Bank Botches Two-Factor Authentication

From their press release:

The computer was protected by two layers of security, a unique user-identifier and a multiple-character, alpha-numeric password.

Um, hello? Having a username and a password -- even if they're both secret -- does not count as two factors, two layers, or two of anything. You need to have two different authentication systems: a password and a biometric, a password and a token.

I wouldn't trust the New Horizons Community Credit Union with my money.

Posted on April 13, 2007 at 7:33 AM • 68 Comments

Comments

AntonApril 13, 2007 8:05 AM

Bruce, you have to stop posting comments that make readers burst in spontaneous laughter in otherwise silent offices.

But seriously though, that comment has to be just an attempt to spin it look like they had due security measures in place.

CuriosityApril 13, 2007 8:24 AM

So what do you consider those sites that ask for user name, password and security questions? are those dual factor?

I know, my credit card companies are doing it to me :/

Unix RoninApril 13, 2007 8:27 AM

"The computer was protected by two layers of security, a unique user-identifier and a multiple-character, alpha-numeric password."

In other words ... there was at least one account on the machine that had a non-null password. Two minutes with a freely available admin-reset tool on a bootable CD, and the laptop is totally owned.

Nicholas weaverApril 13, 2007 8:29 AM

Bruce, you are missing an important note.

There is now a mandate for "two factor authentication". Which you would think means things like RSA SecurIDs and similar devices.

Unfortunately, it is just whatever the bank can, with a remotely straight face, get away with CALLING "Two factor". EG, the whole sitekey business is called "Two factor".

And it will remain this way until someone gets phished, loses a lot of money, and the bank refuses to pay the person back claiming we used "Two Factor" authentication which wasn't and the case goes to court.

Unix RoninApril 13, 2007 8:39 AM

"So what do you consider those sites that ask for user name, password and security questions? are those dual factor?"

Usually, what they are, IMHO, is stupid — because they allow only a choice of three to five fixed "security questions", the correct answers to almost all of which are public record. So, in most cases, they're no security at all, unless a customer has the minimal security awareness to realize that those answers are public record and supply intentionally false answers ... which the customer then needs to either remember, or keep a written record of somewhere.

One of the very few things Wells Fargo at least used to do right was that for their online banking system, they allowed you to define your own security question, which meant you could pick something that only you knew. (They also, at one time at least — I don't know if they still do — allowed you six digits for your ATM PIN, instead of the usual laughable four-digit limit. Not that a six-digit PIN space is great, but it's slightly better than four.)

State Farm Bank (which is online-only) also allows, or allowed when I last knew, defining your own security question.

ING Direct's system isn't totally horrible ... they require a userID, a password, and one other piece of information which changes from one login to the next. Most of the possible items are still public-record data, though. Instead of having one security question, ING asks you to select and answer (if memory serves) eight such questions; if the security questions are needed to verify your identity, you will be asked to answer a randomly-chosen three of the eight. Once again, though, the questions are still mostly public-record data, requiring you to supply known false answers for them to have any real security value.

Personally, since they won't do it on their own, I'd like to see a law prohibiting financial institutions from using any kind of public-record data for authentication (beyond of course the account number).

Terry ClothApril 13, 2007 8:50 AM

@Unix Ronin:

a customer has the minimal security
awareness to realize that those answers
are public record and supply intentionally
false answers

Look at them this way: they're just asking for a password with a different text prompt.

I must say, though, talking to an agent over the phone is very interesting when your mother's maiden name is ``Jimmy Cagney''

Mike SherwoodApril 13, 2007 8:51 AM

As sad as it may be, I strongly believe that all financial institutions are susceptible to this kind of problem. In efforts to cut down costs, full time, knowledgeable security experts got cut from the budget long ago.

To implement something new, managers hire consultants. Consultants tell managers that they need "two factor" security measures. The consultants may or may not know what that means, but it's irrelevant since their involvement ends with making recommendations. This is the disconnect where what it means when you(Bruce) say it is not what is heard when Mallory The Malicious Manager gets the information.

