Historically most online banking done with password (single-factor authentication) with the password communicated over SSL/TLS secured channel. Unfortunately, this system is vulnerable to phishing. The FDIC and FFIEC required that all banks have “enhanced” login by the end of 2006. Most banks took this to mean two-factor authentication.
SSL is simply not understood by users, so they give out credentials improperly. Attempts have been made to help users visualize this by adding security indicators, but they are inconsistent between browsers and users often don’t understand or them, ignore them, or misunderstand them.
What problem is the two-factor authentication supposed to be solving?
- Do we want to prevent credential loss?
- Money laundering?
How Expensive are the Solutions?
- Initial enrollment costs
- Deployment costs
- Support costs
- Financial industry is phobic of any client-side solution
- If costs per transaction is not lower than teller, ignore it
Who are the adversaries?
- Traditional fraud (family members, co-workers, etc.)
Multi-Factor Authentication: Is it Enough?
Jeffrey Friendberg, Chief Privacy Architect, Microsoft
The core of this presentation is a very interesting direct graph depicting the “Internet Battlefield” visualizing users, sites, attackers, and existing defenses. Though it is obviously not “complete”, it has a whole lot of interesting data. (link to Internet Battlefield whitepaper)
Key themes discussed in 2005/2006
- Know who’s who - enable strong mutual authentication
- Don’t share secrets - leave bad guys empty handed
- Plug the leaks - comprehensive data governance
- Nowhere to hide - make it easier to catch the bad guys
- Lend a hand - help victims contain damage and cleanup
Some progress has been made
- Agreement on the need for better mutual authn - FSTC, IDSP, Authentication Summit, …
- Easier to spot bad sites - new filters that use block lists and heuristics
- Easier to spot good sites - visual secrets part of ceremony
- New “EV” certs
- Less likely to get owned - easier to run with lower privilege
- Lost laptop not as catastrophic - Vista BitLocker full volume encryption (though similar solutions have existed for a long time)
General consensus of the financial industry: “Every countermeasure we introduce reduces fraud temporarily.”
E-Trade financial tried using a RSA fob as a second factor of authentication, but as of their 11/07/06 financial report their fraud losses continue to increase. That said, they considered this program a success because users indicated they feel safer and are more likely to provide assets.
BankOfAmerica’s implementation of SiteKey is supposed to protect users from phishing, studies show it does not. RSA’s response was basically that they considered the program a success because users indicated they feel safer and are more likely to provide assets.
Anybody else seeing a disturbing pattern here? What appears to matter with two-factor authentication is more about public relations and only tangentially about user security.
Current State of Things
Back-End Fraud Detection System
The most common solution in the financial industry has been to move their back-end fraud detection system to their online properties, keeping statistics of behavior and stopping suspicious transactions. The claim is that this is very effective and does not change the user experience. Some members of the audience disagreed with the claim, citing examples of transactions being denied in a wide range of situations.
Digital OTP I
These are relatively common, the best known example being RSA SecurID. This solution is fairly expensive, but still evidently profitable.
Digital OTP II
These are less common than the above, but are embedded in the credit card and not timer based.
Paper Based One-Time Passwords I
Paper Based One-Time Passwords II
Grid Based One-Time Passwords I
Grid Based One-Time Passwords II
Paper card issued by bank with series of one-time passwords, the main difference between them being the intended usage of the cards.
These are usually SecureID cards or smartcards bundled with a reading in a nice USB form-factor.
Server authentication via images
SiteKey and other similarly useless technologies.
Server authentication via images
Knowledge Based Challenges
What is your mother’s maiden name?
Out of Band Communication
SMS challenge, identifying cookies, etc.
… other topics that flew by too quickly to catch the titles …
Extended Valuation Certificates
These are basically more expensive SSL certs that cause some extra stuff to happen in the browser chrome. The claim is that they are guaranteed to be more thoroughly checked.
Those who think these are a waste of time (or worse) wonder if users ignore browser chrome now it isn’t clear why we think they’d pay more attention by just adding more identifiers to the chrome. They also point out that users don’t understand the concept of CA, probably don’t know anything about the back-end validation, and isn’t likely to change the site they shop at just because of the new type of cert.
Those claiming it is useful point to the guarantee of the extra checks, the display of the CA info in the bar, and the other UI improvements.