Feeds

Two-factor banking

Token statement

Protecting against web application threats using SSL

People who lived through the Second World War, like my grandparents, had a very different view of money than those of us who grew up in the Information Age. Many of us still remember being told how foolish it is to keep one's life savings under a bed mattress, because the banks were known as trusted entities that will always do a better job of looking after your money. Even my grandparents, albeit reluctantly, came to realize that putting trust in financial institutions was the only way to go.

That trust is eroding, however, in light of a massive onslaught of phishing scams on the Internet. The irony is that the security issues surrounding this kind financial theft are by-and-large due to the poor security and social engineering of an individual - and therefore the responsibility for losses are similarly owned by that individual, not the bank.

There are all sorts of toolbars [1] [2] [3], security approaches, and browser extensions that try to mitigate this threat, but they're all ineffective - not because they don't work, but because they'll never get installed on the computers of people who really need them.

The forced use of two-factor authentication for banking systems accessible over the Internet is our only hope for the mitigating the phishing threat. And since the banks have no financial responsibility to do this on their own, the only way this is ever going to happen is by requiring them to do it through legislation.

Some approaches in the banking world

In the US, federal regulators are now requiring banks to have at least two-factor authentication with their websites by the end of 2006.

The Federal Financial Institutions Examination Council (made up of the FDIC - Federal Deposit Insurance Corp, the US Federal Reserve, the US Comptroller the Currency, and others) has very recently issued a press release as well as specific, non technology-specific guidance (PDF) on the need for two-factor authentication. It's an idea being sold to banks and the public as a way to address identity theft in a supposedly proactive manner.

In Sweden, one Internet bank has used the interesting idea of one-time passwords mailed out on a "scratch-pad," but even that novel approach has been attacked and compromised by a recent phishing scam.

There has been some suggestion on the use of drop-down menus on Internet banking sites to thwart the use of keyloggers, but many Trojans also capture screenshots so this approach really isn't very good.

While not quite phishing-specific, here's a funny one for you. Sometimes a con-artist is so slick he can convince a senior people at several major European banks to hand over hundreds of thousands of dollars (or rather, Euros) in the bathroom stall at a public bar. "Psst, I'm a secret agent and I need your help." When they caught up with this guy, he was already suntanning on a beach.

A case for tokens

I've been doing online banking for over five years, and many of our readers have been doing it longer. Five years is more than enough time for the banks to figure out a cost-effective, long-term solution to the problem of stolen passwords (which soon becomes stolen money). Today they secure their internal systems just fine, and they've trained their staff on how to absolve all responsibility when a customer's machine is infected with a Trojan and their bank account has been compromised: "Don't worry, our internal banking systems are quite secure. Have a nice day."

We've all known people infected with Trojans, keyloggers, spyware, and the like. The first thing I tell people when they call for advice is to get off the phone with me and immediately call their bank - reset their passwords or disable Internet access to their accounts altogether - and hope that it isn't too late.

A token is often a small keychain-like device with a non-repeating number that changes every minute. These are made by a number of companies, and they've been used in the corporate world for many years. It's time that (1) banks eat the cost of providing these tokens, (2) more governments besides just the US force the use of two-factor authentication in the banking world, and (3) people understanding security, meaning all of us, lobby their elected officials to get the proper legislation in place.

I have to agree with what Bruce Schneier wrote recently, that pushing all the responsibility from consumers to financial institutions (and most likely, doing it through legislation, if you ask me) is the only way to get this done.

A secure public terminal?

I look at many people's computer as an unsafe public terminal. When I'm invited over to a friend's place for dinner, I'm afraid to do anything on their machine because I know all the nasty things it could be infected with... logging my passwords, stealing my identity, and so much more. I always wonder how badly it's owned up.

If you've ever checked your bank account from a public terminal at an Internet café like I have, you immediately realize two things: one, it's an incredibly dumb thing to do, and two, having a token as a password that changes every minute would dramatically lower the overall risk - regardless of how 0wn3d the machine really is. In certain unexpected circumstances, either using a public terminal or abstaining from access altogether may be the only choice. Where are our tokens?

The average person doesn't understand how phishing works or is prevented, because the security world is so complicated - and yet the risk of losing money through one's Internet banking account is a very simple concept to understand. It's time that more governments around the world step in to ensure that Internet banking remains safe.

Copyright © 2005, SecurityFocus

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.