Phishing, pharming, spyware, viruses, spam and spear phishing are only some of the threats that banks and we ordinary people face!
Money is the easily usable, convertible, valuable material we all own (well, some of us have more than the others and they should learn to let the human race benefit from it by being a good citizen and contributing to our good charities… sorry, couldn’t resist) and money is what the majority of the above attacks are being used for by fraudsters and now organized crime! In the 90s organized crime was stealing credit card slips from restaurants when people used to pay with their credit cards. This is like “ambushing” your credit card. Just like you would, if you were the head of the organized crime, identify the weakest point in your victim’s transaction or action and ambush him there. That’s how convoys used to get ambushed in the old days by bandits, by identifying the most vulnerable point. It’s not that easy to steal credit card information or your bank details by coming and stealing it from you physically (even though I am sure this happens frequently with pickpockets etc). We have a new vulnerable point as we now exchange our “valuable information”, whether credit cards or banking, online; this is where the “bandits” (organized crime) are sitting and waiting to ambush us! The Internet removed the need for “proximity”: a person in east Europe is as close to you as your next door neighbour as far as the Internet is concerned. We are all connected to the same net. Unlike the good old days where you could only be ambushed by local bandits or fraudsters, now thanks to the Internet the doors are wide open to any and every bandit from around the world! Don’t get me wrong, I love the Internet and it’s an amazing tool for the human race, but we should understand its vulnerabilities and fix them. So why is this the weakest point then? Well, for one, the number of people who can ambush you has exponentially grown from your local bandit to the bandits of the world! Secondly, there is literally a non-existent level of authentication of who and what you are dealing with.
Now a good chunk of us use the Internet for many reasons, including banking. Let’s be honest, it’s darn easier to click and get a financial transaction done than going to your local branch! So organized crime, knowing that this is the weakest link, and knowing that the ROI in their fraud is getting better and better as we all slowly move on to the Internet, are investing in new tools and creating more sophisticated attacks and ambushes for us all! It’s all well and good for us to enter a challenge when it is presented to us by our bank so that we can verify ourselves, but what is there to say that we are entering this challenge on the “legitimate bank site”? We don’t know. Some even suggested that perhaps we let the users choose a graphic only they know so that we can present it to them when they log in to the site. But hang on a minute, doesn’t the bank have to identify the user before it can show that specific graphic? And what is there to stop a Man In the Middle from luring you to their website, pretending to be your bank, asking your username, and in the background giving that username to the bank so that the bank displays the graphic that “you chose” and the MIM shows that to you? This is a simple MIM attack which does not take much programming! The problem we still all face is our “inability” to verify what we see on the Internet! That is the problem we must solve. Showing the end user something they have chosen as their graphic to validate the website is flawed. We must add “Authentication” to the “Content” we rely upon!
Stay tuned for the next bit where we remember what the topic was and actually discuss two factor authentication, kiddies. LOL.
Two factor authentication is, IMHO, going to become mandated by most financial institutes, whether we like it or not. Most banks in Australia are evaluating issuing tokens to its clients (please don’t suffer from the misapprehension that they will GIVE them to you - you will get charged for them!), and 2 that I know of will make them mandatory for e-transactions later this year.
Most people have accounts with more than one financial institute and they will end up with more than one token. Pain in the bum? YES. Necessary? YES - ABSOLUTELY! It is our money and our account, the banks are merely forcing us to do what we should have been doing all along - take responsibility and ownership of our part of the security process.
I just hope the banks make the timeout on their login screen long enough for me to figure out which of the seven tokens I have on my keyring is the one for this bank! LOL
1) What you know (PIN/password)
2) What you have (something you have with you, eg: a token or something)
3) What you are (biometric, eg: fingerprint, eye retina, your body’s fat content or how big is your ■■■■ belly)
There is a really easy way of achieving 2 factor authentication! Simply use SSL Client authentication, which is already a standard and built into browsers! All you have to do is issue SSL Client Certs to your customers and that’s not a problem! This way you can convert your PC into some sort of (soft) smart card.
But again, first the user must have the ability to verify that they are on the legitimate site! This is a key component that everyone is missing today.
Agreed, site verification is required, but wouldn’t a better solution be to have client side certs issued (something you have), require a password (something you know) AND an authentication token (something you have)? Using three authentication factors, with one being a hardware thingy external to the connecting device, provides a greater degree of security, but it is still manageable by everyday users.
This is the method we have employed at work for external agencies to contact us - they have a cert, a token and a PIN and they manage it all OK, and some of them are as dumb as a bag of spanners! Nice people, but you wouldn’t let them stir custard unsupervised! LOL
P.S. The biometric angle has raised several really dubious thoughts!
For enterprises you can dictate the hardware tokens. For end users it’s almost impossible! They might lose it, break it, not know how to use it; if it’s a USB token they might not have access to the USB port easily (it might be behind the PC etc). The infrastructure is not there yet (IMHO) for a hardware token for the masses. For enterprises, yes, it already has happened.
With the SSL Client cert, the user experience does not change. They still logon to their account as normal.
If we’re talking about bank-provided USB ident keys, why not give it enough memory to launch a browser with the default bank site encoded into the browser? Require a separate PIN or other user ID method, but make sure that they can only enter it into the right site. Make the site inaccessible by other means, so that even if the spoofers convince you that you need to update your info, you still have to use the USB device to get to the bank site. A certificate built into the device should make access to the site available to it only, and it could be used to compile user statistics to identify patterns that might indicate non-authorized use. Revocation of the certificate on the bank’s database would be fast and reversible, so if the device is lost it is no disaster. After all, the finder would have to know the PIN, and if the loss is reported in a reasonable time, the PIN can’t be discovered by brute force methods. A tiny amount of USB memory would be enough - probably as little as 16 Mb would do (do they make them that small still?).
This solution is designed to greatly improve security using passwords. Interestingly, the scheme he is working on may ultimately involve trusted 3rd parties on the net. The guts of it right now is a charming password generating tool that utilizes multi factor. See: GRC | Flexible One-Time Password MetaSystem
I can’t put my finger on it now, but I recall discussion, perhaps somewhere on Steve’s forum pages, about use by third party trusted internet providers of a transparent password system using the principles behind his “perfect paper password” techniques. The third party would serve as a transparent substitute for the user having his “password card” in his possession.
There are drawbacks both to Steve’s PPP scheme and also to the idea of trusted third parties being used as a “simpler” solution (having the necessity to trust a third party). This prospect is not quite so dangerous as it might seem. One could have multiple password providers set up and even rotate through multiple lists on each provider site. The idea of very complex passwords and one time use of each password is, as a practical matter, MUCH stronger than what most users use now. Surely most users now use a relatively short, easy to remember password which is used way too often and rarely changed. Certainly, also, password management systems on your own machine are useful, but ultimately vulnerable. Those who take extra steps are already somewhat safer, and this Comodo thread is very interesting in suggesting how the security conscious user may soon have other choices.
About the high security disposable passwords - that would be a real nightmare for most non-technical people. The use of the internet to pay bills is a boon for seniors, but hit them with something that they don’t immediately understand and they will cease to use it. They may even continue to try to use it, but a few problems will end that fast enough. Sorry to say, you have to implement a system that the truly disorganized can manage. Pieces of paper with the sequence of passwords on them just get lost. If you regenerate the list, you won’t know where the next password starts. A solution that has a combination of built-in security and user authentication is the framework that we know how to use, and the solution should be possible within that realm. Biometric devices or similarly expensive methods would be ideal, but the cost is not likely to attract converts. A combination of certificates on the user’s computer and a usb device, with a password to access the certificate would provide a fair measure of protection. If the certificate is modified on each access, then an element of disposability can be had, but don’t ask the user to manage the variation of the disposables - it won’t work.
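As an added illustration (not code from this thread, and not GRC’s PPP algorithm) of how a server can cope with the “where does the next password start” worry raised above: a counter-based one-time password (HOTP, RFC 4226) checked with a look-ahead window, so a user who skips or loses a few codes on the printed list is resynchronised automatically and every used code is burned. The shared secret and the window size below are assumptions.

```python
import hmac
import hashlib

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a given counter (RFC 4226: HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def password_card(secret: bytes, start: int, count: int) -> list:
    """The codes a bank could print on a paper card, in order, starting at `start`."""
    return [hotp(secret, c) for c in range(start, start + count)]

class CounterOtpVerifier:
    """Server side: remembers the next counter it expects and accepts any of the
    next `window` codes, then moves past the one used so it can never be replayed."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret          # assumption: one secret per customer, kept by the bank
        self.window = window          # how far ahead a user may skip before being refused
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # this code and all earlier ones are now spent
                return True
        return False   # old (already used) code, wrong code, or too far ahead

if __name__ == "__main__":
    secret = b"12345678901234567890"      # constructed secret (the RFC 4226 test key)
    print(password_card(secret, 0, 5))    # first five entries of the "paper card"
    v = CounterOtpVerifier(secret, window=3)
    print(v.verify(hotp(secret, 0)), v.verify(hotp(secret, 0)))   # True, then False (replay)
```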
OTOH, many users now use a VERY poor password they write on paper and put under their keyboard… Users need help to make things simple and transparent. Unfortunately each hapless user that doesn’t secure his own computer puts others at risk. Truly it is much like a public health problem where the only way to protect the community is to protect the people who don’t protect themselves.
I think the ultimate extension of the Gibson PPP password idea to a net based “password provider” who keeps the list straight for users has some merit. The idea may be that the “password provider” who plays the role of a proxy would authenticate the login in a 3 cornered arrangement between user and “provider” and target website. Intelligent monitoring of security can help iron out many authentication issues and enhance security if done correctly. The problem with passwords is twofold. First, an easy to remember password can be easily cracked. Second, a hard to remember password is, well, hard to remember! Users don’t want to use difficult security measures… Melih, you are absolutely right. Typical users need hand holding and a technical solution to solve the problem.
Part of this is to define better who is responsible for security. Arguably an ISP ought to play a greater role in security, much like the IT folks at our local business LAN do. I am appalled at the way current ISPs throw users to the wolves and are more concerned with measuring bandwidth use than with protecting users. In practice they let the wolves in amongst the sheep, then complain about the sheep allowing the wolves to sleep hidden in their midst. Where are the shepherds? Whose job is it to watch for predators and maintain fences?
My hats are off to Comodo (and their ISP partnerships) who have found a business model that offers to users security help that the user cannot get from their own ISP. Software like CFP, CMG, Trust and other products are things that are long overdue.
I agree that the current way that passwords are (not) managed is an invitation to fraudsters. I think that the problem can be managed without directly involving a third party. If a USB device containing a browser and a password decrypter were used, the method could work like this: The user plugs in the USB device, which then launches the browser. The browser makes an SSL or VPN connection to the bank web site. The password decrypter then pops up and requests a key from the user. The key is used to decrypt passwords from both the USB device and the user’s computer. The pair of passwords is required to access the user’s account and serves to identify him/her. On completion of the transaction, a new random pair of passwords is provided by the bank to the device, which then encrypts them using the user’s key on both the user’s computer and the USB device. The user’s key can be a fairly simple and easy to remember word like their favourite flavour of jam, and the security will still be adequate due to the SSL or VPN security and the use of a USB device and passwords saved encrypted on both the user’s computer and the device. If the device gets lost, the password on the user’s computer and the need for the encryption key make it useless to anyone else. To compromise the security, a hacker would need the USB device, the encrypted password on the user’s computer and the encryption key. Admittedly, if someone were to do their banking on their laptop at a public kiosk, this could still be broken, but maybe some measures built into the USB device’s software could help even this.
I really don’t know much about how certificates work, but would they not then become the target of “Banker” type worms and viruses? I mean, the certificate would be sent, along with key log info from the user’s computer to the hacker’s computer. If they then have both the certificate and the login password, they have the keys to the vault. But, as I say, I really don’t know that it is as simple as I am guessing…
I can only agree that your computer must be as secure as possible. I also think that it is only wise to plan for a security breach. Hackers are nothing if not devious, and they have so far managed to cause trouble for almost any security system that has been devised. A really secure system is one that can be only partly compromised by any single security failure. When you have multiple security failures, nothing works.
Another security application has a “Banking” mode, in which the firewall element will deny access by your browser to any site not on your “My sites” list.
Obviously you must set up your own listings, but it’s simple enough to do by copy and paste of the URL into the list, when you are certain that you are on your bank’s site.
All that is required for a transaction with your bank, or other money handling institution, is to enable banking mode, afterwards returning to standard mode.
How do you see the benefits of this approach?
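The “Banking mode” allow-list described above, written out as an added example (not the firewall product’s own code) so the decision rule is explicit: a URL is allowed only if it is HTTPS and its host is exactly one of the user’s pasted-in sites, so lookalike hosts and user@host tricks are refused. The host names in `MY_SITES` are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed "My sites" list: hosts the user pasted in while sure they were on the real bank site.
MY_SITES = {"online.examplebank.test", "secure.examplebank.test"}

def banking_mode_allows(url: str, allowed_hosts=MY_SITES) -> bool:
    """Return True only for an HTTPS URL whose host is exactly on the allow-list.

    Matching the whole host (not a substring, not a prefix) means that
    online.examplebank.test.evil.test, evil.test/online.examplebank.test and
    online.examplebank.test@evil.test are all refused in banking mode.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False                      # unparseable URL: deny
    if parts.scheme != "https":
        return False                      # plain http, javascript:, data: etc. never qualify
    if parts.username is not None or parts.password is not None:
        return False                      # userinfo before '@' is a classic spoofing trick
    host = (parts.hostname or "").rstrip(".").lower()
    return host in allowed_hosts          # exact match on the normalised host

def filter_requests(urls, allowed_hosts=MY_SITES):
    """Split a batch of requested URLs into (allowed, blocked) the way the firewall would."""
    allowed = [u for u in urls if banking_mode_allows(u, allowed_hosts)]
    blocked = [u for u in urls if not banking_mode_allows(u, allowed_hosts)]
    return allowed, blocked

if __name__ == "__main__":
    # Constructed sample of what a browser might request during a "banking" session.
    sample = [
        "https://online.examplebank.test/login",
        "http://online.examplebank.test/login",
        "https://online.examplebank.test.evil.test/login",
        "https://online.examplebank.test@evil.test/login",
    ]
    ok, denied = filter_requests(sample)
    print("allowed:", ok)
    print("blocked:", denied)
```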
For the man-in-the-middle attack and trojan attack, how can a two-factor authentication system prevent them efficiently? Is there any idea which can be suggested for the bank to use so that it can improve its security?