Secure Ways to Determine 'Something You Have'?
Steve Cerruti asks: "My credit union is implementing multi-factor authentication for online banking. They are following guidelines provided by the Federal Financial Institutions Examination Council as outlined in Authentication in an Internet Banking Environment (PDF). As you are already required to enter a password, 'something you know' is covered. 'Something you are' has significant technical hurdles while 'something you have' is familiar to credit unions in the form of ATM cards.
My credit union chose to implement 'something you have' as a two-dimensional lookup table that they email to an address you supply when you initially log in to the online banking service; further access is blocked until you enter a code from the table. New Measures to Make Online Access Safer describes the plan and a short video (FLV) provides further details. For the security-conscious among us, do you think this is a decent way to implement the 'something you have' portion of a well-secured system, or are there better ways to do it?
Their plan can best be compared to single use scratch off cards. However, I am unsure of what constitutes "something you have" in this example. If someone has the capacity to log into your online banking account, it would seem an email account would be equally subject to access. It would therefore be possible for the authorized owner and the attacker to both possess the table simultaneously. Does this system provide multi-factor authentication or is it simply a convoluted mechanism for sharing yet another secret?
Off topic questions:
Is depending on near instantaneous access to email a reasonable thing to do?
If you were dealing with this situation, would you implement a Firefox extension or a cell phone application to reduce the level of effort for banking access?"
Mobile phone (Score:1)
Re: (Score:2)
If a phone has no data connection, perhaps the Java client could "listen in" (don't know whether it's possible) on DTMF codes transmitted at a certain point in the normal phone call between the user and the bank's phone server?
RSA SecurID (Score:5, Informative)
Re: (Score:2)
(1) Difficult to deploy to customers
(2) Expensive
(3) Somewhat fragile
The system described in the link also provides good second-factor security, is easy to deploy, cheap, and robust. The downside is that the "matrix" could be copied. Sounds like the matrix should be guarded kinda like you guard your ATM card (i.e., you don't just leave it lying around).
Re: (Score:2)
Are they really fragile? I'd been hearing anecdotes about people running them through washing machines without breaking them.
Re: (Score:2)
That said, the SecurID card I have is subject to large amounts of abuse (it's on my keychain) and still works perfectly.
As to being difficult to deploy - you can't have security AND convenience. The emailed matrix described by the submitter falls more into a "what you know" category than "what you have".
Re: (Score:1)
I wish more banks and financial institutions (I'm looking at you, eBay/PayPal) would offer this.
Re: (Score:3)
I also don't think that RSA doesn't run the software back-end - I work in a bank which uses
Re: (Score:3)
I like the guy who put a webcam on all of his SecurID cards. I.e., very difficult for others to find out it is his webcam, then they have to figure out which one does what...
So at home, he has physical access to all the fobs; on the road he still has access in a pinch. They still serve their job since it verified that IT passed the fob. Now, all he needs is to host several honeypot webcams, so if they enter an id from one of them his accounts are aler
Re: (Score:2)
Unfortunately the server is unable to tell the difference between a person having the SecurID token and one that just happens to have a valid code as the result of a phishing attack. Note that typically several codes are accepted by the server a
Re: (Score:2)
Of course it's not a perfect system. If there was a perfect system, everybody would be using it and nobody would be developing stuff like the SecurID. The point of these things is that they're:
If you don't think a window of opportunity of several minutes is preferable to a nearly unlimited window of opportunity, you've ei
Re: (Score:3, Interesting)
What I really think is that the length of this window of opportunity does not matter at all. There are reports that universal phishing kits exist [heise-security.co.uk] already, making it really simple for anyone not only to create a phishing site but also to mount a man-in-the-
Could be worse (Score:4, Interesting)
Those images are distorted so a computer can't just OCR the thing and brute force passwords (my understanding anyhow). This seems to have worked out well enough that you see it everywhere and brute forcing passwords is less of an issue (if at all).
Curiously my bank decided to implement this functionality differently. The background is a grey colored word, and it's always the same word. The "code" is always black.
I'm no genius but to the best of my knowledge this isn't much beyond an exercise in vigorous masturbation. Security through song and dance if you will?
Security Theatre (Score:2)
Close - the commonly used term is 'Security Theatre' (or Theater if you're new-school).
It means "I'm implementing a system that looks to someone who doesn't understand security like it might improve safety, but really it just inconveniences everybody".
The TSA is the Andrew Lloyd Webber of Security Theatre.
Re: (Score:2)
Is your bank doing something similar?
What it boils down to (Score:4, Interesting)
At the end of the day, assuming the computers and networks between you and the credit union are secure (they're not, but let's forget that), the only problem they have is to make sure you're Mr. John Doe, legitimate holder of the account you're trying to access ("who you are"). Period. All that matrix and multi-identification stuff is just a variation on the same theme.
Up to now, "what you know" (a password) was assumed to be representative of "who you are", with the single point of failure that someone else might be able to know what you know as well (being your password that's too simple, or someone looking over your shoulder while you type in the password). This was a reasonable assumption because you can't separate someone with this someone's knowledge.
If they want to do better than that, they'll have to use biometrics (DNA analysis, fingerprinting, iris scanning, etc.) or some sort of permanent electronic tagging (RFID implant). That's plain as day. So if your credit union isn't providing you a fingerprint scanner or telling you to go to your local vet to get an RFID implanted, you can safely assume that their new ultra-super-duper solutions are a variation of what's already been implemented before, perhaps a little better, perhaps not, but definitely a lot of PR fluff.
Re: (Score:1)
I couldn't watch the video because I'm on a crappy hotel connection. (Although I will say that this chain (Courtyard Marriott) is the only one I know of that doesn't charge you for said crappy connection. Being billed several dollars a day for crappy DSL speeds ranks high on my Grand List of Suck, since it undermines the idea of Internet as a ubiquitous utility.)
> "At the end of the day, assuming the computers and networks b
Re: (Score:3, Insightful)
You can improve on passwords without breaking a sweat. What they've done is switch from a brittle login protocol to one that is closer to the random challenge/signed response that you'd want if there were a computer instead of a human on the other end.
Not only does it block offline phishing, notice that it's even safe from a keylogger.
Still vulnerable at several points to several attacks but a real improvement nonetheless.
INGdirect have a nifty system (Score:2)
In terms of "something you have", you could try securid. There are agents and software tokens available for phones and the like. Or say, a security code sent out with every paper statement.
Re: (Score:1)
A sequence of security codes would help a bit if they were not all stored on the compromised host, i.e. your paper statement suggestion. But the malware could also modify your session after you authenticate, so yo
X509 Client Side Certificates (Score:4, Insightful)
Require X.509 client-side certificates. That should make access to the account practically impossible unless an attacker can get access to the certificate.
The only way to access the certificate would be to compromise the client machine, and if that happens you're probably fucked regardless, right?
there's fsck'd and there's FSCK'D (Score:2, Insightful)
Re: (Score:2)
Fucked as in the bad guy installs a key logger or plays man-in-the-middle and drains your bank account regardless of other measures taken, which is the context we were using.
The SMS message mentioned in another comment might prevent man-in-the-middle if it contained transaction details (and the receiver made sure the message was coming from their bank...). But if the client's only point of interaction with the bank is through a single computer, that computer must be trusted. I don't see how you could h
Re: (Score:3, Interesting)
Simple: don't trust that computer. Home computers are general-purpose machines and very few of them are highly secured. A specialized, embedded device with a private key sounds much more trustworthy, and you could still use the untrusted home computer to transmit the resulting encrypted+
Re: (Score:3, Insightful)
> A specialized, embedded device with a private key sounds much more trustworthy
Agreed, but do the losses due to fraud exceed the costs of issuing an embedded cryptographic device to every customer?
Is anyone already doing that? (Score:3, Interesting)
I'd hate to be the first organization trying to exercise the client-side certificate code...
You'd have to completely and permanently disable non-certificate logins or phishers would still be in business.
Re: (Score:2)
Swiss Migros Bank [migrosbank.ch] uses client-side certificates to authenticate customers. Certificates are handed out on smart cards branded M-Card smart. They don't force certificates upon their customers, though; other means of authentication are supported as well.
Unfortunately their Web site seems to be available on
Re: (Score:2)
When security is implemented properly, compromising the machine does not compromise end-to-end security.
Two ways already used in Europe (Score:5, Interesting)
BPH (Polish bank) has your cell phone number on file. They do bank transfers, which are used over there a lot more than here, you can pay people directly like that (like an electronic check), even buy skype credit directly with it. When you attempt a transfer the bank sends you an SMS with a code you have to supply to the website. The cell phone is something you have. Trouble with this is that in the US some people have to pay for incoming SMSes. In the rest of the world that's usually free.
Zero-Knowledge Proof Authentication Systems... (Score:3, Interesting)
I tend to like "zero-knowledge proof" based systems.
Here, you don't exchange an item (e.g. password) directly.
For example, a server can challenge you (your smart card by proxy) with a randomized value / set of values.
Your card performs a function, and returns a value.
If the value doesn't match the accepted value, the challenge has failed. Only your card should return the correct value. However, someone else's might by chance succeed, or there may be an attack.
So, this type of set of exchanges can be
Re: (Score:1)
My current bank uses a number of long codes that are eventually condensed to a 6-digit code (20-bit security, about) that depends on the input code (27-ish bits), your card and your PIN. So that effectively combines something temporary, something physical you have and something you know.
Re: (Score:3, Interesting)
Yes, it works SO well for satellite TV ... oops ...
A $50 receiver cracks the rotating keys in minutes, a $200 receiver in seconds ... (the latest models run linux, btw).
Re: (Score:2)
Nagra2 has been cracked for almost 2 years http://dishnewbies.com/nagra2.shtml [dishnewbies.com] ... and a lot has happened since.
Most decent aftermarket receivers nowadays don't need a card to decrypt either dishnet, expressvu or echostar. Just plug them in, wait 5 minutes, and everything's "open". Example: I know someone who has a Viewsat Ultra, and it works fine.
This was an example of a single-point failure of depending on "something you have". You were supposed
Re: (Score:2)
Unless we discover that ordinary people are unable to participate in such schemes, thus needing a computer to help them, which consequently becomes part of any sensible definition of middle.
Re: (Score:1)
You have to pick up the device in person and provide ID and they also make you set the PIN when you check it out. All the signing might be a
Re: (Score:3, Interesting)
LISTEN to this chap! E-mailing the list is bad because that communication is in-band. It took the phone companies much frustration to move their signaling out of band. When payphones and the switches did all their communication in-band [wikipedia.org], then phreakers could manipulate the line via blue boxes or red boxes. If someone is running malware on one of your client's workstations, they could see the e-mail come across and later copy it for their own uses.
Out-of-band communication [wikipedia.org] works because an attacker need
Two factor pain in the ass (Score:2, Insightful)
http://www.schneier.com/blog/archives/2006/11/fighting_fraudu.html [schneier.com]
My CU implemented a system whereby I now have two passwords. I guess they are probably following the law, but I'm not safer from anything now, especially since they put some text by the second password telling me what it is about. One of the better comments from the Schneier post points out that two factor authentication isn't worth much if they both use the same channel. Another goes ahead and calls it multiple single f
One password - many combinations. (Score:3, Insightful)
So this gives you passwords within passwords. You can have a fifteen-digit number/password, and they ask you for random characters from those. Always try to ask for a different combination, and perhaps ask in more ingenious ways, like the third letter and the fourth from last (which could be the same position as the third - if you had a stupid password).
You can then keep the password long enough for it to not be too much of a bother to remember. And they can always disable the account if too many wrong tries are made.
The cleverest thing to do though, is to probably make it harder to do international transfers of cash using accounts, or impossible online. And make it harder to have an account without giving some form of verifiable ID. My bank does that. It is quite silly to steal money online into another local account in my estimation anyway, because you will be caught. Internationally is another issue, because some countries may not cooperate.
Anyway, how many people do you know who have had their money stolen from their bank account online? I guess very few.
Re: (Score:2)
So I can do a denial of service at random on any account ... sweet. NOT!
Re: (Score:2)
If they're asking for 2 digits, there are only 100 possible combinations - 00 to 99.
So, you'll hit the right combination, half the time, at 50 tries (n/2).
If you dial random numbers, and they issue random responses, the odds stay the same.
If they allow 3 attempts before disconnection, then the average becomes n/2/3, or 17 tries, on average. Sometimes, you'll get it right away, sometimes it will take 100 tries, or even 200, but, on average, 17 attempts would get you in.
Re: (Score:2)
Watson Ladd's post said:
So n is the number of digits in the PIN, not the number of combinations to guess between. And the aim is to work out the number of calls to learn the entire PIN, not just get into the account... (and I think he's assuming you're eavesdropping on calls, rather than attempting to break in remotely...)
Re: (Score:2)
The topic was the fallacy of the "something you have" in regards to a 2-digit verification number. No matter how large the pin, a 2-digit verification number will fail, on average in 50 tries. So if someone has left their access code in their browser, and you now have to enter a 2-digit verification number, and they give you 3 guesses before they close the account, you have a 1 in 18 chance of p0wning their account.
"Something you have" will never be foolproof, because if you have it, someone can always t
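The odds that the partial-PIN and "passwords within passwords" posts above argue over, worked out exactly. This is an added example, not code from any poster: it takes the bank's choices as parameters (how many digits of the PIN are requested, how many attempts before lockout, whether the requested positions stay fixed until lockout or are re-drawn on every attempt) and also computes the eavesdropper's side that the "number of calls to learn the entire PIN" reply raises, i.e. how many observed sessions it takes before every position has been asked for once. The 4-digit PIN length is an assumption; 2 requested digits and 3 attempts are the figures used in the thread. Sample output is checked against a Monte Carlo run so the closed form can be trusted.

```python
from fractions import Fraction
from math import comb
import random


def blind_guess_success(k_digits: int, attempts: int, fixed_challenge: bool = True) -> Fraction:
    """Probability that someone with no knowledge of the PIN passes a
    "give me k digits" challenge within `attempts` guesses before lockout.

    fixed_challenge=True : the same positions are asked until lockout, so the
                           attempts are distinct guesses -> attempts / 10**k.
    fixed_challenge=False: positions are re-drawn each attempt, so each guess
                           is an independent 1-in-10**k shot.
    """
    space = 10 ** k_digits
    if fixed_challenge:
        return Fraction(min(attempts, space), space)
    return 1 - (1 - Fraction(1, space)) ** attempts


def expected_sessions_to_learn_pin(pin_len: int, k_digits: int) -> Fraction:
    """Expected number of observed sessions (each asks for k distinct positions,
    chosen uniformly) until every position of the PIN has been revealed once.

    Inclusion-exclusion over the set of positions still unseen: P(T > t) is a
    signed sum of geometric terms r_j**t, and sum_t r**t = 1/(1-r), so the
    expectation E[T] = sum_t P(T > t) has a closed form.  math.comb returns 0
    when j positions cannot all be avoided, which is exactly what is needed.
    """
    total = comb(pin_len, k_digits)
    expectation = Fraction(0)
    for j in range(1, pin_len + 1):
        # r_j: one session asks for none of j given positions
        r_j = Fraction(comb(pin_len - j, k_digits), total)
        expectation += (-1) ** (j + 1) * comb(pin_len, j) / (1 - r_j)
    return expectation


def simulate_sessions_to_learn_pin(pin_len: int, k_digits: int,
                                   trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo cross-check of expected_sessions_to_learn_pin (fixed seed)."""
    rng = random.Random(seed)
    total_sessions = 0
    for _ in range(trials):
        seen = set()
        while len(seen) < pin_len:
            seen.update(rng.sample(range(pin_len), k_digits))
            total_sessions += 1
    return total_sessions / trials


if __name__ == "__main__":
    # Thread's figures: 2 digits asked, 3 attempts; 4-digit PIN is an assumption.
    print("P(guess within 3 tries, fixed positions):",
          blind_guess_success(2, 3))
    print("P(guess within 3 tries, positions re-drawn):",
          float(blind_guess_success(2, 3, fixed_challenge=False)))
    print("expected sessions to see all 4 digits (2 per session):",
          expected_sessions_to_learn_pin(4, 2),
          "simulated:", simulate_sessions_to_learn_pin(4, 2))
```

Re-drawing the positions on every attempt buys almost nothing against blind guessing (the two probabilities differ in the fourth decimal); what matters is the attempt budget and the lockout. The eavesdropping figure is the one a defender should watch: with two of four digits revealed per session, fewer than four observed sessions on average expose the whole PIN, which is why the posts about staff or phishers seeing only "pieces" understate the exposure.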
Re: (Score:2)
This would concern me to no end - it sounds like the bank staff can see your PIN on their screens. What's to stop staff looking up people's PINs and either using them themselves or even selling them to someone else?
Re: (Score:1)
Only if the design is braindead. If they need the whole PIN, then they can see your entire PIN (or they type in everything you say). If they only ask for a piece of the PIN, then they only need to see the piece. Maybe even an interface that just says "Ask customer for piece 4 [enter here] and piece 9 [enter here]".
Whenever I call a credi
Good outside-the-box thinking (Score:2)
But then all the bad guy has to do is pay a cut to local recipients of phishing proceeds who will pass along the funds [theregister.co.uk]. No need for the online transaction to go straight to Elbonia in one step.
>some countries may not cooperate.
Notice the destinations are never squeaky-clean places like Finland. It's always some place where it's easier for the crooks to have an und
Re: (Score:2)
When I call my bank, they never ask me for say, my full telephone pin. They ask for 2 random digits.
I cannot abide this. It makes logging in an extremely painful procedure, as the human mind remembers words in sequence. Ask a person to type out the word 'impossible' and any reasonably proficient computer user will have it typed out in a second; but ask a person to give you the 7th letter and suddenly it takes a lot more time, especially when you don't have it written down. It's even worse when dealing with passwords of random letters and numbers, as they're so much less familiar. Asking for random letter
Security test (Score:2, Funny)
Reasonable except for Email! (Score:2)
The
Call me a Luddite, but... (Score:1)
Re: (Score:2)
Hey, some of us have to work for a living. They don't call them "bankers' hours" for nothing ...
I'm sure the criminals insist, too... (Score:1)
Well, that certainly ramps up the security, doesn't it? I'm sure someone with malicious intent is doing the same thing.
Good for what's it's supposed to do (Score:2)
Only if they phished your email password at the same time as your online banking password, sorted through your old email, found your Matrix chart still there and not yet deleted, and downloaded it for their use.
Not your average phishing scam at all, and it's probably easier for a phisher to set up a real-time man in the middle attack where they relay your bank's challeng
I'm not sure if it's something I have or am. (Score:2)
She explained it was a policy to speed up identification, etc.
- When I opened the account in another state, I didn't give a thumbprint. So whoever shows up and sticks a thumb down in my name will be recorded as the account holder of record. T
Re:I'm not sure if it's something I have or am. (Score:4, Insightful)
> She explained it was a policy to speed up identification, etc.
The customer service agent didn't implement the policy, she doesn't know why she has to collect the thumb print any more than you do. You assumed the thumb print was to provide confirmation of your identity in order to *authorize* the transaction. This is not the case, and also why they don't really care that they've never collected a thumb print before. The purpose of the thumb print is to provide *evidence* after the fact in case there is a fraudulent transaction.
Suppose you are head of Wells Fargo's security department. The CEO has mandated that you implement "greater security" and the CFO demands that you do so on a minimal budget. Which of the following do you choose?
1) Implement a new program requiring millions of customers to come into a physical banking location and establish their authorized thumb print, regardless of their account age, banking history, account balance, or fraud risk. Maintain a secure, reliable, online database of all these thumb prints. Make the database accessible to several thousand banking locations. Implement a near-100% accurate thumb print recognition algorithm. Ensure that all the components in this system can operate at near-instantaneous speed so transactions can be authorized in a timely manner.
Cost to bank: several hundred million dollars
Cost to users: hassle for thumb print at each transaction
2) Implement a new program that requires thumb prints to be taken for each transaction. Thumb prints may be collected on paper, stored at the local banking location, archived only occasionally, and are only ever referenced if a transaction has been flagged as fraudulent. If such a thing does happen, surveillance tapes and the thumb print may be supplied to law enforcement for further action.
Cost to bank: in the tens of millions of dollars
Cost to users: hassle for thumb print at each transaction
Both methods produce essentially the same amount of security, particularly for dumb criminals who may not know that the bank is relying on method 2 and not method 1. I honestly can't say I would have chosen differently either.
How my bank does it - the perfect way? (Score:1, Interesting)
1. You get a keypad in the post, a small (3x2)" thingy with numbers 0-9 and a tiny calculator-style screen.
2. You also get instructions how to set a four-digit PIN code on it for first use.
3. To log in to the internet bank, you enter your personal number (SSN equivalent), and type the PIN into the pad. It gives you an eight-digit code.
4. You enter the first six digits of the code. The bank displays the last two, which should match your card's.
Hackable? Phishable? Any flaws? I can't
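The four-step keypad login above, run end to end as an added example (not the bank's actual protocol, which the post does not disclose). It assumes an HOTP-style design (RFC 4226 dynamic truncation over HMAC-SHA256): each pad holds a seed shared with the bank and a press counter, the PIN typed into the pad is mixed into the MAC input so a wrong PIN yields a wrong code, and the server searches a small counter window so presses made without logging in do not desynchronise the pad. The customer sends the first six digits and the server answers with the last two, which is the customer's check that the far end knows the same secret. The seed, personal number and PIN are constructed placeholders; storing the PIN in clear on the server is a simplification of what a bank's HSM would do.

```python
import hmac
import hashlib

# Constructed demo values; a real pad is personalised with its own seed.
DEMO_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PERSONAL_NUMBER = "19800101-1234"   # placeholder, not a real identifier
DEMO_PIN = "4711"

CODE_DIGITS = 8
LOOKAHEAD = 10   # how far past its stored counter the server will search


def token_code(seed: bytes, pin: str, counter: int) -> str:
    """Eight-digit code the pad shows for this PIN and press count (assumed design)."""
    msg = counter.to_bytes(8, "big") + pin.encode()
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    # HOTP dynamic truncation: 4 bytes at an offset from the last nibble,
    # sign bit masked, reduced to the wanted number of digits.
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Keypad:
    """The customer's device: seed plus a press counter, no clock, no network."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def press(self, pin: str) -> str:
        code = token_code(self.seed, pin, self.counter)
        self.counter += 1
        return code


class BankServer:
    """One record per customer: seed, PIN and the next counter it will accept."""

    def __init__(self):
        self.customers = {}

    def enrol(self, personal_number: str, seed: bytes, pin: str) -> None:
        self.customers[personal_number] = {"seed": seed, "pin": pin, "counter": 0}

    def login(self, personal_number: str, first_six: str):
        """Step 4: verify the six digits typed; reply with the last two or None."""
        rec = self.customers.get(personal_number)
        if rec is None or len(first_six) != 6:
            return None
        for c in range(rec["counter"], rec["counter"] + LOOKAHEAD):
            expected = token_code(rec["seed"], rec["pin"], c)
            if hmac.compare_digest(expected[:6], first_six):
                rec["counter"] = c + 1     # this and earlier counters are now dead
                return expected[6:]        # server's proof it knows the secret
        return None


def demo_exchange() -> dict:
    """One honest login: pad shows a code, customer sends six, bank echoes two."""
    pad, bank = Keypad(DEMO_SEED), BankServer()
    bank.enrol(DEMO_PERSONAL_NUMBER, DEMO_SEED, DEMO_PIN)
    code = pad.press(DEMO_PIN)
    reply = bank.login(DEMO_PERSONAL_NUMBER, code[:6])
    return {"pad_code": code, "server_reply": reply, "match": reply == code[6:]}


def demo_failure_cases() -> dict:
    """Wrong PIN, resync after a stray press, and replay of a used code."""
    pad, bank = Keypad(DEMO_SEED), BankServer()
    bank.enrol(DEMO_PERSONAL_NUMBER, DEMO_SEED, DEMO_PIN)
    wrong_pin_reply = bank.login(DEMO_PERSONAL_NUMBER, pad.press("0000")[:6])
    good = pad.press(DEMO_PIN)            # pad counter is now 2, server still at 0
    resync_reply = bank.login(DEMO_PERSONAL_NUMBER, good[:6])
    replay_reply = bank.login(DEMO_PERSONAL_NUMBER, good[:6])
    return {"wrong_pin": wrong_pin_reply, "resync": resync_reply, "replay": replay_reply}


if __name__ == "__main__":
    print(demo_exchange())
    print(demo_failure_cases())
```

The window is the design's trade-off: the larger LOOKAHEAD is, the more stray presses the pad survives, and the more codes are simultaneously valid for a guesser. The two-digit echo tells the customer the server knows the seed, but it does not protect the six digits already sent: a relaying phisher who forwards them in real time gets the same two digits back, which is the point the SecurID sub-thread above makes about short validity windows.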
Monthly statement (Score:1)
Olds? (Score:2)
This may sound complicated, but actuall
Sure (Score:2)
The basic problem with emails, TAN numbers etc. is that they can be easily copied. So, the fact that you have the item/information does nothing to ensure that no one else has it too. You're much more likely to notice having *lost* something than you are of noticing that someone has *copied* something you possess.
If you could be certain people wouldn't leave them plugged in (many would, despite strict instructions to the contrary) the ideal something
Re: (Score:2)
However, if the check was in the dongle itself it could work. The dongle could require the pushing of an on-dongle button before it'd sign a single transfer.
For added paranoia, the dongle could have a display: "Press the button to transfer [dollar-amount] to [account-number]".
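The button-and-display dongle just described, as an added example (not from any poster): the device signs only the exact amount and account it has shown to its holder, and the bank verifies that signature against the transaction it actually received. It assumes a symmetric HMAC-SHA256 key shared between dongle and bank (a real device would more likely use a private key), a bank-issued nonce in every transfer so a captured signature cannot be replayed, and simulates the holder as someone who reads the display. Class names, the key and the account strings are constructed.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

DEMO_DONGLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed
INTENDED_ACCOUNT = "ACCT-000-EXAMPLE"   # constructed placeholder payee
ATTACKER_ACCOUNT = "ACCT-999-EXAMPLE"   # constructed placeholder payee


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    to_account: str
    challenge: str   # bank-issued nonce: binds the signature to one request

    def canonical(self) -> bytes:
        # Fixed field order; '|' does not occur in any field used here.
        return f"{self.amount_cents}|{self.to_account}|{self.challenge}".encode()

    def prompt(self) -> str:
        return (f"Press the button to transfer {self.amount_cents / 100:.2f} "
                f"to {self.to_account}")


class Dongle:
    """Holds the key; signs only what it has displayed and the holder confirmed."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, transfer: Transfer, user_confirms) -> Optional[bytes]:
        if not user_confirms(transfer.prompt()):
            return None
        return hmac.new(self._key, transfer.canonical(), hashlib.sha256).digest()


class Bank:
    """Issues one-time challenges and executes only correctly signed transfers."""

    def __init__(self, key: bytes):
        self._key = key
        self._open_challenges = set()

    def new_challenge(self) -> str:
        ch = secrets.token_hex(8)
        self._open_challenges.add(ch)
        return ch

    def execute(self, transfer: Transfer, mac: Optional[bytes]) -> bool:
        if mac is None or transfer.challenge not in self._open_challenges:
            return False
        expected = hmac.new(self._key, transfer.canonical(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        self._open_challenges.discard(transfer.challenge)   # single use
        return True


def careful_customer(prompt: str) -> bool:
    """Simulated holder who reads the display and confirms only the intended payee."""
    return INTENDED_ACCOUNT in prompt and "125.00" in prompt


def run_scenarios() -> dict:
    bank, dongle = Bank(DEMO_DONGLE_KEY), Dongle(DEMO_DONGLE_KEY)

    # 1. Honest PC: what the dongle displays is what the bank receives.
    t1 = Transfer(12500, INTENDED_ACCOUNT, bank.new_challenge())
    mac1 = dongle.sign(t1, careful_customer)
    honest_ok = bank.execute(t1, mac1)
    replay_ok = bank.execute(t1, mac1)          # same signed transfer resubmitted

    # 2. Malware changes the payee before the dongle sees it: the display shows it.
    t2 = Transfer(12500, ATTACKER_ACCOUNT, bank.new_challenge())
    mac2 = dongle.sign(t2, careful_customer)

    # 3. Malware lets the real transfer be signed, then swaps the payee on the wire.
    t3 = Transfer(12500, INTENDED_ACCOUNT, bank.new_challenge())
    mac3 = dongle.sign(t3, careful_customer)
    tampered = Transfer(t3.amount_cents, ATTACKER_ACCOUNT, t3.challenge)
    swap_ok = bank.execute(tampered, mac3)

    return {"honest": honest_ok, "replay": replay_ok,
            "holder_confirmed_tampered": mac2 is not None,
            "swap_after_signing": swap_ok}


if __name__ == "__main__":
    print(run_scenarios())
```

The property this buys is that the PC is no longer trusted for the transaction's content, only for transporting it; the trusted display and button are the whole point, and the scheme collapses if the device will sign anything the PC sends without showing it. The nonce is what stops a recorded signature from being presented twice, which a plain "sign this amount and account" design would allow.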
Re: (Score:1)
I completely agree with this, although I would also say that the addition of biometric verification - such as a fingerprint scanner on the usb encryption token - would add an additional layer of security at a reasonable price and convenience point. These are already available for purchase, and I don't think it would be overly onerous to implement them.
My bank - Bank of America - claims to have "above industry standard" security for online banking, but to be quite honest, it's pretty lax. They added a mand
Re: (Score:2)
It's possible to make them less sucky, but most of the time that results in a higher false-negative rate which ain't that user-friendly at all. Plus, it's a large practical problem, you can't change your biometrics if they're somehow compromised.
Re: (Score:1)
In general, I would agree that in a higher security environment, relying on cheap fingerprint scanners alone would be idiotic. They have many more functional models of scanners available, such as those that can detect whether the print is on a hand, the hand is alive, etc., but of course those are more expensive, and, as you point out, may give more false negatives.
However, I think that most people are not as concerned with people breaking into their house and trying to lift their prints off the desk as th
Re: (Score:1)
I, lazy/busy American/Nabob, cannot be inconvenienced to cart around one of these for every one of all my very important, easy to remember and of course identical passwords.
My bank has me scratch my mark on paper and fax it for anything critical, asks me to call from my phone-of-record for some things of a little import, and insures everything else.
I don't know how much that costs you all in additional fees and such, but thank you, and keep up the good work!
Re: (Score:2)
To be secure, passwords should:
At the same time, the number of situations where the average person needs a password increases strongly.
The human brain just ain't suited for that kind of thing. It gets worse too, because the largest password easily crackable goes up over time. Used t
OPIE: one-time passwords (Score:2)
Blatant plug: Meridea 2FA (Score:2)
Sorry for this blatant plug but I believe it's quite relevant to the discussion.
The company I work for [meridea.com] has an authentication product [meridea.com] that's more secure than hardware tokens (SecurID) and one-time password sheets.
The product is a J2ME application that you install into your mobile phone. You activate the application in advance by entering a cryptographic key. To authenticate something, you start the application and enter your PIN code, then type in a challenge code given by the remote service (a web page,
Whatever you do, make it work (Score:3, Interesting)
When I went to log into my account from a second PC, their system asked me the challenge questions. For elementary school attended, did I answer "jones" or "jones elementary" or "jones elementary school" or "Jones"? (You get the idea.)
At any rate, since my answers the second time failed to exactly match, my account was locked and I had to call the customer service number to get my account unlocked. They reset my challenge questions, and told me that lots of people are having this problem. As a result the CSRs tell people to answer those questions with a single word, and to USE THE SAME WORD FOR EVERY ANSWER!
This system is broken.
Whatever you do, don't build a broken system.
Re: (Score:2)
> did I answer "jones" or "jones elementary" or "jones elementary school" or "Jones"
What I do for these is to make up answers (this defeats an attack where someone finds out where I went to school, etc.), then put that answer in my password-safe program along with the password.
It doesn't add any extra types of security anyway. It's just a secondary password, same as those "we'll ask you this question to reset your password if you forget it" questions sites used to have. Those I would just answer with random gibberish, not logged (a well-backed-up password safe means I won't be forgettin
Mutual authentication is what is needed (Score:1)
http://en.wikipedia.org/wiki/Mutual_authenticatio
Otherwise, banks would be better off using OTPs to validate the transactions.
It's Called EMV Geniuses (Score:2)
First of all, the rest of the world is already using a pretty secure standard for two-factor authentication called EMV. It's all there, smart card vendors support the standard, card manufacturing plants can produce EMV cards, banking software supports it.
Second, RSA IS NOT cost effective in banking. Never mind the logistics and cost of replacing lost RSA fobs, RSA will use the opportunity to ream the bank an extra-large you-know-what. Where else
Re:my cu's solution, for comparison (Score:4, Insightful)
For those who missed it, the above post is enclosed in [sarcasm] tags
I could never figure out how anyone could believe that "name of favorite pet" or "last 4 digits of your phone number" or "name of your [insert whatever here]" is a good security question.
Now, to answer the REAL question posed by the article's title:
- the answer is obvious - go to an anonymous clinic in another part of town, use a fake name, and pay the doctor in unmarked bills :-)
Re: (Score:2)
Anonymous cowards don't have pets. No SSN either.
And of course, being an AC, you have no way of refuting this.
And anyone who posts claiming to be the AC can't prove it was really them, so too bad ...