Schneier on Security
A blog covering security and security technology.
May 10, 2005
Phishing and Identity Theft
I've already written about identity theft, and have said that the real problem is fraudulent transactions. This essay says much the same thing:
So, say your bank uses a username and password to login to your account. Conventional wisdom (?) says that you need to prevent the bad guys from stealing your username and password, right? WRONG! What you are trying to prevent is the bad guys STEALING YOUR MONEY. This distinction is very important. If you have an account with $0 dollars in it, which you never use, what does it matter if someone knows the access details? Your username and password are only valuable insofar as the bank allows anyone who knows them to take your money. And therein lies the REAL problem. The bank is too lazy (or incompetent) to do what Bruce Schneier describes as "authenticate the transaction, not the person". While it is incredibly difficult to prevent the bad guys from stealing access credentials (especially with browsers like Internet Explorer around), it is actually much simpler to prevent your money disappearing off to some foreign country....
When something goes wrong, the bank will tell you that you "authorised" the transaction, where in fact the party who ultimately "authorised" it is the bank, based on the information they chose to take as evidence that this transaction is the genuine desire of a legitimate customer.
The essay provides some recommendations as well.
- Restrict IP addresses outside Australia
- Restrict odd times of day (or at least be more vigilant)
- Set cookies to identify machines
- Record IP usually used
- Record times of day usually accessed
- Record days of week/month
- Send emails when suspicious activity is detected
- Lock accounts when fraud is suspected
- Introduce a delay in transfers out -- for suspicious amounts, longer
- Make care proportional to risk
- Define risk relative to customer, not bank
These are good ideas, but need more refinement in the specifics. But they're a great start, and banks would do well to pay attention to them.
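The recommendations above describe a risk-scoring approach rather than a hard rule set: record what is usual for a customer (networks, hours, weekdays, amounts), treat deviations as signals, and make the response (notify, delay, lock) proportional to the risk and to the amount. The following is an added worked example of that approach, not code from the essay, this post or any bank; the weights, thresholds, the documentation IP ranges and the amounts are all constructed assumptions.

```python
"""Risk-scoring a transfer against a customer's recorded pattern (added example)."""
from __future__ import annotations
import math
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Profile:
    """What the bank has recorded about one customer's normal behaviour."""
    usual_nets: list[str]      # CIDR blocks the customer has logged in from before
    usual_hours: set[int]      # hours of day (0-23) seen in past sessions
    usual_weekdays: set[int]   # 0 = Monday .. 6 = Sunday
    typical_amount: float      # this customer's usual outgoing transfer ("risk relative to customer")


@dataclass
class Transfer:
    amount: float
    src_ip: str
    when: datetime
    known_device: bool         # a bank-set cookie identifies this machine


def score_transfer(p: Profile, t: Transfer) -> int:
    """Additive risk score; each heuristic from the list is one signal, not a hard block."""
    score = 0
    ip = ip_address(t.src_ip)
    if not any(ip in ip_network(n) for n in p.usual_nets):
        score += 3   # access from outside the customer's usual networks / country
    if t.when.hour not in p.usual_hours:
        score += 1   # odd time of day: "be more vigilant" rather than refuse
    if t.when.weekday() not in p.usual_weekdays:
        score += 1   # unusual day of week
    if not t.known_device:
        score += 2   # machine never seen before (no identifying cookie)
    if t.amount > 5 * p.typical_amount:
        score += 3   # amount far outside this customer's pattern
    return score


def decide(p: Profile, t: Transfer) -> tuple[str, int]:
    """Care proportional to risk: allow, notify, hold (longer for larger amounts), or lock."""
    s = score_transfer(p, t)
    if s <= 1:
        return ("allow", 0)
    if s <= 4:
        return ("notify", 0)      # let it through, but tell the customer
    if s <= 7:
        # hold for review: 24h per multiple of five times the typical amount, capped at 72h
        multiples = math.ceil(t.amount / (5 * p.typical_amount))
        return ("hold", 24 * min(3, max(1, multiples)))
    return ("lock", 0)            # fraud suspected: freeze until the customer is reached


# --- constructed sample data: documentation IP ranges, invented amounts ---
PROFILE = Profile(
    usual_nets=["203.0.113.0/24", "198.51.100.0/24"],
    usual_hours=set(range(8, 21)),
    usual_weekdays={0, 1, 2, 3, 4},
    typical_amount=200.0,
)
ROUTINE = Transfer(150.0, "203.0.113.7", datetime(2005, 5, 10, 14, 0), True)
TRAVEL = Transfer(150.0, "192.0.2.44", datetime(2005, 5, 14, 15, 0), True)      # abroad, Saturday
NEW_DEVICE = Transfer(1200.0, "203.0.113.7", datetime(2005, 5, 10, 14, 0), False)
TAKEOVER = Transfer(4000.0, "192.0.2.44", datetime(2005, 5, 11, 3, 0), False)  # abroad, 3am, new machine

if __name__ == "__main__":
    for name, t in [("routine", ROUTINE), ("travel", TRAVEL),
                    ("new device", NEW_DEVICE), ("takeover", TAKEOVER)]:
        print(f"{name:10s} score={score_transfer(PROFILE, t)} -> {decide(PROFILE, t)}")
```

The travel case scores high enough to be noticed but only triggers a notification, which is the trade-off the "more vigilant" wording points at: a customer using a cash machine abroad is the false positive several commenters below complain about, and a notification costs them nothing, whereas a hold or a lock does.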
Posted on May 10, 2005 at 4:24 PM
"What you are trying to prevent is the bad guys STEALING YOUR MONEY. This distinction is very important. If you have an account with $0 dollars in it, which you never use, what does it matter if someone knows the access details?"
Actually there should be mention of those that are using stolen bank accounts to launder money. In this case it wouldn't matter what monies the victim's account had since the purpose is not to steal money but to steal identity. It may not be a popular thought, but that doesn't mean it doesn't happen and shouldn't be accounted for.
Some of the recommendations listed are rather outdated for the "man of today". For example there are those that enjoy banking at 1am. The Internet is open 24/7 by design, putting limitations on such an idea is putting a limitation on yourself as an individual.
Also who in the world isn't familiar with the constant flow of "phishing emails" from fake banks that state your security is at risk if you don't update your records because someone has just attempted to login to your account. Secure transactions were never meant to happen over email and spammers and their ilk are taking advantage of those trusting email all too much.
"If you have an account with $0 dollars in it, which you never use, what does it matter if someone knows the access details?"
Because that same account may have $10,000 in it tomorrow.
I suspect that most banks won't listen to any recommendations no matter where they come from.
For instance, my own UK bank has recently tried to send me a new ATM card, but unlike the old mag stripe one it's a newfangled "Chip-n-Pin".
I for one do not want this as it is not just an ATM card but a debit/switch card and unlike the old ATM card is usable throughout most of the world. The introduction of these Chip-n-Pin cards has also seen an increase in fraud which has been reported several times in the press....
The reason I don't want these fancy new features is that I have no use for them; I am quite happy with a cheque book and ATM card. Also I have had money taken from an account at another bank several years ago. That bank of course admitted no liability. I finally got the money back when it was pointed out that the signature used for the transaction was very clearly not mine and did not match the one on the back of the card (UK law protects the individual if the signature is seen to be fraudulent).
Well I explained all of this to my current bank and their stock answer was "It's a legal requirement to have Chip-n-Pin". When this was pointed out to be incorrect the next answer was "We only issue chip and pin cards". When this was pointed out to be incorrect as well the next answer really amazed me: "We cannot downgrade your account to have just the ATM card; you will need to close it and open a new account". When I asked about the standing orders and direct debits on my account the answer came back "You will have to make those arrangements yourself as we can take no responsibility for them".
On investigating this a bit further I have found out that the reason the banks like the Chip-n-Pin system is that it removes the protection the consumer has under law.
Basically if the pin is used to validate a transaction then all the protection you currently have in the UK under law is neatly bypassed.
So I suspect that as usual the Bank would rather blame the customer than reduce profits by spending money on real security.
One problem with these 'safeguards' is that they make it harder for me to get my money when I need it. I've had a credit card blocked in the past because of a 'suspicious' pattern of activity. What happened? I went on holiday, and made cash withdrawals from machines that I don't usually use!
Fortunately, I was only away for a long weekend, and was home by the time my card was blocked. If I'd been away longer, I'd have been stuck abroad with no access to cash or credit! Oh, and the transaction that failed was topping up my mobile phone credit - so I couldn't even phone the bank easily!
"Send emails when suspicious activity is detected"
. . . which will get dumped into the bit bucket along with the dozen or so phishing spams I receive daily.
Most vendors here in the UK will swipe a card if the chip fails. so if you can damage the chip on your card (without damaging the magstrip - any suggestions?) you can protect yourself from having it used in that way.
As for the suggestion, "Send emails when suspicious activity is detected;" such emails would disappear into the cloud of hundreds of such bogus emails I receive each month.
And I've had similar experiences as Ian describes. When I first got my one and only credit card, they froze it several times because I made purchases out of state or out of the country. I finally had them add a note that I traveled frequently so they'd stop freezing it for "suspicious" behavior.
I did detect one unexplained purchase for under $10 once. I protested the charge, filled out the forms, and they removed it from my account. Never happened again.
I've not long received my own chip and pin card and had the same thoughts as Clive.
I've watched the customers in front of me at the supermarket and it is incredibly easy to see someone's PIN as they type it in.
I would have less of a problem with the cards if a signature was needed in addition to the pin.
And yes as mentioned the new cards shift the liability for fraud away from the Banks to the consumer, that was a bloody shock wasn't it.
Chip and Spin is a very accurate description.
Several years ago I walked into a store and bought a computer and monitor on my bank card. I returned home and brought in the boxes, and the phone rang. It was my bank wanting to know if the transaction was legitimate, since I'd done something outside my normal patterns.
This is a fine example of the right way to do things!
"I finally had them add a note that I traveled frequently so they'd stop freezing it for "suspicious" behavior."
Imagine a world where everyone added this notification. It seems like we would be back at square one.
It also seems like by "de-tonguing" the boy who cried wolf isn't the answer. We just need a better wolf-detector (patent pending)
In Germany every online transaction needs its own Transaction Number (TAN). A list of valid numbers for your account is snail mailed to you. If you enter a wrong TAN three times or phone the bank (if you suspect the list is compromised) they block the list and issue a new one.
In Ireland transactions can only be made to accounts which you have to set up by phone. Though I personally think the security questions I get in those phone calls are not very secure to start with, it prevents people from transferring money out of the country, for example.
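The TAN scheme described in the comment above is transaction authorisation in the sense the post argues for: every transfer needs a one-time number from a list the customer holds, the number is used up once entered, and three wrong entries (or a phone call from the customer) block the list until a new one is mailed. What follows is an added example of the server side of that scheme, not any bank's code; the sample TAN values, the server key and the list length are constructed.

```python
"""Server-side TAN list: one-time transaction numbers with lockout (added example)."""
import hashlib
import hmac
import secrets
from typing import Iterable

MAX_FAILURES = 3   # as in the comment: three wrong TANs block the list


class TanList:
    """Record of one customer's TAN list as the bank holds it."""

    def __init__(self, tans: Iterable[str], server_key: bytes):
        self._key = server_key
        # Keep only keyed hashes of the numbers: a leaked table is useless without the key.
        self._unused = {self._tag(t) for t in tans}
        self.failures = 0
        self.blocked = False

    def _tag(self, tan: str) -> bytes:
        return hmac.new(self._key, tan.encode(), hashlib.sha256).digest()

    def authorise(self, tan: str) -> bool:
        """Confirm one transfer with one TAN. Each number works exactly once."""
        if self.blocked:
            return False
        tag = self._tag(tan)
        if tag in self._unused:
            self._unused.remove(tag)   # consumed: replaying a captured TAN fails
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.blocked = True        # customer must be issued a fresh list
        return False

    def revoke(self) -> None:
        """Customer phones in because the list may be compromised."""
        self.blocked = True

    def remaining(self) -> int:
        return len(self._unused)


def issue_tan_list(count: int = 50, digits: int = 6) -> list:
    """Generate a fresh list to be mailed to the customer: CSPRNG output, no pattern to guess."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


def demo() -> dict:
    """Constructed walk-through of the rules; returns the observed outcomes."""
    tans = ["483920", "105577", "772301"]          # constructed sample list
    tl = TanList(tans, server_key=b"constructed-server-key")
    return {
        "first_use": tl.authorise("483920"),         # valid, consumed
        "replay": tl.authorise("483920"),            # same number again: rejected (failure 1)
        "wrong1": tl.authorise("000000"),            # failure 2
        "wrong2": tl.authorise("999999"),            # failure 3: list blocked
        "blocked": tl.blocked,
        "valid_after_block": tl.authorise("105577"), # unused number, but the list is blocked
        "remaining": tl.remaining(),
    }


if __name__ == "__main__":
    print(demo())
```

Note what this confirms and what it does not: a correct TAN shows that whoever submitted the transfer holds the customer's list, which defeats a captured password on its own, but the number is not tied to the amount or the recipient, so a transfer altered in transit would still be confirmed by the same TAN.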
You're absolutely right about this.
The idea that there is an "identity theft" crime and problem is one being pushed by the credit card companies and credit agencies. The goal is to shift the responsibility for preventing fraud from themselves - who bear that responsibility under the law - to the customer.
It's absolutely outrageous.
On the other hand, the rise of identity-theft insurance policies offers some tiny smidgen of hope. The insurance companies _will_ compile data about how the credit agencies and credit card companies respond to fraud, and they will sue them to recover payments to their insureds.
Schneier, you really should think about trying to become a columnist. With Bill Safire gone, there's no public voice on these issues any longer.
"If you have an account with $0 dollars in it, which you never use, what does it matter if someone knows the access details?"
Because a bank account is, in itself, a very valuable thing to control. It can be used for money laundering; it can be used to build a false credit record; it can used to obtain a credit card or a bank loan. It can be used to "prove" identity when attacking the true target.
It is getting more and more difficult for legitimate customers to open bank accounts because of tightened anti-laundering measures. But that's not a problem if one can steal an online bank account. A captured bank account is a marvellous cleansing device for dirty money.
"What you are trying to prevent is the bad guys STEALING YOUR MONEY."
Not just -- one also needs to prevent the bad guys from stealing one's reputation and identity.
I have heard that banks in the USA differ from those in Europe in that when a fraudulent transaction occurs in the USA the bank has to take the loss, while in Europe the owner of the account has to take the loss. Is this true?
I don't think the suggestions actually improve security. Fraud could well be committed in the busy hours of the day, where it would probably be better hidden amongst the legitimate transactions.
IP restrictions are quite useless too, since one of the benefits of online banking is that you can do transactions while abroad. An open proxy within the area of restriction could be used to circumvent these measures.
Logging the IP used while doing a transaction does not improve security. It helps investigation though. But there are enough open proxies, worm-loaded PCs and ways to cover your trail. And you have to take it as granted that an attacker *will* use them.
I think the only useful authentication mechanism to protect transactions is two-factor authentication, like done in Germany, where you need a TAN (transaction authentication number) for performing a transaction.
Still someone could break into my home and steal the TAN list, install a keyboard logger to get my login data. But it is very unlikely that this will go undetected, and the attacker has to invest quite large resources and be willing to take a great risk.
Human 'stupidity' is still a risk. But none of the proposed measures counters that. They do not prevent users from entering their authentication data (whatever form this may have) into a spoofed website.
Here are some (ex-)banker's observations - until 2 years ago I was an application architect and in charge of Internet-channel risk management for US Bankcorp in Minneapolis. I am no longer with the bank so I'm not a management stooge! However, I can say that while I was there the bank was *extremely* concerned about all forms of customer-targeted fraud / identity theft / account takeover / money laundering and was spending millions per year to address it.
First, credit card transactions are relatively easy to validate per pattern and we did so with a very high rate of fraud capture. Basically, you can only (a) buy something, (b) take a cash advance, and (c) make a payment with a credit card. Deposit accounts (checking and savings accounts, to you non-bankers) in contrast support a vast array of payment vehicles including checks, debit cards, ATM in and outs, EFT and direct-debits, branch transactions, web transactions, phone banking transactions, and wires, among others. Patterns of fraudulent transactions are very difficult to spot compared to those of credit cards, although we were working on several projects to try to do so.
Second, it IS reasonable for customers to be responsible for not selecting obvious pins / passwords, losing their cards and not telling the bank, and paying attention to their accounts. Everybody owns a piece of the security chain and everybody - customers, banks, card associations, merchants - needs to do their part, because it IS a chain.
Third, market forces can't be ignored. When we tightened some things down, some customers would squeal. It's easy for an engineer (like me) to say, "let them squeal, it's for their own good" but the reality is that it's a cost-benefit issue as much as anything else, and the reality is that banks eat millions per year in reimbursing customers for fraudulent transactions, to maintain their goodwill.
"Human 'stupidity' is still a risk."
Nothing, including security, will ever be made foolproof. That's because they keep making bigger and better fools.
I'd like it if bank security people would learn from their marketing counterparts - it'd be really nice if they could stop using their telemarketing systems to offer unwanted financial services and start using them to call my cellphone to confirm when a transaction is submitted which isn't on a whitelist (just being able to say "confirm any time you receive something from someone I haven't done business with in the past" would be a big step up) or at least send an SMS telling me what happened.
The thing that has been forgotten here is that for most US Banks, the range of things one can do with online access to an account is actually quite limited. You can't send wire transfers (with the notable exception of citibank, which explains why it is very popular for phishing) and most banks do not allow any sort of money transfer in or out of the account online at all. What you can do (and this is where most phishing goes) is change the address on the card (for purchasing items online), request a new card after changing the address (for atm withdrawals if the customer has given you their pin or you have enough information to change it via a telephone call) and view the balance (so you know how much you can spend). Unfortunately, it is possible to do all these things and more via a telephone call to most banks with just the card number, card holder's name, billing zip code, and mother's maiden name. Online access where you can change the address on the account is just icing on the cake for the knowledgeable criminal. The really scary part though is that you can purchase all that info and MUCH more for as little as $30 per identity. So if you are a criminal who is just starting out, you don't even have to learn to spam your phishing emails, since you can just buy the info from a vendor.
Here's a suggestion, Bruce: why not make all bank accounts publicly accessible without any passwords and stuff, and then hire thousands of personnel to monitor all the activity and make sure all transactions are legitimate? This is absurd, but it's the logical consequence of your theory. Even if the bank implements restrictions and monitors suspicious behavior, this cannot replace access authentication; it can only complement it. Authentication is a must, and it had better be GOOD.
Of the recommendations you cite, most are simply nonsense. Send out email alerts? So the attacker will care to change the address to a bogus one. Worse, banks shouldn't communicate with their customers by email in any case. Never. Email is not safe for sensitive information. It risks being overlooked or discarded as spam, or the address might not be up to date. And worst of all, if customers start to trust email messages from their bank, they will also fall for phishing emails. Banks are working hard telling their customers not to trust any email pretending to come from the bank. This "security recommendation" is really really crap.
Most of the others are impractical as well as ineffective, like blocking access from outside the country (the attacker will hijack a computer in the country) and at certain times of the day (rolleyes). Monitoring activity patterns will either produce too many false positives and thus be annoying (see Ian Eiloart's comment), or be ineffective. Introducing delays could hurt the customer who needs the payment to be on time.
The only restrictions that do make some sense - restrict the max amount according to the customer's needs and don't allow international transfers - are not even mentioned. Wow. Sorry Bruce but this article only shows that you still don't grasp the security implications of online banking.
piglet: your comments that banks should never use email to contact customers are dead wrong. Email should not function as an authentication mechanism, but I really appreciate the emails that I get which let me know when some aspect of my account has changed. If someone were to access my account and change my address (the most common prelude to a buying spree) I would know about it immediately. If they were to login and change my email address, login, or password, I would know about all of those too, rather than finding out next week when I try to log into my account. Your out of hand rejection of the medium because it is insecure demonstrates a fundamental misunderstanding of the purpose of most banking email.
"Several years ago I walked into a store and bought a computer and monitor on my bank card. I returned home and brought in the boxes, and the phone rang. It was my bank wanting to know if the transaction was legitimate, since I'd done something outside my normal patterns."
Years ago, I was buying a bunch of stuff for work at a computer store, about USD7000 instead of the usual USD100 purchases I made there. When they ran the card, my cell phone rang within 30 seconds -- it was American Express calling to make sure the transaction was legit. I gave some details as requested and the charge was approved before they hung up. Wow!
I also have a debit card from my local bank, and every now and then I get a phone call with a recorded message telling me they "have an important message; please contact your local branch." It turns out these are fraud alerts as well, though they only do a check daily and the message isn't terribly helpful. Unfortunately I get them every few weeks since I travel quite a bit, but it's nice to know they're making the effort.
"Your out of hand rejection of the medium because it is insecure"
Not only insecure. "It risks being overlooked or discarded as spam, or the address might not be up to date", and if you look at some of the comments above, I'm not the only one who is saying that. If your bank relies on email notification as a *security measure*, good luck to you.
"demonstrates a fundamental misunderstanding of the purpose of most banking email." I don't get any banking email, which is appropriate.
Good name in man and woman, dear my lord,
Is the immediate jewel of their souls:
Who steals my purse steals trash; 'tis something, nothing;
'Twas mine, 'tis his, and has been slave to thousands:
But he that filches from me my good name
Robs me of that which not enriches him
And makes me poor indeed.
(Othello, III ii)
This is off topic, but my bank today service charged me five dollars for an account that had no money in it. I am wondering what service they thought they were providing.
All these suggestions for complicated data processing patterns and fraud detection and identity verification systems... so confusing... so complicated...
Make it easier for individuals to recover fraudulently taken money from the credit card companies and banks, and to correct erroneous credit agency reports, and let the individuals recover their attorneys fees and consequential damages.
The crime of "identity theft" will disappear in a week.
This reminds me of how there used to be periodic brownouts regularly in many neighborhoods of New York as power lines would break, equipment fail, and so forth.
ConEd insisted up, down, and sideways that it was an impossible problem to solve, and they had lots of technical expertise to prove it.
The brown-outs stopped within a year of New York's adopting a fine (I think it was $20,000) for out-of-service time.
This is eminently NOT a technological problem. It is one of law and public policy, and it is one we can solve any time we choose.
"When they ran the card, my cell phone rang within 30 seconds -- it was American Express calling to make sure the transaction was legit. I gave some details as requested and the charge was approved before they hung up. Wow!"
What happened here is Two-Factor-Authentication manually by cell phone. Bruce has suggested to distinguish between authenticating a transaction and authenticating the person who initiates the transaction. I doubt that this distinction really makes sense.
The problem is, it's impossible for banks to know which transactions are fraudulent and which are not. Checking for "unusual patterns" won't work. How about when you go on vacation somewhere or discover some new (web)shop and want to purchase some stuff from it? They can only check for "abnormal" activity (excessive, etc.) which any criminal knows how to avoid triggering. There isn't really any other solution than notifying the owner of his/her card immediately whenever it's used and letting the owner decide if the transaction was fraudulent or not. Another thing is mandating that any purchases can be shipped only to the card holder's home address(es).
Some thoughts on these ideas, the IP address thing got me upset :).
* Restrict IP addresses outside Australia
- Very very Bad idea, one of the real strengths of internet banking is being overseas & being able to do things, having a way to turn overseas access on/off would be a good thing however. ( as an aside my New Zealand bank warned me when I accessed from the US, not much help if I was a bad guy though ).
* Restrict odd times of day (or at least be more vigilant)
- more vigilant maybe, impractical otherwise.
* Set cookies to identify machines
- Is that really a good idea ?, how would you deal with say company computers, internet cafes or shared family systems.
* Record IP usually used
- What are you going to do if not usual, additional security ?.
* Record times of day usually accessed
- email/sms if oddities would be great, but can be legit & out of email/sms range.
* Record days of week/month
- Done anyway.
* Send emails when suspicious activity is detected
* Lock accounts when fraud is suspected
- Done anyway no ?
* Introduce a delay in transfers out -- for suspicious amounts, longer
- Tough, how do you know it's suspicious.
* Make care proportional to risk
- means what ?.
* Define risk relative to customer, not bank
Some nice ideas, but you have to be practical too: a bank which halts an account for abnormal activity, and an incredibly annoyed customer returns from being out of email/sms contact, is going to lose customers very fast indeed.
It would be nice to be able to have your internet banking like a firewall & set IP address/MAC address and a lot of ideas, but that would be very frustrating if you wanted access from a new place.
Maybe it's multiple tiers of verification, based on previous transactions etc, like the phone verification if there are abnormal events occurring, but I'm not sure this is an easy problem.
How to destroy the chip on a plastic smart-card:
This method has been tried twice, once with a contact card and once with a proximity card, and worked both times. Beyond that I cannot guarantee anything.
1. A strong light-source (optional)
2. Two operational hands, including thumbs and fingernails of said thumbs.
1. Locate the chip in the card. This could be done with the strong light source behind the card. If you do not have a light source strong enough, you can try to reflect light off the card and notice a small square (3mmx3mm) where the plastic is very slightly warped. It's not hard after you do it once.
2. Apply the two thumbs to the chip, so that both fingernails are touching and aligned with the center of the chip.
3. With the remaining fingers, curve the plastic card in more and more, while applying pressure to the chip with the fingernails. Do it slowly, until it gives. When it gives, you will feel the chip breaking through your fingernails.
4. Repeat, but this time align your fingerprints with the other axis of the chip. This time you may not feel the chip break, because the force necessary to break the chip is considerably lower. Make sure you don't break the card.
5. TEST the card. It should be inoperable after step 3; step 4 is overkill.
A lot of the comments I'm seeing here seem to be along the lines of, "there are cases where this security measure won't be effective, so it's a bad security measure."
If you take this approach, you'll never implement any security measures. If a security measure works sometimes, and is otherwise relatively painless, it's well worth adopting. It may not prevent the fraud against your account, but if it prevents fraud against another account, it's still been effective.
Sure, you might not get that warning e-mail about your account. Perhaps your e-mail service is so bad that you have only a 50% chance of getting it. But that's still a heck of a lot better than the 0% chance you have of an e-mail not being sent.
By the way, given my usage patterns, the measures outlined in the article would have a pretty good chance of catching fraud against my account, without inconveniencing me much at all.
Oh, as well: can someone explain to me why the measures outlined in the article don't stop money laundering or other activities that don't involve stealing money from the owner of the account? If you can't transfer more than a few hundred dollars out of the account without a fraud alert, for example, it seems to me that you're not going to be laundering a whole heck of a lot of money through that account.
"can someone explain to me why the measures outlined in the article don't stop money laundering or other activities that don't involve stealing money from the owner of the account? If you can't transfer more than a few hundred dollars out of the account without a fraud alert, for example, it seems to me that you're not going to be laundering a whole heck of a lot of money through that account."
No bank can reasonably set such a low limit (a few hundred dollars) on an account. One may be quite reasonably earning four to ten thousand pounds a month (it's not average, but it's not impossible). One may be quite reasonably putting twenty thousand pounds into an account to finance a car purchase. One may be quite reasonably putting two hundred and fifty thousand pounds into an account as part of a real estate transaction, much more if one lives in an expensive part of the country.
Even though many bank customers never need to make international transfers, some do (immigrants, guest workers, small-scale importers). It's simply not that easy to discriminate right from wrong.
After all -- if all overseas transfers or large transactions were fraudulent, then banks wouldn't offer them in the first place, regardless of whether online banking were being used or not.
Darrin Chandler wrote:
" It was my bank wanting to know if the transaction was legitimate..."
It was somebody saying they were calling on behalf of your bank. They probably were, too.
I had such a call and was very pleased in principle but wanted to make sure that the caller was legitimate so only gave partial information, asking them for some details before giving more information myself. The caller was obviously unused to such calls not being taken at face value - explaining in a slightly aggrieved way that the call was for my own benefit. She didn't seem to grasp the distinction between my wanting to be sure she was legitimate and my being somehow hostile.
Perhaps it should be the other way round. If the bank calls a customer who doesn't make any effort to check who the caller is then the bank should flag that customer as being at possible risk of fraud and needing more attention in future.
Maybe they do - I haven't had any more calls of that type. It could also be because I haven't made "suspicious" transactions or, worst possibility, because I've been flagged as not wanting, or not being willing to put up with, such calls.
Taking a look at the following proposals, my usual usage pattern will mean that I will have a really high risk score:
* Restrict IP addresses outside Australia
I travel a lot and usually in 3/4 different countries so ...
* Restrict odd times of day (or at least be more vigilant)
Always taking a look at my bank accounts late at night.
* Set cookies to identify machines
No cookie is staying long enough on my computer: it's bad security.
* Record IP usually used
I do not have a fixed IP, the ISP of my girlfriend is not the same as mine (different IP range), and then again I'm travelling.
* Record times of day usually accessed
* Record days of week/month
Same problem as odd times, I'm accessing my bank account when I need to do it, not on a regular basis.
I guess that at some point the system will make me either disable the security. Or the guy managing my bank account will disable it after the nth alert.
@Carl Sampson: "If a security measure works sometimes, and is otherwise relatively painless, it's well worth adopting."
Please explain why those so-called security measures "work sometimes". Some of them are simply stupid, like the cookie idea (users who care about security are likely to disable cookies). Some can easily be circumvented by a smart attacker so they will be more likely to prevent the customer doing legitimate business than preventing fraud. Another problem is that a monitoring system that produces too many false positives won't help because people will stop taking them seriously. Anonymous wrote: "It turns out these are fraud alerts as well, though they only do a check daily and the message isn't terribly helpful. Unfortunately I get them every few weeks since I travel quite a bit, but it's nice to know they're making the effort." I just wonder whether Anonymous really cares about those alerts any more.
Bruce always argues that security needs to be evaluated in context. In this case, he is far from his own postulate. He says effectively that it isn't worthwhile to care about secure, two-factor authentication; but banks can prevent fraud by sending their customers emails if they make a transaction on Wednesday instead of Friday. This nonsense needs to be debunked before people start to take it seriously just because Bruce said it. Bruce's argument against better online authentication goes like this: "The real threat is fraud due to impersonation, and the tactics of impersonation will change in response to the defenses. Two-factor authentication will force criminals to modify their tactics, that's all." (March 15) How can you recommend restricting IP addresses and "odd times of day" if you believe the real threat is real-time attacks via the user's own computer?
Here is a link to quite possibly the funniest prank run against the credit card companies. That little signature on your card is pretty much worthless... does anyone really ever check it?
@Kieran & @Arik
In the old days, to destroy a smart card chip all you needed was a 9V dry cell battery (PP3 in the UK): you just connected it across the various gold contacts, both ways around, until you either saw a flash in the card (the bonding wires burning out) or the part of the card where the chip was got hot.
I guess today a microwave oven would probably do the same thing (not tried it, so remember the usual warnings ;)
I am not sure that destroying the chip in the Chip-n-Pin card will actually solve the problem. I have been told that if the chip does not work, the check-out bod can run the mag strip through the POS terminal in the normal (old) way and you then type in the PIN on the console....
So I guess you will have to lie and say the chip never worked, so you have not remembered the PIN, so please check the signature properly...
"If you have an account with $0 dollars in it, which you never use, what does it matter if someone knows the access details?"
In addition to other comments on this sentence, I'd like to point out verification schemes which involve placing small (
The "risk management" methods advocated in the article will result in false positives, which will have to be dealt with in a way that does not annoy customers and impede legitimate transactions. And as others have pointed out, thieves will figure out how to avoid triggering any alarms - meaning the false negative rate will also be too high. It has also been noted in the previous comments by a former banker that "patterns of fraudulent (banking) transactions are very difficult to spot compared to those of credit cards." So just because risk management methods may work well for credit card transactions does not mean they will work equally well for banking transactions.
Why is it not obvious that the best way to prevent online banking fraud is to make sure that unauthorized persons are prevented from conducting fraudulent transactions in the first place? This gets back to the basic problem of verifying the identity of the initiator of each transaction. In other words, authentication. Or at least, verifying that transactions are initiated by an authorized person. Seems like this ought to be a no-brainer. The risk management methods in the article may work in some cases, but in many cases they will be inadequate.
Perhaps what Bruce and the banks are saying is that better forms of authentication are simply too expensive, or too cumbersome, or not foolproof enough. If that is the case, then let's devote our energies to solving the real problem by developing better forms of authentication.
To make _my_ internet-banking more secure my bank needs just to switch to HTML.
Two years ago I stopped a broken transaction in the last moment because my browser displayed
The following should say it all:
<BODY BGCOLOR="#ffffff" TEXT=#000000 LINK=#FFFFFF VLINK=#ffffff ALINK=#0000ff>
Playing games by checking IP's or unusual times is completely silly.
My bank also locks accounts if the
is entered wrongly three times. "pin" is also limited to 4-6 chars, no spaces or special characters allowed. (I normally use mcookie for passwords)
Since accounts at the bank are like serial numbers it's easy to DOS many accounts by simple scripting.
Oh, I forgot to mention that the start-page is .../cgi-bin/... which is phishing friendly.
A lot of respondents to this article have made their analyses look rather superficial by making strongly critical--even sarcastic--comments which are actually already addressed in McGowan's proposal, thus giving the impression that these remarks have been made precipitately without actually reading the article.
For example, with regard to IP restrictions, some have commented "what if I am travelling abroad?". Hmm, I think McGowan addresses that right after the part where he says: ``"Oh, but you might be travelling", I hear you say...''
Further, many of the critical comments seem to suffer from the misapprehension that McGowan is talking about immediately blocking transactions which do not meet a standard pattern. If you think that, then you evidently have not given the writer the basic respect of even glancing at his work before rubbishing it, because it is obvious he is _not_ saying that. His actual proposal can be likened, perhaps, to a SpamAssassin-like score, with various additional precautions to be taken if you exceed a certain threshold, and any of a choice of mechanisms for configuring it (he never quite pins this down, but hints at both user input and Bayesian analysis).
Some have also observed that due to the proliferation of zombie networks, spoofing an IP has never been easier. However, that is irrelevant; just as with Bayesian filtering, any given pattern may be easy to imitate, but the attacker needs to be able to imitate *my* pattern. That is hard, because he first has to discover the pattern, on a case-by-case basis. In order to do that, he would have to capture all of my transactions over a period of time, without anyone wising up, or him missing any that somehow slip through to the real account. And then when he has done all that, and figured out how to perfectly simulate my behavioural patterns (or at least well enough to fool the monitors), he still has the obstacle that I just do NOT send money to Lagos. Ever. Sure, there are ways to get around even that, but we've at least graduated from the warded-lock security grade of the current daft systems to at least a deadbolt and some sort of alarm; instead of being able to effortlessly bankrupt hundreds of folk whose only crime was not being Internet savvy (and believing the bank's spiel that they didn't have to be), the attacker now has to target and work on individual victims for days--lower profit, higher risk, fewer victims.
McGowan's proposal is just that--it specifically calls itself a "Draft for comment", and there are certainly some areas that could be improved. But the basic principle is sound: if all of my previous transactions have been for under $1000, in Melbourne during business hours, and suddenly a machine in Nigeria requests transfer of 100% of my money to a Lagos account, something is obviously wrong. The very least the bank should do is ask me if it's OK. (Indeed, before they went the cheap-and-nasty internet banking route, they would have.)
1. As an aside, the proliferation of these networks is a really serious problem in many areas of on-line security, and before too long we're going to have to make a really serious effort to stop it. It's not as hard as it sounds, if the will were there. You identify a compromised machine, turn up with a warrant to examine it and tap its connection, and work your way backwards from there (perhaps from multiple compromised hosts simultaneously). The source may make it harder by "undernet" style routing, but you'll get him eventually.
> * Restrict IP addresses outside Australia
> - Very, very bad idea. One of the real strengths of internet banking is being overseas & being able to do things; having a way to turn overseas access on/off would be a good thing however. (As an aside, my New Zealand bank warned me when I accessed from the US, not much help if I was a bad guy though.)
He is talking about overseas IPs being regarded as highly suspicious, not totally blocked. So they would warn you, just as your bank did (and as most don't bother to do). In addition, he suggests it might be user configurable, so for example if you were going to travel to the US you could temporarily allow US addresses.
> * Restrict odd times of day (or at least be more vigilant)
> - more vigilant maybe, impractical otherwise.
> * Set cookies to identify machines
> - Is that really a good idea? How would you deal with, say, company computers, internet cafes or shared family systems?
Please, please tell me you don't really do banking from internet cafés?!?
> * Record IP usually used
> - What are you going to do if not usual, additional security?
Yes, exactly. It will increase the estimated probability that this transaction might be fraudulent. How much it increases it depends on how regular my habits were previously, and how far afield the new address is.
> * Record times of day usually accessed
> - email/sms if oddities would be great, but can be legit & out of email/sms range.
Email/SMS: yes, exactly. (Although a voice call would be better; of course they could never be persuaded to do that, since it would involve paying a salary to someone.) Can be out of email range: how can you be out of email range whilst making an internet banking transaction?
> * Record days of week/month
> - Done anyway.
The point is to pattern match this to other recorded data. For example, I might only use my work IP address at lunch time on weekdays, and my home address in the evenings or on weekends. Also, I might only use the work address for paying utility bills and similar transactions, while I buy stuff on-line on the weekends.
> * Send emails when suspicious activity is detected
> - Email/sms
> * Lock accounts when fraud is suspected
> - Done anyway, no?
Nope. Shocking, isn't it? The bank takes the view that they need a court order or some such to deny you access to your money. This is quite true, but freezing internet access to my money is _not_ the same thing as freezing access to my money; anywhere in the world I can get an internet connection, I can put my ATM card into a Maestro networked ATM and get cash out. It might be occasionally inconvenient, but if the alternative was a 10% probability of me being taken to the cleaners, I'd say they did the right thing.
> * Introduce a delay in transfers out -- for suspicious amounts, longer
> - Tough, how do you know it's suspicious.
That's the whole point of the proposal. A Nigerian machine trying to transfer 100% of my money to a private account in Lagos is extremely suspicious. A machine in Indonesia transferring $500 to a Jakarta hotel might or might not be suspicious, depending on my prior activity patterns. Analysis of past behaviour--for example Bayesian analysis--is needed to assign probability estimates.
> * Make care proportional to risk
> - means what?
The riskier the transaction, the greater the care that should be taken. For example a transfer of a really large sum to a country with no extradition agreement and an infamous history of fraud, should be treated as inherently dangerous, because it is. And a purchase of goods with a high resale value should be seen as riskier than books or lingerie, for example.
> * Define risk relative to customer, not bank
> - whatever.
Meaning the reason the current systems are so screwed up is that banks try as hard as possible to offload all risk to the customer, and then claim to wash their hands of it. "What would WE know about security? We're just a bank, we only exist to keep your money s... erm, ah, ticking over at really low interest."
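A sketch of the SpamAssassin-like score Roger describes, as an added example (not McGowan's code nor anything from the original thread): a customer's past transactions are counted up per attribute, a new transaction is scored by how surprising each attribute is in bits, and the excess over the customer's own baseline selects allow, verify (email/SMS confirmation) or hold (delayed transfer). The features, thresholds, the country-as-IP-proxy, the travel override and the sample history are all assumptions made for the illustration.

```python
"""Behavioural transaction scoring: learn a customer's habitual pattern, measure
how surprising a new transaction is, and escalate when the surprise is too high.
Added illustration; features, thresholds and sample history are assumptions."""
import math
from collections import Counter
from dataclasses import dataclass

VERIFY_AT = 3.0   # bits of excess surprise before asking the customer to confirm
HOLD_AT = 12.0    # bits of excess surprise before delaying the transfer outright


@dataclass(frozen=True)
class Txn:
    country: str      # country the session IP geolocates to (assumed to be given)
    hour: int         # local hour of day, 0-23
    weekday: int      # 0 = Monday ... 6 = Sunday
    amount: float
    recipient: str    # destination account identifier


class CustomerProfile:
    """Per-customer counts of past transaction attributes: the 'pattern'."""

    def __init__(self):
        self.n = 0
        self.country = Counter()
        self.hour_bucket = Counter()   # four six-hour buckets per day
        self.weekday = Counter()
        self.recipient = Counter()
        self.max_amount = 0.0
        self.travel_override = set()   # countries the customer announced in advance
        self.history = []

    @staticmethod
    def _bucket(hour):
        return hour // 6

    def learn(self, t):
        self.n += 1
        self.country[t.country] += 1
        self.hour_bucket[self._bucket(t.hour)] += 1
        self.weekday[t.weekday] += 1
        self.recipient[t.recipient] += 1
        self.max_amount = max(self.max_amount, t.amount)
        self.history.append(t)

    def _bits(self, counter, key):
        # Laplace-smoothed probability of this value given the history, as bits of
        # surprise. The extra slot in the denominator keeps mass for never-seen values.
        k = len(counter) + 1
        p = (counter[key] + 1) / (self.n + k)
        return -math.log2(p)

    def score(self, t):
        bits = 0.0
        if t.country not in self.travel_override:
            bits += self._bits(self.country, t.country)
        bits += self._bits(self.hour_bucket, self._bucket(t.hour))
        bits += self._bits(self.weekday, t.weekday)
        bits += self._bits(self.recipient, t.recipient)   # unknown payee: the 'ACL' part
        if self.max_amount > 0 and t.amount > self.max_amount:
            bits += math.log2(t.amount / self.max_amount)
        return bits

    def baseline(self):
        # How surprising the customer's own past transactions look to the profile;
        # thresholds are relative to this, so a customer with irregular habits is
        # not penalised for being irregular. An empty history scores everything as new.
        if not self.history:
            return 0.0
        return sum(self.score(t) for t in self.history) / len(self.history)

    def decide(self, t):
        excess = self.score(t) - self.baseline()
        if excess < VERIFY_AT:
            return "allow"
        if excess < HOLD_AT:
            return "verify"    # e-mail/SMS the customer and wait for confirmation
        return "hold"          # delay the transfer, notify, lock if unanswered


def build_demo_profile():
    """Constructed sample history: 20 weekday lunchtime payments from Australia,
    all under $1000, alternating between two known payees."""
    p = CustomerProfile()
    for i in range(20):
        payee = "utility-co" if i % 2 == 0 else "landlord"
        p.learn(Txn("AU", 12, i % 5, 200.0 + 10 * i, payee))
    return p


if __name__ == "__main__":
    p = build_demo_profile()
    for t in (Txn("AU", 12, 1, 300.0, "landlord"),        # the usual
              Txn("ID", 12, 2, 500.0, "jakarta-hotel"),   # maybe travelling
              Txn("NG", 3, 6, 5000.0, "lagos-acct")):     # the 3am-from-Lagos case
        excess = p.score(t) - p.baseline()
        print(f"{t.country} {t.amount:>8.2f} -> {p.decide(t)} ({excess:.1f} excess bits)")
```

Adding "ID" to `travel_override` before a trip turns a known-payee transaction from Indonesia back into "allow", while a transfer to a never-seen payee still gets a confirmation request.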
Thanks Roger, you hit the nail on the head and saved me the trouble of explaining it all again. ;-)
What I also state, early in the article (for those with not much time to read all the way through) is that this is not intended in any way to be a panacea for the prevention of phishing. It is intended to encourage thought and discussion. Like I said, the bad guys are thinking very hard about ways to steal your money, until we are willing to devote as much effort to thinking of ways to prevent them, then they will get away with it.
@Roger, Paul: "a SpamAssassin-like score, with various additional precautions to be taken if you exceed a certain threshhold, and any of a choice of mechanisms for configuring it (he never quite pins this down, but hints at both user input and Bayesian analysis)", "just as with Bayesian filtering, any given pattern may be easy to imitate, but the attacker needs to be able to imitate *my* pattern. That is hard, because he first have to discover the pattern, on a case-by-case basis. In order to do that, he would have to capture all of my transactions over a period of time, without anyone wising up, or him missing any that somehow slip through to the real account."
That is all very clever, but the attacker doesn't want to imitate me, he just wants to steal my money. Basically, he wants to initiate one single transaction in my name. If your protection scheme cannot prevent him doing this, what is it worth? It may at best send a warning to the legitimate customer, but they will find out anyway. And even that poses problems because however clever your system, it must either produce too many annoying false positives or too many false negatives.
"In addition, he suggests it might be user configurable, so for example if you were going to travel to the US you could temporarily allow US addresses."
There are problems with making too many things user configurable.
- It's making the system more complicated for the user which is not in general good for security (think of all those internet security options that most users don't understand anyway). It's a bad idea to depend on the user making the right configuration, and keeping it up to date.
- Configurations that can be changed online can themselves become attack targets.
- Moreover, bank customers may not like the idea of their bank recording usage patterns, even if it is for their security. Customers understand clear and logical rules, like "no international transactions".
By the way: The approach you describe - "the attacker needs to be able to imitate *my* pattern" - is similar to "security by obscurity". The "security" consists in a set of rules that the attacker presumably doesn't know. But he might guess them, or just be lucky (if he's lucky one percent of the time, it will be enough). So it won't work.
"That is all very clever, but the attacker doesn't want to imitate me, he just wants to steal my money. Basically, he wants to initiate one single transaction in my name"
Umm, that's the whole point. If his transaction isn't a sufficiently good imitation of me, it will be double-checked, and probably refused. He loses, I keep my money.
"And even that poses problems because however clever your system, it must either produce too many annoying false positives or too many false negatives."
Broadly similar schemes are already in place by credit card companies (for which they are basically the _only_ security mechanism), and they do not seem to have unmanageable error rates.
"There are problems with making too many things user configurable. "
Yes there are. That's why this system is basically autoconfiguring through a Bayesian-like system. But it would be useful to give the customer a limited override capability if they expect to suddenly change their habits, e.g. travel overseas. Very few customers will require this feature and it is not essential even for those who do, but would reduce the false positive rate.
"Moreover, bank customers may not like the idea of their bank recording usage patterns"
Umm, 100% of banks already do. Around here it's called a "statement", they usually send you a copy once a quarter. And you're required by law to keep them for seven years in case the tax man wants to have a look, too.
"By the way: The approach you describe ... is similar to "security by obscurity"
No, it's not. Security by obscurity is where your security depends on the attacker not discovering the overall principles of the whole scheme. Small amounts of secret data that vary for every individual case are not "security by obscurity" and are important in security. For example, keeping a cryptographic algorithm secret is a bad idea, but you must keep the keys secret; keeping the source code to login() secret is a bad idea, but you must keep the passwords secret; it's pointless concealing the fact you use an armoured car company, but it would not be a good idea to publish their pick-up schedule. Ideally we try to minimise the amount of data that needs to remain secret in order to provide security (the more secret data required, the more brittle the system), but very few applications manage to get it as small as crypto keys (e.g. Bruce wrote an interesting essay a while ago that considered network topology to be usefully kept secret.)
The information in this case has another interesting property. In one sense, it's like a biometric (one which happens to be particularly difficult for the opponent to scan, and relatively easy to for me to modify if compromised); but it also provides additional security that is unrelated to the opponent's difficulty in compromising my biometric. Namely, if I never send money to Lagos, then he ain't gonna be able to send money to Lagos, no matter how well he spoofs my biometric. So in effect, it also adds ACLs.
"Umm, that's the whole point. If his transaction isn't a sufficiently good imitation of me, it will be double-checked, and probably refused." Well, you wrote before: "Further, many of the critical comments seem to suffer from the misapprehension that McGowan is talking about immediately blocking transactions which do not meet a standard pattern." This is the whole point. We are talking about immediately blocking the transaction that seems unusual. If you don't block it immediately, the attacker has already won. But you can't do that just because it's the first time the customer is using a different computer, or working at an unusual hour, or sending money to an unknown recipient. It might make sense in some cases to contact the customer manually, but what if he can't be reached (no cellphone, not at home)?
In my view, only two of the characteristics of a transaction are actually useful for the purpose discussed: the amount and the recipient. Fixing a limit is an obvious thing to do. Many internet banking platforms don't do international transfers. In some cases the customer has to register each recipient with the system. This makes sense. Letting the system guess whether a transaction looks suspicious doesn't.
«"Moreover, bank customers may not like the idea of their bank recording usage patterns"
Umm, 100% of banks already do. Around here it's called a "statement", they usually send you a copy once a quarter.»
This is not the same. You will be surprised how customers react if they get called by the bank: "Excuse me sir, but according to our files you never log into our system on Wednesday mornings, and you didn't tell us you would be on holidays, oh and you never bought leather underwear before, so we thought we had better check whether everything is all right" ;-)
I am sorry you have wasted your time reading the article. I am more sorry that you have wasted others' time with your dogmatic rebuttal of the ideas put forward.
The article is, and always has been, a set of ideas, it has never claimed to present a complete working solution to the problems of identity theft. It is intended (as Bruce pointed out) as a _start_. It is supposed to get you thinking about ways to solve the problem, not merely spend your energy trying to show why the ideas presented won't work.
It might be worth mentioning at this point that when Wilbur and Orville set out to show that powered flight was possible, everyone _knew_ it wouldn't work, yet flew they did. Their flimsy aircraft was not nearly the same technology we take for granted today when we stand in airports getting upset that we may be delayed by half an hour or so, but it was a great start.
I will say again that until you are willing to spend effort thinking about ways to solve the problem, then you will indeed be correct that the problem will not be solved.
One further note, is that I have actually implemented a very similar system previously with spectacular success. It was a slightly different context, and so the details vary. The system sought to address a problem with fraudulent credit card transactions in an online processing gateway I created. The same techniques I talk about in the article were used, and eliminated 99.95% of fraudulent transactions, with zero false positives. I had an improvement planned that would have mitigated the 0.05% that went through (meaning no-one lost money at all), but the client felt it wasn't necessary, so it never happened.
I can only suggest you take the blue pill, the story will end and you can believe whatever you want to believe. Wonderland is far more complex than you can imagine.
For everyone who has given me constructive feedback, thank you, it is greatly appreciated. I hope in time I can repay your efforts.
What about, rather than emails when transactions occur, and RSS feed that has the last n transactions.
Obviously, it would need some sort of encryption/authentication, but I believe this is possible...
I am sorry that in this forum, frequented by a variety of people who think about security related questions, most contributors have criticized your ideas (but Bruce agrees with you, so of course you can ignore those other whiners). It's a pity that instead of defending your ideas with arguments, or reviewing them in light of criticism, you start crying about how new ideas, even the good ones, are always rejected. Maybe, but it doesn't follow that all new ideas are good.
"until you are willing to spend effort thinking about ways to solve the problem, then you will indeed be correct that the problem will not be solved." I think your approach lacks a proper risk analysis. In your article, you only refer to very obvious fraud attempts ("a login from Nigeria, at 3am, on a Sunday, requesting a transfer of 100% of my money to an account in Lagos"). But most cases won't be as easy to spot, so you need to justify how your scheme would be helpful against more sophisticated attacks, especially as it is known that attackers will adapt to any countermeasures.
"Solutions": Personally, I take two-factor authentication by transaction codes as the minimum security level any online banking system should offer. I have pointed this out repeatedly in this forum. Bruce has pointed out that such a protection could be attacked by "impersonation" - Trojans taking over the banking session - but it certainly is effective against your average Nigerian phisher. Moreover, most of your suggestions will be useless against an "impersonation" attack since it will fit the usage pattern perfectly (except for the money recipient). That's why I specifically criticized Bruce (see my post @ May 12, 2005 10:41 AM) for being inconsistent.
"reviewing them in light of criticism, you start crying how new ideas, even the good ones, are always rejected. Maybe, but it doesn't follow that all new ideas are good" The intention of the article was to gather feedback. Review based on feedback will happen, if it hasn't happened fast enough for you I'm sorry, but these things take time. I have never claimed that all new ideas are rejected, nor did I ever claim that all new ideas are good. Those claims are all yours. Please do not put words in my mouth.
I am disappointed at your insistence on clinging so tightly to the examples I give as illustrations. Yes, a 3am transfer to Nigeria is an extreme case. The point I was trying to make (which you evidently missed, or chose to ignore) is that any system which relies entirely on authentication at the login (even two-factor authentication) will miss something so blatantly fraudulent. I am not so naive that I believe any real system will ever have to deal with such easy targets, but grey examples make very poor illustrations when one is trying to convey a concept. Your leather underwear example is a fine case in point. Please, give me a little credit.
Yes, there is no risk analysis in my article. Well spotted. Perhaps you missed the bit right at the top that said "Draft". Perhaps you also missed the fact that the article is not 50 pages long. I doubt you would have bothered to read it if it contained everything you seem to feel is necessary for you to take it seriously. If it is your genuine desire to engage me in discussion on this issue, then my contact details are at the top of the article, you are free to contact me directly at any time. If you prefer to continue to post anonymously to a public forum, then please don't ask me to justify myself to you here, this is not the place.
Paul, here's my advice, take it or leave it: stop complaining and start appreciating the value of critical feedback, whether you agree with it or not.
As all who have chosen to contact me can attest, I do appreciate all feedback, critical or otherwise.
What I do not appreciate, and will not tolerate, is someone who lacks the courage to even put a real name to that feedback telling me how to think, piglet.
Your advice will be evaluated in context, like so many things.
I can only assume from the fact you have chosen not to contact me, as invited, that it is not (and never has been) your intention to engage in any sort of serious debate on this issue.
> is someone who lacks the courage to
> even put a real name to that feedback
> telling me how to think, piglet.
Anyone who is even remotely interested in communicating over the internet - and is in the 'security' field - should not be concerned by the fact that some people do not use their real name.
To discredit or ignore someone on that basis is just stupid.
10 Ways of Reducing the Risk of Identity Theft
By John Parsons
1- Check your credit report regularly.
2- Secure personal information in your home, especially if you have roommates, employ outside help, or are having work done in your home.
3- Minimize the amount of information someone can steal: do not carry extra credit cards, your Social Security card, birth certificate or passport in your wallet or purse, except when needed. Always store your wallet in a safe place.
4- Make sure you have a locked mailbox, post office box or commercial mailbox service. When you are away from home for an extended time, have your mail held at the Post Office, or ask someone you trust to pick it up.
5- Pick up new checks at the bank. Do not have them mailed to your home.
6- Reduce the number of credit cards you actively use to a minimum.
7- Cancel unused bank or credit accounts.
8- Keep a photocopy of all your credit cards, bank accounts, and investments.
9- Never give out your SSN, credit card number or other personal information unless you are sure the source is secure.
10- Do not throw out your credit card receipts in public places; always take receipts with you.
See more ways to combat identity theft at www.corporatenarc.com
John Parsons is founder of http://CorporateNarc.Com. The mission of http://www.CorporateNarc.Com is to educate the public in consumer affairs and to provide consumers with up-to-date business information. In addition we hope to ensure better services for the consumer by exposing business fraud and corruption, as well as unfair and deceptive business practices.
This article may be reproduced as long as the author's name and url to http://www.Corporatenarc.com are present at the end of the article.
Article Source: http://EzineArticles.com/
I have a question which is this:
A colleague of mine wanted to open a bank account in France (UK resident in France) and requested from a high street bank an opening account form...
The bank stated they did not use such forms. None were available..just 3 documents for identity purposes, were required.
The bank then proceeded to use emails to request details, and there were NO signed documents at all. One would have thought they would have been required by law to have at least written on official headed notepaper to say
"Thank you for your request to open an account ...etc..", but they have NOT, just 4 emails to date.
This does throw up a number of concerns related to your discussions here... although my colleague initially went into the bank in person, there are only emails and no other documents in the process of opening and approving an account... (I hasten to add that thus far, no account has actually been opened).
I personally feel that emails are not secure... certainly as a private individual with reasonable security on their computer, I know that it does not stop really clever hackers from sending or intercepting emails... therefore I wondered what advice anyone might give, in order to ensure clear and safe processing of information in the opening of a new bank account in France. Are there grounds for concern here? And surely banking regulations would INSIST on formal documentation to record "requests to open accounts", and personal documents as proof of identity?
I would appreciate a quick reply if anyone has the time. Thanks.
There can be a problem when logging someone's IP address. Many people use proxies in order to change their IPs. If you're trying to keep track of who is visiting your website, it can be very difficult, because the same person could be checking out your site from a different IP address every time.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.