Schneier on Security
A blog covering security and security technology.
« UK Terrorism Law Used for Non-Terrorism Purposes |
| Liabilities and Software Vulnerabilities »
October 19, 2005
U.S. Regulators Require Two-Factor Authentication for Banks
Two-factor authentication is coming to U.S. banks:
Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.
Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.
Here's more details.
This won't help. It'll change the tactics of the criminals, but won't make them go away. I've written about that already (the short version is that two-factor authentication won't mitigate identity theft, because it's not an authentication problem -- it's a problem with fraudulent transactions), and also about what will solve the problem.
Posted on October 19, 2005 at 2:51 PM
• 63 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Wow, I'm the first!!!!!
Bruce, your thesis that "two-factor won't help" has been discussed extensively in this forum. Frankly, I am tired of it, and I won't repeat the arguments that have been brought forward here on many occasions. What I would like to suggest is the following:
1. Please respond to your critics instead of repeating the same ol' story all over again
2. Present some empirical, real-world evidence. Two-factor-authentication is not a theoretical issue. It has been tried and perfected for many years in several countries so if it "doesn't help", then there should be some empirical evidence that fraud rates are not affected by the use of a well-designed two-factor system. If there is any such evidence, please let us know. If not, let us know.
Bruce's continual point is that technology, no matter how good, isn't a substitute for intelligent beings making intelligent decisions about security. Security is a process, not a product.
Unfortunately, Bruce has a very bad habit of pointing out things and saying "This is what bad looks like" while rarely, if ever, pointing out or suggesting solutions and saying 'This is what good looks like".
People looking to improve their own security merely by reading Bruce's column have to figure out what good security is by process of elimination, it seems.
Bruce seemed pretty clear to me. Two-factor authentication does in fact solve a problem with authentication. The trouble is that the problems we're facing are not, generally, authentication problems.
Inevitable car metaphor: It's like replacing the tires when your car doesn't have an engine. Even though your car may technically benefit from new tires, it won't make the car go.
It's never been a problem of authenticating the bad guy. Now the bad guy has two proofs of his identity and will get what he wants even easier now. What is needed is an authentication device that only works for the original real guy. Something like a pin number that can't be shoulder surfed, guessed, or easily reset by the bad guy.
oops. I'm the anonymous of previous.
"Bruce has a very bad habit of pointing out things and saying "This is what bad looks like" while rarely, if ever, pointing out or suggesting solutions and saying 'This is what good looks like".
'Practical Cryptography' has at least the intention of doing so:
From the introduction:
"We don't give you dozens of of choices; we give you one option ant tell you how to implement it correctly".
Although it may not solve the problem, in some cases it is certainly better than not having it. At least if done right.
What is not known in the story is the original requirements of the regulation. It would have specified how and with what technology to do authentication and across all services. Thankfully it was negotiated down to a "best that could be done" result.
I just can not believe that American banks only use user names and passwords as authentication method. Is that a common factor with all US banks, or just a few who do no take security seriously?
All banks here in Sweden have "good" security, requiring two factor authentication in the form of an ActivCard+PIN, one time passwords + PIN or other similar techniques such as certificates.
I can't agree that 2 factor won't help prevent a phisher lifting a username/pw with a keylogger on a person's computer assuming you're dealing with typical OTP schemes. (I support strong authentication systems for a large company so yes I'm biased.) I can't agree that it's not better than what is currently there. But it certainly doesn't help identity theft scenarios where someone is opening a credit card account in someone else's name. In which case, the strong authentication credential will be given to the identity thief like candy. A strong credential loses it's meaning if it's easy to obtain. Additionally, true security should have a systems approach, where it is applied at all layers, versus the "one gun" approach that simply requiring strong authentication provides.
For instance, if a bank requires strong authentication , the bank should apply some reasonable logic regarding the use of that credential - i.e. if a bank transaction goes over a certain amount, the bank should email the registered account holder or call the registered account holder's phone, etc before allowing it. I think some of the logic that banks have applied to traditional transactions should hold true for digital transactions. If you've ever tried to deposit an out of state personal check for over $10,000, you know the logic I'm talking about.
@ac: "Bruce seemed pretty clear to me." Bruce is being clear. Nobody denies that. Please don't try to answer questions that nobody has asked.
Bruce has been clear, his critics have been clear, and I think I have been clear, too: I challenge Bruce to
1. respond to critics;
2. offer empirical evidence for his claim that "two-factor won't help" against online fraud.
Of course, he may choose not to. In which case I will simply regard his claim as unsubstantiated.
Bruce, aren't you confusing "not perfect" with "not worth doing"? Surely it will help, raising the bar high enough that a large portion of the not-so-bright criminals will no longer find phishing worth while.
@Brian: "But it certainly doesn't help identity theft scenarios where someone is opening a credit card account in someone else's name." Of course not. And it won't help against hurricanes and global warming, either. Who has ever made such claims?
Bryan Sowell, What logic are you talking about?
Given this story http://www.goodthink.com/$$tablecontents.html
Is it really that hard to deposit a large check?
Apparently it depends on the bank.
Two factor authentication could resolve some issues by making authentication time based, and requiring two factor authentication. That would reduce man in the middle/replay attacks. However, given that the actual crimes I know of are credit/debit card based, check based, or use copies of ATM cards, none of them are internet banking based yet.
How is two factor authentication for internet transactions going to help resolve those issues?
Credit cards: the problem isn't that we've played fast and easy with SSNs for years, the problem is that CC companies will give out a credit card in return for a SSN and DOB. Hey, why not. They make money on them.