The problem just gets compounded when the recommendations are passed on to the existing staff by the manager who missed the point in the first place. As much as we see the security implications of choosing the cheapest solution to every problem, I doubt we comprise anywhere close to 1% of the population at large. Security is not taught in schools, it's not an attractive topic for budgeting, and it's only a priority immediately following a high profile security breech to the organization setting their own priorities. Complacency is the norm that any organization will drift towards. Financial institutions are particularly susceptible because they honestly believe that if there was a problem with their security, all of the money would already be gone and there would be no one left with a job to talk about security.

jeffApril 13, 2007 8:54 AM

For a while, I was really impressed with my bank. They had implemented what I thought was a very secure log on system which, as far as I could tell, tried to address most common phishing or other hacks to compromise the authentication.

1. On the main screen where you enter your "userid", there was a captcha to stop some automated systems.

2. Then, there was an authentication question. The subscriber provided 5 unique questions and 5 unique answers when they subscribed so they weren't easily predicatable. This would help stop some phishing sites.

3. On that screen was another captcha generated from a keyword provided by the subscriber to attempt to stop some phishing sites.

4. Finally, the password couldn't be typed in. It had to be pecked out using the mouse on a graphic. I guess this was to stop keyloggers.

I don't think any of this would have stopped a determined man-in-the-middle attack, but it was much better than before. Not surprisingly, they killed #4 about 3 weeks into the new rollout. Either (a) it wasn't disabled accessible or (b) the customers complianed too much. Not sure which.

But, to the point of Bruce's post, this would be 9-factor authentication, right?!?

Jeff

PaeniteoApril 13, 2007 8:57 AM

@Curiosity: "So what do you consider those sites that ask for user name, password and security questions? are those dual factor?"
No. Two factor requires two *different* to be provided to allow access. I.e. something you know (password) and something you own (smartcard token). Also imaginable is something you are (biometrics).
Asking you twice for something you know is not two factor...
See also http://en.wikipedia.org/wiki/Two-Factor


As to security questions in general:
Am I the only one that gives false answers to these upon registration?
I.e. if they ask me for my mother's maiden name, there is one specific word that I definitely *won't* type there.
Far more probable would be something like "sladkflksejfhlkajsdfnl" which I then store carefully (i.e. encrypted).

Magnus NordlanderApril 13, 2007 9:14 AM

My bank has a good system. First of all, their web site uses SSL (but pretty much any bank does that). When I am to log on I first enter my personal ID number (which is a matter of public record in my country, Sweden), then I have this thing called an ActivCard, which is a physical unit that looks almost like a small calculator. I enter my 4 digit PIN number into the ActivCard, and then I get a number back. I enter this number at my bank's web site.

And then in order to do any transactions to accounts that aren't mine I have to do pretty much the same thing, except after I've entered my 4 digit PIN I have to enter a 6 digit number that I get from the web site.

ElwingApril 13, 2007 9:16 AM

Hell, I'd pay up to about $30 for the bank to send me a token or smartcard to use as two factor authentication - my only requirement is that it works under Windows, Mac and Linux.
Why don't they just add smartcards to our ATM/Credit cards?

BobWApril 13, 2007 9:17 AM

@Paeniteo:"... if they ask me for my mother's maiden name, there is one specific word that I definitely *won't* type there. Far more probable would be something like "sladkflksejfhlkajsdfnl" which I then store carefully (i.e. encrypted)."

Yes. I find Password Safe quite useful for "spelling" and storing such information. By choosing title and user name appropriately, it even shows up adjacent to the proper account information.

B.K. DeLongApril 13, 2007 9:19 AM

I'm really surprised at the amount of solutions people are calling "Two Factor". Is SiteKey really multifactor? It presents an image of your choosing that you have to identify each time you login in. But this the same "factor" as a password - something you know.

And the solutions that put a cookie on your computer? Sure, perhaps that can be called "two factor" when included with a username and password because the latter is "something you know" while the former is "something you have". However, most "something you have" solutions are tokens that are "out of band" from the same computer you type your password into and they produce an additional one-time-password.

It seems like a lot of solutions out there are either being misrepresented by vendors to banks as incorrectly multifactor or these financial institutions are doing the least amount of work possible to legally (in their mind) comply with FFIEC.

