Original URL: https://www.theregister.com/2005/10/19/internet-banking_security/

Two-factor banking

Token statement

By Kelly Martin, SecurityFocus

Posted in Channel, 19th October 2005 08:06 GMT

People who lived through the Second World War, like my grandparents, had a very different view of money than those of us who grew up in the Information Age. Many of us still remember being told how foolish it is to keep one's life savings under a bed mattress, because the banks were known as trusted entities that will always do a better job of looking after your money. Even my grandparents, albeit reluctantly, came to realize that putting trust in financial institutions was the only way to go.

That trust is eroding, however, in light of a massive onslaught of phishing scams on the Internet. The irony is that the security issues surrounding this kind financial theft are by-and-large due to the poor security and social engineering of an individual - and therefore the responsibility for losses are similarly owned by that individual, not the bank.

There are all sorts of toolbars [1] [2] [3], security approaches, and browser extensions that try to mitigate this threat, but they're all ineffective - not because they don't work, but because they'll never get installed on the computers of people who really need them.

The forced use of two-factor authentication for banking systems accessible over the Internet is our only hope for the mitigating the phishing threat. And since the banks have no financial responsibility to do this on their own, the only way this is ever going to happen is by requiring them to do it through legislation.

Some approaches in the banking world

In the US, federal regulators are now requiring banks to have at least two-factor authentication with their websites by the end of 2006.

The Federal Financial Institutions Examination Council (made up of the FDIC - Federal Deposit Insurance Corp, the US Federal Reserve, the US Comptroller the Currency, and others) has very recently issued a press release as well as specific, non technology-specific guidance (PDF) on the need for two-factor authentication. It's an idea being sold to banks and the public as a way to address identity theft in a supposedly proactive manner.

In Sweden, one Internet bank has used the interesting idea of one-time passwords mailed out on a "scratch-pad," but even that novel approach has been attacked and compromised by a recent phishing scam.

There has been some suggestion on the use of drop-down menus on Internet banking sites to thwart the use of keyloggers, but many Trojans also capture screenshots so this approach really isn't very good.

While not quite phishing-specific, here's a funny one for you. Sometimes a con-artist is so slick he can convince a senior people at several major European banks to hand over hundreds of thousands of dollars (or rather, Euros) in the bathroom stall at a public bar. "Psst, I'm a secret agent and I need your help." When they caught up with this guy, he was already suntanning on a beach.

A case for tokens

I've been doing online banking for over five years, and many of our readers have been doing it longer. Five years is more than enough time for the banks to figure out a cost-effective, long-term solution to the problem of stolen passwords (which soon becomes stolen money). Today they secure their internal systems just fine, and they've trained their staff on how to absolve all responsibility when a customer's machine is infected with a Trojan and their bank account has been compromised: "Don't worry, our internal banking systems are quite secure. Have a nice day."

We've all known people infected with Trojans, keyloggers, spyware, and the like. The first thing I tell people when they call for advice is to get off the phone with me and immediately call their bank - reset their passwords or disable Internet access to their accounts altogether - and hope that it isn't too late.

A token is often a small keychain-like device with a non-repeating number that changes every minute. These are made by a number of companies, and they've been used in the corporate world for many years. It's time that (1) banks eat the cost of providing these tokens, (2) more governments besides just the US force the use of two-factor authentication in the banking world, and (3) people understanding security, meaning all of us, lobby their elected officials to get the proper legislation in place.

I have to agree with what Bruce Schneier wrote recently, that pushing all the responsibility from consumers to financial institutions (and most likely, doing it through legislation, if you ask me) is the only way to get this done.

A secure public terminal?

I look at many people's computer as an unsafe public terminal. When I'm invited over to a friend's place for dinner, I'm afraid to do anything on their machine because I know all the nasty things it could be infected with... logging my passwords, stealing my identity, and so much more. I always wonder how badly it's owned up.

If you've ever checked your bank account from a public terminal at an Internet café like I have, you immediately realize two things: one, it's an incredibly dumb thing to do, and two, having a token as a password that changes every minute would dramatically lower the overall risk - regardless of how 0wn3d the machine really is. In certain unexpected circumstances, either using a public terminal or abstaining from access altogether may be the only choice. Where are our tokens?

The average person doesn't understand how phishing works or is prevented, because the security world is so complicated - and yet the risk of losing money through one's Internet banking account is a very simple concept to understand. It's time that more governments around the world step in to ensure that Internet banking remains safe.

Copyright © 2005, SecurityFocus