Scandinavian Attack Against Two-Factor Authentication

I've repeatedly said that two-factor authentication won't stop phishing, because the attackers will simply modify their techniques to get around it. Here's an example where that has happened:

Scandinavian bank Nordea was forced to shut down part of its Web banking service for 12 hours last week following a phishing attack that specifically targeted its paper-based one-time password security system.

According to press reports, the scam targeted customers that access the Nordea Sweden Web banking site using a paper-based single-use password security system.

A blog posting by Finnish security firm F-Secure says recipients of the spam e-mail were directed to bogus Web sites but were also asked to enter their account details along with the next password on their list of one-time passwords issued to them by the bank on a "scratch sheet".

From F-Secure's blog:

The fake mails were explaining that Nordea is introducing new security measures, which can be accessed at www.nordea-se.com or www.nordea-bank.net (fake sites hosted in South Korea).

The fake sites looked fairly real. They were asking the user for his personal number, access code and the next available scratch code. Regardless of what you entered, the site would complain about the scratch code and asked you to try the next one. In reality the bad boys were trying to collect several scratch codes for their own use.

The Register also has a story.

Two-factor authentication won't stop identity theft, because identity theft is not an authentication problem. It's a transaction-security problem. I've written about that already. Solutions need to address the transactions directly, and my guess is that they'll be a combination of things. Some transactions will become more cumbersome. It will definitely be more cumbersome to get a new credit card. Back-end systems will be put in place to identify fraudulent transaction patterns. Look at credit card security; that's where you're going to find ideas for solutions to this problem.

Unfortunately, until financial institutions are liable for all the losses associated with identity theft, and not just their direct losses, we're not going to see a lot of these solutions. I've written about this before as well.

We got them for credit cards because Congress mandated that the banks were liable for all but the first $50 of fraudulent transactions.

EDITED TO ADD: Here's a related story. The Bank of New Zealand suspended Internet banking because of phishing concerns. Now there's a company that is taking the threat seriously.

Posted on October 25, 2005 at 12:49 PM • 67 Comments
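Added example, not part of the original post and not any bank's real protocol: a constructed Python model of why the fix has to bind to the transaction. A sequential scratch-sheet code authorizes whatever request it arrives with, while a response computed over the payee and amount is useless for a different transfer. The class names, account labels, sample codes and the 8-digit HMAC truncation are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class ScratchSheetBank:
    """Constructed model of a paper one-time-code sheet: the next unused
    code authorizes whatever request it arrives with."""

    def __init__(self, codes):
        self._codes = list(codes)
        self._next = 0

    def authorize(self, code, payee, amount):
        # payee and amount play no part in the check: that is the weakness.
        if self._next >= len(self._codes):
            return False
        ok = hmac.compare_digest(code, self._codes[self._next])
        if ok:
            self._next += 1
        return ok


def sign_transfer(key, challenge, payee, amount):
    """Response a (hypothetical) customer device computes over the transfer
    details shown on its own display. Truncated to 8 hex digits for brevity."""
    msg = f"{challenge}|{payee}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class TransactionBoundBank:
    """Constructed model where each response is tied to one challenge and
    to the payee and amount the bank actually received."""

    def __init__(self, device_key):
        self._key = device_key
        self._pending = {}  # challenge -> (payee, amount)

    def start_transfer(self, payee, amount):
        challenge = secrets.token_hex(4)
        self._pending[challenge] = (payee, amount)
        return challenge

    def authorize(self, challenge, response):
        details = self._pending.pop(challenge, None)  # each challenge is single use
        if details is None:
            return False
        expected = sign_transfer(self._key, challenge, *details)
        return hmac.compare_digest(response, expected)


def run_demo():
    intended = ("landlord-account", 500)     # what the customer means to pay
    substituted = ("unknown-account", 9000)  # what a look-alike site submits instead

    # 1. Scratch sheet: a code typed into the wrong site is valid for any request.
    sheet = ScratchSheetBank(["4821", "7730", "1095"])  # constructed sample codes
    sheet_accepts_substituted = sheet.authorize("4821", *substituted)

    # 2. Transaction-bound: the bank's challenge is for the substituted transfer,
    #    but the customer's device signs the details the customer entered.
    key = secrets.token_bytes(32)
    bank = TransactionBoundBank(key)
    challenge = bank.start_transfer(*substituted)
    response = sign_transfer(key, challenge, *intended)
    bound_accepts_substituted = bank.authorize(challenge, response)

    # 3. The customer's own transfer still goes through.
    challenge = bank.start_transfer(*intended)
    response = sign_transfer(key, challenge, *intended)
    bound_accepts_intended = bank.authorize(challenge, response)

    # 4. Re-submitting the same challenge and response is refused.
    bound_accepts_replay = bank.authorize(challenge, response)

    return {
        "sheet_accepts_substituted": sheet_accepts_substituted,
        "bound_accepts_substituted": bound_accepts_substituted,
        "bound_accepts_intended": bound_accepts_intended,
        "bound_accepts_replay": bound_accepts_replay,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The binding only helps if the customer reads the payee and amount on a display the browser cannot alter; software on the PC that rewrites the transfer before it is shown defeats a check done on screen.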

Comments

Anders • October 25, 2005 1:17 PM

The fake mails that were sent out were actually written in extremely bad Swedish. They looked as if some non-Swede had written a very impressive letter in his/her own language, then translated it word by word using the dictionary in the back of a "Tourist's guide to Sweden".

If you are planning a great phishing attack that might render you millions, why not get an accomplice in Sweden to proof-read the mails? =)

Johan Berg • October 25, 2005 1:30 PM

I received one of those fake mails. I started to examine the mail header directly and found out it came from an SMTP far away from Sweden, so the mail went to the trash immediately.

Banks in Sweden never handle any e-mail addresses of their users, so I would never trust a mail like that one, especially when the language is very bad.

Anders • October 25, 2005 1:38 PM

@ Johan Berg:

Actually - my bank (not Nordea) has given me the option of communicating via email. I can ask questions to Customer Service through the Internet banking site and I can get replies through email. That might be a way for attackers to get to gullible bank customers...

NB - the attacker didn't ask for the passwords directly, but through a "new site with better security". If the emails had been written in better Swedish, I think the attack could have worked against a few unlucky ones without the required knowledge of Internet security.

Ed T. • October 25, 2005 1:38 PM

@Bruce:

Actually, I think the statement "We will see better examples of these attacks in the future" is more correct. We will also see more of the same lame-o garbage like this one, because some scammers are just plain lazy.

-EdT.

Davi Ottenheimer • October 25, 2005 1:59 PM

"Two-factor authentication won't stop identity theft, because identity theft is not an authentication problem."

Too true. We need more than one control to help protect the almost pervasive amount of identity data floating around.

"Unfortunately, until financial institutions are liable for all the losses associated with identity theft, and not just their direct losses, we're not going to see a lot of these solutions."

Err, close, but that doesn't say regulated.

"Look at credit card security; that's where you're going to find ideas for solutions to this problem."

Ok, that says regulated. You mentioned the act by Congress, but it might be worth also linking to the Payment Card Industry Data Security Standard, which serves as a form of industry self-regulation, meant to protect the image and reputation of the Payment Card through 12 domains of security. In other words, the PCI Standard can be held against those who do not comply, thereby shifting liability, but guess who decides who actually complies? In any regard the standards may also better-protect consumer identity/card information if companies adhere to the spirit of meeting all the obligations:

http://usa.visa.com/download/business/...

Augusto Paes de Barros • October 25, 2005 2:22 PM

Phishing is not the only issue. Last month I presented (www.cnasi.com.br) a PoC code for a trojan that changes the destination account data for money transfers done in a specific Internet Banking system. It was done by using Browser Helper Objects (BHO). It didn't have to worry about stealing authentication information; the user was authenticating the bogus transaction, with all the "strong" authentication requirements.

And today I heard a story about an old lady that was visited by an "employee" of her Bank proactively asking her to confirm her password in his laptop, to be able to unblock her card that has been blocked for security reasons...gee

Ari Heikkinen • October 25, 2005 2:36 PM

Just as redirecting a bank website's main page to SSL enabled one, two factor authentication (OTP) is probably there because it's an easy way for banks to give an impression to their customers about "better" security (while in reality bank's security has increased and yours worsened, as in case of abuse the bank can simply claim their use of two factor authentication makes abuse impossible and thus yourself liable). And why would a bank shut down their service because of a circulating e-mail anyway? Probably because they just figured out someone might send fake emails and set up authentic looking fake websites and their security measures weren't designed with that possibility in mind (targeted regular mail would probably work even better).

Chase Venters • October 25, 2005 2:46 PM

A while back a friend suggested an interesting technique for a PGP IM tool in order to verify key authenticity.

Basically, you generate a visual signature of the remote party's public key from a series of colored bars. The bank could do this and print their colored bars on a card that was handed out to customers. Then, if browsers showed this "flag", the customers could compare the flag to see if the site matched what they expected.

Not perfect, but better than what we have now.

Bjorn • October 25, 2005 2:48 PM

Of course this is a very weak form of two-factor authentication.
Modern solutions such as challenge/response systems or the time-dependent calculated challenge/response systems would stop this scam. I can probably think up a scam with the latter solution, but since you have to sign away all your transactions at my Swedish bank, it probably wouldn't work.

Juergen • October 25, 2005 3:02 PM

See, that's what happens if the customers don't want to pay for security.

In Germany, banks DO offer a very secure system (HBCI) that uses public-key encryption with Smartcards, with the whole encryption/signing process taking place inside the smartcard and the PIN entered on a separate keypad on the cardreader. That's about as secure as you can get - but few people use it, because they'd have to buy a cardreader and special homebanking software (all in all, about 70 US$ worth of gear).

Ari Heikkinen • October 25, 2005 3:27 PM

"In Germany, banks DO offer a very secure system"

The problem with "very secure" systems is when someone figures a way to abuse that and it hits you, the bank can easily claim that abuse is "impossible" and that you're to blame. It's often with "very secure" systems your security actually worsens. And if they invest huge amounts of money to that expensive and "very secure" system and find a problem, they'll likely do everything to deny there's a problem and make their customers pay instead.

In my opinion, forcing technical solutions by regulation would be the biggest mistake to make.

Like Bruce's been saying, making financial institutions liable is the only way to solve the problem.

Guillaume • October 25, 2005 3:41 PM

What I understand from Bruce's point is that every system would be vulnerable to a "phisher-in-the-middle" attack. The bank asks for an OTP, token, CAPTCHA or whatnot? Just ask for it yourself in a phishing site and replay it immediately to commit fraud.

The smartcards Juergen talks about are different. There is the issue of actually making people use it, but if every bank made it mandatory, then a smartcard reader *could* become common hardware found on new computers...

BTW "different" doesn't necessarily mean "good" ;)

relativism • October 25, 2005 4:31 PM

"I've repeatedly said that two-factor authentication won't stop phishing"

Correct me if I am wrong, but a one time pad is one factor, surely. What is the second factor?

piglet • October 25, 2005 5:41 PM

Pathetic, Bruce. This story has already been discussed in an earlier thread, and I have already explained how well-designed TFA (e.g. rotating code cards) wouldn't have been vulnerable to the scam. Moreover, the scam was really obvious and easy to detect, and from the articles you cite, there is no evidence that the scammers were actually successful in getting money. Instead of making ill-founded generalizations from "security firm" blog postings, a real discussion about how to build stronger security would be in place in a blog claiming to be about security.

Gary • October 25, 2005 6:17 PM

Financial services firms - or their marketing departments - still don't get the phishing problem. "Special" urls for online banking like cardmemberservices.com, accountonline.com, mbnanetaccess.com, etc. reduce (eliminate?) any remaining sensitivity to "what URL am I trusting" (even if we can trust what URL our browser says we're looking at).

My favorite remains Chase's (used to be Bank One) reward program at choosemyrewards.com - first thing it does is ask for your cc number, expiry, all the usual stuff. Doesn't identify what bank(s) it's associated with (unless you click through & examine the SSL certificate, which is JP Morgan Chase's, at least). But at least it's SSL'd!

www.choosemyreward.com remains blissfully unregistered in the meantime. Don't you be gettin' any ideas, anyone.

Dylan • October 25, 2005 6:39 PM

@relativism
I expect the site also asks for a password. The one time pad would be the second factor.

Just brainstorming here, but a better two-factor authorisation would be one where the user has to enter information that they couldn't know until the bank site requests it. So I log into my banking site, and it gives me a 'challenge' code, which I can tap into my keychain device or similar. Then I type in the number my device gives me as the 'response' code. 3 strikes and my account is locked for a day unless I can get to a branch to identify myself.

This would not prevent man-in-the-middle attacks, but would greatly reduce the effectiveness of keyloggers or similar.

Then apply the challenge-response to each transfer out of your accounts too.

(I was thinking a device as that would be portable, and harder to reverse-engineer. There is probably a more suitable format. Even a one-time-pad with the challenge code printed on the scratch-off stuff and the response code printed underneath.)

I would also appreciate it if my banking site could tell me the last 10 IP addresses (with geographical resolution) I logged on from and the date and time and numeric value of transactions each time I logged on. Instead they fill my screen with bumph about the latest loan offers etc.

@piglet
grow up.

peachpuff • October 25, 2005 6:49 PM

@piglet

It's easy to find a specific system that prevents a specific scam. The problem is that these are scams. They start by tricking the victim into trusting the criminal. Anything you give to people--password, disposable password, password generator, smart card--they will turn over to someone they trust.

Bruce's position on two-factor authentication is very sensible. Two-factor authentication continues to pit scammers against regular people with bank accounts rather than against the bank. When you put your money in a bank, the bank is supposed to keep it safe, not sell you something that you use to keep it safe.

Davi Ottenheimer • October 25, 2005 8:43 PM

@ Dylan

"I would also appreciate it if my banking site could tell me the last 10 IP addresses (with geographical resolution) I logged on from and the date and time and numeric value of transactions each time I logged on."

Ha! If that could somehow be turned into an up-sell scheme for more fees, they might be interested. Other than that, where's the incentive?

Moreover, if you think the hurdle to public-key security is too high for the average user then what possible value would there be for an (easily spoofed) list of IPs?

@ Ari

"In my opinion, forcing technical solutions by regulation would be the biggest mistake to make. Like Bruce's been saying, making financial institutions liable is the only way to solve the problem."

How would you make them liable? What would shift a large corporation's liability other than regulation? Guilt?

I have a feeling that at the end of the day you'll find yourself saying "through an independent regulatory body based upon reasonable standards". And that might just be like the FDIC saying banks must use "strong" controls rather than specifying any particular technical solution.

Interestingly, if you look, one of the main reasons all the G7 countries (except for Britain, of course) refused to ratify the ISO 17799 was because they said it gave too many "should do" statements without enough corresponding "how to" information. Basically the opposite of what you are advocating here.

It also probably didn't help that the standard was too focused on centralized organizations, was short on risk management and analysis, and had some privacy guidelines that were incompatible with laws.

But it only took five years after the first version for most of that to be addressed and now we have ISO 27001 to look forward to in November. It's in final draft now:

http://www.standards-online.net/...

I guess my point is that it seems that liability should be pinned to some kind of common language, and you don't get that from thin air...

Davi Ottenheimer • October 25, 2005 8:55 PM

@ peachpuff

Well said, but I have to use your own point against you:

"Anything you give to people--password, disposable password, password generator, smart card--they will turn over to someone they trust."

And in a TFA situation, when they give a token to someone, they no longer have it themselves. This is no cure-all, but certainly better than a secret they can share with anyone undetected....

I wish it would be clearer from the standpoint that while TFA doesn't solve identity theft on its own, TFA still provides a solution to some common authentication problems faced today.

Would I feel better if I had two factors rather than just one to access my bank account online? Yes, I most certainly would. Even though MitM and replay would still be a concern.

"not sell you something that you use to keep it safe"

Isn't that exactly what you "pay for" when you put your money in a bank? Isn't a bank something you use to keep your money safe?

peachpuff • October 26, 2005 12:34 AM

"And in a TFA situation, when they give a token to someone, they no longer have it themselves. This is no cure-all, but certainly better than a secret they can share with anyone undetected...."

Isn't that worse? I don't see any difference as far as detection is concerned. Not having the token yourself just makes it harder to complain when you realize you've been scammed.

"Isn't that exactly what you 'pay for' when you put your money in a bank? Isn't a bank something you use to keep your money safe?"

A bank should be a company that keeps your money safe for you, not a company that sells you security tools. Handing you a password generator is like handing you a shotgun and a lock box--they're giving you tools to protect your money with instead of protecting it for you.

If you call yourself a bank, you're expected to do more. If I put my money in a bank, I shouldn't have to outsmart phishers to protect that money any more than I should have to face down armed robbers.

Mika Hirvonen • October 26, 2005 1:07 AM

Hmm, how would one attack a single-use password sheet with non-time-limited challenge-response?

This is how I log on to my bank (Sampo, a Finnish bank and a competitor of Nordea):

I connect to my bank's SSL site (checking the certificate in the process). I type my account number and my user-changeable password. This gives me access to my account details, but won't allow me to make any payments.

When I want to make a payment, the site shows me a "key" code and asks me to type the corresponding "lock" code from my scratch pad (IMHO it would make more sense the other way around). If the codes match, I am allowed to make payments until I log off or the session expires.

The obvious way to attack this would be to steal or copy the scratch pad (the bank mails me a new one when I'm running out of codes). This isn't a suitable attack for phishing, though.

Man-in-the-middle would work, provided that the attackers had a fraudulently issued certificate (not all users check the certificate, they're happy when the lock icon shows up). The phishing site relays the user's account number and the password to the real site and screenscrapes the "key" code and shows it to the user. The user types the "lock" code. The phishing site displays an acknowledgement to the user and proceeds to empty his account.

Are there any other ways?

peachpuff • October 26, 2005 2:28 AM

@Mika Hirvonen

You could do a phishing attack to get a copy of the scratch pad. Send the victim an email saying that, for security reasons, you are sending them a new scratch pad (attach a fake scratch pad) and immediately retiring all unused codes on their old one. They will not be able to use the new pad until they confirm receipt by replying with a list of all unused codes to be safely retired, plus their password.

Davi Ottenheimer • October 26, 2005 3:02 AM

@ peachpuff

"Isn't that worse? I don't see any difference as far as detection is concerned. Not having the token yourself just makes it harder to complain when you realize you've been scammed."

Well, that's a good example of one difference, and perhaps even why it can be better (at least for the bank).

"A bank should be a company that keeps your money safe for you, not a company that sells you security tools."

Again, I think you have a good point in the sense that if banks promise security then they should not be allowed to beg off the reality of providing something secure.

But on the other hand, your comment makes me think that when I open a safety deposit box I am essentially paying for a safe place to store my valuables. I give a bank a payment to hand me a key and they tell me to keep it safe. So are they "selling" me a security tool in that instance?

I guess the question would be whether any of us would be likely to hand our key over to someone dressed as a bank employee. That seems to be a better analogy since phishers generally don't force consumers to do things under duress (per your bank robbery example), they fool/trick them using clever disguises.

Dom De Vitto • October 26, 2005 3:53 AM

Frankly, a bank that sends a paper copy of (in effect) demi-passwords, I think, has not examined the risks well.

At least with an electronic token, the attacking/phishing website has to use the 'stolen' pin+tokencode information within 'X' seconds; with one-time-pads, they have a much wider timeframe for successful attack.

Daniel Nylander • October 26, 2005 3:56 AM

Two-factor authentication will be implemented by Nordea soon according to the rumours I heard on the 'net.

Other Swedish banks (such as S|E|B) have used it for many, many years.

Nordea has never had a major phishing attack before, so it was just a matter of time before it happened..

So, until next time.. start scratching your codes.

peachpuff • October 26, 2005 5:08 AM

@Davi Ottenheimer

Safety deposit boxes are something of a sideline for most banks. Besides, if you con someone out of their key and raid their deposit box, you are almost guaranteed to get caught. They have video of you at the bank and your prints on the box.

To me, the real question is "What should the banks accomplish?" We shouldn't use analogies between attack methods to decide the defense, we should target an analogous result and figure out how to get it. If you try to put your money into a bank today, they will shrink it down into something that fits in your pocket and entrust it right back to you. It's convenient, but you're still in charge of defending it from thieves. That's the wrong result.

Mika Hirvonen • October 26, 2005 6:07 AM

@peachpuff

The scratch pad is a credit card-sized piece of plastic, so receiving a picture of the fake pad via email would be suspicious.

But your attack is scalable. The problem with the different delivery method of the pad could be explained away in the phishing email. For example, the email could claim that the bank had to immediately retire the scratch pads to stop an ongoing attack, and using snail mail would cause unnecessary disruptions in service availability.

Ian Eiloart • October 26, 2005 6:26 AM

@mika

"not all users check the certificate, they're happy when the lock icon shows up"

More accurately, not all users know there's a certificate, or a lock icon. Most will proceed unless their browser tells them there's a problem. It won't do that if the certificate matches the domain name, or if it isn't a secure site.

Ian Eiloart • October 26, 2005 6:34 AM

I get occasional calls from my bank. Once they phoned me to verify a credit card transaction that looked unusual to them (I was on holiday). Once they phoned me to sell me a new product. On each occasion, they've asked my on-line security details. This is cold calling, mind you. I wasn't expecting the calls, and I had no way to verify where they came from. I was livid. I spent a long time discussing how they're creating a bad security environment.

The salesman told me that he might make several dozen calls in an evening, and maybe one or two customers will refuse to give their security details.

Now, they don't ask enough information to get you logged in, but two such calls will give you enough information to get a 40% chance of logging in OK. Your chances of logging in are better if you can make a good guess at answering questions like what's your "mother's maiden name", or "first school". Of course lots of these answers can be found online.

The salesman said if I'm worried about that, then I should lie about the answers. He then admitted that he uses the true answers himself!

Fred • October 26, 2005 7:17 AM

SEB, one of the Nordea competitors, uses a Digipass. It is a small calculator which you unlock with a personal code, then enter codes from the homepage to generate both login and transaction codes.
The code then has a time-limited lifetime.
Unfortunately SEB does not have this system in Germany where I currently live. They have paper codes or HBCI. HBCI is bad since you can only use it from a computer with a cardreader.

The digipass one can use from any computer.
Home, friends, work or internet cafe (if you dare).

If you lose your digipass it will still be locked by your personal code. If you lose your piece of paper, then you do not have much protection.
HBCI is also more secure I guess, but the need for extra hardware makes it hard to use.

Bill P. Godfrey • October 26, 2005 7:27 AM

Scratch cards...
A scratch-card token can be turned into something approximating an electronic token by asking the customer to scratch off one specific (unused) tile.

If a phisher does manage to trick a code out of a customer, they will have to know when the right moment to use it is. (Requiring knowledge of today's shuffling key.)

This modification remains vulnerable to the attacker getting the whole card and the same vulnerabilities with SecureId-esque tokens.

Fraudulently issued certificates...
Have a read: http://billpg.me.uk/2005/10/...

(That was a shameless plug. Sorry. Please feel free to ridicule it.)

piglet • October 26, 2005 12:18 PM

@all Stop taking every word of Bruce's as gospel. The authentication system used by Nordea is the simplest possible implementation of two-factor-authentication. It has been in routine use by financial institutions that care about security since the 1990s, ever since online banking was introduced. The fact that there are now scams targeting the users of such systems is neither new nor surprising (surprising is only that Bruce hasn't noticed earlier; as a matter of fact, until recently he didn't even know that many European banks are actually using TFA). Nor does it prove that two-factor-authentication is flawed or useless. The fact that Nordea's system could easily be strengthened to prevent this kind of scam, and that such stronger systems are already in use in several institutions (I have written about this in an earlier thread long before Bruce heard about the Nordea scam, you can check it out) is not irrelevant, as peachpuff implies.

The point of view towards security taken here by Bruce Schneier and his fan-club is flatly ridiculous. You can put forward that kind of argument against any security technology. So you end up saying that security isn't worthwhile. Take as an example PGP. A stupid PGP user might be tricked into handing the key ring and the pass phrase over to a fraudster. Does that prove that PGP is flawed, or that Phil Zimmermann was naive?

peachpuff's argument - people are stupid, fraudsters will always be able to cheat them - deserves further examination. There is no doubt that no technology can prevent certain people from falling for scams (this fact has nothing to do with the internet). Should we conclude that financial institutions must in all circumstances be held liable for the stupidity of their clients? I hope you realize what you are asking for: you volunteer to pay with your money for the stupidity of others. Because that is what happens if banks are liable: it's you, the collectivity of bank clients, who will foot the bill (by the way, this is what is happening in the credit card industry - or did you think the Citigroup shareholders are paying for the fraud damage?).

You seem to believe that, if US banks are held liable, they will take security more seriously. Maybe, maybe not. As long as they can pass the cost of liability on to their clients, I don't see a compelling reason why they would, if they haven't in the past. But let's assume they will. What are they going to do? Implement TFA, of course. There is no reasonable alternative. Bruce's crazy crusade against two-factor-authentication won't deter them.

piglet • October 26, 2005 12:42 PM

What is so absurd about this discussion is that Bruce is now propagating silver bullet solutions. I thought we have all agreed long ago that there is no security panacea. We have all agreed that two-factor-authentication is not a panacea, that it can't offer a 100% security guarantee. However, it has been successfully argued that, if done right, it substantially raises the bar for the fraudster. Now we are being told that everything will be all right if only Bruce's silver bullet concepts are implemented, e.g. "identify fraudulent transaction patterns". Whatever the merits of such an approach, there is no question that fraudsters will adapt to it. A lot of issues need to be discussed - weaknesses, potential privacy implications, false positives and false negatives, cost (will be high because of the need for human interaction), etc. And it certainly cannot replace strong authentication. Presenting that as a panacea and deriding other sensible and proven technologies is quite an embarrassing thing to do.

piglet • October 26, 2005 12:49 PM

Presenting that as a panacea and deriding other sensible and proven technologies is quite an embarrassing thing to do.

And one last issue that I have with Bruce's style. "Two-factor authentication won't stop identity theft, because identity theft is not an authentication problem." We know that already, Bruce. We also know that TFA doesn't help against hurricanes, global warming and terrorist attacks. Nobody claimed it would, and there is no point in your constantly refuting an argument nobody has ever made. TFA is useful to secure online transactions. End of message.

Davi Ottenheimer • October 26, 2005 1:18 PM

@ piglet

"peachpuff's argument - people are stupid, fraudsters will always be able to cheat them - deserves further examination. There is no doubt that no technology can prevent certain people from falling for scams"

Yes, but you might note that the controls mentioned by peachpuff were only detective:

"video of you at the bank and your prints on the box"

@ peachpuff

"Safety deposit boxes are something of a sideline for most banks."

Only because they can't invest your deposits overseas during the night hours, etc.

"It's convenient, but you're still in charge of defending it from thieves."

In charge of defending the key(s) for authentication. I don't see how you'll get away from that as long as you've locked your valuables into something, you'll need to have a key and defend that key. Of course, I wouldn't mind going into a discussion of public key cryptography as a more plausible solution than secrets, but everyone seems to still think CAs are still impossible to realize.

Ari Heikkinen • October 26, 2005 2:12 PM

piglet: I think you missed the point. It doesn't matter what banks implement if their customers aren't liable for fraudulent financial transactions. When financial institutions themselves bear the costs of fraud (all of it, not just all but $50) they will do the right thing to fix it, as it's their money at stake. It works, because not doing the right thing would cost more.

Forcing technical solutions by regulation or law doesn't work, because that way the financial institutions would just implement what's required and nothing would essentially change (the crooks would simply create attacks that work and same problems would persist).

As for Bruce's (or anyone else's) conclusions you don't necessarily have to agree with them. The point is to contribute to the debate. If it makes people think and causes discussion then it's a good thing.

Ari Heikkinen • October 26, 2005 2:37 PM

Just to add, how making financial institutions liable for all of fraudulent financial transactions would work is they'd be forced to optimize their tactics and countermeasures and eventually they'd perfect it and get it right.

Forcing technical solutions by law or regulation would make all that impossible. They'd just implement what's required and be stuck with it no matter how wrong those solutions would be.

piglet October 26, 2005 2:39 PM

"If it makes people think and causes discussion then it's a good thing."
I'm sorry but propagating silver bullet solutions is in my view more akin to superstition and not likely to stimulate fruitful discussion. As this thread has sufficiently proved.

"When financial institutions themselves bear the costs of fraud (all of it, not just all but $50) they will do the right thing to fix it, as it's their money at stake."
Actually, it's their clients' money at stake. But even granted your premiss, there then has to be some serious discussion of what is "the right thing to fix it". And no, I didn't miss that point (sigh). Read again what I wrote earlier, will you.

piglet October 26, 2005 2:50 PM

Ari: "Forcing technical solutions by law or regulation would make all that impossible. They'd just implement what's required and be stuck with it no matter how wrong those solutions would be." That's not the part of the argument that I object to. Still I hold that regulation forcing US banks to improve authentication security is better than no regulation, and attacking regulators for a step in the right direction is a stupid strategy.

Davi Ottenheimer October 26, 2005 3:30 PM

"They'd just implement what's required and be stuck with it no matter how wrong those solutions would be."

Hmmm, that didn't go over so well for CardSystems did it?

Regulations, just like the technical solutions themselves, are prone to error.

But if your argument is that banks will do the bare minimum unless pressured to do otherwise, then you're just making the case for a baseline to be handed to them by...regulators (industry, gov't, or other).

relativism October 26, 2005 3:52 PM

@Dylan

"I expect the site also asks for a password. The one time pad would be the second factor."

Of course. Thanks.

Ari Heikkinen October 26, 2005 4:15 PM

Actually, what banks tend to do is the bare minimum required plus anything that can be done to maximize their profits.

peachpuff October 26, 2005 5:26 PM

@piglet

No one is offering a silver bullet. I just think that banks rolling out TFA are aiming in the wrong direction. Making it harder to impersonate someone isn't worthless, but it's no substitute for putting professionals in charge of detecting and stopping impersonators.

It's already the bank's job to protect the money in your account. Why be satisfied with less?

Prohias October 26, 2005 6:21 PM

@piglet,

I think you and Bruce seemingly disagree on a simple point. He thinks the crooks will adapt easily and quickly, when it does become more prevalent. You feel that it raises the bar sufficiently to dissuade a lot of unsophisticated crooks. Both are true! He pushes for pressing a larger untackled problem, and looks beyond this TFA which he considers a baby step. Other than contesting that it is a 'baby' step, do you still disagree?

piglet October 26, 2005 9:30 PM

peachpuff, "I just think that banks rolling out TFA are aiming in the wrong direction... It's already the bank's job to protect the money in your account. Why be satisfied with less?" This doesn't make any sense to me. Why in your opinion is it "the wrong direction" to at least implement state-of-the-art routine security technology? T-F-A is state-of-the-art routine security technology, period. There is no excuse for a financial institution offering its customers less than that. And there is no excuse for a "security expert" claiming that it's not worthwhile to implement state-of-the-art routine security technology on the grounds that (like any technology) it isn't 100% secure.

The real point of disagreement seems to be that some in this forum believe two-factor-authentication to be a new trend, when in fact it has been used routinely for many years. prohias: "the crooks will adapt easily and quickly, when it does become more prevalent". It is already prevalent! Only in the USA you have never heard of it, you have never seen it, and therefore you believe what Bruce, who doesn't know himself, is telling you.

"He pushes for pressing a larger untackled problem". No. Bruce is simply mixing up different issues. He says that TFA "won't stop identity theft", which is a banality because TFA simply addresses different concerns.

"putting professionals in charge of detecting and stopping impersonators". Why don't we discuss *how* to detect and stop impersonators. This would be much more interesting than polemical attacks.

Prohias October 26, 2005 9:59 PM

@piglet

I agree with you that it is worth implementing. I think the compulsory TFA edict is good. I like your point that this option much like all others is not 100% secure. Yet, I wish the powers that be aim higher and are more proactive. It pays to be a step ahead, and they could have done more. I chose to view Bruce's comments in that light.

I too would love to see informed articles on the art of detecting and preventing impersonators, and the fraud tx identification that Bruce mentions. Davi Ott. invariably has interesting links. If you are reading this Davi, can you point to some material? @piglet, have you read something that is illuminating? Thanks.

peachpuff October 27, 2005 12:20 AM

@piglet

I've been as clear as I know how to be. I don't care whether TFA is new, old, state-of-the-art, or routine. The fact that it doesn't prevent identity theft isn't a banality. It's the reason that banks need to do more. Any way you slice it, identity theft is the key problem.

I'm not saying that banks should be forced to scrap their TFA systems--I'm saying they shouldn't substitute those systems for doing their job. Calling the account holder to confirm suspicious transactions is a good idea. Checking for suspicious transactions costs money, but it's clearly part of what banks are paid to do. Why not do it?

B October 27, 2005 2:31 AM

@Daniel Nylander
Nordea uses a two-factor system as well as PKI and smart cards; that was how they started their operations on the Internet in late 1997. This led to costly support, but you can still as a Nordea customer use smart cards (I do). They are issuing their new debit/credit card Visa and Mastercard containing an EMV chip which can be used to store private keys. You as a customer can activate the private keys on your card on-line.

Zep October 27, 2005 5:44 AM

@Mika

Nordea's way of doing authentication and authorization of the payments isn't 100% phishing proof. Their point, I guess, is that it's better than what most of the banks are offering.

Nordea Finland uses a one-time key and a 7-9 digit user number to authenticate the user. Phishers could obviously get those with a standard e-mail/fake-web-page scam. The one-time key would be valid until the user signs in to the real online bank.

Nordea also has a challenge/response authorization of the transactions, but it uses 20 static keys (also in the scratch pad) that are identified with numbers 1-20. Before the transaction is made, the bank asks the customer to give one of the static keys.

If the phisher gets the user to give the next one-time key and the pin, I'd imagine the same user wouldn't think twice to give away one of the static keys also, if asked to do so. The problem is that unless you get all 20, some or most of the fraud attempts will fail. A phisher with only one static key would get his transaction done in only 1 of 20 attempts. I haven't tried, but probably the bank's challenge stays the same even if you log out and log in again (and then the phisher would need two one-time keys).

What really protects Nordea's customers is the economy of scale that the phishers rely on.

Why go after a couple of hundred thousand Finnish customers using TFO, when there are millions of online bankers using weaker online banks in, say, Germany or the U.S.? Especially with a 1/20 probability to succeed.

If and when other banks start adopting some better methods, even the Nordea (or Sampo) phishing could become feasible to some fraudsters.
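Zep's 1-in-20 figure holds only if the bank pins the challenge number until it is answered, as the comment guesses it does. The Python sketch below is an added example, not part of the original comment and not Nordea's code; the "sticky" and "re-rolled" policies and the session counts are assumptions used to compare how exposed an account is once a customer has leaked some static keys and some one-time login keys.

```python
import random
from fractions import Fraction

N_KEYS = 20  # static confirmation keys on the card, numbered 1-20 (from the comment)


def exposure_sticky(leaked_static: int) -> Fraction:
    """Challenge index is pinned until answered correctly.

    Extra login sessions do not help an impostor: the same index is asked
    again, so exposure is just the share of static keys that leaked.
    """
    return Fraction(leaked_static, N_KEYS)


def exposure_rerolled(leaked_static: int, sessions: int) -> Fraction:
    """Challenge index is drawn afresh in every login session (assumed policy).

    Each leaked one-time login key buys one session, i.e. one more
    independent draw, so exposure grows with the number of sessions.
    """
    miss = Fraction(N_KEYS - leaked_static, N_KEYS)
    return 1 - miss ** sessions


def simulate(leaked_static, sessions, sticky, trials=20000, seed=1):
    """Monte Carlo check of the two formulas on constructed random data."""
    rng = random.Random(seed)
    compromised = 0
    for _ in range(trials):
        leaked = set(rng.sample(range(1, N_KEYS + 1), leaked_static))
        challenge = rng.randint(1, N_KEYS)
        for _ in range(sessions):
            if challenge in leaked:
                compromised += 1
                break
            if not sticky:
                # assumed weak policy: a new session gets a new index
                challenge = rng.randint(1, N_KEYS)
    return compromised / trials


def exposure_table(max_sessions=5, leaked_static=1):
    """Rows of (sessions, sticky exposure, re-rolled exposure) as floats."""
    return [
        (s,
         float(exposure_sticky(leaked_static)),
         float(exposure_rerolled(leaked_static, s)))
        for s in range(1, max_sessions + 1)
    ]


if __name__ == "__main__":
    for sessions, sticky, rerolled in exposure_table():
        print(f"sessions={sessions}  sticky={sticky:.3f}  re-rolled={rerolled:.3f}")
```

With one leaked static key, the pinned challenge keeps exposure at 5% no matter how many login keys were also leaked, while re-rolling it raises exposure with every additional session.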

b October 27, 2005 3:31 PM

What Bruce seems to be missing is that the problem is not just fraudulent financial transactions, but the privacy of personal information as well. Even if Bruce is correct and banks somehow come up with a way to prevent fraudulent transactions that doesn't involve two factor authentication, how does that prevent fraudsters who can somehow breach my password from breaking into my account and accessing sensitive personal information such as which accounts I have, and how much money is in them?

It's not enough for banks only to prevent unauthorized financial transactions that move money around. They also need to make sure that bad guys can't break into people's accounts online to access sensitive financial and other personal information. If access to these accounts is protected with nothing more than a password, your private information is still vulnerable.

The only way to keep the bad guys out, it seems to me, is with stronger forms of authentication. The particular form of two factor authentication in this instance may be weak, but nobody should be able to find out what you've got in the bank simply because they've managed to discover your password.

Davi Ottenheimer October 27, 2005 3:56 PM

@ Prohias

"the art of detecting and preventing impersonators"

Not certain this is what you mean, but there is a huge body of information on how to be an impersonator (e.g. successfully evade or manipulate weak controls). Mitnick and Frank Abagnale Jr are two of the more infamous examples in security, but psychology and anthropology literature is also a good source.

piglet October 27, 2005 4:31 PM

@peachpuff: "The fact that it doesn't prevent identity theft isn't a banality. Any way you slice it, identity theft is the key problem." I say "banality" in the sense that if TFA wasn't meant to solve the identity theft problem, it shouldn't surprise anybody to find that it doesn't. Why can't we discuss separate issues separately?

@b: That is an important point. Discussions about security suffer when they are restricted to a single scenario. Fraudulent financial transactions are an obvious but not the only form of attack against which effective security is needed. An attacker might want access to personal data. Or they might simply want to damage a particular person, or damage the reputation of the bank. Incidentally, certain TFA schemes do not protect the access to the account, only the individual transaction. Other schemes protect the access but not each transaction. I don't quite understand why they don't combine the two principles to strengthen security without any additional cost or inconvenience.

Ari Heikkinen October 27, 2005 6:20 PM

You know, even though liability doesn't solve everything, it works for loss of personal information too (it's the same principle).

Prohias October 27, 2005 9:37 PM

@Davi,

Thanks much for your response. I am sorry for not having been clearer.

I meant software for detecting fraud transactions and impersonators. Personally, I've not had any luck gaining insight into the neural networks and AI based solutions that are supposedly used by credit card companies and licensed by Fair Isaac. Systems like Falcon etc. If anyone has something technical to recommend in this area, it would be very much appreciated.

b (not B) October 27, 2005 9:38 PM

@Ari

You say "even though liability doesn't solve everything, it works for loss of personal information too" and "When financial institutions themselves bear the costs of fraud (all of it, not just all but $50) they will do the right thing to fix it, as it's their money at stake."

For fraudulent financial transactions, there's a well-defined amount of money the bank would be liable for, and it would be money that the bank is supposed to be protecting. However, if the fraudsters discover your password and break into your account, they can steal various types of personal information that they can use elsewhere to commit fraud in your name. It would be difficult to quantify the monetary amount of this damage, and there's no way the bank would agree to compensate you for it. The best way to avoid this is to prevent fraudsters from breaking into your account in the first place. Unless you are going to argue that passwords alone are adequate to protect access to your account, what else is there? There are no transactions or patterns for the bank to monitor. All it would take is a single fraudulent access due to a breached password to do the damage. Other than stronger authentication, I don't see any other solution.

peachpuff October 28, 2005 12:00 AM

@piglet

"Why can't we discuss separate issues separately?"

Because you won't let us. The issue of how well TFA solves the problems it is designed to solve is separate from the issue of whether banks are focused on the problems they should be focused on. It's also separate from Bruce's idea for getting banks to focus in the right place.

Tackling a low priority problem while ignoring a high priority problem is bad. It's bad no matter how effectively you tackle the low priority problem or how powerful your technology is.

Ari Heikkinen October 28, 2005 6:06 AM

I haven't used online banking services myself but it would seem really stupid to me to have a button there to view all my personal information like social security numbers and the like. I thought the idea was, when you log into a banking system you're authorized to make financial transactions until you log off. Why would your personal information need to be displayed there anyway? A system that unnecessarily gives out your personal information is bad security.

piglet October 28, 2005 11:05 AM

@Ari: "I haven't used online banking services" but this doesn't prevent you from making quite strong claims about online banking ;-)
"Why would your personal information need to be displayed there anyway?" Look, what you will find in an online banking account is lots of financial information, which of course is personal information. You wouldn't want strangers to have access to that, would you?

piglet October 28, 2005 11:47 AM

@peachpuff: "Because you won't let us." Right, it's all my fault...

"Tackling a low priority problem while ignoring a high priority problem is bad. It's bad no matter how effectively you tackle the low priority problem or how powerful your technology is." Maybe you are right. But what exactly is the "high priority problem"? Is it the existence of evil in the world? Is it social inequality? Is it fraud in the broadest sense of the word? Identity theft (Bruce)? Impersonation (Bruce)? Transaction security (Bruce)? Or are we talking about online banking security? All these problems are worthy of discussion.

Davi Ottenheimer October 28, 2005 2:00 PM

@ Prohias

Ah, sorry I misunderstood.

I hate to say it but I am essentially restricted from commenting too specifically on the technology and systems used to detect fraud. I don't really know of any reliable (public) sources of information on how fraud is tracked/traced but I can tell you that it does work and people are regularly caught. Honestly I think FICO is a mystery even to the people who wrote it, but don't quote me on that. However, I can say with certainty that detective measures work exponentially (!) better if preventive measures rely less, or not at all, on obscurity as a control.

All that being said, you might find some good hints here:

http://www.livejournal.com/users/publius_ovidius/...

Mike Dunne October 28, 2005 2:54 PM

Have developed a prototype for a unique approach to multi-channel, multi-factor authentication via web.

Have just begun to seek funding to make it happen.

Interested in any participants who are security experts or who work with or work in banks or other financial institutions.

piglet October 31, 2005 12:11 PM

Davi, could you tell us what kind of fraud you are referring to ("systems used to detect fraud")?

"I can say with certainty that detective measures work exponentially (!) better if preventive measures rely less, or not at all, on obscurity as a control." You mean they would work better if could talk freely about them? Why?

Arnnei November 4, 2005 5:51 AM

The problem with current Authentication technologies is that they are not affordable. Think about any bank with say 300 – 400 K Internet users. If the bank was to provide all its customers with an RSA Authentication token at 30 – 100 USA Dollars per account, or about SMEs that need security for their Web Based eCommerce or services. This is not realistic. They would not be able to afford it.

It is not the direct expense of the solution it is also the deployment problem. How do you manage all your customers, some of which are virtual name over the Internet, and how do you provide them with the hard token that will produce the TFA OTP (One Time Password).

Recently a New Zealand company (Mega AS Consulting Ltd – www.megaas.co.nz) introduced to the market a new solution. It created an Affordable TFA OTP and an eAuthentication service. The service is for any SME that would like to provide the customers with a TFA OTP security level at Internet Service costs.
The eAuthentication service is similar to a Credit Card verification process at eCommerce site. The difference is that instead of returning a true/false for the processing of a credit card transaction – the API returns a true false for the customer ID/OTP. The customer creates the OTP using a CAT (Cellular Authentication Token) which is free and does not have ANY costs.

Davi Ottenheimer November 4, 2005 1:40 PM

@ piglet

Financial Institution Fraud. The FBI covers this with the umbrella "Operation Continuing Action", and you can gather few specifics publicly. The Ford Motor Credit identity theft case is a good one to review for an understanding of detective controls:

http://www.fbi.gov/pressrel/pressrel04/...

When the case first broke, there was a lot of "oh, those hackers are so clever to defeat our controls" going on, but over time a more accurate picture has emerged that makes the "hackers" appear less and less sophisticated, if you know what I mean.

"You mean they would work better if could talk freely about them? Why?"

Not exactly. When a detective control finds something is amiss, it doesn't do you much good if all you are detecting is that yet another attacker has uncovered a shared secret (or an "obscure" yet gaping hole). In fact, detective systems are often defeated through a common-enough attack to overwhelm them with non-specific data (interference). Thus, if you can get some light shed on the things that could cause interference, in order to resolve them and remove from the signal, then you can better detect information that will lead you to the true attack source.

Hope that's not too generic, but just keep in mind that we should all regularly ask ourselves "who said a plastic card representing our credit is safe and secure in the first place?"

Here's a hint from 1994:
http://www.consumer-action.org/English/library/...

Ganesh February 7, 2006 12:51 AM

I think a client side applet or ActiveX can help and people should be clearly told that their logins and key transactions can happen only if the browser allows these programs to function. Some kind of education has to go out to the customers to let them know that they supply their information only through this applet. The applet can validate the server and then show the user some portion of his scratch card or some identifier that the bank has issued and then get the second factor.
Worst case, if someone makes a similar applet that finds its victims, he might just be able to get over the first factor while the second factor should still be there.

Anonymous May 3, 2007 11:22 AM

I read all these posts after a year and a half, and we are still debating what form of authentication to use to prevent Internet banking fraud. That is going to be a never ending discussion.

Thanks to being in Europe, almost all of our customers have an SMS enabled cell phone. We used SMS OTP for a long time which proved to be effective. It bought us almost two years to implement something more secure and convenient. Now that fraudsters started to exploit SMS OTP, we need a new technology. How about digital signatures embedded in SIM cards?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..