D CompositionApril 13, 2007 9:21 AM

Let's see: 3 and 5 are factors of 15, so if username is 15 and password is 35, then that counts as two-factor authentication, right? :-)

ChrisApril 13, 2007 9:25 AM

Bruce:

You'd better get a prescription for amphetamines if you intend to blog about every silly statement in a breach notification letter or press release. :^(

Language similar to this is surprisingly common, at least among the few hundred breach notices sent to New Yorkers I have had the pleasure of reading for some work I am pursuing.
Generally, the "multiple layers" trope seems to refer to an OS password and an application password of some kind. Less often, it seems to refer to a BIOS password and an OS password.

In the "stolen laptop" scenario, where this is most commonly seen, there seems to be universal silence on the fact that merely mounting the NTFS file systems on a UNIX machine and duplicating them with "dd" dances right around all of this.

There seems to be a rather fundamental disconnect between what the press/public understand about how such protections work (or don't) and what the reality is. A cynic might say that this disconnect is exploited by those who seek to downplay the risk to which customer data has been put. Another cynic might say that even those who are in charge of managing these risks do not really understand that an OS password is useless in 99% of the cases where the adversary has physical custody of the hard drive.

Tim SummersApril 13, 2007 9:47 AM

This is the same with most financial institutions and consumers are getting the sour side of the apple. Research by the Identity Theft Resource Center, 19 people fall victim to ID theft every minute and about 10 million people are victims per year. Banks like this are part of the problem due to their lack of security mechanisms. With companies and financial institutions like this, consumers might as well just give their information away on a street corner.

Mace MonetaApril 13, 2007 9:52 AM

Usually, the bank displays the userid on various forms, both online and printed. Considering that to be in any way a "factor" in the security of the account is an indication of incompetence.

Financial institutions, in general, seem to be among the least secure institutions online. This is a situation where catering to the lowest common denominator is not acceptable. If a customer can't understand how to log in securely, then they shouldn't be permitted access.

Setting the security bar low enough for the few on the far left of the Bell curve is not security, it's accessibility. Too many institutions confuse the two.

jayApril 13, 2007 9:58 AM

Banks should learn about "Real" security before they publish there so called layers of security!.

RichApril 13, 2007 10:04 AM

"I wouldn't trust the New Horizons Community Credit Union with my money."

Who would you trust? Seriously, I've given up boycotting banks that do stupid stuff like this. There's nobody left. I can't pay my bills in cash, so I have to choose someone.

I'm considering the orange one right now, just because they have an opt-in privacy policy. That is, they have to get my permission before they'll share any information with anyone (other than legally mandated). Most of them say they'll share as much as they're legally entitled to unless I tell them not to.

SteveJApril 13, 2007 10:26 AM

@Unix Ronin:

A 4-digit PIN is fine as far as I can tell, provided that the systems are in place to lock out cards after 3 failed attempts, and provided that the only way to guess a value is to take the card to an ATM (or connected Chip & PIN terminal, where available).

Online brute force attacks are different from offline brute force attacks. If I can only guess three times before the card is deactivated and/or eaten, then I can only break about 1 card in 3000 that I steal. That's such a low level of success that I'm almost certainly better off using the card online, instead of trying to guess the PIN to get cash.

Since the PIN is probably "safe enough" at 4 digits that it's simply not worth attacking, why inconvenience customers, and increase the rate of forgotten PINs, by using a larger secret?

But suppose I do take my stack of 3000 stolen cards to an ATM, in the hope of getting some cash from one of them. My own daily cash withdrawal limit is $500 at current exchange rates, so I could expect to make about 17c per stolen card. Pointless.

Even supposing people start doing that: it can't be too difficult to program ATMs so that they raise an alarm if they notice me churning through cards, guessing the PINs wrong. Churning cards via Chip & PIN is even harder, because there's a human being watching you use the POS terminal, and they're hardly going to let you try more than a couple of cards.

So, as long as there's no way to make an offline brute force attack, what's wrong with 4-digit PINs?

Jim HarperApril 13, 2007 10:39 AM

I've never been very impressed that counting "factors" is a useful way of thinking about these things. A single factor like a biometric is often good enough, assuming other security measures surrounding the collection and use of it. You get what you measure. Asking for numerosity of "factors," you get factor-counts whether or not this meets the need for security.

