January 10th, 2008


Online Banking insecurity and "Two Factor Auth" that isn't.

I just tweaked my online banking configuration, setting up bill payment from a different bank account, changing some settings on some credit cards, and so forth. In so doing, I had to both set up new "security questions", and to answer some I had set up in the past.

These "security questions" are a result of a US banking regulation mandate that online banking use "Two Factor Authentication". "Two Factor Auth" means, in theory, that authentication is done on the basis of "something you know", which means a password, and "something you have", which means something like an RSA SecurID or VeriSign VIP token, or the end point of a second communication channel, like say, a cellphone that can receive SMS.

The banking industry, being fools, knaves, and villains, decided that issuing, or even selling, most everyone a security token "was too expensive and confusing", and so instead complained, lied, and did the usual regulatory capture dance, and managed to convince the banking industry regulators (see "fools, knaves, and villains", above) that knowing the answer to a "security question" counts as a "second factor".


Now, maybe it's true that for a significant fraction of the banks' clients, using an RSA token is, in fact, too "confusing". But for those of us with a clue, please give us the option! Let me buy one from a list of approved varieties/brands of security tokens for a couple of bucks, register it with each of my banks, credit cards, and other "secure" sites, and then have the option to use it.

It's not even really necessary to have to buy something. It can be a little app that runs on a smartphone, or even just the ability to receive an SMS message on a not-so-smart phone.

To cut the banking industry a bit of slack, I suspect part of the issue was that Verisign/RSA decided the regulation was a license to rape the banking industry even harder, and the industry rebelled against them.