Banks: the problem isn't that people give away their passwords to crooks. As we saw last week with the bank head who put a sack full of money under a bathroom stall, people will put their SecureID card in the mail and offer to put their hand on the scanner for the crook. Phishing will go away when it's not proffitable, and it won't be proffitable if banks look for strange patterns, like Wilma in Idaho withdrawing 10K from an Internet Cafe in Moscow. When the phishers have to go to an immense amount of work to get a measly $50, it won't be worth it anymore.
I think 2-factor will help, by making it harder for crooks but I agree with Bruce in that it's a long way from a solution.
"This won't help."
You should read your own blog about Agenda :-)
This is of great help to those who want to be seen to be doing something.
I read the article he linked to regarding two-factor authentication not working and it's greatly exaggerated. The only way to take advantage of a smart card using PKI would be the trojan method, but that ONLY works while the person is logged in. In other words, you can't passively collected passwords/authentication data and use it at your leisure like you can with single factor authentication. So basically the attacker has to sit there waiting for the person to login (which is annoying if you want to defraud many people), and then quickly perform some transactions before they log out.
It would be a lot easier just to try to order a replacement smart card and intercept it before the person opens their mail
But you *can* passively perform trojan monitoring of a slew of computers, waiting for one to do what you need it to do. Computers are good for this sort of wholesale surveillance.
This is not a movie-plot scenario, either. Precisely these methods are used already for gathering spam bot-nets. Once you have a few thousand slave computers logged into your private IRC channel and waiting for orders, how simple to tell each one to just let you know when the user is acessing their banking details.
And this approach is only the unimaginative one.
@zwack: Another one repeating the same stupid line: "How is two factor authentication for internet transactions going to help resolve those issues? (credit/debit card fraud etc.)" It isn't, and nobody claimed it would.
But if you really believe that "none of (the fraud schemes) are internet banking based yet", wake up. Of course there are online banking fraud attacks, and well-designed authentication schemes are effective to counter those attacks. End of message.
I can't figure out what it is that Bruce said that people have an issue with.
1. The context here is online transactions, so we leave credit cards etc. out of the discussion.
2. 2 factor suffers from the Man in the Middle weakness, including where a separate channel like SMS is used as the second factor. Bruce refers to "active" attacks where the man in the middle operates with the input credentials in real time and simply passes the 2 factor burden onto the user. If the 2nd factor is on the same channel (e.g. internet) as the first factor, it is simply passed on by the man in the middle. If it isn't, as in the SMS case, even better - the user inputs the 2nd factor in the other channel only aiding the Man in the Middle attack. As long as it is active and in real time, the attack works.
3. Yes, it will take time for the crooks to evolve their methods. This evolution will be significant only when a critical mass use time based 2 factor approaches. The crooks won't bother to evolve their methods until their ill gotten revenue is really impacted. So there is a window of lessening fraud for early adopters. Bruce states as much. It is only a matter of time - that too coding time for the crooks.
4. Trojans are more insidious and go well beyond what 2 factor protects against. But proactive and improving fraudulent transaction *detection* will curb even that to a large extent.
So Bruce is simply saying that we need to look beyond 2 factor authentication, which seems quite rational.
The security of banking websites can be apalling. I've recently started using a program to create and keep track of randomly-generated passwords, and for my online banking the restriction for the password was no more than 12 characters, as few as 4, and only alphanumeric characters.
Many, if not most posters here (including Bruce) appear not to have carefully read the FFIEC document. It does not require two-factor authentication across the board. It requires a risk-based approach to the development of strong authentication, making strong statements about two-factor authentication only for two Internet applications: access to sensitive personal information and interbank funds transfer. For the remainder, financial institutions are required to design effective authentication schemes appropriate to the risks, which are certainly likely to include two-factor schemes but are not necessarily required to. In no way is this regulation a blind push to two-factor authentication, and I think it's fair to say that Bruce and the news article he cites are both guilty of a straw-man fallacy in their representatation of the issue.
Ian's comment above is apropos to this regulatory approach. Banks and regulators alike are likely aware of the sophistication of man-in-the-middle and Trojan threats. Those that are have developed stronger countermeasures in addition to two-factor authentication (e.g. account activity monitoring for fraud detection) that help to mitigate these threats. The trouble is that, as with any application, there are undoubtedly many legacy Internet banking applications with weak single-factor authentication schemes that started out years ago being difficult to compromise for gain, because their functionality was so limited, but have gradually added functionality that make them viable targets for wholesale identity theft or fraudulent funds transfer. The approach this regulation is taking helps to shore up this gap.
It's also important to remember that sophisticated attacks man-in-the-middle or Trojan such as Bruce describes that specifically target Internet banking are still rare. It's one thing to Trojan or XSS a thousand zombies, but quite another to be able to compromise any arbitrary two-factor scheme in any particular financial institution. It's orders of magnitude easier to compromise single-factor schemes on a wholesale basis, which is therefore a more clearly present threat, and one which the regulation addresses, at least temporarily, by upping the ante.
"Unfortunately, Bruce has a very bad habit of pointing out things and saying 'This is what bad looks like' while rarely, if ever, pointing out or suggesting solutions and saying 'This is what good looks like.'"
In this case, though, I did write about what good looks like.
Are you sure about your information regarding
Swedish banks? Nordea (in Norway, at least) uses only username/password authentication.
"In this case, though, I did write about what good looks like."
I don't agree. Your blanket liability recommendations linked above ('what will solve the problem') make no detailed technical or procedural recommendations and would likely have enormous unintended consequences. I think your critics are noting that you are saying that two-factor authentication won't address certain threats, and are looking for recommendations on technological and procedural controls that will. I think this is a fair expectation. Stating that this is a transaction verification problem, or that this should be the exclusive problem of the banks, only begs the question.
It's another agenda question. The problem which needs to be solved is the _customer's_ problem. If the banks take the customer's potential losses, then that problem is solved immediately. The customer will not lose any more.