David WApril 13, 2007 10:40 AM

On eof my credit card companies added the typical "verification" questions, but they *require* that the answers be a certain length (5 characters, I think). My grandmother's mainden name is shorter than this.

I understand requiring a made-up password to be a certain length, but the answer to a real question? That's stupid.

When I called the company, they suggested adding ones or zeros to the end of the answer. Great, now I have to remember whether I added 111 or 123 or 000 to the end of a name.

David WApril 13, 2007 10:42 AM

SiteKey (with the image that you pre-selected) is supposed to assure YOU that the site you are connecting to is really the bank site, and not a fake or phishing site. It is not meant to be two-factor authentication.

BrianApril 13, 2007 11:22 AM

@David

That does seem to be the main advantage of sitekey, but there are security questions as well that could, arguably, be construed as two-factor auth. BofA doesn't seem to claim that SiteKey is two-factor authentication, but the literature from RSA does claim that PassMark is two-factor.

The FFIEC guidance doesn't actually require two-factor auth, either. They state "... where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."

@everybody who thinks that banks are stoopid: no, they're not. They are cost-conscious. They aren't going to pay for an expensive authentication system unless it is going to save them money. How is that stupid?

Todd KnarrApril 13, 2007 11:24 AM

What I want from a banking site, and my browser is simple: a consistent SSL certificate from them and a way in my browser to say "When I want to talk to $CREDITUNION, accept only connections to places presenting these certificates.". Then anyone trying to spoof my bank to me has to have intercepted my connection not just now but back when I initially set up my account and selected the valid certificates for that site.

The browser interface could be simple: a pull-down list of entity names, and a way to create a new entity name and associate one or more certificates from the cert store with it. It wouldn't close all the holes, but it'd make phishing scams a lot harder to pull off against a moderately-aware user (the oblivious ones are beyond help IMHO).

encodedApril 13, 2007 11:36 AM

> have to remember whether I added 111 or 123 or 000 to the end of a name

Add %20 in the middle.

no factors pleaseApril 13, 2007 11:54 AM

@elwing

> Hell, I'd pay up to about $30 for the bank to send me a token or smartcard to use as two factor authentication - my only requirement is that it works under Windows, Mac and Linux.
Why don't they just add smartcards to our ATM/Credit cards?


Because they know what it costs when tried on bank staff and are scared to death of what it might cost for the public (who are assumed even worse at IT).

goodbye from himApril 13, 2007 11:56 AM

@Tim Summers

> 19 people fall victim to ID theft every minute

And they're getting fed up with it. The old ones are the best.

FentonApril 13, 2007 11:57 AM

Speaking as a customer of New Horizons who happens to have done a little digging into how their system is set up (mostly in trying to figure out whether they offered a direct OFX service), I suspect the situation is worse than might be obvious at first glance: pretty much *every* credit union in the area gets their "secure banking" website from the same company. In fact, as far as I can tell, there is a fairly good chance that they're all on a small number of physical servers, though that is much harder to confirm.

That vendor's history of understanding or implementing standards usefully is spotty at best. But as far as I can tell, there are few if any alternatives that are actually any better, as far as the local credit unions go.

Another lovely tidbit: even if you have no correspondence or statement from the bank, you can get most of someone's account number. Nine digits, of which seven can be obtained directly; the other two have a highly predictable pattern, with a high chance that any near-miss will be someone *else's* account number, but still be valid.

Obviously, they aren't my primary bank. I'm okay with risking the $5 required in the savings account for the convenience of having a local place to cash checks or get a certified check made out, and that's about all they get used for.

CassandraApril 13, 2007 12:23 PM

@Terry Cloth
Quite right, but unfortunately your details (in the UK at least) are shared between institutions, and the fun starts when one lot think your mother's maiden name is 'Smith', and another 'Jones' - enough discrepancies like that, and you start getting refused credit or insurance policies.

Cassie

Stian ØvrevågeApril 13, 2007 12:30 PM

Do not confuse layers and factors. There can be many layers, but there are only three available factors:

Something you know.
- Usernames and passwords.
Something you have.
- Keys, tokens, key generators.
Something you are.
- Biometrics.

