
Court Rules Passwords+Secret Questions=Secure eBanking

An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."

45 of 284 comments

  1. One-time pads by Anonymous Coward · · Score: 4, Insightful

    We've been using one-time pads in Finland for a long time, and they do the job.

    What's the issue?

    1. Re:One-time pads by Anonymous Coward · · Score: 4, Insightful

      Well, here in the US we don't feel like spending money on security.

    2. Re:One-time pads by ekhben · · Score: 5, Insightful

      I think you have it the wrong way around. It's an exceptionally hard problem to have a highly secured end user network. It's an easy problem to have stronger authentication mechanisms.

      One time pads are not new, or difficult. Two-channel authentication is not new, or difficult. These are not particularly expensive solutions to implement, and would cut down on fraud significantly.

      So why do the banks resist the idea?

      Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.

    3. Re:One-time pads by Anonymous Coward · · Score: 3, Funny

      I don't want to buy an iPad, use it one time, then throw it away.

    4. Re:One-time pads by QuasiSteve · · Score: 3, Interesting

      Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.

      I'm curious.. what is the other channel?

      Here in NL there's two major forms of online banking authorization (separate from the account login, of course), both are a challenge/response type, and both perform the challenge in the browser.

      The first one, the response is either on a paper sheet you have (which you can then move to a computer file or whatever if you want to spend some time typing it in) or is sent to your cellphone along with the amount (so that no transactions can sneak in without it being shown in the same text).

      The other one, the response is something generated on an external device - looks like a little calculator - after entering the challenge.

      In both cases, the response is also entered into the browser.

      Despite these more-or-less two-factor authorizations, I'd consider this to be a single channel.

      I'm not sure what other channel could exist either... a custom application that communicates over an SSL'd connection or secure FTP or whatever could just as well be targeted by malware authors.. perhaps even more so considering its focused purpose.

      A true separate channel would probably be a modification of the aforementioned challenge-via-text method to also send the response via text. Or calling the bank and checking with an employee that the order as you see it on your screen is indeed the order pending and then proceed to provide the response to the presented challenge. The former could be automated, the latter.. not so much?

      So I'm curious what the 2nd channel in your banking situation is.

    5. Re:One-time pads by MightyMartian · · Score: 4, Funny

      Maybe we can let the TSA take over computer security. You can have a couple of brawny perverts in front of every computer ready to cup your genitals before you go to pay some bills. Add in an X-ray machine to toast your testicles, and you're ready to go!

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re:One-time pads by Dodgy+G33za · · Score: 3, Interesting

      Don't underestimate the power of the money that can be made by subverting online banking.

      If the machine on which you do banking is not secure it becomes very hard to secure a transaction unless you have a true second channel. For example confirm a transaction with an SMS or phone call, although with smart phones this can no longer be guaranteed to be a second channel.

      The latest generation of man-in-the-browser malware sits between the user and the bank and can alter transactions that the user has legitimately entered and authorised, as well as hide the evidence of the results.

      At a recent AusCERT conference in Australia we heard that such malware can also add additional form fields so that the user confirms their phone number, and use that as a vector to infect their smartphone by exploiting smartphone OS vulnerabilities. Once they have both PC and phone infected, it is game over as far as two factor authentication with the phone is concerned.

      This problem can be solved in a very simple (technically, not politically) way, and that is to clean up international banking so that the money trail can be followed. Make the bank that failed to identify the one that ends up with the money liable for repayment (and that includes the likes of Western Union), and in the event of a failed bank make the country in which the bank is registered liable.

      Failing that make operating system and software manufacturers liable for security flaws in their products. We do it with cars, so why not software?

    7. Re:One-time pads by AK+Marc · · Score: 3, Interesting

      I have my bank send me a text with a code I put in the browser for online transactions above a certain level. Sure, it all goes through the browser at some point, but a one-time use code texted to my phone that won't work for another transaction even if someone was at my computer watching everything I put in will not allow them to then compromise my account at all. I could bank with that on a public computer and nobody could get anything out of my account.

    8. Re:One-time pads by wvmarle · · Score: 2

      It seems Europe in general is way ahead of the US when it comes to security in on-line banking.

      My on-line banking (with a Dutch bank) goes back some 18 years now. The first system I used required dial-in to a dedicated telephone number using a 2400 baud modem (I didn't have Internet options yet - not even dial-up - and 2400 baud was not the fastest available but at the time quite normal), logging in with user name and password to a telnet-like system, and to authenticate each transaction I had to enter a number from a list that was written on a separately mailed paper. So two-factor already, while the whole environment was a lot safer back then.

      A few years later they created an off-line application, where you could enter all your transactions. Saved a lot on telephone costs. That dedicated number was long-distance of course.

      Another few years later, and an Internet option appeared. Not long after I got a dial-up connection. Same two-factor security.

      Other banks started using a separate calculator to create the one-off numbers. This was a physically separate device, not on the computer itself.

      And all of the above was over ten years ago already. The system has remained basically the same (I'm still using that paper list - for living overseas and not having a Dutch mobile number), now using a calculator or having the one-time code sent to your mobile phone. Still: two-factor, physically separate.

      Bank fraud, also e-banking fraud, is unfortunately still not unheard of in Europe. A lot is related to credit card fraud, but also e-banking accounts still end up being hacked. No security is perfect, but the relatively rare occurrence of such incidents indicates it's pretty good.

      I really wonder when the US will catch up.

    9. Re:One-time pads by Snarky+McButtface · · Score: 5, Funny

      I can handle my own genitals when in front of a computer screen.

    10. Re:One-time pads by pirho13 · · Score: 5, Insightful

      As the previous poster said, we don't like spending money on Security.
      Now Security Theater, that's entertainment!

    11. Re:One-time pads by dgatwood · · Score: 2

      Sure they will, if you have compromised the browser completely.

      • You start the transaction that requires you to enter a code.
      • Attacker creates a malicious transaction in the background that also requires you to enter a code.
      • Attacker puts up a fake copy of the bank's dialog that tells you it will have to confirm the transaction and asks you to choose a phone number for them to text or whatever.
      • You do whatever you need to do there.
      • Attacker posts the malicious transfer form and performs the query to tell the bank to send out a text message.
      • Attacker displays a fake copy of the verification form where you are supposed to enter the info from the text message.
      • You enter the verification code.
      • Attacker submits the verification code for the malicious transaction.
      • Attacker displays a fake "verification code failed message" repeatedly until you tell the bank to send a new code.
      • Attacker passes on that request for a new code to your bank.
      • Your bank sends a new code.
      • Attacker displays the real verification page for your transaction.

      At this point, as far as the user knows, the bank just sent a broken code. Meanwhile, $20,000 has been transferred to a bank in Zurich.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    12. Re:One-time pads by jonwil · · Score: 3, Insightful

      No it couldn't because the idea is that you enter the transaction details (amount and account number) into the little calculator thing.

    13. Re:One-time pads by AK+Marc · · Score: 2

      Does the text message also contain human-readable information with all details about the transaction?

      Yes.

    14. Re:One-time pads by laurelraven · · Score: 2

      It's unreasonable to expect banks to have to assume that every connection may or may not be coming from a machine not under the control of their customer.

      Maybe it's the whiskey, but I tried five times to parse that...short of taking out a pen and paper and working it out, I'm not sure what you are trying to say here.

      --
      RTFA is Known to the State of California to cause cancer.
    15. Re:One-time pads by SharpFang · · Score: 3, Informative

      If the bank attaches transaction details, this is a valid method of circumventing the OTP vulnerability.

      There are exploits in the wild that hijack the MSIE HTML rendering layer. So you want to transfer $15 to your aunt. You type in the amount, the account number, all details match. You press "send" and the trojan sends out the scammer's account number and your total balance as the amount to transfer. Now the bank asks you to confirm the transfer - and the trojan displays your aunt's info you have just entered, asking for the OTP code. And you sign the transfer to the thief's account with a valid OTP code.

      Now the SMS will contain some digits of the account number and you can verify if it's your auntie who will receive your cash, even if your computer has been compromised.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
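The difference the last few replies are arguing about (a code that is only "something you typed" versus one that is bound to the amount and destination), as an added example that is not part of any post in this thread. It models a calculator-style token in Python; the shared secret, challenge and account numbers are constructed sample values, not a real bank protocol.

```python
"""Transaction-bound vs. unbound one-time codes.

Added example: a code bound to (amount, destination account) cannot be
replayed onto a transaction that malware swapped in behind the user's back,
while a plain challenge/response code can.  Secret, challenge, amounts and
account numbers below are constructed sample values.
"""
import hashlib
import hmac

# Shared secret provisioned into the customer's token (constructed sample value).
TOKEN_SECRET = bytes.fromhex("5f7a8c9e0b1d2f3a4c5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f7a8b9c0d1e")

# Fixed challenge so the simulation is deterministic; a bank would send a fresh random nonce.
CHALLENGE = "c0ffee1234567890"


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code the user can type."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def unbound_code(secret: bytes, challenge: str) -> str:
    """Classic challenge/response OTP: depends on the bank's challenge only."""
    return _six_digits(hmac.new(secret, challenge.encode(), hashlib.sha256).digest())


def bound_code(secret: bytes, challenge: str, amount_cents: int, dest_account: str) -> str:
    """Transaction-signing OTP: also covers what is being paid to whom.

    Each field is length-prefixed so ("12", "345") and ("123", "45") cannot collide.
    """
    fields = (challenge.encode(), str(amount_cents).encode(), dest_account.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return _six_digits(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts(secret: bytes, challenge: str, submitted: dict, code: str, bound: bool) -> bool:
    """The bank can only verify against the transaction it actually received."""
    if bound:
        expected = bound_code(secret, challenge, submitted["amount_cents"], submitted["dest_account"])
    else:
        expected = unbound_code(secret, challenge)
    return hmac.compare_digest(expected, code)


def simulate(bound: bool, malware_swaps: bool) -> bool:
    """Return True if the bank accepts the transaction that reached it.

    The user only ever sees `displayed`.  With an infected browser the bank
    receives `submitted` instead: the $15 to the aunt becomes the whole
    balance to an attacker-controlled account, exactly the scenario above.
    """
    displayed = {"amount_cents": 1500, "dest_account": "NL00AUNT0000000001"}
    submitted = ({"amount_cents": 4_250_000, "dest_account": "CH00THIEF000000009"}
                 if malware_swaps else displayed)
    # The token computes its code from what the user was shown and keyed in.
    if bound:
        user_code = bound_code(TOKEN_SECRET, CHALLENGE,
                               displayed["amount_cents"], displayed["dest_account"])
    else:
        user_code = unbound_code(TOKEN_SECRET, CHALLENGE)
    return bank_accepts(TOKEN_SECRET, CHALLENGE, submitted, user_code, bound)


if __name__ == "__main__":
    for bound in (False, True):
        for swap in (False, True):
            print(f"bound={bound!s:5} swapped={swap!s:5} -> accepted={simulate(bound, swap)}")
```

The SMS variant discussed above works the same way: the code is only delivered alongside the details the bank actually received, so a swapped transaction is visible to the user before the code is ever typed.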
  2. Secure = Secure Enough by timeOday · · Score: 2

    I think this standard is OK, *if* the banks are liable for compromises (as they are with credit/debit cards). Obviously this isn't totally secure, but you have to consider everybody's wasted time when weighing alternatives.

    1. Re:Secure = Secure Enough by FatAlb3rt · · Score: 4, Interesting

      Unless the questions are like my bank's:
      Who is your favorite Disney character?
      What is your favorite color?

      You stand a good chance to get the right answer for any given account if you go with Mickey / Minnie or red / blue. How is that really security?

    2. Re:Secure = Secure Enough by definate · · Score: 4, Interesting

      I always answer those questions with a different password. This results in many people going, "LOL So your mother's maiden name is jks)*8h9*H*(BY?"

      This is when those are used for verbal authentication over the phone. Then on top of this, I just need some reasonable password management.

      All good!

      --
      This is my footer. There are many like it, but this one is mine.
    3. Re:Secure = Secure Enough by Anonymous Coward · · Score: 2, Interesting

      I was doing that with my bank (the 'mothers maiden name' answer I had, while technically correct, wasn't the obvious one), until one day when I had to call in and was informed that my answer was wrong. My mom has an account at the same bank, and somehow they had been able to 'fix' it; I have not been able to change it back. Nor did I ever get an answer as to why the change was made.

    4. Re:Secure = Secure Enough by definate · · Score: 2

      WOW! That's not good. So, they ENFORCED bad security on you. By revealing something which could be found out.

      That's insane.

      --
      This is my footer. There are many like it, but this one is mine.
  3. This has a name by IICV · · Score: 4, Insightful

    There's a name for this sort of security - "Wish it was two factor" security.

    And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.

    1. Re:This has a name by ScrewMaster · · Score: 3, Funny

      There's a name for this sort of security - "Wish it was two factor" security.

      And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.

      Either nobody asked the experts or the judge didn't care. I hope he uses online banking and finds himself with a negative balance some day.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:This has a name by Mashiki · · Score: 3, Interesting

      If there's zero case law on something, any case law is good. Because it creates both a starting point, and a breach point for other lawyers to prove that the system is faulty. It's not bullshit, well actually it is but not in the way you think. It's bullshit that it's taken nearly 15 years for the first real case to come to light creating case law.

      --
      Om, nomnomnom...
    3. Re:This has a name by MightyMartian · · Score: 3, Informative

      I'm sure he's not depositing the check from the banking industry in an American bank account, so it shouldn't be a worry for him.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  4. good by waddgodd · · Score: 3, Interesting

    From a consumer perspective, the lower the bar is for "effective security measures" the better, because if an attacker breaks ineffective security measures, you're basically on the "caveat emptor" hook, meaning you failed to do due diligence, therefore any losses are yours. If the security's effective, the bank's on the hook for any losses due to theft. Think of it this way, your bank has a wooden safe, and a robber gets in, you try to sue the bank for your losses, the bank says "well, duh, we had a wooden safe, what'd you expect?", and gets off the hook, while if the bank has a steel vault, you sue, and the bank's required by fiduciary duty to cover your loss, even though it's not negligent. Kinda twisted, huh? But then again, look at the rhetoric flying around Washington about the banks, banking law is truly down the rabbit-hole.

    --
    Just because you're paranoid doesn't mean they aren't out to get you
  5. why not use some sort of authenticator? by snuf23 · · Score: 5, Interesting

    I find it odd that Blizzard offers more security for a World of Warcraft account than your average bank.

    --
    Sometimes my arms bend back.
    1. Re:why not use some sort of authenticator? by Cyno01 · · Score: 3, Informative

      Actually it still does, as you need a separate device that's not connected to the computer in any way.

      --
      "Sic Semper Tyrannosaurus Rex."
  6. Calm down by Charliemopps · · Score: 5, Insightful

    Seriously, everyone calm down. If your bank's security sucks, switch. It's really easy. I switched banks on Monday... it took me all of about an hour. Imagine if the judge had come down with a verdict like: True security is a 30+ character alphanumeric password that is at least half capitals or special characters. The same password can never be reused. The user name must be a randomized 10 digit numeric sequence. Both user name and password cannot be valid for longer than 30 days, at which point both must be mailed separately to the user on different dates. Users cannot reset passwords without being in person and presenting 2 forms of ID at a branch office. Lastly, login periods cannot last for more than 5 min, upon which the user must log in again.

    What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!

    1. Re:Calm down by memyselfandeye · · Score: 3, Insightful

      Seriously, everyone calm down. If your bank's security sucks, switch. It's really easy. I switched banks on Monday... it took me all of about an hour.

      Know of any US banks that offer SecureID or something similar? I'd sure like to know, as in order for my LLC to accept credit cards I have to have a US bank, so it's not like I can shop around even if I wanted to.

      What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!

      I agree, I mean, it's not like banks want you to easily move money out of an account anyway.

    2. Re:Calm down by Rockoon · · Score: 4, Insightful

      If your bank's security sucks, switch

      Switch to another insecure bank? The problem is that this shitty security is industry standard.

      And if you don't mind me asking... What was the name of your first childhood pet?

      --
      "His name was James Damore."
    3. Re:Calm down by _xeno_ · · Score: 2

      And if you don't mind me asking... What was the name of your first childhood pet?

      Ah-ha, I didn't actually use the name of my first childhood pet!

      Because her name was "Meg" and that was too short, since apparently you must answer with at least five characters. So instead I use the name of my second childhood pet.

      Except his name was "Max" and that's also too short.

      And I'll never tell you about my third childhood pet, a black cat named Licorice! ...oops. I wonder if I can change the answers to my security questions? I guess I'll need to go get a fourth childhood pet now, and make sure to name them something that's at least five letters long.

      --
      You are in a maze of twisty little relative jumps, all alike.
  7. This is about liability, not security by Kohath · · Score: 2

    The company suing the bank had seen the bank's security measures. They had the opportunity to judge whether the bank's security measures were secure enough for them. The bank should win unless the precautions were unreasonably weak.

    You would think everyone involved would be insured against these kinds of losses.

  8. It's time for businesses to get more paranoid by Beryllium+Sphere(tm) · · Score: 2

    If you have a business account where the bank won't cover losses from fraud; if your bank doesn't implement effective security measures; if you have some reason to stay with that bank anyway; if you feel compelled to sign up for online banking:

    Use a dedicated computer. They're cheap. You can afford to have one computer that's off limits for web surfing, online videos, dancing cursors and so on. For extra credit put it on a separate LAN segment, and of course you should have disabled Autorun anyway. Set it up so it can only connect to your bank's web site and to Windows Update.

  9. Banking security? by Wolfling1 · · Score: 2

    I've worked at a bank where $30,000 was sent overseas by accident in a testlab incident. A testlab!

    Banks are monumentally incompetent at securing their environments, so each individual needs to become accountable for the security of anything that takes place outside the bricks and mortar of their bank. My strategy is to distribute my funds across a few different banks.

    No password sharing minimises the risks, and distribution minimises the impact.

  10. It's only a District Court case by DERoss · · Score: 2

    A decision by a U.S. District Court is not even binding within the same jurisdiction of that court. Yes, other District Court judges might give the decision some weight; but they are not required to do so.

    Only when the U.S. Circuit Court of Appeals upholds a decision from a District Court in that circuit does the decision become binding on all the District Courts in that circuit. Even then, the decision is not binding in other circuits. To be binding throughout the U.S. requires a decision from the U.S. Supreme Court.

    Even after the Supreme Court decides, similar cases may arise in which Circuit Court judges conclude the Supreme Court was wrong. Then the process starts all over again until the Supreme Court either upholds its prior decision (most likely result) or overturns its own prior decision (rare but not unknown). For the latter case, look at how long (about a half century) it took the Supreme Court to overturn its prior decision that "separate but equal" segregation was legal for public schools. Attempts to get the Supreme Court to overturn Roe vs Wade (abortion) have been unending for decades.

    Conclusion: Living in California, I'm not yet worried about a ruling by a District Court in Maine on this issue.

  11. What are banks for? by taucross · · Score: 4, Interesting

    If banks can't protect our money, and aren't liable when it goes missing, then what are banks for?

    --
    "In the absence of the ability to establish the attribute of truth they tried to establish the noble attributes."
  12. One-time pads bypassed by Zeus and Spyeye by Mattpw · · Score: 2

    Banks resist the idea because all the major trojans wreaking havoc have MITM/MITB capabilities to bypass the tokens and mobile SMS in one way or another, as well as cost issues. The 2 European banks in the following article were using transaction signing tokens: http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians and mobile SMS trojans have been around for a while now: http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html You might want to investigate https://www.shieldpass.com/ online authentication cards, which are cheap and can do mutual authentication passively. For example, specific transaction information can be included in the challenges to stop MITM, and the process is passive or visual, so the trojans or phishers can't walk a target through a transaction as they did with the first link.

    1. Re:One-time pads bypassed by Zeus and Spyeye by unrtst · · Score: 2

      passwindow (what shieldpass uses) doesn't even have a valid SSL cert. Maybe it's an ok product, but I have trouble trusting a web security provider with an expired SSL cert (and it was only valid from 2011-05-23 - today).

      It also completely ignores other auth channels - how about email, ssh, imap, ldap, radius, etc?

      And it's only 4 digits, and parts of those digits are sent to the user - enough that one should be able to narrow it down quite a bit.

      Worse, there's two huge proximity weaknesses...

      * if someone shoulder surfs, they can easily see the code as it's displayed right up on your monitor. They'd have to act fast, but it's definitely not as personal as something displayed on your phone.

      * While you have your card blatantly held up on your monitor, anyone could snap a pic of it. Then, they have your passwindow, and can easily make their own copy (it's just a couple of black lines on something transparent).

      It does look like a novel and very simple idea, but it's raising way too many red flags.

  13. The Secret to Secret Questions by zigmeister · · Score: 2

    First off, if your machine is controlled by your adversary you're probably fucked one way or another regardless of what your bank does, if you give your attacker enough time. Also I run windoze 7... feel free to troll me.

    With that out of the way, I highly recommend using keepass or something similar. Not only do you get the obvious benefit of stronger and unique passwords, but if a form wants answers to secret security questions, just pick a question (any of them, it doesn't matter) and use a long random hex key as the answer, then store it in the notes section of that key entry in keepass, or don't store it at all, your choice. In short, bank security could be better, there are a few creative ideas above me that could be offered on their end like the firewall between your account and other accounts idea, but there are smart things you can do to avoid the pitfalls of these stupid ass "security" questions.

    Also, if you want to sync the database across machines, but are worried that your password may not be strong enough in the event that your online service for syncing is cracked into, do this:

    1) set up a keepass database with both a password and a key file for encryption
    2) share the encrypted database through your favorite online syncing service, personal home server, dropbox, whatever
    3) set up syncing with online service on each machine you want to access the database
    4) put the key file on each machine you did in 3. If you want this to be more secure than just a password you CANNOT share the keyfile through the net, but it literally never changes, unlike the database, so copy pasta across machines with a USB key or similar manually is easy enough
    5) additional note: this will save your password database for a non-trivial amount of time if someone has both your online service's password and your keepass password but cannot access the key file, hopefully long enough for you to realize what happened and change your passwords.
    6) as a corollary to that: if your machine is hacked and the hacker is smart enough to search for the keepass database and the key file then you're screwed. Note that naming the file cleverly, using a clever file type extension, or putting it somewhere obscure does not help, since keepass "remembers" where it is, so all the attacker has to do is find where keepass stores that info, and the easiest way to do that is simply start keepass...

    --
    Failure formatting five FAQs of financial facts.
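Step 5 of the procedure above, as an added example that is not part of the post and not KeePass's real file format or key derivation: a simplified model in Python of a vault whose key is composed from a password and a key file. It shows why an attacker who obtains the synced database, and can even guess the password offline, still gets nowhere without the key file that never crossed the network. The key file bytes, password and word list are constructed sample values.

```python
"""Password + key file as a composite key (simplified model, added example).

Not KeePass's actual format or KDF; it only reproduces the property the post
relies on: whoever has the synced file plus the password but not the key
file cannot open the vault, and cannot even recognise a correct guess.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

KDF_ROUNDS = 20_000  # key stretching; real managers use far more, or a memory-hard KDF


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Combine both factors; leaving out the key file yields an unrelated key."""
    material = hashlib.sha256(password.encode()).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def master_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite key so every offline guess costs KDF_ROUNDS hashes."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file), salt, KDF_ROUNDS)


def _verifier(mk: bytes) -> bytes:
    # MAC over a fixed label: lets a client confirm the key without storing it.
    return hmac.new(mk, b"vault-verifier", hashlib.sha256).digest()


def create_vault(password: str, key_file: Optional[bytes]) -> dict:
    """Return the header an attacker would obtain from the sync service."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": _verifier(master_key(password, key_file, salt))}


def unlock(vault: dict, password: str, key_file: Optional[bytes]) -> bool:
    """True only if both factors reproduce the stored verifier."""
    mk = master_key(password, key_file, vault["salt"])
    return hmac.compare_digest(_verifier(mk), vault["verifier"])


def offline_guess(vault: dict, candidates: Iterable[str], key_file: Optional[bytes]) -> Optional[str]:
    """What someone holding the synced file can do: try passwords offline."""
    for pw in candidates:
        if unlock(vault, pw, key_file):
            return pw
    return None


# Constructed sample values (a real key file would be random bytes kept off the network).
KEY_FILE = bytes.fromhex("9d3b1c7e55a0f2b8c4d6e8fa0b1c2d3e4f5061728394a5b6c7d8e9fa0b1c2d3e")
PASSWORD = "correct horse"
WORDLIST = ["password", "letmein", "correct horse", "hunter2"]


def demo() -> dict:
    """Owner with both factors opens the vault; password-only attacker does not."""
    vault = create_vault(PASSWORD, KEY_FILE)
    return {
        "owner_unlocks": unlock(vault, PASSWORD, KEY_FILE),
        "password_only_fails": not unlock(vault, PASSWORD, None),
        "guess_without_keyfile": offline_guess(vault, WORDLIST, None),
        "guess_with_keyfile": offline_guess(vault, WORDLIST, KEY_FILE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Step 6 is the flip side: once the key file and the database sit on the same compromised machine, `offline_guess` with the key file succeeds as soon as the password is guessed, which is why the post says the only thing that still helps is the strength of the password itself.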
  14. A true solution by Kim0 · · Score: 2

    What you see on your screen may be fake, and what the bank sees you type may be fake too.
    The only thing that may not be faked is your identification to the bank, when using a one-time pad.

    The obvious solution, which is too deep for bankers and judges, is to secure all the necessary information.

    In practice this means having something looking like a calculator which shows each transaction,
    having cryptographically secure two-way communication to the bank via the net, and being tamperproof.
    A sort of two-way code calculator.

  15. This is only about the current situation. by houghi · · Score: 2

    The bad thing about a precedent is that it will fix at a certain time. Imagine they find something that is secure as we know it, while still being usable. That would be effective today.

    Tomorrow some smart person finds a way around that security, making it insecure.

    Now the banks will say the day after tomorrow in a lawsuit: We did what was required, while the customer will say that security was not enough.

    --
    Don't fight for your country, if your country does not fight for you.
  16. There is a fairytale of 1001 night by drolli · · Score: 2

    which involves old/new olives. Funnily, the judge does not try to verify by himself but calls somebody who is a trader of olives and knows about the topic of old/new olives.

  17. Here in Sweden by jools33 · · Score: 3, Interesting

    Here in Sweden - my bank uses a keypad - where the user first must key in a PIN code to activate the device. Then to log in - you must key in your national security number (userid) - from this the bank generates a code - I key this code into my unlocked keypad - and get a return code. This is I guess similar to the RSA key generation (the device is not supplied by RSA incidentally) - except that the whole activity is locked down by a 4-digit PIN in my handheld device - which I guess is the key to the code generation. My bank thinks this security is impregnable (the last time I questioned it they laughed at me) - but after the recent RSA hack I really wonder if this is the case. If the generation algorithm becomes common knowledge (i.e. the security provider is hacked) - then all that is needed is to identify the 4 digit PIN code.

  18. My bank's got it right by Meriahven · · Score: 2

    My bank's site requires three things to authenticate me:

    1: a user code, 8 characters of randomness generated by the bank (something I and the bank both know)
    2: a password, at least 8 characters of not-very-randomness generated by me (something the bank can check without actually having to store it)
    3: a four-digit number from a printed wallet-size list of one-time codes generated by the bank (something I have)

    The password used to be also generated by the bank, but they came to their senses; now that I get to choose it myself, even the clerk who created my account (and possibly caught a glimpse at my one-time password list in the process) does not know everything that is needed to authenticate as me.

    The extra trouble is, of course, the exchange of the one-time code lists. This they do by mailing me a new one when there are ~20 unused codes left in the old one, and then I just need to log in to their web site, give the id of the new list, and confirm the list change by a code from the old list.

    Not nearly as high-tech as SecurID, but works like a charm.