Now we have substituted a different problem (how should banks protect themselves against fraud). But that is a much better known and easily handled problem. They have been doing it succesfully for years. Credit card companies do it every day. What's really important is that they will stop having competitive pressure from other banks who cut costs by really not caring.
Well, of course I am not one hundred percent sure, but all banks that I have heard of and used have two-factor authentication.
But, and a big but here, you are often allowed to login using a username/password kind of system, but then you are not allowed to do much except view your accounts and transfer money within your own accounts.
Sorry, @csrster, but AFAIK, no bank in the UK is using 2 factor authentication. Yet. Indeed, no-one was interested in doing so until the cost of doing so fell below the cost of compensating customers for the fraud. In fact, 2 factor authentication may be against the customer's best interest (like "chip and pin") because the banks will now have a reason to force the cost of the fraud onto the customer.
Explicitly regulating for security seems like madness; the organisation that is best placed to work out the risk/cost is going to be the financial institution itself. Long-term it hinders the customer, as standardising security technologies removes a way to differentiate between banks, and their banking products. I'd much rather make sure the bank is clearly liable for losses so that it is incentivised to build good web applications and processes, and make sure its clients have good AV, security and secure delivery of their cards and account correspondence.
(I told one bank that I closed down my account because their web banking terms unreasonably shift the burden of proof onto me)
Overstrict regulations may have the side effect of undermining the business of account aggregators like Yodlee - which is perhaps desirable from a banks' point of view, though not its their users 8-)
Making a comparison with Nordic banks' use of two-factor authentication isn't really fair. This started many years ago, just like they adopted chip & pin on credit cards way before most other countries. My understanding of the rationale behind this (as an "insider" at the time) was it was based on seeking out and adopting "best practice" in web banking at a time when 40-bit encryption was the best we could get, and was helped along with a good dose of paranoia rather than any actual measurable risk.
Naturally, like fraud, these costs are passed onto the customer; Nordic countries have, IMHO, inflated banking fees and bad interest rates.
Bruce's point about two-factor just forcing the attackers to change tactics is demonstrated nicely here:
Exec summary: phish, fake 1-2 failed logins, and you have their next one-time password(s), then it's a race to the real site, so stall them on your phishing site.
Similar in concept to the Mitnick attack.
Evolution is faster than one expects.
ING Direct, although probably not perfect, has already done advanced logins. First off, your login is a number that they generate for you.
Next, they randomly select criteria from your bio that you have to answer when logging in. (Zip code, last 4 of your SSN, first 4 of your SSN, etc)
Then, you have a pin code that you have to enter, but rather than just enter the pin code, they have a touch pad that you enter in the pin code on. Each number corresponds to a set of letters (different on every login) which are what are used to validate your pin code.
Not sure if it's perfect, but it makes me feel slightly more warm and fuzzy.
It's called Pin Guard... here are the details:
We are constantly re-evaluating our security measures to stay one step ahead of evolving internet and computer security threats. As a result, we are implementing a new PIN entry process called "PIN Guard", to help protect you by more securely disguising the entry of the PIN.
Encrypting Your PIN during the Login Process
We currently employ Secure Socket Layer (SSL) encryption to shield data during its travel from your PC to our servers, protecting it from observation while on the internet. PIN Guard adds an additional layer of security by encrypting the actual data entry, protecting it from potential threats to the confidentiality of your PIN.
"The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn't take much personal information to apply for a credit card in someone else's name. It doesn't take much to submit fraudulent bank transactions in someone else's name. It's surprisingly easy to get an identification card in someone else's name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.
Proposed fixes tend to concentrate on the first issue -- making personal data harder to steal -- whereas the real problem is the second."
In other words, what he's saying is that it needs to be turtles all the way down.
Just putting an extra shell on the top turtle isn't going to solve the problem.
I understand the argument that the customer's problem needs to be solved. To a large extent, at least in the USA, this happens anyway with respect to actual fraud, in that banks investigate and customers are frequently made whole anyway owing to reputational concerns. With respect to phishing and related identity thefts, the burden is still on the customer, but just saying that the banks should be liable is only the starting point- the threats are still there and at a practical level the banks will have to address them. Shifting a problem back onto the banks doesn't solve it.
Your last point, that banks that do a poor job must be made to care, is likely an intended effect of this regulation. Regulators can't change the liability structure, but they can interpret existing regulations to change bank behavior. I agree with Erasmus that it's not a good idea to regulate explicitly for security, but as I noted above, that's not what this document has done, at least not to the extent that is being reported.
I disagree on the idea that this won't help. Right now, what we have is far worse. Shared secret systems are a joke, especially when the secrets are mostly public.
Two factor authentication isn't going to solve all of our problems. However, making criminals change tactics takes the script kiddie types out of the equation for a while, until the means of defeating the new system are more well known. We won't know how large the impact would be unless we try it, but we do know how large the impact is from the existing system.
More importantly, this is a step in the right direction. It's not going to solve all of the problems it's being claimed to solve, but it's getting the institutions and people interested in enhancing security. Shooting down this idea has the inevitable result of keeping the existing system.
Many people in these large financial institutions have very little experience in security. Do you want them to keep the existing security model? Criticizing this improvement (is there any disagreement that this would be an improvement?) does exactly that.
The people who make decisions on what security measures to implement are often not security experts. As far as they're concerned, there is a cost associated with this solution. That cost may be acceptable if there is a benefit. If the experts say that this solution is bad, that sounds like there is no benefit.
Large institutions seem to be incapable of significant changes. The scope of the project would be far too large to get everything done right. Making steps in the right direction is the only realistic way to get change out of a structure that is strongly opposed to change.
