Court Rules Passwords+Secret Questions=Secure eBanking

← Back to Stories (view on slashdot.org)

Court Rules Passwords+Secret Questions=Secure eBanking

Posted by samzenpus on Wednesday June 8, 2011 @12:42PM from the nobody-knows-your-mother's-maiden-name dept.

An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."

26 of 284 comments (clear)

Min score:

Reason:

Sort:

One-time pads by Anonymous Coward · 2011-06-08 12:49 · Score: 4, Insightful

We've been using one-time pads in Finland for a long time, and they do the job.
What's the issue?
1. Re:One-time pads by Anonymous Coward · 2011-06-08 12:52 · Score: 4, Insightful
  
  well. Here in the US we don't feel like spending money on security.
2. Re:One-time pads by ekhben · 2011-06-08 13:06 · Score: 5, Insightful
  
  I think you have it the wrong way around. It's an exceptionally hard problem to have a highly secured end user network. It's an easy problem to have stronger authentication mechanisms.
  One time pads are not new, or difficult. Two-channel authentication is not new, or difficult. These are not particularly expensive solutions to implement, and would cut down on fraud significantly.
  So why do the banks resist the idea?
  Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.
3. Re:One-time pads by Anonymous Coward · 2011-06-08 13:19 · Score: 3, Funny
  
  i don't want to buy an iPad, use it one time, then throw it away.
4. Re:One-time pads by QuasiSteve · 2011-06-08 13:40 · Score: 3, Interesting
  
  Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.
  I'm curious.. what is the other channel?
  Here in NL there's two major forms of online banking authorization (separate from the account login, of course), both are a challenge/response type, and both perform the challenge in the browser.
  The first one, the response is either on a paper sheet you have (which you can then move to a computer file or whatever if you want to spend some time typing it in) or is sent to your cellphone along with the amount (so that no transactions can sneak in without it being shown in the same text).
  The other one, the response is something generated on an external device - looks like a little calculator - after entering the challenge.
  In both cases, the response is also entered into the browser.
  Despite these more-or-less two-factor authorizations, I'd consider this to be a single channel.
  I'm not sure what other channel could exist either... a custom application that communicates over an SSL'd connection or secure FTP or whatever could just as well be targeted by malware authors.. perhaps even moreso considering its focused purpose.
  A true separate channel would probably be a modification of the aforementioned challenge-via-text method to also send the response via text. Or calling the bank and checking with an employee that the order as you see it on your screen is indeed the order pending and then proceed to provide the response to the presented challenge. The former could be automated, the latter.. not so much?
  So I'm curious what the 2nd channel in your banking situation is.
5. Re:One-time pads by MightyMartian · 2011-06-08 14:02 · Score: 4, Funny
  
  Maybe we can let the TSA take over computer security. You can have a couple of brawny perverts in front of every computer reading to cup your genitals before you go to pay some bills. Add in a X-ray machine to toast your testicles, and you're ready to go!
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
6. Re:One-time pads by Dodgy+G33za · 2011-06-08 14:09 · Score: 3, Interesting
  
  Don't underestimate the power of the money that can be made by subverting online banking.
  If the machine on which you do banking is not secure it becomes very hard to secure a transaction unless you have a true second channel. For example confirm a transaction with an SMS or phone call, although with smart phones this can no longer be guaranteed to be a second channel.
  The latest generation of man-in-the-browser malware sits between the user and the bank and can alter transactions that the user has legitimately entered and authorised, as well as hide the evidence of the results.
  At a recent AUScert conference in Australia we heard that such malware can also add additional form fields so that the user confirms their phone number, and use that as a vector to infect their smartphone by exploiting smartphone OS vulnerabilities. Once they have both PC and phone infected, it is game over as far as two factor authentication with the phone is concerned.
  This problem can be solved in a very simple (technically, not politically) way, and that is to clean up international banking so that the money trail can be followed. Make the bank that failed to identify the one that ends up with the money liable for repayment (and that includes the likes of Western Union), and in the event of a failed bank make the country in which the bank is registered liable.
  Failing that make operating system and software manufacturers liable for security flaws in their products. We do it with cars, so why not software?
7. Re:One-time pads by AK+Marc · 2011-06-08 14:11 · Score: 3, Interesting
  
  I have my bank send me a text with a code I put in the browser for online transactions above a certain level. Sure, it all goes through the browser at some point, but a one-time use code texted to my phone that won't work for another transaction even if someone was at my computer watching everything I put in will not allow them to then compromise my account at all. I could bank with that on a public computer and nobody could get anything out of my account.
  
  --
  Learn to love Alaska
8. Re:One-time pads by Snarky+McButtface · 2011-06-08 14:42 · Score: 5, Funny
  
  I can handle my own genitals when in front of a computer screen.
9. Re:One-time pads by pirho13 · 2011-06-08 14:45 · Score: 5, Insightful
  
  As the previous poster said, we don't like spending money on Security.
  Now Security Theater, that's entertainment!
10. Re:One-time pads by jonwil · 2011-06-08 15:22 · Score: 3, Insightful
  
  No it couldn't because the idea is that you enter the transaction details (amount and account number) into the little calculator thing.
11. Re:One-time pads by SharpFang · 2011-06-08 20:15 · Score: 3, Informative
  
  If the bank attaches transaction details, this is a valid method of circumventing the OTP vulnerablity.
  There are exploits in the wild that hijacked MSIE HTML rendering layer. So you want to transfer $15 to your aunt. You type in the amount, the account number, all details match. You press "send" and the trojan sends out the scammer's account number and your total balance as amount to transfer. Now the bank asks you to confirm the transfer - and the trojan displays your aunt's info you have just entered, asking for OTP code. And you sign the transfer to the thief's account with a valid OTP code.
  Now the SMS will contain some digits of the account number and you can verify if it's your auntie who will receive your cash, even if your computer has been compromised.
  
