Monday, August 31, 2009

Not the "Type" of Two Factor Authentication we Need...



An article written two years ago (August 17th, 2007) blasted online banking log-in procedures, and still nothing has changed, even though it pointed to true two-factor authentication as a solution well before fraud got as bad as it is today...



Banks are still using the "type" of authentication that hackers love.  What type is that?  You know what the Hellvetica I'm talking about.  The kind you use when you don't swipe!



I thought it might be interesting to "revisit" what was said two years ago in order to demonstrate that online banking has not progressed, while hackers unarguably have.

"A new financial services requirement calling for two-factor authentication should make online banking secure, but one researcher says it's actually making things worse.  At this year's DefCon gathering in Las Vegas, security researcher Brendan O'Connor outlined several scenarios in which online banking has gotten worse, rather than better. Under Federal Financial Institutions Examination Council (FFIEC) guidelines that went into effect at the end of last year, banks are required to provide some form of multifactor authentication of their customers.


That typically means asking the user to provide something you have (an ATM card), something you know (a PIN), or something you are (a fingerprint scan).

(Editor's Note:  Where did "typically" go when it comes to online banking/online shopping?  Sounds like a "swipe" vs. "type" argument to me.  As for "something you are"...been there, done that.)


However, O'Connor found that the new authentication implementations were no better than the traditional user name and password that were required prior to last year.  (Editor's Note:  which, BTW, is why I always use "username/password" in my rants against typing.)


O'Connor also shared some insight into why, with all these new protections in place, so many phishing sites are still operational today.



FFIEC--what?




Nearly two years ago, the Federal Financial Institutions Examination Council (FFIEC) recommended guidance on authentication for online banking. According to their Web site, "The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and to make recommendations to promote uniformity in the supervision of financial institutions." O'Connor, who isn't an expert on compliance, said that failure to pass an FFIEC audit could make it hard for banks to acquire smaller banks or institutions.

"The guidance specifically says that transaction fraud and identity theft are a problem, and it places the blame squarely on authentication," said O'Connor. He pointed to the "three strikes--you're out" rule with most Web applications. Guess the wrong password and you're locked out until you get on the phone to someone. "Attackers aren't getting in by guessing, they're getting in by stealing the credentials or tricking the end-user into giving away the credentials." So adding more credentials won't make sites more secure.

(Editor's Note:  EXACTLY!  A user can "type" in 20 credentials, and if a keylogger gets hold of them, or there is malicious code on the computer, or they are typed into a counterfeit bank website, the user is screwed.  So authentication isn't the problem.  Typing is!)
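To make O'Connor's point concrete, here is an added illustration that is not code from the CNET article or from this blog: a toy bank that accepts typed, static credentials (a password plus a security-question answer) next to one that accepts a possession-based challenge-response from a card or token. A simulated keylogger captures everything the user types in both cases. The user names, secrets and the keylog contents are constructed sample data; the class and function names are this example's own.

```python
"""
Added example: replaying keylogged input against two authentication designs.
Not from the CNET article or the ePayment News post; all data is constructed.
"""
import hashlib
import hmac
import secrets


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash for stored static secrets (so the store itself is not the weak point)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class TypedCredentialBank:
    """Login = the user types N static secrets (password, security answer, ...)."""

    def __init__(self):
        self._users = {}  # username -> [(salt, hash), ...], one per static credential

    def enroll(self, user: str, *static_secrets: str) -> None:
        entries = []
        for s in static_secrets:
            salt = secrets.token_bytes(16)
            entries.append((salt, _pbkdf2(s, salt)))
        self._users[user] = entries

    def login(self, user: str, *typed: str) -> bool:
        entries = self._users[user]
        if len(typed) != len(entries):
            return False
        ok = True
        for (salt, stored), t in zip(entries, typed):
            ok &= hmac.compare_digest(stored, _pbkdf2(t, salt))
        return ok


class ChallengeResponseBank:
    """Login = bank issues a fresh nonce; the device answers HMAC(device_key, nonce)."""

    def __init__(self):
        self._keys = {}     # username -> key that lives only in the user's device
        self._pending = {}  # username -> outstanding nonce (single use)

    def enroll(self, user: str, device_key: bytes) -> None:
        self._keys[user] = device_key

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[user] = nonce
        return nonce

    def login(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)  # consumed even on failure: no second try on the same nonce
        if nonce is None:
            return False
        expected = hmac.new(self._keys[user], nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


class HardwareToken:
    """The 'something you have': computes responses but never exposes its key to the keyboard."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: str) -> str:
        return hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()


def replay_against_typed_credentials() -> bool:
    """True if what the keylogger captured is enough for the attacker to log in."""
    bank = TypedCredentialBank()
    bank.enroll("alice", "correct horse battery", "Chicago")  # constructed secrets
    keylog = ["correct horse battery", "Chicago"]              # everything alice typed
    assert bank.login("alice", *keylog)                        # alice's own login works
    return bank.login("alice", *keylog)                        # ...and so does the replay


def replay_against_challenge_response() -> bool:
    """True if the captured one-time response works in the attacker's own session."""
    key = secrets.token_bytes(32)
    bank = ChallengeResponseBank()
    bank.enroll("alice", key)
    token = HardwareToken(key)
    nonce = bank.challenge("alice")
    keylog = [token.respond(nonce)]                 # the keylogger sees the typed response
    assert bank.login("alice", keylog[0])           # alice's own login works
    bank.challenge("alice")                         # attacker's session gets a fresh nonce
    return bank.login("alice", keylog[0])           # captured response no longer matches


if __name__ == "__main__":
    print("typed credentials replayable:", replay_against_typed_credentials())
    print("challenge-response replayable:", replay_against_challenge_response())
```

The static design fails no matter how many typed secrets are stacked on it, because the keylogger sees all of them. The challenge-response design survives capture-and-replay because the secret never leaves the device and each response is bound to a nonce the bank will not accept twice. It does not, by itself, defeat the phishing case the article goes on to describe: a counterfeit site that relays the live challenge to the real bank in real time still gets a valid response, which is why the response would also have to be bound to the transaction or the genuine site.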







"The [FFIEC] guidance specifically says that transaction fraud and identity theft are a problem, and it places the blame squarely on authentication. I disagree with the entire premise."



Editor's Note:  Hear, hear.  It's the "type" of "authentication" that creates the problem.  More specifically, consumers "typing" to authenticate instead of "swiping" to authenticate their online banking session!
The trouble with credentials

Choosing the answer to a security question isn't two-factor authentication; it's one factor--it's choosing something that only you know. But is it? O'Connor said it depends on the question. If it's public record data, then an attacker might also know the value of your mortgage or the year you graduated from college. If it's personal information, then pick a good question to answer. O'Connor mentioned Paris Hilton's choice of "What is the name of your pet?" Everyone knows that.



Then there are the obvious choices, such as "What's your favorite city?" "If your user ID is CubsFan123," said O'Connor, "it's probably Chicago." Likewise, he said if your user ID is NYCgal576, then the answer to "Where did you go to high school?" is probably New York City.



Editor's Note: Duh!  Ya think?  So, what can we do?  How about encrypting the data so that hackers find only random gobbledygook?  "If they were properly encrypted, it would take until the sun burns out for anyone to decode it."





Read the "two-year-old" article in full at CNET.




