Two-factor banking

Token statement

People who lived through the Second World War, like my grandparents, had a very different view of money than those of us who grew up in the Information Age. Many of us still remember being told how foolish it is to keep one's life savings under a bed mattress, because the banks were known as trusted entities that will always do a better job of looking after your money. Even my grandparents, albeit reluctantly, came to realize that putting trust in financial institutions was the only way to go.

That trust is eroding, however, in light of a massive onslaught of phishing scams on the Internet. The irony is that the security issues surrounding this kind of financial theft are by and large due to the poor security practices and social engineering of an individual - and therefore the responsibility for losses is similarly owned by that individual, not the bank.

There are all sorts of toolbars [1] [2] [3], security approaches, and browser extensions that try to mitigate this threat, but they're all ineffective - not because they don't work, but because they'll never get installed on the computers of people who really need them.

The forced use of two-factor authentication for banking systems accessible over the Internet is our only hope for mitigating the phishing threat. And since the banks have no financial responsibility to do this on their own, the only way this is ever going to happen is by requiring them to do it through legislation.

Some approaches in the banking world

In the US, federal regulators are now requiring banks to have at least two-factor authentication with their websites by the end of 2006.

The Federal Financial Institutions Examination Council (made up of the FDIC - Federal Deposit Insurance Corp, the US Federal Reserve, the US Comptroller of the Currency, and others) has very recently issued a press release as well as detailed but technology-neutral guidance (PDF) on the need for two-factor authentication. It's an idea being sold to banks and the public as a way to address identity theft in a supposedly proactive manner.

In Sweden, one Internet bank has used the interesting idea of one-time passwords mailed out on a "scratch-pad," but even that novel approach has been attacked and compromised by a recent phishing scam.

There has been some suggestion that Internet banking sites use drop-down menus to thwart keyloggers, but many Trojans also capture screenshots, so this approach really isn't very good.

While not quite phishing-specific, here's a funny one for you. Sometimes a con-artist is so slick he can convince senior people at several major European banks to hand over hundreds of thousands of dollars (or rather, Euros) in the bathroom stall at a public bar. "Psst, I'm a secret agent and I need your help." When they caught up with this guy, he was already suntanning on a beach.

A case for tokens

I've been doing online banking for over five years, and many of our readers have been doing it longer. Five years is more than enough time for the banks to figure out a cost-effective, long-term solution to the problem of stolen passwords (which soon becomes stolen money). Today they secure their internal systems just fine, and they've trained their staff on how to absolve all responsibility when a customer's machine is infected with a Trojan and their bank account has been compromised: "Don't worry, our internal banking systems are quite secure. Have a nice day."

We've all known people infected with Trojans, keyloggers, spyware, and the like. The first thing I tell people when they call for advice is to get off the phone with me and immediately call their bank - reset their passwords or disable Internet access to their accounts altogether - and hope that it isn't too late.

A token is often a small keychain-like device displaying a non-repeating number that changes every minute. These are made by a number of companies, and they've been used in the corporate world for many years. It's time that (1) banks eat the cost of providing these tokens, (2) more governments besides just the US force the use of two-factor authentication in the banking world, and (3) people who understand security, meaning all of us, lobby their elected officials to get the proper legislation in place.

I have to agree with what Bruce Schneier wrote recently, that pushing all the responsibility from consumers to financial institutions (and most likely, doing it through legislation, if you ask me) is the only way to get this done.

A secure public terminal?

I look at many people's computers as unsafe public terminals. When I'm invited over to a friend's place for dinner, I'm afraid to do anything on their machine because I know all the nasty things it could be infected with... logging my passwords, stealing my identity, and so much more. I always wonder how badly it's been owned.

If you've ever checked your bank account from a public terminal at an Internet café like I have, you immediately realize two things: one, it's an incredibly dumb thing to do, and two, having a token as a password that changes every minute would dramatically lower the overall risk - regardless of how 0wn3d the machine really is. In certain unexpected circumstances, either using a public terminal or abstaining from access altogether may be the only choice. Where are our tokens?
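To make concrete why a code that changes every minute helps even on a keylogged machine, here is an added example (not code from the column or from any token vendor) of how a time-based token works on both sides. It assumes the token is a standard HOTP/TOTP device (RFC 4226 / RFC 6238), uses a constructed demo seed, and uses a 60-second step to match the one-minute tokens described above rather than the RFC default of 30 seconds. The server side accepts a code only within a small clock-skew window and refuses to accept the same time step twice, so a code captured by a keylogger is useless both seconds later (already used) and minutes later (expired).

```python
import hashlib
import hmac
import struct

# Constructed demo seed, not a real credential. A real token holds a unique
# random seed shared only with the bank's authentication server.
DEMO_SECRET = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 60   # the column describes codes that change once a minute (RFC 6238 default is 30s)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, int(at // step))


class TokenVerifier:
    """Server side. Accepts the code for the current step +/- `skew` steps of clock drift,
    and never accepts a time step at or before the last one it already accepted."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_accepted_step = -1  # replay guard: highest counter already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # this step (or an older one) was already used: reject replays
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def replay_scenario(t0: float = 1_000_000_000.0):
    """Simulates a keylogged login: the legitimate login succeeds, a replay of the
    captured code a few seconds later is refused (step already consumed), and a
    replay ten minutes later on a fresh session is refused (code has expired)."""
    server = TokenVerifier(DEMO_SECRET)
    captured = totp(DEMO_SECRET, t0)                 # what the token displayed, and what the keylogger saw
    legit_login = server.verify(captured, t0)
    replay_seconds_later = server.verify(captured, t0 + 5)
    replay_minutes_later = TokenVerifier(DEMO_SECRET).verify(captured, t0 + 600)
    return legit_login, replay_seconds_later, replay_minutes_later


if __name__ == "__main__":
    print("legit, replay+5s, replay+10min:", replay_scenario())  # (True, False, False)
```

The replay guard is the part that matters for the column's argument: without it, a captured code is still valid for the rest of the current minute (plus the skew window), which is plenty of time for an automated Trojan to log in before the real user does. A skew of one step is a common compromise between tolerating token clock drift and keeping the window of exposure short.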

The average person doesn't understand how phishing works or is prevented, because the security world is so complicated - and yet the risk of losing money through one's Internet banking account is a very simple concept to understand. It's time that more governments around the world step in to ensure that Internet banking remains safe.

Copyright © 2005, SecurityFocus