  --
  45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
This has a name by IICV · 2011-06-08 12:53 · Score: 4, Insightful

There's a name for this sort of security - "Wish it was two factor" security.
And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.
1. Re:This has a name by ScrewMaster · 2011-06-08 13:13 · Score: 3, Funny
  
  There's a name for this sort of security - "Wish it was two factor" security.
  And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.
  Either nobody asked the experts or the judge didn't care. I hope he uses online banking and finds himself with a negative balance some day.
  
  --
  The higher the technology, the sharper that two-edged sword.
2. Re:This has a name by Mashiki · 2011-06-08 13:28 · Score: 3, Interesting
  
  If there's zero case law on something. Any case law is good. Because it creates both a starting point, and a breech point for other lawyers to prove that the system is faulty. It's not bullshit, well actually it is but not in the way you think. It's bullshit that it's taken nearly 15 years for the first real case to come to light creating case law.
  
  --
  Om, nomnomnom...
3. Re:This has a name by MightyMartian · 2011-06-08 14:03 · Score: 3, Informative
  
  I'm sure he's not depositing the check from the banking industry in an American bank account, so it shouldn't be a worry for him.
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
good by waddgodd · 2011-06-08 12:59 · Score: 3, Interesting

From a consumer perspective, the lower the bar is for "effective security measures" the better, because if an attacker breaks ineffective security measures, you're basically on the "caveat emptor" hook, meaning you failed to do due diligence, therefore any losses are yours. If the security's effective, the bank's on the hook for any losses due to theft. Think of it this way, your bank has a wooden safe, and a robber gets in, you try to sue the bank for your losses, the bank says "well, duh, we had a wooden safe, what'd you expect?", and gets off the hook, while if the bank has a steel vault, you sue, and the bank's required by fiduciary duty to cover your loss, even though it's not negligent. Kinda twisted, huh? But then again, look at the rhetoric flying around Washington about the banks, banking law is truly down the rabbit-hole.

--
Just because you're paranoid doesn't mean they aren't out to get you
Re:Secure = Secure Enough by FatAlb3rt · 2011-06-08 13:14 · Score: 4, Interesting

Unless the questions are like my bank's:
Who is your favorite Disney character?
What is your favorite color?

You stand a good chance to get the right answer for any given account if you go with Mickey / Minnie or red / blue. How is that really security?
why not use some sort of authenticator? by snuf23 · 2011-06-08 13:20 · Score: 5, Interesting

I find it odd that Blizzard offers more security for a World of Warcraft account than your average bank.

--
Sometimes my arms bend back.
1. Re:why not use some sort of authenticator? by Cyno01 · 2011-06-08 14:57 · Score: 3, Informative
  
  Actually it still does, as you need a separate device thats not connected to the computer in any way.
  
  --
  "Sic Semper Tyrannosaurus Rex."
Calm down by Charliemopps · 2011-06-08 13:31 · Score: 5, Insightful

Seriously, everyone calm down. If your banks security sucks, switch. It's really easy. I switched banks on monday... it took me all of about an hour. Imagine if the judge had came down with a verdict like: True security is a 30+ character alpha-numeric password that is at least half capitals or special characters. The same password can never be reused. The user name must be a randomized 10 digit numeric sequence. Both user name and password can not be valid for longer than 30 days at which point both must be mail separately to the user on different dates. Users can not reset passwords without being in-person and present 2 forms of ID at a branch office. Lastly login periods can not last for more that 5min upon which the user must log in again.

What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!
1. Re:Calm down by memyselfandeye · 2011-06-08 13:54 · Score: 3, Insightful
  
  Seriously, everyone calm down. If your banks security sucks, switch. It's really easy. I switched banks on monday... it took me all of about an hour.
  Know of any US banks that offer SecureID or something similar? I'd sure like to know, as in order for my LLC to accept credit cards I have to have a US bank, so it's not like I can shop around even if I wanted to.
  
  What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!
  I agree, I mean, it's not like banks want to you easily move money out of an account anyway.
2. Re:Calm down by Rockoon · 2011-06-08 14:10 · Score: 4, Insightful
  
  If your banks security sucks, switch
  Switch to another insecure bank? The problem is that this shitty security is industry standard.
  
  And if you don't mind me asking... What was the name of your first childhood pet?
  
  --
  "His name was James Damore."
Re:Secure = Secure Enough by definate · 2011-06-08 14:07 · Score: 4, Interesting

I always answer those questions, with a different password. This results in many people going, "LOL So your mothers maiden name is jks)*8h9*H*(BY?"
This is when those are used for verbal authentication over the phone. Then on top of this, I just need some reasonable password management.
All good!

--
This is my footer. There are many like it, but this one is mine.
What are banks for? by taucross · 2011-06-08 15:15 · Score: 4, Interesting

If banks can't protect our money, and aren't liable when it goes missing, then what are banks for?

--
"In the absence of the ability to establish the attribute of truth they tried to establish the noble attributes."
Here in Sweden by jools33 · 2011-06-08 21:05 · Score: 3, Interesting

Here in Sweden - my bank uses a keypad - where the user first must key in a pincode to activate the device. Then to login - you must key in your national security number (userid) - from this the bank generates a code - I key this code into my unlocked keypad - and get a return code. This is I guess similar to the RSA key generation (the device is not supplied by RSA incidentally) - except that the whole activity is locked down by a 4 key pin in my handheld device - which I guess is the key to the code generation. My bank thinks this security is impregnable (the last time I questioned it they laughed at me) - but after the recent RSA hack I really wonder if this is the case. If the generation algorithm becomes common knowledge (ie the security provider is hacked) - then all that is needed is to identify the 4 digit pin code.