Cudni

Two-factor banking

from www.securityfocus.com/columnists/363
"...
Many of us still remember being told how foolish it is to keep one's life savings under a bed mattress, because the banks were known as trusted entities that will always do a better job of looking after your money.
...
That trust is eroding, however, in light of a massive onslaught of phishing scams on the Internet. The irony is that the security issues surrounding this kind of financial theft are by-and-large due to the poor security and social engineering of an individual - and therefore the responsibility for losses is similarly owned by that individual, not the bank.

...

The forced use of two-factor authentication for banking systems accessible over the Internet is our only hope for mitigating the phishing threat. And since the banks have no financial responsibility to do this on their own, the only way this is ever going to happen is by requiring them to do it through legislation.
..."

Cudni
--
What is now proved was once only imagined.
Help yourself so God can help you


Kilroy

The problem with having the SecurID tokens is that they cost $65 for three years. Your bank isn't going to start handing them out.
--
I have two favorite sports teams, University of Michigan and whoever is playing Michigan State.


nil, reply to Cudni
There are multiple ways banks can make their sites more secure without SecurID.

Simplest one by far: require only parts of a password at a time, randomly, different ones. Keyloggers won't be able to pick those off so easily... and neither will phishing sites.
--
Life is too short to be boring
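As an added illustration of the partial-password idea in the post above (this is example code, not code from the forum or from any bank), the server below asks for a few randomly chosen character positions on every login, so a keylogger or phishing page that captures one session learns only those positions. The password, the number of positions per challenge and the captured sessions are constructed for the demo.

```python
import hmac
import secrets

# Added illustration of the partial-password scheme described above (this is
# not code from the forum post or from any bank). The password, the number of
# positions per challenge and the captured sessions below are all constructed.


class PartialPasswordServer:
    """Challenges the user for a few randomly chosen character positions."""

    def __init__(self, password: str, positions_per_challenge: int = 3):
        if positions_per_challenge > len(password):
            raise ValueError("challenge asks for more positions than the password has")
        # Caveat: the server must be able to check individual characters, so the
        # password cannot be kept as one salted hash the way a full-password
        # login would store it. That is the trade-off of this scheme.
        self._password = password
        self._k = positions_per_challenge
        self._rng = secrets.SystemRandom()

    def challenge(self) -> list[int]:
        """Return 1-based positions, chosen afresh for every login attempt."""
        n = len(self._password)
        return sorted(self._rng.sample(range(1, n + 1), self._k))

    def verify(self, positions: list[int], answer: str) -> bool:
        """Accept only if the answer matches exactly the requested positions."""
        n = len(self._password)
        if len(set(positions)) != self._k or any(p < 1 or p > n for p in positions):
            return False  # malformed challenge: wrong count, duplicates or out of range
        expected = "".join(self._password[p - 1] for p in positions)
        return hmac.compare_digest(expected.encode(), answer.encode())


def respond(password: str, positions: list[int]) -> str:
    """What the legitimate user types: only the characters that were asked for."""
    return "".join(password[p - 1] for p in positions)


def fraction_revealed(password_len: int, captured: list[tuple[list[int], str]]) -> float:
    """Share of password positions a keylogger has learned from captured sessions.

    Each captured session is (positions asked, characters typed); a session
    reveals only the positions it asked for, never the whole password.
    """
    seen: set[int] = set()
    for positions, _typed in captured:
        seen.update(positions)
    return len(seen) / password_len


if __name__ == "__main__":
    server = PartialPasswordServer("correcthorse")   # constructed password
    asked = server.challenge()
    print("server asks for positions", asked)
    print("login ok:", server.verify(asked, respond("correcthorse", asked)))
    # constructed keylogger captures from two earlier sessions
    captured = [([1, 2, 3], "cor"), ([2, 5, 9], "oeo")]
    print("fraction of password revealed:", fraction_revealed(12, captured))
```

The positions change on every attempt, so an attacker who replays a captured answer against a fresh challenge fails, and `fraction_revealed` shows how many sessions it would take to recover the whole password. The price is that the server has to keep the password in a form where single characters can be compared, which is weaker storage than a salted hash of the full password.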


Gelroos, reply to Kilroy
ROFL, I do IT Security for a bank and trust me, there is SERIOUS talk about tokens in the industry. It may start at a certain dollar level of average balance, but two factor authentication is THE TALK in the industry. We've already rolled out over 25,000 tokens to high dollar customers who've agreed to try them out.
--
The tree of liberty must be refreshed from time to time with the blood of patriots & tyrants. It is its natural manure. The "Tree of Liberty" letter from Thomas Jefferson to William Smith


Cudni, reply to Kilroy
Some do, albeit on a trial basis:
news.bbc.co.uk/1/hi/business/4340898.stm

Cudni

B, reply to Gelroos
The neuron powered biological implants will make all this much easier.

www.verichipcorp.com/content/sol···ogy.html is a start at least, though it's still battery powered.

-- B

P.S. Yes, I hate this more than you do.
--
In a realm outside causality and function

Hayduke, reply to Cudni
I already give the banks the privilege of using my money. I am not willing to pay them any more than I am right now to keep it or my personal information safe. If they can't or aren't willing to do that then they need to tell me and I'll take my business elsewhere.

PS.
And the same goes for the credit agencies. I'm pissed about the number of people they give my personal info to without my permission. I get dozens of credit card offers, loan offers (most with interest rates you'd have to be an absolute moron to accept), etc. every month, and almost all have my personal information in them. I have not requested these credit cards, applied for any loans or ever done business with any of these companies. They do not have (or should not have) any right to give this info out to every Tom, Dick & Harry that asks for it and then tell me I need to work harder or pay them more money to secure my personal information. If they'd stop giving this information out I wouldn't have to worry about someone stealing it. On top of cluttering my desk & filling my wastebasket, I have to spend my time running these things through a shredder, so they ought to be paying me for using my money and making me waste my time disposing of their unsolicited junk mail.


nil
You can opt out of credit bureaus selling your info. (I know, it should be the other way around.. but it's not like our government works for us..)
--
Life is too short to be boring


ZOverLord, reply to Cudni (edited October 19th, 12:56PM)
Funny thing is their STUDY ("If one can call it that") really does not deal with the Employee(s)/Consultant(s) who can back up the internal daily, weekly, monthly logs to their laptop CD/DVD drive, where these initial security breaches in most cases happen.
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com


justin, reply to Kilroy
said by Kilroy:

The problem with having the SecurID tokens is that they cost $65 for three years. Your bank isn't going to start handing them out.
My bank, HSBC, just mailed me one. It is smaller than the SecurID I remember that was used to log in to a bank network over dialup.

B
High Security Bancorp?

-- B


Blackbird, reply to Cudni
The root problem is that it's far easier to remotely fake a string of 1's and 0's flowing to a computer than to fake a hand-written signature and one's facial details live and in front of a trained human being who is using the full array of authentication tools of the average financial institution. And even then, live identification is subject to error and abuse... many of the verification tools still don't get used properly, if at all. But electrons are all totally anonymous, each and every one! For every grand method concocted for "safe" authentication of remote, digitally-accessed accounts, there will come equally thought-out exploits, cracks, and phishes. Sorry, it's just the way things work in a world where all electrons are created equal and clever men sometimes possess evil hearts.

So, just like with one's billfold, you don't put more money into any sort of remote-access account (or carry credit cards with higher credit-lines) than you can basically afford to lose. You keep your main asset trove somewhere else, inaccessible to digital attack. More inconvenient than the easy-access, wrap-around, high-balance/high-credit-line accounts used by so many today? Admittedly, yes. Safer in protecting families against financial wipeout? Absolutely!
--
If God wanted us to work with electrons, He'd make them big enough to see...

B
Inaccessible to digital attack? What vehicles would that be? It kind of rules out every type of bank account and many brokerage accounts too. Keep your "main asset trove" in real estate? Coins? Cash? I'm not sure where you're going here.

Or did you just mean bank accounts for which you have specifically disabled end-user (but not internal!) digital access? (Not that that access might not be able to be established anyway, either on-line or via the human exploits you mention.)

-- B
--
In a realm outside causality and function


Vig, reply to Blackbird
It seems to me that your point is that digital access makes mounting and sustaining attacks easier, which is unarguably true. However, even though "all electrons are created equal", not all streams of electrons are. That is, using a protocol that has a difficult-to-defeat authentication and encryption scheme can reduce the exposure to acceptable levels for the given threat model.

What banks are up against is basically the "encryption" problem. They need a way for the user to prove who they are (and to prove who they are to the user) and also secure the data passed in the subsequent session. This is a problem that, while not solvable, is manageable with current technology. There are systems passing data around every single day whose only known vulnerability is a brute-force attack requiring age-of-the-universe amounts of time to break. Until someone comes up with a clever way to exploit a weakness in the underlying algorithm or use some means to shorten the calculation time needed for brute force, sensitive transactions can still be undertaken with a high level of confidence.

This is not to say that exploits and phishes can be eliminated entirely. Crypto is always a game of trying to stay one step ahead of the bad guys. But a secure ID token makes it tougher for the bad guys to phish enough info from unwitting users to hurt them, and that's a good thing.
--
Visit the land of the never-setting sun


Gelroos, reply to Blackbird (edited October 19th, 03:33PM)
Yeah, cause the $10/hour tellers are "using the full array of authentication tools of the average financial institution" when you come in and cash a check. One of the toughest parts in training tellers is not getting them to KNOW what to do, it is to apply these skills EVERY time they are supposed to. The fact is, most bank tellers are paid slightly more than working at McDonald's... It doesn't garner a lot of reliability, and the fact is, most banks suffer from relatively atrocious turnover rates in their teller departments. One of the reasons most banks are hoping to solve the Phishing, Pharming, E-fraud, etc. problems is that it removes the human factor from the authentication system; hopefully, this translates to fewer compromised accounts. You'd be surprised what a confidence person can have a teller do just by smiling and spinning a tale.
--
The tree of liberty must be refreshed from time to time with the blood of patriots & tyrants. It is its natural manure. The "Tree of Liberty" letter from Thomas Jefferson to William Smith


Blackbird, reply to B
said by B:

Inaccessible to digital attack? What vehicles would that be? It kind of rules out every type of bank account and many brokerage accounts too. Keep your "main asset trove" in real estate? Coins? Cash? I'm not sure where you're going here.

Or did you just mean bank accounts for which you have specifically disabled end-user (but not internal!) digital access? (Not that that access might not be able to be established anyway, either on-line or via the human exploits you mention.)
Uhmm... maybe some CDs and savings accounts that I have never authorized in writing to permit electronic access? Or some brokerage accounts I access in-person or via telephone with a living, breathing broker and which have never been authorized for digital access either? My bank access for such accounts has to be in-person, in front of a human teller... I use two local banks where the tellers even know me personally. Ancient, small-townish - but highly effective. I'm much less concerned if such an account gets raided by some external, digital hack of the bank's account computers, because my true balance can be legally established by the paper record trails I retain. (You do retain your paper records?) I also keep several credit card accounts, but only one is set up for online purchases or electronic access... that one has a very modest credit-line and is watched like a hawk.

My real point is not that any given account is totally "safe" against fraud, theft, etc. Instead, I submit that much less fraud is perpetrated against such 'human-interface' accounts than against invisible, electronic-access accounts in general, these days. If my signature is required, if my face is verified against "valid photo ID" (or personal acquaintanceship with the teller), and if recent odd account activity is checked by the bank teller while accessing my assets on behalf of the person standing in front of real cameras at the bank window, then the consequences of failing to follow through in all of that are legally and totally in the bank's lap - and that means rapid restitution to me for any losses.

When a modern E-account is raided electronically, the burden of proof that it was not the account holder's own doing can and sometimes does rest largely in his lap. That is certainly the case for debit-card (electronic or otherwise) access. Resolving that digital forgery has occurred after-the-fact is often far messier than verifying a forged signature was written onto a preserved paper record. And that means possible loss, but certainly great delay, in retrieving my funds.

True, it's always in the realm of possibility that somebody could walk into one of my banks' distant branches, pose as me, alter my account access to electronic, forge my signature in front of cameras, and then go somewhere and raid the assets by computer. But is it likely? Is it anywhere near as likely as simply phishing for access codes to pre-existing electronic accounts or stealing them via Trojans and keyloggers on target machines? This is about prudence, not perfection. Life's full of choices... many of these break down to convenience versus security. (Proof? How many folks run as admin because it's a PITA to run as a logged-in user; how many folks write down their passwords and lock combinations because it's hard to remember them all; how many people leave their car doors unlocked while running into a quickie-mart...?) I submit that to choose the convenience of electronic financial access is a trade-off against account security, and I do recommend not exposing the major part of one's account-assets to that risk.
--
If God wanted us to work with electrons, He'd make them big enough to see...


jack b, reply to Cudni (edited October 20th, 12:17PM)
HSBC online banking bill pay section has two factor security.
They use a virtual keyboard where you enter an ADDITIONAL security password before accessing the section where you can pay anyone. You have to use your mouse to click the keys.

This is in addition to a user-ID and password required to enter your account, initially.
--
~Help find a cure for Cancer~
~Proud Member of Team Discovery ~


MrBradTX, reply to Gelroos
said by Gelroos:

One of the toughest parts in training tellers is not getting them to KNOW what to do, it is to apply these skills EVERY time they are supposed to....You'd be surprised what a confidence person can have a teller do just by smiling and spinning a tale.
My wife's 20+ year banking career ended due to exactly the kinds of things you mention. Tellers were unofficially allowed some amount of discretion when authenticating checks to enhance customer service, but any forgeries that slipped past as a result of discretion were grounds for dismissal.

Basically, enhanced security and authentication == less convenience. If convenience diminishes past a certain point, customers take their money elsewhere. It's something of a paradox.


Daniel, reply to Cudni (edited October 20th, 11:39AM)
For anyone not familiar with this concept, two-factor authentication is where you need two sources of information in order to access something. A real-world example of this is an ATM/cash machine. When you use an ATM you not only need your card, but you also need to enter your PIN.

There are four basic ways to authenticate:
    •Something you know, e.g. a password.
    •Something you have, e.g. a token or an ATM card.
    •Something you are, e.g. biometrics such as fingerprints or retina scans.
    •Somewhere you are, e.g. only being able to access something if you are in a certain place, such as within the Pentagon walls.
For the ATM example, you're using two factors out of those four -- something you have (your ATM card), and something you know (your PIN). And since you're using two of the four, you're using two-factor authentication.

So that's what we're looking at getting at all U.S. banks -- and the second factor is probably going to come in the form of something you have. That could be a token of some sort, or it could be one-time-passwords similar to those being used in Europe.
--
dmiessler.com -- grep understanding knowledge
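As an added example of the two factors Daniel describes (example code, not code from the forum, from HSBC or from any bank), the login below requires something you know, a password stored as a PBKDF2 hash, and something you have, a counter-based one-time password token of the kind specified in RFC 4226 (HOTP), which is what many hardware tokens and printed OTP lists implement. The secret, the salt, the password and the look-ahead window are constructed for the demo; the HOTP secret happens to be the RFC 4226 test-vector secret so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Added example of two-factor login, not code from the forum post or from any
# bank: the first factor is something you know (a password, stored as a
# PBKDF2 hash) and the second is something you have (a counter-based one-time
# password token as specified in RFC 4226, HOTP). The secret, salt and
# password below are constructed for the demo.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know is never stored in the clear, only as a slow salted hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoFactorAccount:
    """Server-side record: password hash plus the token's shared secret and counter."""

    def __init__(self, password: str, token_secret: bytes, look_ahead: int = 5):
        self.salt = b"constructed-demo-salt"  # constructed; a real server uses os.urandom
        self.pw_hash = hash_password(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0           # next counter value the server expects from the token
        self.look_ahead = look_ahead

    def login(self, password: str, otp: str) -> bool:
        # Both factors are always evaluated; a phished password alone is not enough.
        knows = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        has = False
        # The token may have been pressed without the code reaching the server,
        # so accept a small window ahead of the expected counter. Counters at or
        # below one already used are never accepted again, which defeats replay.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.token_secret, c), otp):
                has = True
                self.counter = c + 1   # resynchronise and burn this code
                break
        return knows and has


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret, constructed here
    account = TwoFactorAccount("hunter2", secret)
    print("password only:", account.login("hunter2", "000000"))            # False
    print("password + token:", account.login("hunter2", hotp(secret, 0)))  # True
    print("replayed code:", account.login("hunter2", hotp(secret, 0)))     # False
```

The counter is advanced even when the password was wrong, so a valid code submitted with a guessed password is burned rather than left usable. What this does not stop, and what the later posts in the thread are getting at, is a phishing page that relays both the password and the freshly typed code to the bank within the look-ahead window: the second factor limits the damage to that one session and makes the captured code worthless afterwards, but it does not make the session itself trustworthy.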


ZOverLord (edited October 20th, 01:49PM)
said by Daniel:

For anyone not familiar with this concept, two-factor authentication is where you need two sources of information in order to access something. A real-world example of this is an ATM/cash machine. When you use an ATM you not only need your card, but you also need to enter your PIN.

There are four basic ways to authenticate:
    •Something you know, e.g. a password.
    •Something you have, e.g. a token or an ATM card.
    •Something you are, e.g. biometrics such as fingerprints or retina scans.
    •Somewhere you are, e.g. only being able to access something if you are in a certain place, such as within the Pentagon walls.
For the ATM example, you're using two factors out of those four -- something you have (your ATM card), and something you know (your PIN). And since you're using two of the four, you're using two-factor authentication.

So that's what we're looking at getting at all U.S. banks -- and the second factor is probably going to come in the form of something you have. That could be a token of some sort, or it could be one-time-passwords similar to those being used in Europe.
The Whole Problem with this is that ok, so now it's more complicated to FAKE a transaction using someone's card for $9.95-$24.95, so what.

The personal data is still in the WILD, so, maybe it's now used for getting a BOGUS card from another bank or a BOGUS loan, who knows?

The facts are as areas are fortified the personal data will be used for OTHER less strengthened things which may or may not cause more financial impact on the victim.

When will a group of people finally "Own Up" to the fact that some of these scams are NOT the result of poor security and/or software on a Web Site?

Watch.....your banking fees will go up, who knows, some banks may CHARGE for these fortification processes ("Which should be Free") and it will NOT go away.

If your ISP announced that due to IP related attacks it is requiring you to purchase a SPECIFIC router and pay an additional 10 Bucks a month "To Protect You From Harm" would you stay with that ISP?

If your cell phone carrier required you to "Whip Out a Mini-Keyboard" and enter a SECRET number before you placed a call, and suddenly asked you to pay an additional fee per month because of "Cell Phone Fraud" would you stay with that cell phone carrier?

Wake Up People, these institutions should not be placing financial burdens on their clients because they can't figure out ways to protect the data they have without financial burdens on their customers.

We need to look at this problem no differently than the DRUG problem. In the early 90s the focus was on CRACK, now it's on METH, so your personal DATA is a DRUG problem but yet NOT a specific Drug.

It may have been packaged as CRACK before but now it is METH, new suppliers, new labs, new dealers but the facts remain, your personal DATA is very very valuable and will be re-packaged re-sold to the highest bidder where ever, at that time, it can be used to CREATE income for someone else.

Until The Large warehouses of your personal data are fortified, two-factor, six-factor auth schemes don't stop people from gathering hundreds of thousands of records and selling that data.

This will continue to go on while your NEW keyboard and your secret numbers for your transactions on your new force-fed hardware, which is now an additional monthly expense from the bank that asked you to use it, are being used.

I am about to submit a new joke to "Jeff Foxworthy" about this, you know, the comedian who is famous for his "You Know You're a Redneck" jokes. Mine will be......

You Know You're a Redneck When You Have More X-Factor Auth Devices in Your Home Than You Have Remote Controls

Remember....SMART Criminals steal TRUCKS, the stupid ones SHOPLIFT!
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com
© 1999-2008 dslreports.com