So you can have many layers of security and still have one-factor authorization. And depending on definition you can have two-factor authorization and still have a single-layer defense.

NApril 13, 2007 12:42 PM

@David:

>On eof my credit card companies added
>the typical "verification" questions, but
>they *require* that the answers be a
>certain length (5 characters, I think).
>My grandmother's mainden name is
>shorter than this.

>I understand requiring a made-up
>password to be a certain length, but
>the answer to a real question? That's
>stupid.

I've also recently encountered "too many consecutive letters or numbers" on a security question where the answer to their question was "1999". This is the kind of programmers banks have working on security...

At least customer service actually said they would forward a message to the web team, which is rare in my experience.

Dom De VittoApril 13, 2007 1:04 PM

Actually, there is a forth factor - time.

e.g. a time-lock safe is

the combination (something you know)
+
correct time

You may know the right time to try the safe, but that alone doesn't help any - , 'time' is another factor that governs access.

Dom

no-one specialApril 13, 2007 1:55 PM


Bruce and others,

No one seems to have noticed that the laptop actually belonged to Protiviti ... they should be ashamed ... The posting itself probably was written by someone that's marginally literate in this field. You can't blame the little Credit Union for this

gilboApril 13, 2007 2:02 PM

@Dom

Actually, the fourth factor is sometimes considered to be "Something you do", for instance your specific keyboard cadences when typing a keyword, or some other behavioral 'tick'.

Time is still something you know...

MitmwatcherApril 13, 2007 2:10 PM

2FA ,Multi Channel (SMS,TANcards) and other types are prone to Active MITM attacks ,with the rainbow tables around and the advancement in Malware(Browser extensions and Trascation hijackers[research by stanford guys]),I see its only something like a voice based or biometric based (typing patterns) mechanisms can save dumb users like me .

Harry TuttleApril 13, 2007 3:01 PM

According to the FFIEC, verification of an IP address for an authorized user by using "IP Intelligence" technology meets the two-factor authentication requirement. This seems like a very weak solution given the vulnerabilities and its lack of effectiveness for a traveling users and yet it is considered acceptable. It is no surprise that the weak guidelines given by regulators have enabled institutions to adopt a lower standard of due care.

Joel OdomApril 13, 2007 3:36 PM

Their user agreement probably transfers all of the liability for a stolen account to the customer, so it's an externality. In that case, why should they care?

CoreyApril 13, 2007 3:57 PM

Re: "who would you trust?"

My mattress is pretty secure, because nobody knows I keep my money under it.

CoreyApril 13, 2007 4:03 PM

Re: "who would you trust?"

My credit union (coastalfcu.org, BTW) has a decent website. It just uses one's account number and a good old-fashioned password. You can change this password as often as you want, and make it as hairy as you want; that's secure enough authentication for me anyway.

As far as questions of their server security, laptop security, etc. I have no idea, and I doubt they would let me pen-test. At least they're not doing anything obviously boneheaded or making stupid statements, as far as I've seen.

mikeApril 13, 2007 4:38 PM

I started using interweb banking in 2000. I live in Finland and at that time literally all the Finnish banks had two-factor authentication. They never were available without such scheme(s) I believe. I have never heard of a bank around here managing to botch the scheme in any way.

There has been only a few cases where someone has fallen to some attack and they have been mostly phishing attacks that lead the user to use the two-factor authentication properly. I guess nothing in the end can save from plain good old stupidity. I'm not sure that they lost the money in the end though since in Finland the one who releases a payment tool is responsible for the safety of it. Likely most of the people got reimbursed anyways but I have not bothered to check.

My bank sends me credit card sized plastic card with 200 random unique numbers on it. I can log on without them by using my client number (7 numbers long series) and a password I have chosen. When I attempt to do something potentially damaging I will be asked for one of the numbers. They send new cards every once in a while (those plastic pieces are practically free after all).

Now, I saw couple people in the comments here being against Bruce blogging about these failed implementations because. I'm pretty much with Bruce here, I just can't get it how on earth someone can screw up something so simple (and haven't had such scheme for years already) and how on earth some interweb banking systems can be so insanely insecure. This is truly one of those moments when I feel pity for the Americans...

poo pooApril 13, 2007 10:50 PM

Finland, the Netherlands, and other European countries started online banking with 2FA. I wonder what the takeup rate is for online banking is in these countries versus in USA?

