Two-factor banking

Token statement

People who lived through the Second World War, like my grandparents, had a very different view of money than those of us who grew up in the Information Age. Many of us still remember being told how foolish it is to keep one's life savings under a bed mattress, because the banks were known as trusted entities that will always do a better job of looking after your money. Even my grandparents, albeit reluctantly, came to realize that putting trust in financial institutions was the only way to go.

That trust is eroding, however, in light of a massive onslaught of phishing scams on the Internet. The irony is that the security issues surrounding this kind of financial theft are by and large due to the poor security practices and social engineering of an individual, and therefore the responsibility for the losses is likewise owned by that individual, not the bank.

There are all sorts of toolbars [1] [2] [3], security approaches, and browser extensions that try to mitigate this threat, but they're all ineffective: not because they don't work, but because they'll never get installed on the computers of the people who really need them.

The forced use of two-factor authentication for banking systems accessible over the Internet is our only hope for mitigating the phishing threat. And since the banks have no financial responsibility to do this on their own, the only way this is ever going to happen is by requiring them to do it through legislation.

Some approaches in the banking world

In the US, federal regulators are now requiring banks to have at least two-factor authentication with their websites by the end of 2006.

The Federal Financial Institutions Examination Council (made up of the FDIC - Federal Deposit Insurance Corp, the US Federal Reserve, the US Comptroller of the Currency, and others) has very recently issued a press release as well as guidance (PDF) that is specific yet technology-neutral on the need for two-factor authentication. It's an idea being sold to banks and the public as a way to address identity theft in a supposedly proactive manner.

In Sweden, one Internet bank has used the interesting idea of one-time passwords mailed out on a "scratch-pad," but even that novel approach has been attacked and compromised by a recent phishing scam.

There has been some suggestion of using drop-down menus on Internet banking sites to thwart keyloggers, but many Trojans also capture screenshots, so this approach really isn't very good.

While not quite phishing-specific, here's a funny one for you. Sometimes a con artist is so slick he can convince senior people at several major European banks to hand over hundreds of thousands of dollars (or rather, euros) in the bathroom stall of a public bar. "Psst, I'm a secret agent and I need your help." When they caught up with this guy, he was already suntanning on a beach.

A case for tokens

I've been doing online banking for over five years, and many of our readers have been doing it longer. Five years is more than enough time for the banks to figure out a cost-effective, long-term solution to the problem of stolen passwords (which soon becomes stolen money). Today they secure their internal systems just fine, and they've trained their staff on how to absolve all responsibility when a customer's machine is infected with a Trojan and their bank account has been compromised: "Don't worry, our internal banking systems are quite secure. Have a nice day."

We've all known people infected with Trojans, keyloggers, spyware, and the like. The first thing I tell people when they call for advice is to get off the phone with me and immediately call their bank, reset their passwords or disable Internet access to their accounts altogether, and hope that it isn't too late.

A token is often a small keychain-like device displaying a non-repeating number that changes every minute. These are made by a number of companies, and they've been used in the corporate world for many years. It's time that (1) banks eat the cost of providing these tokens, (2) more governments besides just the US force the use of two-factor authentication in the banking world, and (3) people who understand security, meaning all of us, lobby their elected officials to get the proper legislation in place.

I have to agree with what Bruce Schneier wrote recently, that pushing all the responsibility from consumers to financial institutions (and most likely, doing it through legislation, if you ask me) is the only way to get this done.

A secure public terminal?

I look at many people's computers as unsafe public terminals. When I'm invited over to a friend's place for dinner, I'm afraid to do anything on their machine because I know all the nasty things it could be infected with... logging my passwords, stealing my identity, and so much more. I always wonder how badly it's owned.

If you've ever checked your bank account from a public terminal at an Internet café like I have, you immediately realize two things: one, it's an incredibly dumb thing to do, and two, having a token as a password that changes every minute would dramatically lower the overall risk - regardless of how 0wn3d the machine really is. In certain unexpected circumstances, either using a public terminal or abstaining from access altogether may be the only choice. Where are our tokens?
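As an added illustration that is not part of the original article, here is how the bank-side check for a token of the kind described above can work: the code is derived from a shared secret and the current minute (the scheme later standardized as RFC 6238), and the verifier accepts each time step at most once, so a code captured by a keylogger and replayed within the same minute is rejected. The secret and timestamps are constructed sample values.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 60   # the article's token: a new number every minute
CODE_DIGITS = 6
SKEW_STEPS = 1      # tolerate one step of clock drift either way


def token_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
               digits: int = CODE_DIGITS) -> str:
    """Number the token would display at unix_time.

    HMAC-SHA1 over the big-endian time-step counter, then dynamic truncation
    to `digits` decimal digits (RFC 6238 / RFC 4226 style).
    """
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Bank-side state for one customer's token: small skew window, single use."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 skew: int = SKEW_STEPS) -> None:
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_counter = -1   # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter <= self.last_counter:
                continue   # same or older step: a replayed (keylogged) code
            expected = token_code(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter   # burn this step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; a real token's seed is provisioned by the bank.
    secret, now = b"constructed-demo-secret", 1_700_000_000
    verifier = TokenVerifier(secret)
    code = token_code(secret, now)
    print(code, verifier.verify(code, now), verifier.verify(code, now + 5))
```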

The average person doesn't understand how phishing works or how it is prevented, because the security world is so complicated, and yet the risk of losing money through one's Internet banking account is a very simple concept to understand. It's time that more governments around the world step in to ensure that Internet banking remains safe.

Copyright © 2005, SecurityFocus
