Schneier on Security

piglet • May 11, 2005 4:22 PM

Here’s a suggestion, Bruce: why not make all bank accounts publicly accessible without any passwords and stuff, and then hire thousands of personnel to monitor all the activity and make sure all transactions are legitimate? This is absurd, but it’s the logical consequence of your theory. Even if the bank implements restrictions and monitors suspicious behavior, this cannot replace access authentification; it can only complement it. Authentification is a must, and it had better be GOOD.

Of the recommendations you cite, most are simply nonsense. Send out email alerts? So the attacker will care to change the adress to a bogus one. Worse, banks shouldn’t communicate with their customers by email in any case. Never. Email is not safe for sensitive information. It risks being overlooked or discarded as spam, or the adress might not be up to date. And worst of all, if customers start to trust email messages from their bank, they will also fall for phishing emails. Banks are working hard telling their customers not to trust any email pretending to come from the bank. This “security recommendation” is really really crap.

Most of the other are impractical as well as ineffective, like blocking access from outside the country (the attacker will hijack a computer in the country) and at certain times of the day (rolleyes). Monitoring activity patterns will either produce too many false positives and thus be annoying (see Ian Eiloart’s comment), or be ineffective. Introduce delays could hurt the customer who needs the payment to be on time.

The only restrictions that do make some sense – restrict the max amount according to the customer’s needs and don’t allow international transfers – are not even mentioned. Wow. Sorry Bruce but this article only shows that you still don’t grasp the security implications of online banking.

piglet • May 12, 2005 10:41 AM

@Carl Sampson: “If a security measure works sometimes, and is otherwise relatively painless, it’s well worth adopting.”
Please explain why those so-called security measures “work sometimes”. Some of them are simply stupid, like the cooky idea (users who care about security are likely to disable cookies). Some can easily be circumvented by a smart attacker so they will be more likely to prevent the customer doing legitimate business than preventing fraud. Another problem is that a monitoring system that produces too many false positives won’t help because people will stop taking them serious. Anonymous wrote: “It turns out these are fraud alerts as well, though they only do a check daily and the message isn’t terribly helpful. Unfortunately I get them every few weeks since I travel quite a bit, but it’s nice to know they’re making the effort.” I just wonder whether Anonymous really cares about those alerts any more.

Bruce always argues that security needs to be evaluated in context. In this case, he is far from his own postulate. He says effectively that it isn’t worthwile to care about secure, two factor authentication; but banks can prevent fraud by sending their customers emails if they make a transaction on wednesday instead of friday. This nonsense needs to be debunked before people start to take it serious just because Bruce said it. Bruce’s argument against better online authentication goes like this: “The real threat is fraud due to impersonation, and the tactics of impersonation will change in response to the defenses. Two-factor authentication will force criminals to modify their tactics, that’s all.” (March 15) How can you recommend restricting IP adresses and “odd times of day” if you believe the real threat are real-time attacks via the user’s own computer?

piglet • May 16, 2005 9:56 AM

“In addition, he suggests it might be user configurable, so for example if you were going to travel to the US you could temporarily allow US addresses.”

There are problems with making too many things user configurable.
– It’s making the system more complicated for the user which is not in general good for security (think of all those internet security options that most users don’t understand anyway). It’s a bad idea to depend on the user making the right configuration, and keeping it up to date.

• Configurations that can be changed online can themselves become attack targets.
• Moreover, bank customers may not like the idea of their bank recording usage patterns, even if it is for their security. Customers understand clear and logical rules, like “no international transactions”.

By the way: The approach you describe – “the attacker needs to be able to imitate my pattern” – is similar to “security by obscurity”. The “security” consists in a set of rules that the attacker presumably doesn’t know. But he might guess them, or just be lucky (if he’s lucky one percent of the time, it will be enough). So it won’t work.

piglet • May 16, 2005 2:26 PM

“Umm, that’s the whole point. If his transaction isn’t a sufficiently good imitation of me, it will be double-checked, and probably refused.” Well, you wrote before: “Further, many of the critical comments seem to suffer from the misapprehension that McGowan is talking about immediately blocking transactions which do not meet a standard pattern.” This is the whole point. We are talking about immediately blocking the transaction that seems unusual. If you don’t block it immediately, the attacker has already won. But you can’t do that just because it’s the first time the customer is using a different computer, or working at un unusual hour, or sending money to an unknown recipient. It might make sense in some cases to contact the customer manually, but what if he can’t be reached (no cellphone, not at home)?

In my view, only two of the characteristics of a transaction are actually useful for the purpose discussed, the amount and the recipient. Fixing a limit is an obvious thing to do. Many internet banking platform don’t do international transfers. In some cases the customer has to register each recipient with the system. This makes sense. Letting the system guess whether a transaction looks suspicious doesn’t.

piglet • May 17, 2005 9:10 AM

Paul,

I am sorry that in this forum frequented by a variety of people who think about security related questions, most contributors have criticized your ideas (but Bruce agrees with you, so of course you can ignore those other whiners). It’s a pity that instead of defending your ideas awith arguments, or reviewing them in light of criticism, you start crying how new ideas, even the good ones, are always rejected. Maybe, but it doesn’t follow that all new ideas are good.

“until you are willing to spend effort thinking about ways to solve the problem, then you will indeed be correct that the problem will not be solved.” I think your approach lacks a proper risk analysis. In your article, you only refer to very obvious fraud attempts (“a login from Nigeria, at 3am, on a Sunday, requesting a transfer of 100% of my money to an account in Lagos”). But most cases won’t be as easy to spot, so you need to justify how your scheme would be helpful against more sophisticated attacks, especially as it is known that attackers will adapt to any countermeasures.

“Solutions”: Personally, I take two-factor authentication by transaction codes as the minimum security level any online banking system should offer. I have pointed this out repeatedly in this forum. Bruce has pointed out that such a protection could be attacked by “impersonation” – Trojans taking over the banking session – but it certainly is effective against your average Nigerian phisher. Moreover, most of your suggestions will be useless against an “impersonation” attack since it will fit the usage pattern perfectly (except for the money recipient). That’s why I specifically criticized Bruce (see my post @ May 12, 2005 10:41 AM) for being inconsistent.

piglet • May 18, 2005 12:47 PM

Paul, here’s my advice, take it or leave it: stop complaining and start appreciating the value of critical feedback, whether you agree with it or not.