US banks say 2FA would kill online banking.

But the last time I was in Finland, my impression was that online banking and e-payments were widely adopted...

an online banking developerApril 15, 2007 4:15 AM

You may be interested to read of the following two recent security breaches of
online banks involving 2FA:

1. ABN Amro Bank (Man-in-the-Middle Attack):
http://www.computerweekly.com/Articles/...

2. China Construction Bank (Malware):
http://www.shanghaidaily.com/sp/article/2007/...

In China, (client-side) digital certificates are commonly used for the 2nd
factor. This hasn't stopped fraud, as reported by
http://www.bjreview.com.cn/headline/txt/2007-04/...
"According to Zhu Ying, deputy director for Shanghai's Bureau of Public Security, 925 cases involving online banking fraud were registered in 2006, involving around 13.65 million yuan (about US$1.707 million)."

Presumably, the figures are for Shanghai only.

MITM paranoid.April 15, 2007 4:34 PM

Mike,

The plastic card with 200 unique random numbers is more vulnerable than an electronic token, because the 200 numbers can not easily be invalidated. There has been a big attack in Sweden where that scheme was proven to be very vulnerable.

Now some of the banks around here in Sweden use a electronic token where you are given two challenge numbers that are given to the token that produces a six digit response. Now this is not invulnerable to MITM attacks but it is more secure because the challenge numbers and it's appropriate response has a time limit. So the MITM attack has slightly higher requirements to be successful. But in the case of the plastic card the numbers are much harder to time out. The man in the middle just need to trick you into giving a few of them up without giving them to the bank and they could still be usable unless there is a sequence constraint on them. Figuring out how to bypass the sequence constraint is left as an exercise for the reader.

ArunApril 15, 2007 11:49 PM

Hello all,

for me the authentication should be using a password, with enough randomness (alphanumeric 12 byte long). the second factor of authentication should be a token, which could generate a 5 digit number, by talking to the banks server. on entering the token as well as the password, in a small amount of time, the server could authenticate both the factors. to avoid a keylogger attack, the password could be entered using images in screen.

if you talk about the security question and answers, that too more than one, i dont see any usability being fulfilled. and there are users still use "pass" as their password, and we expect them to have a completely random security question and answer.

Arun

csrsterApril 16, 2007 2:13 AM

This is almost a dailywtf (www.dailywtf.com) although it also makes me think "Blues Brothers" - "We use both kinds of authentification here - username _and_ password."

DjangoApril 16, 2007 4:59 AM

Same here in Singapore, all of banks give you a token (like an RSA key used for vpn access) for free the first time. You only have to pay when you need a replacement around ($50) if you lose the original. I am surprised that US banks can't do this.

DannyApril 16, 2007 7:24 AM

@ no-one special: u are the only one who noticed the most ironic piece of the story ... Protiviti the "technology risk consultants" lost the laptop ... I'm sure whole disk encryption of laptop drives is one of their top 3 risk-reduction recommendations to any client...

stacyApril 16, 2007 9:10 AM

From my reading of the press release, I am not sure it is the credit union that made the offending statement. The laptop belonged to Protiviti and they are the ones who lost it. It is not clear from the press release if it is the NHC Credit Union, Protiviti or the NCUA making the comment about "two layers of security".

@csrster - I'm glad you said that... saved me from having to :-)

Frank BApril 16, 2007 3:27 PM

@gilbo

"Something you do" can also be folded into "something you are". Thus far, it's always been possible to reduce the set to 3 factors. 3 is probably enough...

castadreamApril 16, 2007 3:41 PM

Clearly a Username and Password are not two-factor authentication; however, the convesation seemed to drift elswhere aside from the article with a lot of misinformation. First, let's make it clear: BoA's "Sitekey" is NOT two-factor authentication, nor does it try to be. It simply provides "peace of mind" to the end user that they are at the correct site. This "Sitekey" is actually a small part of a much bigger picture that does involve an additional layer of authentication. In other words, "Sitekey" is what the end user sees, but behind the scenes exists a risk engine that determines the "something you have" (i.e the computer you are logging in from) as well as additional risk analytics.