The dabate avbout the technical efficacy of two-factor ID is somewhat moot, because, as Bruce states, there are more ways to skin this cat. That is due, in no small part, to the fact that banks are not interested in securing my individual account as much as they are interested in securing huge numbers of accounts. Their principle security goal is plausible deniability on individual accounts while concentrating on preventing account access and theft at the wholesale level.
My bank recently started handing out samples of candy as an incentive to use my debit card as my form of ID. So instead of using the time of the few tellers they have left to actually confirm my identity by checking an ID such as my driver's license, they rely entirely on the more sppedy second factor to provide "security" As was pointed out by many in an earlier thread in this forum, pin numbers for deit cards can be gained through measures which are essentially undetectable. This approach solves two problems for the bank, namely providing the appearance of security and easing crowding. The customer is left with a bag of candy and a slightly fuzzy feeling, but is actually less secure through this implementation of two factor ID.
Making banks take responsibility for ease of access to data is a reasonable requirement.
For example, USBank's website has user/password requirements. However, the requirements do not fit any reasonable security requirement and the data is passed in clear text. Pretty simplistic, and extremely foolish.
With a simple exploit of the browser and buffer overflow, you could see the transaction (I tested it a few month's back.)
Making banks take responsibility for poor practices related to atm card distribution and usage tracking would be nice.
I'm not a fan of USBank for several reasons. But they aren't unique. I've been through the Mercantile, Roosevelt, Firststar/bank(?), USBank mergers and changes and its been hell. Mistakes made and corrected, reappeared and at each problem they expect me to pay for something that originally was the bank's error, etc.
Add that banks regularly send you "new" atm cards. I have two people on the account, and I would get multiple cards without a request as they merged, changed names, implemented 'security', or upgraded something, and have gotten four cards at one time due to error.
All without request, against a savings account I asked to have no cards issued and delivered to a mailbox.
Oh, and the 'old card won't work after X date' failed every time.
So at one time there were six cards issued to my account, all able to debit my account.
Or the time that they had issued new cards on a checking account, and had two other accounts debiting my account not their own.
This was right after a merger/db upgrade, etc.
This was just another 'error' (at least after fighting with them and finally getting them to trace all the damn transactions back, which of course they wanted to charge me for the research, they finally accepted that there was a problem and the money ended up back in my account.)
Fixing this mess took several months, meanwhile my bills weren't paid, checks bounced, and although they covered the fees charged against my account, they couldn't do a damn thing about the damage to my profile, etc.
One time there were multiple transactions made against a savings account.
These were made at several generic teller machines which I never would use as well as a location 100 miles from my home (which occurred within minutes of a transaction I made locally.)
Several transactions for cash withdrawal of max amounts were made within minutes of each other, one right after the other between two highways at every locations with these generic teller machines (thus getting around the 'max allowed per day' constraints by the bank.)
The bank 'personal assistant' not only implied it had to be a family member, but that I was just screwed. So much for culpability.
This was a debit card on a savings account, so it didn't have the credit card coverage. Maybe that was why the bank didn't seem to care a bit that it happened.
So basically, eventhough I was diligent about reviewing my statement and noticing multiple strange transactions at locations I didn't visit, transactions that break the bank's constraints on usage, and multiple transaction occuring within minutes over large distances, it couldn't possibly be anything but a family member.
I'm sure its all my fault since it was a debit card against the savings account.
Oh, wait, I requested that no card be issued, but they still sent them. Still, not their fault, I should have realized they sent them to my old address eventhough I had changed addresses on my account, and hadn't requested cards.
Two-factor authentication solves only some of the problems banks face with security. New attacks that circumvent two-factor authentication are already being deployed. Now, while it can be worth implementing partial security in exchange for partial payoff, you need to look at the bigger picture. Is it really worth making a massive investment in two-factor security if criminals will just change their tactics, only causing a minor reduction in fraud?
Quoth Bruce in the linked post, "But it won't work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft."
Instead of defending against one single type of attack that leads to fraud, can we better spend the money attacking the core of the problem (fraud) instead of a particular attack (authentication)? While two-factor authentication may reduce attacks, what's the opportunity cost?
Re: two-factor authentication doesn't help
I think piglet, et. al. are missing the point -> two-factor authentication is a band-aid, not a cure. It's also a bad band aid, for other reasons.
Bruce's point (I believe) is that you can implement something like this, at a significant cost (both to roll the technology out in the first place *and* in supporting it afterwards), and any benefit you realize from the technology will erode away in very short order.
So, in one sense, he is wrong, because you will see a benefit in the short run. In another sense, he's right, because you're going to lose that gain quickly, and probably before you recoup the cost of rolling out t-f-a.
Re: empirical evidence
You want to be careful here -> you can haul out all sorts of statistics about the efficacy of t-f-a in some other country, but this can be a very bad way of analyzing the problem. It's been a long while since I've taken statistics, but what I remember most is that statistical analysis with cross-populations results are very very tricky, usually don't work, and are normally only used to promote an agenda :)
Right now, we have the fraudsters as some subset of the general population. Here (in the US), they get away with techniques that would be foiled someplace where they practice t-f-a. However, you can't generalize the efficacy of t-f-a by just looking at the fraud rate somewhere else and saying, "Look, they implemented a t-f system and their fraud rate dropped by 40%" and expect the same success rate here.
Maybe their fraudsters just stopped defrauding their population and started defrauding ours, because it was easier. The total population of fraudsters is going to be somewhat constant relative to the general population. If we roll out t-f-a, all the fraudsters are going to have to change their methods, but they most certainly will.
In other words, two-factor authentication may present a distorted image of "working" now, because not everybody uses it.
This is essentially the "home burgler alarm" problem. Countries that have t-f-a have a burgler alarm, the U.S. doesn't. So the sneak thief rips us off. If we implement a burgler alarm, then everyone in the neighborhood has one, and now the sneak thief has to change his attack profiling. It might take him a while to read up on how the burgler alarms work, but we're going to be right back where we started (as a population) relatively quickly.
