Log in

No account? Create an account
entries friends calendar profile My Website Previous Previous Next Next
Mark Atwood
Online Banking insecurity and "Two Factor Auth" that isn't.
I just tweaked my online banking configuration, setting up bill payment from a different bank account, changing some settings on some credit cards, and so forth. In so doing, I had to both set up new "security questions", and to answer some I had set up in the past.

These "security questions" are a result of a US banking regulation mandate that online banking use "Two Factor Authentication". "Two Factor Auth" means, in theory, that auth be done on the basis of "something you know", which means "password", and "something you have", which means something like a RSA SecurID or Versign VIP, or the end point of a second comm channel, like say, a SMS cellphone.

The banking industry, being fools, knaves, and villains, decided that issuing, or even selling, most everyone, a security token "was too expensive and confusing", and so instead complained, lied, and did the usual regulatory capture dance, and managed to convince the banking industry regulators (see "fools, knaves, and villains", above), that knowing the answer to a "security question" counts as a "second factor".


Now, maybe it's true that for a significant fraction of the banks' clients, using a RSA token is, in fact, maybe too "confusing". But for those of us with a clue, please give us the option! Let me buy one from a list approved varieties/branks of security tokens for a couple of bucks, register it with each of my banks, credit cards, and other "secure" sites, and then have the option to use it.

Its not even really necessary to have to buy something. It can be a little app that runs in a smartphone, or even just the ability to receive a SMS message on a not-so-smart phone.

To cut the banking industry a bit of slack, I suspect part of the issue was that Verisign/RSA decided the regulation to be a license to rape the banking industry even harder, and the industry rebelled against them.

Tags: , ,
Current Location: Home, Capitol Hill, Seattle WA
Current Mood: annoyed annoyed

9 comments or Leave a comment
From: technoshaman Date: January 10th, 2008 04:49 pm (UTC) (Link)
Dude. Credit unions.

My old CU's two-factor was bi-directional; you had a cookie (could be overridden by a challenge question, but still), *and* were presented with a private image before entering your password, so you'd know it wasn't a spoof. My new one's is rather novel - keystroke timing on the password. (It seems to work...) (No, I don't know how it works.) But then, my new CU has been in the biz since God was a little boy and dirt was a research project... they've got the best damn online banking I've ever seen.

To cut the banking industry a bit of slack, I suspect part of the issue was that Verisign/RSA decided the regulation to be a license to rape the banking industry even harder, and the industry rebelled against them.

Jive turkeys. I was wondering why they didn't do that.

And why don't they support multiple authentication methods? Added code complexity.... and they have to depend on the security vendor, which ain't in-house. Particularly when it's Verisign, the same jive turkeys that caused the whole "check and see if a dot-com host really exists" thing to epic-fail... I won't do business with'em (directly), not for shoelaces or a stick of gum.
fallenpegasus From: fallenpegasus Date: January 10th, 2008 05:18 pm (UTC) (Link)
I was including "credit unions" with "banking industry", especially, since in this case, one of the banks I was tweaking my settings for is a credit union.

And the "display an image" and "keyboard timing" have already been shown to be broken by the phishers. Quite literally, the computer being used to log into the bank cannot be fully trusted.

The bad guys do stuff like install keyboard loggers (complete with timing recording) on the end user's windows boxes.

I wouldn't use a windows box to log into a bank. Ever.

And I itch every time I have to use this fake two factor auth.
From: technoshaman Date: January 10th, 2008 05:26 pm (UTC) (Link)
Mmmmm, point. But then, that never occurred to me, because I use a Windows box so seldom to do real work...

For the same reason, I don't like cable-based ISP's... any random skript kitty can man-in-the-middle your datastream, not just the goons with badges...
From: vatine Date: January 10th, 2008 05:45 pm (UTC) (Link)
One of the UK banks (I think it's Barclays) has a novel little hardware token they use. The token itself is, as far as I understand, generic. You smack your ATM card in (with a Smartcard chip, for Chip&Pin purchases) and when you log on, there's some sort of handshaking between you and the bank (don't know if it's a proper bi-directional challenge/response, though).

To shift any money out of teh account, you pick a tranfer target off a list. To add a target, you need to punch the sort code and account number both into the webthing and into the token-thing, then punch the code that the tokenthing computes.

As far as "don't trust the web browser" goes, it's probably close to the best I have seen at a distance. Several of my colleagues are banking with them. I am, alas, with another bank.
From: pir Date: January 10th, 2008 06:21 pm (UTC) (Link)
The bank I used in Ireland sucked in many ways but they did use an pre-printed OTP sheet they sent to me for free online international transfers. For general access they just used a password.

Of course in the US I have yet to find a bank that'll let you do online international transfers at all...
dcseain From: dcseain Date: January 10th, 2008 07:59 pm (UTC) (Link)
My CU is changing to a system that presents an image and a word superimposed on it; image selectedy by me from the system i access from, that i must confirm before going to login. It uses scripting and cookies to accomplish it's thing.

I've not been able to log onto their site from work since. Happily, the phone service does what i need during work hours.
docorion From: docorion Date: January 11th, 2008 02:40 am (UTC) (Link)
Huh. One of my credit card banks does proper 2 factor if it doesn't recognize the computer I'm using (which is often enough, as I am mildly compulsive about cleaning out my cookies and other 'private data' regularly). When this happens, it demands you either have access to an email account it can send a message to, or a phone it can SMS. I've used both. I've thought about sending more of my business their way, for this reason alone.

(I believe it may be Chase, but I'm not sure)
katestine From: katestine Date: January 11th, 2008 03:26 am (UTC) (Link)
Chase does the phone thing when there's no cookie.
From: samildanach Date: January 11th, 2008 07:03 am (UTC) (Link)
ISTR that one of the online investment houses, E*Trade perhaps, actually does offer full RSA tokens to some of their clients.
9 comments or Leave a comment