So for example, and depending upon policy set, lower risk transactions may be allowed to continue; whereas higher risk transactions might require another layer of additional authentication (e.g. out of band, OTP, etc). It is simply adaptive risk based authentication and transaction monitoring, that for the most part is completely transparent to the end-user.

shimmershadeApril 16, 2007 8:35 PM

I'm still not over a public library system's requiring, for entry into one's patron/user account, the typing in of one's library card number and a PIN limited to four numeric characters. Printing the card number on some library documents provided the user, and requiring the log in even to check library holdings, increase the risk of data exposure.

John FaughnanApril 16, 2007 10:27 PM

The post was fine, but the comments are great. Bruce, you've been too easy on the banks, it's time to lay it on them. Shall I mention Vanguard's idiotic barrage of security-sapping "who's your mama" questions?

I am most interested in the comments implying banks are generating security smoke to doge or forestall requirements for true two factor authentication. Can you did into this a bit more?

lithiumApril 17, 2007 1:28 AM

What about bingo cards for second factor?

A plastic card with a 5*5 matrix of numbers.[25 cells & each cell holding one digit or two digit or three digit numbers]
Along with the userId and password, system will ask for any three cells randomly.
User has to furnish them by checking the card.

Agreed MIM is possible but will not be very easy...

andrewApril 17, 2007 3:04 AM

Funny finding. But original press release didn't reveal what for that so called 2 factor ath. was used. If it was for crypted HD with pre boot auth. then it's fine for me.

Bruce SchneierApril 17, 2007 7:47 AM

"What about bingo cards for second factor?

[...]

Agreed MIM is possible but will not be very easy..."

Man-in-the-Middle is possible with any number of authentication factors. That's why the attack is so nasty; it defeats the authentication process entirely.

This is why you're seeing more MITM attacks -- and Trojan attacks -- as banks implement two-factor authentication.

guvn'rApril 17, 2007 10:33 AM

@stacy, I was inferring that the press release came from NCUA, based on the URL and Leeburg VA location for an item concerning a Denver CO credit union. I'd say there's very likely some strong CYA involved in the wording, very probably overriding technical correctness.

Incidentally, I'm slightly surprised that no one has commented on the fact that New Horizons is "under conservatorship" of the NCUA, especially in the comments about trusting New Horizons with deposits. What that statement means is that they are being bailed out by their insurer, because of some sort of problems. This incident may not be their biggest problem.

SteveJApril 17, 2007 6:09 PM

"you can actually fix the PIN and vary
the account ID and it will only take 10000
accounts before you would expect to hit
a correct PIN. In practice, this attack can
take only a few minutes."

OK, but if 10000 failed verification attempts on an ATM line in a few minutes doesn't look suspicious, then:

a) the security analyst has never stood in line at an ATM,

and

b) who knows whether 100000 failed attempts (taking a few hundred minutes) would look suspicious?

If the security analysis looks at what happens when an attacker accesses the communication line directly, then it should have a cut-out (or perhaps an exponential back-off) for too many failed attempts from one machine, just as it has a cut-out for too many failed attempts on one card. Increasing the PIN size would not compensate for failing to take such a simple step, and would be harder to implement.

I have no idea whether such cut-outs do exist, but clearly they could, and could be added without painful side effects (they add a risk of someone using them for a DoS attack on an ATM, but DoS attacks on ATMs can be easily performed with the aid of a large truck, so that's probably not a problem). 6-digit PINs, on the other hand, would have the certain disadvantage that they're harder to remember.

Furthermore, I'm sure I recall reading somewhere that there are other problems with the ATM PIN-validation system which can be exploited if you have access to the trusted network. Increasing the size of PINs might help with some or even all of these, but I don't think it really qualifies as a "fix".

At least the PIN isn't stored in cleartext on the magnetic stripe any more...

SteveJApril 18, 2007 8:49 AM

"DoS attacks on ATMs can be easily performed with the aid of a large truck"

Or, come to think of it, a small hand-made 'Out of Order' sign.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..