The base problem doesn't go away. The base problem is indeed fraudulent transactions, not authentication.
I think Mike has hit on one of the big problems w. US banking systems - e.g mergers & acquisition. WADR the US retail banking environment is v. immature in many ways compared to Europe - inter-state consolidation has only been allowed for the last few years and its full of tiny Mom & Pop banks & FCUs. If an IT dept is diverting its efforts into consolidating disparate systems from the last merger then its no wonder that end-user security processes take a low priority.
Of course, the regulator can't (or won't) dictate the speed of mergers, so it looks at the side effects.
Reader X, what is the implication on a bank that does not implement t-f-a? Does liability shift onto the institution if they do not implement the Regulator's suggested "best practice" (versus "good practice"). Or does their cost of capital increase under an increased Basel II risk premium?
It may as well be explicitly mandatory in those cases.
@Pat Calahan: "The base problem doesn't go away. The base problem is indeed fraudulent transactions, not authentication." Please stop that nonsense. It's like saying, the problem isn't signature faking, it's fraudulent cheques. Of course, but then people want to know how you can prevent that fraud.
If Bruce is right, and those who support him are right, then here's a suggestion: give up the passwords. Set all your passwords to 12345. We know that passwords are not effective, we know there are a lot of easy attacks against password protected online banking. So why bother about trying to set good passwords? You bother because it makes fraud a little more difficult than it would be without passwords. Now, the advantage of two-factor over one-factor with a good password is much greater than the advantage of a good password over a bad, or none at all. So if you really believe that making fraud (at least one kind of fraud) a lot more difficult isn't worthwile, then you might as well do without any protection - it's just not worthwile. If the crooks want to cook you, they will anyway. It doesn't help to lock your door, your bike, your car, whatever. Why do you use virus-protection software? No software can guarantee 100% protection, so why bother anyway?
The other thing is that people who make claims about TFA should bother to get some information before opening their mouth. Many are still talking as if TFA were a theoretical issue. Folks, the USA isn't the rule for how to do online-banking. Several European countries have been using TFA for at least 10 years, and successfully. It has been argued that specific attacks can outdo TFA but this depends on the TFA design. Some systems use TFA only to log into the site, after which transactions are not protected. In this case, phishing can be effective - the attacker just has to catch an additional password. More strongly designed systems resist this kind of attack. Moreover, you should recognize that an attack on TFA must be successful within a very small time window, and it has to be rather perspicuous (in one scenario, a Trojan catches the TAN code and then closes down the internet session). Further, I see no reason why it shouldn't be possible to strengthen TFA eve more if it should prove necessary. If this becomes an arms race, why not. Security always is an arms race against ever more sophisticated attacks. If you prefer to stay with your stupid stone age passwords, that's fine with me. I am happy to work with banks which take security seriously.
Again Pat: "Bruce's point (I believe) is that you can implement something like this, at a significant cost (both to roll the technology out in the first place *and* in supporting it afterwards), and any benefit you realize from the technology will erode away in very short order."
Is there any evidence for such a claim? I don't think so, and I don't agree with the cost argument (to be sure, it is more expensive to upgrade a badly designed system than to do it right in the first place, but this is no argument in favor of not doing it right). Your argument about the "home burgler alarm" problem may or may not be true but you should understand that it applies to any kind of security measure. Whatever approach you adopt towards online security, the fraudsters will always adapt to it. Bruce has suggested something like more extensive checking of transactions. Why not, there is no contradiction between that approach and
implementing good authentication. However, it is ridiculous to pretend that the fraudsters won't be able to adapt to that, too. In essence, you are arguing for not doing anything.
My last post. I have read the register article about the clever new attack against TFA:
"Recipients were directed to several fake websites, thought to be based in South Korea, and asked not only for their account details, but also for the next password on their list of one-time passwords. Regardless of what you entered, the site would complain about the scratch code and asked you to try the next one. In reality the bad boys were trying to collect several scratch codes for their own use."
Well, this only confirms that the weakest security link is still the human. If you are stupid enough to fall for such a trick (a real banking system would never ask for "the next one"), we really have a problem. However, there are remedies. The Swedish bank used one-time transaction codes, each one valid until used up. In a better system (http://www.bekb.ch/en/index/bank_zugang/bankingviainternet/bekb_bankingviainternet_neues-login.htm),
a code card with numbered codes is issued and the system asks each time for a randomly chosen code from the card. Many kinds of attacks are thus thwarted.
The guidance doesn't say banks must all implement two-factor authentication, but that they must have demonstrably good reasons for not doing so, particularly for high-risk applications such as Internet access to payments. Five years after GLBA, there are still significant variances between institutions in how they assess risks, and the whole two-factor issue is hung on this inconsistent structure. While the standards of due care will undoubtedly shift in favor of two-factor authentication in most cases, they won't be hard and fast, and in any event the impact of noncompliance will vary with the specifics of the situation of each institution. Basel II capital costs could certainly increase, but that doesn't affect every bank, only Basel II participants, and in any event I don't know that anyone really knows yet. It will also be interesting to see how this will affect FDIC insurance premiums.
A thought on improved two-factor authentication (although I doubt it is a new one).
Scenario: You log into your online banking. You command a transfer of money to an external account to pay a bill. The bank's computer hashes the tranfer information (account, amount) into a challenge string which it sends to you. You type the challenge into your magic-decoder keyring, and it gives you a PIN. You type the PIN into your computer, and the transaction is authorized.
