you know who have had their money stolen from their bank account online? I guess very few.

    1. Re:One password - many combinations. by tomhudson · · Score: 2, Interesting

      Shouldn't take more than n/2 on average ... and for the two digits, just pick any 2 digits at random, and you have a 1/100 chance of being right the first time. If they give you 3 chances each call, you need, on average, to make 18 calls to get access, no matter how long the actual password is.

  10. Security test by Brewskibrew · · Score: 2, Funny

    Maybe you should send me your userid, password and that table and I'll let you know if it's secure.

    --
    For sale: Signature. One owner. Low miles. Always garaged. New punctuation, just installed!
  11. Re:my cu's solution, for comparison by tomhudson · · Score: 3, Insightful

    For those who missed it, the above post is enclosed in [sarcasm] tags

    I could never figure out how anyone could believe that "name of favorite pet" or "last 4 digits of your phone number" or "name of your [insert whatever here]" is a good security question.

    Now, to answer the REAL question posed by the article's title:

    "Secure Ways to Determine 'Something You Have'?"

    - the answer is obvious - go to an anonymous clinic in another part of town, use a fake name, and pay the doctor in unmarked bills :-)

  12. Is anyone already doing that? by Beryllium+Sphere(tm) · · Score: 2, Interesting

    It's what client-side certificates were for in the first place, but the idea seems to have been forgotten.

    I'd hate to be the first organization trying to exercise the client-side certificate code...

    You'd have to completely and permanently disable non-certificate logins or phishers would still be in business.

  13. Re:I'm not sure if it's something I have or am. by nachoboy · · Score: 3, Insightful

    > One of my local Wells Fargo branches asked for my thumbprint in order to get my balance, after depositing my check. This was despite showing them my ID. They didn't want to see that. When I asked why, and refused to provide a print, I was told to go talk to the manager.
    > She explained it was a policy to speed up identification, etc.

    The customer service agent didn't implement the policy, she doesn't know why she has to collect the thumb print any more than you do. You assumed the thumb print was to provide confirmation of your identity in order to *authorize* the transaction. This is not the case, and also why they don't really care that they've never collected a thumb print before. The purpose of the thumb print is to provide *evidence* after the fact in case there is a fraudulent transaction.

    Suppose you are head of Wells Fargo's security department. The CEO has mandated that you implement "greater security" and the CFO demands that you do so on a minimal budget. Which of the following do you choose?

    1) Implement a new program requiring millions of customers to come into a physical banking location and establish their authorized thumb print, regardless of their account age, banking history, account balance, or fraud risk. Maintain a secure, reliable, online database of all these thumb prints. Make the database accessible to several thousand banking locations. Implement a near-100% accurate thumb print recognition algorithm. Ensure that all the components in this system can operate at near-instantaneous speed so transactions can be authorized in a timely manner.
    Cost to bank: several hundred million dollars
    Cost to users: hassle for thumb print at each transaction

    2) Implement a new program that requires thumb prints to be taken for each transaction. Thumb prints may be collected on paper, stored at the local banking location, archived only occasionally, and are only ever referenced if a transaction has been flagged as fraudulent. If such a thing does happen, surveillance tapes and the thumb print may be supplied to law enforcement for further action.
    Cost to bank: in the tens of millions of dollars
    Cost to users: hassle for thumb print at each transaction

    Both methods produce essentially the same amount of security, particularly for dumb criminals who may not know that the bank is relying on method 2 and not method 1. I honestly can't say I would have chosen differently either.

  14. Whatever you do, make it work by anomaly · · Score: 2, Interesting

    My CU recently added "more security" to my account. I need to jump through a couple of hoops to have them write some kind of cookie to my PC. In order to improve the hoops, they asked me some "password challenge" questions.

    When I went to log into my account from a second PC, their system asked me the challenge questions. For elementary school attended, did I answer "jones" or "jones elementary" or "jones elementary school" or "Jones" (you get the idea)

    At any rate, since my answers the second time failed to exactly match, my account was locked and I had to call the customer service number to get my account unlocked. They reset my challenge questions, and told me that lots of people are having this problem. As a result the CSRs tell people to answer those questions with a single word, and to USE THE SAME WORD FOR EVERY ANSWER!

    This system is broken.

    Whatever you do, don't build a broken system.

    --
    But Herr Heisenberg, how does the electron know when I'm looking?
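    The lockout anomaly describes comes from exact-string matching of free-text answers. As an added example (not the credit union's code and not from the post), one way to accept the same answer in its common spellings while still storing only a salted, stretched hash; the filler-word list and the hash parameters are assumptions. Normalising this way shrinks the answer space somewhat, and nothing here fixes the CSR advice to use one word everywhere:

```python
import hashlib
import hmac
import re
import secrets
import unicodedata
from typing import Tuple

# Constructed stop-word list for "school attended" style questions: words a
# customer may or may not type. An assumption, not anything the CU does.
FILLER = frozenset({"elementary", "school", "high", "junior", "middle",
                    "the", "st", "saint"})
PBKDF2_ROUNDS = 100_000


def normalize(answer: str) -> str:
    """Canonical form: Unicode-folded, lower-cased, punctuation and filler
    words dropped, single spaces. "Jones Elementary School" -> "jones"."""
    text = unicodedata.normalize("NFKC", answer).casefold().replace("'", "")
    words = re.findall(r"[a-z0-9]+", text)
    kept = [w for w in words if w not in FILLER]
    # Never normalise down to nothing: the answer "School" must stay "school".
    return " ".join(kept or words)


def _stretch(salt: bytes, canonical: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", canonical.encode(), salt, PBKDF2_ROUNDS)


def enroll(answer: str) -> Tuple[bytes, bytes]:
    """What to store: (salt, digest). The answer itself is never kept."""
    salt = secrets.token_bytes(16)
    return salt, _stretch(salt, normalize(answer))


def check(stored: Tuple[bytes, bytes], answer: str) -> bool:
    """Compare the normalised attempt against the stored digest."""
    salt, digest = stored
    return hmac.compare_digest(digest, _stretch(salt, normalize(answer)))
```

    The lockout-after-mismatch policy is still needed on top of this; the difference is that "jones" and "Jones Elementary School" no longer count as two different answers from the same customer.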