Nov 06 2006
By Kurt Seifried (kurt@seifried.org)
Regulations and recommendations concerning secure authentication of users and transactions for online banking applications have been around for several years now. Sadly, within North America most banks have been very slow to use strong authentication methods for customers and transactions.
Sad for the banks that is….
But all this is starting to change.
Historically the majority of online banking applications made use of the simplest of all authentication schemes to implement: the username and password. Ideally both the username and password are secret, known only to the account holder. However in reality the username is often the account number (e.g.: 23525621), and these account numbers are often publicly known or easily guessed. And as we all know the passwords chosen by users are often far from being truly secure (or if they are “I use a secure password, the same one for all my accounts, it’s secure!”).
The result of this has been that it is relatively trivial for an attacker to either capture a user’s credentials by loading malicious software onto their machine, or by tricking the user into revealing the information through phishing attacks. The attacker then typically cleans out a person’s account and scarpers off. This usually results in the victim complaining to the police, the bank, all their friends, etc. Finally we have the bank reimbursing the customer for all monies lost, and doing their best to retrieve what money they can be reversing the outgoing payments.
Banks don’t like angry customers. But banks don’t like reimbursing stolen money either.
So what’s an acceptable solution to all this, for the banks?
Implementing strong authentication such as two factor systems, ideally using external tokens or external communication channels such as the phone or text messages is the beginning of the process. In doing so these banks actually do make online banking more secure against several classes of attacks; however many of these technologies fail to address the most difficult attack vector. This is of course the compromised end user system. We all know that many users will click on anything that arrives via email, and that this will result in a compromise of their machine. The good news is that there are technologies and authentication procedures that can largely mitigate the risk of using a compromised system to do online banking.
So why is this bad news for customers? Well currently if there is any fraud chances are the bank will reimburse the customer, so the customer is protected and often does not suffer any direct cost. Essentially for online banking all the risk of fraud and theft is carried by the bank. This is great for consumers, and personally I’m all in favor of it (being a bank customer). However with the rise of secure authentication methods, and in some cases of banks offering their customers free anti-virus and firewall applications we will being to see the risk of online fraud and theft shifting from the banks onto the customer. The argument will simply be:
“We provided a secure banking environment, but the customer managed to still fall prey to online criminals, we can’t really do much more, sorry!”
This is not so good for customers, but with the rising cost of online theft it is an inevitable step for banks to take.
Authentication in an Internet Banking Environment
http://www.ffiec.gov/pdf/authentication_guidance.pdf
FFIEC Guidance Authentication in an Internet Banking Environment
http://www.fdic.gov/news/news/financial/2005/fil10305.html
Secure Internet Banking Authentication
http://www.zurich.ibm.com/pdf/csc/SecureInternetBankingAuthentication.pdf
VeriSign Identity Protection
http://www.verisign.com/products-services/security-services/identity-protection/index.html
Related posts:
Posted by Kurt.Seifried on Monday, November 6th, 2006, at 8:00 am, and filed under Articles, Technical.
Follow any responses to this entry with the RSS 2.0 feed.
You can post a comment, or trackback from your site.
ricst | 06-Nov-06 at 8:28 pm | Permalink
“This is not so good for customers, but with the rising cost of online theft it is an inevitable step for banks to take.” That’s a nice theory. But as soon as banks start saying, “Sorry!” and not covering fraud-associated customer losses, customers are going to switch banks. They will almost certainly move to (or stick with) backs that offer “full fraud protection”. Banks that fail to offer this are gong to bleed customers.
The bottom line is that strong authentication is a good thing, and eventually even most American customers will learn to use it without too must frustration. [And banks will learn to respond to perplexed customers and those who have lost their tokens.] But strong authentication doesn’t get rid of fraud, it only makes it more difficult for most criminals to carry out. There will be speed bumps ahead, because this will be widely deployed new technology. But hell: Could it be worse than a new version of a Windows Operating System?
admin | 08-Nov-06 at 12:57 am | Permalink
I agree in theory, but in practice that doesn’t always work, for example in Canada we basically have 4 large banks. If they all decide to do this (based on past issues with Interac and other electronic payment systems it isn’t hard to imagine) then what choice do consumers have? As well I can’t for the life of me find out what bank positions on this are officially so until it happens to me or someone I know I won’t know what the bank’s position is.
ricst | 09-Nov-06 at 10:17 pm | Permalink
“… what choice do consumers have?” OK - choice is almost always good for consumers. One of the few areas it’s not so good is safety and security. Do we want to allow consumers the choice to fly on commercial airlines that don’t inspect carry-on luggage? Do we want to give consumers the choice to drive cars that don’t meet minimal crash standards? And with banks, do we want to give consumers the choice of weak, easily exploitable, authentication? Perhaps for a while, but sooner or later, it’s best for everyone - banks, consumers, law enforcement and the economy - if we can reduce fraud with causing a greater expense or level of difficulty for the vast majority of people. You’re welcome to take a libertarian stance and say, “Let the consumer decide whatever they want.” OK, fine, but that consumer should then be forced to bear all the associated risks and costs. In general, it’s better, especially in financial activities, if widespread fraud can be reduced without causing major consumer inconvenience banker/merchant costs.
admin | 09-Nov-06 at 11:54 pm | Permalink
If that’s what the market wants. If we really wanted safety we wouldn’t let people drive SUVs (you are more likely to die in a crash if an SUV hits you due to various design issues such as the high bumpers). We don’t have mandatory breathalyzer machines in all vehicles (that would cut down on drunk driving…). Security is an economic question ultimately, and if the costs outweigh the benefits then yeah, there ya go.