This prevents the man-in-the-middle attack (most effective as a trojan-in-the-middle):
You tell the bank to transfer $20 to your babysitter. The trojan on your computer intercepts this, and tells the bank to transfer $2000 to Bad Guy. The bank asks for a PIN from your magic-decoder keyring. You type it in, thining you're authorizing paying Emma, but instead it authorizes paying Bad Guy.
Except if the challenge is a hash of the transaction details, the PIN doesn't work for paying Bad Guy (or only does so one time in 10,000.)
It does not solve:
* Someone opens an account in your name and runs up debts.
* Someone obtains your password and your magic-decoder-keyring (possibly by getting a new one posted to a false address)
It does require a magic-decoder, rather than just a card of scratch-and-sniff one-time PINs, which I understand are common in Europe.
Another method I've heard of which works well against trojan-in-the-middle is to use a separate channel (txting) for the challenge-response (assuming the bank's txt has enough info you can confirm the transaction is the one you expect.)
You are not going to stop fraud by tracking fraudulent transactions. I can profile a wealthy individual and make transactions that any 'fraudulent transation alert system' isn't going to detect. What is the solution then? Am I going to get a call from my personal bookkeeper at the bank everytime I transfer X amount of dollars or withdrawal X amount of dollars? What happens when I transfer X-1 amount? Do those go undetected? That seems to be how some individuals are beating the current currency transaction report (CTR) system.
Piglet you are in the right direction. 'Bad People' will always find a way to take advantage of any system. TFA, if you will, is the easiest no-brain procedure to implement in order to reduce the amount and frequency of those systems being comprimised..
About fraud/theft- You can't stop it, you can only try to control it. The best and highly visible security cameras in the world won't stop your bank from being robbed, but it just might cause the robber to think about robbing the next bank (without the cameras) down the street instead...
It's good to see you back to your old self again.
A few days ago I was suggesting that businesses don't appear to be willing or ready for strong authentication and then, whammo! The FDIC regulation changed that with their announcement . The day it was announced I had an exec from a big company (who had been skeptical) put the announcement in front of me and ask me "are we ready to do this?"
TFA was never meant to be a panacea but it has apparently done some good or the banks would have stopped spending money on it themselves for their internal authentication controls. People outside of banking have up until now thought TFA was too expensive...but if banks start to seed things externally, others may find it easy to follow.
As I said before, US consumers would have been foolish to wait for the market to fix itself. US corporate culture, for whatever reason and with very few exceptions, is far too complacent about harm to consumers to be able to offer any kind of real help or vision. In that sense, it seems to me that regulating authentication is a big step in the right direction (executives will have no choice but to accept strong auth as an eventuality) and it most certainly is not mutually exclusive from sourcing the weak links in transactions that lead to fraud.
The bank I am with does the following:
1. The usual account number and password to start logging in.
2. Another password, of which you are asked to enter three digits chosen at random by them.
3. If you want to create a beneficiary to make a payment, they SMS a number to your cellphone which you have to give back to them on the website.
All of this seems pretty secure. I mean it is a lot of hurdles for an attacker to overcome.
Estonian e-banks, pretty well working and used by huge amounts of population, use a static userID, fixed password (which you are forced to change after about every 20 logons) and a rotating-code card with 24 or 30 codes on it, of which you have to enter one random one when logging on, and portions of it when making a payment. You can also log on to the bank with national ID card, in which case the rotating-code-card is not required.
Here's an article about the British ID card that you (and I think some others) will enjoy:
« "A national ID card for the UK is overly ambitious, extremely expensive and will not be a panacea against terrorism or fraud, although it will make a company like mine very happy," said Roberto Tavano, a biometrics specialist for Unisys, a US technology company that has worked on national identity schemes in South Africa and Malaysia.
Unisys, a company with experience in producing ID cards, is expected to be among the companies bidding for tenders if the government gets its way on ID cards in parliament, yet it is critical of the scheme. And it is not alone.
Earlier this week, Microsoft warned that the ID card posed a huge security risk that could increase the likelihood of confidential personal information falling into the hands of hackers and criminals.
Jerry Fishenden, national technology officer of Microsoft UK, told the website silicon.com: "I have concerns with the current architecture and the way it looks at aggregating so much personal information and biometrics in a single place." (...) The government has admitted to "overselling" the case for a compulsory national identity card scheme. (...) In a study in June, the London School of Economics concluded that the scheme as it was currently proposed was "neither safe nor appropriate" and would, over the next decade, cost two, three or even four times the government's estimate of £5.8bn.»
Note that the criticisms are mainly directed against the biometrics and the central database. This is indeed an example of how to do it wrong. It is also an example of the government pressing ahead and ignoring the advice of most of the experts.
P> You bother because it makes fraud a little more difficult than it would be
P> without passwords.
Sure, I'm not arguing that at all.
P> Now, the advantage of two-factor over one-factor with a good password is
P> much greater than the advantage of a good password over a bad, or none at all.
This is certainly the case in specific authentication scenarios, but I don't *know* that this is the case generally (in fact, I doubt it), and a good part of your argument presupposes this to be true in general. We'll have to talk about what constitutes an "advantage" to proceed much on that topic.
There are all sorts of assorted costs with implementing a two-factor auth system. If you're accepting these costs without weighing the benefits, you're following the thought process, "Implement this because it will help" (or "Implement this because other people do it") instead of, "This is worth doing because the cost to implement is outweighed by the savings."
P> The other thing is that people who make claims about TFA should bother to P> get some information before opening their mouth.
Absolutely. I'm not making *any* claims, I'm asking supports of TFA to make some and give me some compelling evidence. I'm asking, "Is this worth it, and can you prove it to me?" and you're saying, "This is worth it, and you don't understand why!" Okay, fine. Explain it to me, I'm willing to listen.
PC> any benefit you realize from the technology will erode away in very short PC> order."
P> Is there any evidence for such a claim? I don't think so,
P> and I don't agree with the cost argument
I'm not sure who is the pro and who is the con here. Let me put it to you this way... you seem to think that TFA is overall beneficial. I am unconvinced. One of the reasons why I'm unconvinced is because I can see that there are costs here and the benefits may not outweigh the costs -> I'm not claiming that they *are*, I'm asking you to show me that they *aren't*. If you're trying to convince me to change, you need to provide a compelling reason. Just telling me that one of my concerns is irrelevant isn't compelling. I'm perfectly willing to change my position (indeed, I'm not really arguing *for* anything, I'm just asking for those arguing for something to give me a robust argument.)
P> Well, this only confirms that the weakest security link is still the human.
Right! And if you're increasing the complexity of your authentication method, at a cost, and you're not correspondingly reducing the fraud rate, you're wasting money. If the human is still the weakest link, every change in your authentication method is going to only produce a delta net benefit. The more complex you make the method, the smaller the delta is going to be. Once you get to the point that your not impacting the weakest link, you're not doing any more good!
P> It's like saying, the problem isn't signature faking, it's fraudulent
That's exactly the problem. Making the checks (or cheques) difficult to forge improves security. Making the signature harder to forge improves security. Doing traffic analysis on spending patterns to determine the likelihood of an individual cheque being authentic improves security. All of those things can be good things. They all cost something to implement. The best overall security is going to be gained by a combination of methods implemented with an eye to gain, instead of saying, "We'll just make all cheques require a DNA signature"...
M> You are not going to stop fraud by tracking fraudulent transactions.
Of course not. But you can make it a lot harder. Traffic analysis and profiling bad behavior don't catch everything, nothing does. But if tracking fraudulent transactions does no good, why is it that SpamAssassin has cut my spam down from hundreds a day to a couple? Sure, a couple get through. But hundreds are stopped, at very little cost. Certainly *less* cost that trying to implement a method that would require every mail received by my mail server to be PGP-signed.
M> I can profile a wealthy individual and make transactions that any 'fraudulent
M> transation alert system' isn't going to detect.
Yep, and that's where the fraudsters will move. But if you want to make a fraudulent transaction that will pass by the system unnoticed, you're attack method is going to require you to know something about your target, and your fraud amount is going to have to fit into the spending pattern of the target. This will require you to have a lot of intelligence on your target, and most likely greatly reduce the amount you can successfully retrieve in a single fraud instance.
Pat, I'll try to keep it short. My observation is that TFA has been used by many institutions in several countries for many years, and it has proved successfull. I simply don't believe that the cost is significant. I'm sorry that I can't give you figures but I am doing business with banks which charge no fees at all and they haven't gone out of business because of security costs. Given the overall complexity of online banking, I don't see why adding a single security feature should be a significant cost factor, neither for implementation nor for maintenance. I suppose that transaction profiling would be a lot more expensive (it would have to be rather intelligent to do any good). Of course, I can't prove this because there is no real-life experience yet with that kind of system. You are arguing against a proven system and for an unproven one without any supporting evidence. This is what I object to.
You said: "And if you're increasing the complexity of your authentication method, at a cost, and you're not correspondingly reducing the fraud rate, you're wasting money." The fraud scheme discussed in that article was primitive and extremely easy to detect. Unfortunately, the article doesn't state whether the attackers succeeded in getting any money at all. I would be surprised if they did. In any case, I have shown that more strongly designed TFA systems are not vulnerable against that kind of attack.
One general note on the overall benefit of TFA over password that you and Bruce completely miss: in a password only system, once the attackers get hold of the password, they have full control, at least until the victim becomes aware. The attacker has at once much more time, more power and more options and has better chances of escaping before detection. In a TFA protected system, even the worst case scenario is much more benign, the attacker has to work much harder and even if successful, is quite easy to detect. In my understanding, this is the very definition of good security.
Good article. I liked this one too:
"As long as you didn't breach the terms of the contract by leaving your card lying around (which would give implicit authority for use), then you, as the customer, could simply say that the withdrawal was not mandated, and demand your cash back.
How could the banks respond? They'd have to give all the phantom withdrawal money back where they could not show that the customer had typed in the PIN - unless, that is, they claimed that their systems were infallible. Yes, only by going where no computer system had ever gone before could the banks deny that phantom withdrawals were (1) taking place and (2) their responsibility to refund.
You'd think it would be open and shut. You haven't dealt much with banks, have you?"
That's a fair response. I'm certainly *not* a banker, so you probably have more direct experience with financial transactions than I do.
> I suppose that transaction profiling would be a lot more expensive (it would have to be
> rather intelligent to do any good). Of course, I can't prove this because there is no real-life
> experience yet with that kind of system. You are arguing against a proven system
> and for an unproven one without any supporting evidence. This is what I object to.
Not precisely correct, but I'll clarify: I do agree with Bruce that the source of the problem is transaction verification, and I think in the long term if you want to reduce fraud significantly you're going to have to go down this road. Again, I'm not saying that TFA won't help in the short run.
> In a TFA protected system, even the worst case scenario is much more benign, the attacker
> has to work much harder and even if successful, is quite easy to detect. In my understanding,
> this is the very definition of good security.
I suppose that depends on your recovery metrics - what you're trying to protect, and what the cost is to replace it. If the end result in both cases (fraud w/SFA vs fraud w/TFA) is that the defrauded party gets all his/her money back, to the defrauded party the difference is nil. The bank, of course, may think otherwise. But perhaps the bank won't think otherwise -> it depends on how much it costs to maintain the TFA system.
Backing up one step in the whole discussion, though -> we got side tracked into arguing specific methods. Do you agree with Bruce that making financial institutions responsible for the fraud loss will lead them to fix the problem themselves?
If financial institutions are responsible for fixing the problem, some of them will undoubtedly adopt TFA systems. Some will do that *and* transaction monitoring, some will do transaction monitoring but SFA, depending upon the service they want to sell and their customer base.
You and I can discuss the viability of different methods, but the ones who can measure the efficacy of the methods, vs the cost to implement, customer satisfaction, etc., are the financial instutions. Forcing them to take over responsibility for the problem will lead to a better combination of methods than simply mandating a particular method across the board, yes? Or no?
"Do you agree with Bruce that making financial institutions responsible for the fraud loss will lead them to fix the problem themselves?"
I wouldn't object to that. However, I welcome the fact that US regulators are finally imposing tougher security requirements on banks. This is a step in the right direction and shouldn't be dismissed. The question is why it comes so late.
"I do agree with Bruce that the source of the problem is transaction verification"
I would like to see a more precise statement of this idea. What exactly is "transaction verification", if not "verifying that the transaction was initiated by an authorised person"? Transaction profiling can be understood as a different kind of authentication (probabilistic, if you like, instead of static). It will be interesting to discuss such an approach in more detail - weaknesses, potential privacy implications, false positives and false negatives, cost, etc. In fact, there has been some discussion: http://www.schneier.com/blog/archives/2005/05/ phishing_and_id_1.html;
and discussions on two-factor issues here: 2005/03/the_failure_of.html
I regret to say that Bruce's take on those issues doesn't match his usual level. Being unaware that online banking with TFA has been in use for a long time, he dismisses the principle out of hand by pulling out of his hat magic Trojans that can do everything you like (and that nobody has yet observed in the wild). Then he goes on arguing that we need to tackle the problem differently, without any serious discussion. Good night.
What Bruce seems to be missing is that the problem is not just fraudulent financial transactions, but the privacy of personal information as well. Even if Bruce is correct and banks somehow come up with a way to prevent fruadulent transactions that doesn't involve two factor authentication, how does that prevent fraudsters who can somehow breach my password from breaking into my account and accessing sensitive personal information such as which accounts I have, and how much money is in them?
It's not enough for banks only to prevent unauthorized financial transactions that move money around. They also need to make sure that bad guys can't break into people's accounts online to access sensitive financial and other personal information. If access to these accounts is protected with nothing more than a password, your private information is still vulnerable.
The only way to keep the bad guys out, it seems to me, is with stronger forms of authentication.
My bank uses the following procedure: I have a user ID and password for logging in. The userID is also masked so that it also remains a secret (people standing nearby can't view it). The website allows only accounts to be viewed. If I have to make a payment, I can enter the payment details, and as soon as I press the "Submit" button, the website displays a "Pending Verification" status for the payment. The bank immediately sends me a 10 digit one-time verification code (OVC) by email which I am required to enter within 5 minutes of submitting the payment request. I retrieve this verification code from my email and enter it on the bank's website and the the transaction is processed. If I do not enter the OVC within 5 minutes, the bank's website displays a message that the OVC has expired and I need to request another OVC (the payment details don't have to be entered again).
The bank also sends me an email after every transaction giving the date, time and dollar amount of the transaction.
I find this method of authentication to be convenient and safe, and I guess it satisfies the two-factor authentication requirement. However, can anyone point out any flaws?
I believe the benefit of two factor authentication is mainly to those of us who are already cautious with our personal information. The majority of Internet Banking fraud is commited against those who are reckless with their info anyway. I'm not saying feed them fish heads, but lets concentrate on education. Finacial institutions are generally poor educator. FDIC produced regs are passed on to customers in verbatim with no layman's translation.
I'm a fan of two factor because I feel as if I do a good job protecting my data and until someone has a better idea, my financial institution should use whatever means available to do the same.
TFA OTP is a proven methodology against Identity Stealing. It has been tested extensively at the enterprise level. The TFA for Internet Banking is a bit different though - it has to deal with masses of people which are not part of the enterprise - they are customers not employees.
The biggest problem is deployment and the the costs of deployment. With Hardware tokens costing between 15 to 100 dollars per person this is almost not practical.
The solution has been introduced to the market as the CAT - Cellular Authentication Tokens. These are already being used by some Banks in Australasia.
The CAT is a software token that runs on mobiles with the capability to manage any number of accounts.
Since the CAT is a free token and can be downloaded from the Internet, there is no deployment problem. The CAT is free for the end users which makes it affordable and with no hidden costs.
Think about the CAT token type as a general key to all devices that require authentication. Not only it can store your Network OTPs, it can also handle your periphery security, provide OTP for your Credit Card and so on.
so this finally rolled out...
the same system exists on my mega-bank credit card and my local credit union....
in both instances I was given the option of chosing 1 of 5 questions 3 times....
what is your pet's name? what is your favorite restraunt? what is your favorite song? etc....
if my browser doesn't have the right cookie I get asked some of these questions... and this prevents man in the middle exactly how?
oh, and now all this info is supposed to be kept secret? damn I'm sure gonna miss my favorite sushi joint, now that I need to keep its name secret, should I really be going there?
sigh... all this just so they can check some more boxes off on FFIEC forms?
hi,i need help i have a project to do about two factor authentication for online banking and my deadline is approaching,my information is few and i have searched everysite i know .if anyone would be kind enough to help me i would owe him or her alot.
Bruce.... How does it feel to know you were right?
Too bad there are too few instances where subject matter experts are consulted when regulation is devised.
Two factor was known not to be the soloution long long before this legislation, thus it does not even rate as "shutting the stable door".
What is required is two way secure authentication on all transactions.
Anything less is exploitable, and sadly we do not appear to have a method to achieve two way secure authentication on all transactions in a way that is both usable and verifiable to the person at contractual risk.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.