Multi-factor Authentication for Online Banking: Security or Snake Oil?

July 19, 2007 by Richard Conlan

Introduction
Steven Myers

Historically, most online banking has been done with a password (single-factor authentication), with the password communicated over an SSL/TLS-secured channel. Unfortunately, this system is vulnerable to phishing. The FDIC and FFIEC required that all banks have “enhanced” login by the end of 2006. Most banks took this to mean two-factor authentication.

SSL is simply not understood by users, so they give out credentials improperly. Attempts have been made to help users visualize this by adding security indicators, but the indicators are inconsistent between browsers, and users often ignore them or misunderstand them.

What problem is the two-factor authentication supposed to be solving?

  • Do we want to prevent credential loss?
  • Fraud?
  • Money laundering?

How Expensive are the Solutions?

  • Initial enrollment costs
  • Deployment costs
  • Support costs
  • Financial industry is phobic of any client-side solution
  • If the cost per transaction is not lower than a teller’s, ignore it

Who are the adversaries?

  • Phishers
  • Pharmers
  • Crimeware
  • Traditional fraud (family members, co-workers, etc.)

Multi-Factor Authentication: Is it Enough?
Jeffrey Friendberg, Chief Privacy Architect, Microsoft

The core of this presentation is a very interesting directed graph depicting the “Internet Battlefield”, visualizing users, sites, attackers, and existing defenses. Though it is obviously not “complete”, it has a whole lot of interesting data. (link to Internet Battlefield whitepaper)

Key themes discussed in 2005/2006

  • Know who’s who - enable strong mutual authentication
  • Don’t share secrets - leave bad guys empty handed
  • Plug the leaks - comprehensive data governance
  • Nowhere to hide - make it easier to catch the bad guys
  • Lend a hand - help victims contain damage and cleanup

Some progress has been made

  • Agreement on the need for better mutual authn - FSTC, IDSP, Authentication Summit, …
  • Easier to spot bad sites - new filters that use block lists and heuristics
  • Easier to spot good sites - visual secrets part of ceremony
  • New “EV” certs
  • Less likely to get owned - easier to run with lower privilege
  • Lost laptop not as catastrophic - Vista BitLocker full volume encryption (though similar solutions have existed for a long time)

Two-Factor Authentication
Rachna Dhamija

General consensus of the financial industry: “Every countermeasure we introduce reduces fraud temporarily.”

E-Trade Financial tried using an RSA fob as a second factor of authentication, but as of their 11/07/06 financial report their fraud losses continue to increase. That said, they considered this program a success because users indicated they feel safer and are more likely to provide assets.

Bank of America’s implementation of SiteKey is supposed to protect users from phishing, but studies show it does not. RSA’s response was basically that they considered the program a success because users indicated they feel safer and are more likely to provide assets.

Anybody else seeing a disturbing pattern here? What appears to matter with two-factor authentication is public relations; user security is only tangential.

Current State of Things
Full panel

Back-End Fraud Detection System
The most common solution in the financial industry has been to move their back-end fraud detection system to their online properties, keeping statistics of user behavior and stopping suspicious transactions. The claim is that this is very effective and does not change the user experience. Some members of the audience disagreed with the claim, citing examples of legitimate transactions being denied in a wide range of situations.
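As an added illustration of the behavioural approach described above (my sketch, not the panel’s or any bank’s code), the following Python keeps per-customer statistics and scores a new transaction against them. The constructed history, the risk weights and the threshold are assumptions; the third case in the comments shows the kind of false denial audience members complained about.

```python
import statistics
from dataclasses import dataclass


@dataclass
class Txn:
    user: str
    amount: float
    hour: int        # local hour of day, 0-23
    country: str


# Constructed sample history for one customer (not real data).
HISTORY = [
    Txn("alice", 42.0, 9, "US"), Txn("alice", 120.5, 12, "US"),
    Txn("alice", 35.0, 18, "US"), Txn("alice", 80.0, 13, "US"),
    Txn("alice", 60.0, 10, "US"), Txn("alice", 95.0, 17, "US"),
]


def baseline(history):
    """Per-user behaviour statistics a back-end fraud system would keep."""
    amounts = [t.amount for t in history]
    return {
        "mean": statistics.mean(amounts),
        "stdev": statistics.pstdev(amounts),
        "hours": {t.hour for t in history},
        "countries": {t.country for t in history},
    }


def risk_score(txn, base):
    """Sum of heuristic risk signals; each is a deviation from the baseline."""
    score = 0.0
    if base["stdev"] > 0:
        z = (txn.amount - base["mean"]) / base["stdev"]
        score += max(0.0, z)          # only unusually large amounts add risk
    if txn.hour not in base["hours"]:
        score += 1.0                  # never transacted at this hour before
    if txn.country not in base["countries"]:
        score += 2.0                  # new country is a strong signal
    return score


def decide(txn, base, threshold=3.0):
    """'allow', or 'deny' (hold for review / step-up authentication)."""
    return "deny" if risk_score(txn, base) >= threshold else "allow"


if __name__ == "__main__":
    base = baseline(HISTORY)
    print(decide(Txn("alice", 50.0, 12, "US"), base))    # usual amount, hour, country
    print(decide(Txn("alice", 900.0, 3, "RO"), base))    # large, 3am, new country
    print(decide(Txn("alice", 300.0, 12, "US"), base))   # a real but unusually big bill
```

The last case is denied purely on amount: a legitimate but atypical purchase gets blocked, which is exactly the user-experience cost the audience disputed.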

Digital OTP I
These are relatively common, the best known example being RSA SecurID.  This solution is fairly expensive, but still evidently profitable.

Digital OTP II
These are less common than the above, but are embedded in the credit card and not timer based.
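As an added example (mine, not the panel’s, and not RSA’s proprietary SecurID algorithm), the following Python implements the open HOTP (RFC 4226) and TOTP (RFC 6238) algorithms, which correspond to the counter-based and timer-based token styles just described, together with the server-side checks that stop a captured code from being replayed. The key is the ASCII test key from RFC 4226; the look-ahead and drift windows are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed key: the ASCII test key from RFC 4226, not a real token secret.
KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(key, int(at) // step, digits)


class CounterVerifier:
    """Server state for an event-based token (Digital OTP II style, no timer)."""
    def __init__(self, key: bytes, look_ahead: int = 5):
        self.key, self.counter, self.look_ahead = key, 0, look_ahead

    def verify(self, code: str) -> bool:
        # Accept a few skipped presses, then burn every counter up to the one used.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1
                return True
        return False


class TimeVerifier:
    """Server state for a timer-based token (Digital OTP I style)."""
    def __init__(self, key: bytes, step: int = 30):
        self.key, self.step, self.last_slot = key, step, -1

    def verify(self, code: str, now: float) -> bool:
        # Tolerate one step of clock drift either way; a slot, once used, is burned.
        # Inside that window a code phished seconds earlier still validates, which
        # is why the panel treats OTP tokens as no answer to real-time phishing.
        t = int(now) // self.step
        for slot in (t - 1, t, t + 1):
            if hmac.compare_digest(hotp(self.key, slot), code):
                if slot <= self.last_slot:
                    return False
                self.last_slot = slot
                return True
        return False
```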

Paper Based One-Time Passwords I
Paper Based One-Time Passwords II
Grid Based One-Time Passwords I
Grid Based One-Time Passwords II
Paper card issued by bank with series of one-time passwords, the main difference between them being the intended usage of the cards.

Crypto tokens
These are usually SecurID cards or smartcards bundled with a reader in a nice USB form factor.

Server authentication via images
SiteKey and other similarly useless technologies.


Knowledge Based Challenges
What is your mother’s maiden name?

Out of Band Communication
SMS challenge, identifying cookies, etc.

Facial recognition

On-Screen Keyboard

…  other topics that flew by too quickly to catch the titles …

Extended Validation Certificates
These are basically more expensive SSL certs that cause some extra things to happen in the browser chrome. The claim is that they are guaranteed to be more thoroughly checked.

Those who think these are a waste of time (or worse) point out that if users ignore browser chrome now, it isn’t clear why we think they’d pay more attention just because more identifiers are added to the chrome. They also point out that users don’t understand the concept of a CA, probably don’t know anything about the back-end validation, and aren’t likely to change the site they shop at just because of the new type of cert.

Those claiming it is useful point to the guarantee of the extra checks, the display of the CA info in the bar, and the other UI improvements.

zeveck wrote:

Wow. A whole lot of the above didn’t really get discussed. I think there were waaaay too many tactics for the time allotted. This would have been rather interesting as a multi-part discussion, or perhaps being given its own day, but as presented it felt like a breeze-by overview just brushing on each issue. =( The only clear thing to come out of the discussion, from my point of view, is that EV certs are a waste of time.

 

I made a comment on the economics of EV certificates that may not have been as articulate as I would have liked. I do have a short essay on the topic here:

http://declutterist.wordpress.com/2007/06/02/the-game-theory-of-phishing/

 
schlumamol wrote:

What we need is a mutual authentication solution that validates that our users are indeed at the correct sites… and not some bogus ones…

I think there may be some solutions out there that can solve the MITM and the fistful-of-devices effect..

Check out what this company called Gemalto has been pushing recently….

Check out what this company called Gemalto is pushing…

Found a video on you tube http://www.youtube.com/watch?v=cA8QZ7DvIts

Found an older post on Slashdot that was describing the process…. http://www.engadget.com/2007/02/01/gemalto-intros-usb-smart-card-to-curb-phishing/

I sent an email to nim@gemalto.com and someone contacted me…

We are in pilot right now and it looks like this solution is going to make the lives of our users so easy!!
The onus of recognizing if you are at the correct site is done by the simple device securely.. each time every time!

The acceptance from our users has been fantastic.

 

[...] Hopefully Final Word on EV July 24, 2007 Posted by Jeremy in Uncategorized. trackback Last week, I presented a paper at the Symposium on Usable Privacy and Security (SOUPS). During a panel discussion, the topic of EV certificates came up. I shared a short version of my position. Afterwards, I got into a discussion with several people whose disagreement with my position led me to clarify a few things. I thought I would share them. [...]

 

Week’s Links…

  • Multi-factor Authentication for Online Banking: Security or Snake Oil?
  • DCT, MPack developer
  • The Nduja Job: Into The World Of XSS Worms
  • Lessons Learned From the Deployment of a Smartphone-Based Access-Control System
  • Measuring Privacy Loss and the Impact of …

 

Appreciate the good and concise information put in here by Rachna. Is it really that difficult to target the problem of MITM / Phishing / Pharming?

My 2 cents on it: whatever it be, challenge-based tokens, hardware tokens, scratch cards, biometric solutions, as long as the user enters something directly into the “Public Form”, without any derived modification/manipulation, it is MITM’able.

In most of the popular deployed systems, there has been no concrete solution to this issue, despite all the claims.

If I have to list down the needs of the security system, to be able to protect it from phishing, pharming and MITM, the following needs to be addressed:

The need is to protect what the user enters into a Public Form from being reused if entered from anywhere else.

If a fraudster captures the information submitted by the user, he should not be able to use it in the same form or any other form.

The information submitted by the user should not be based only on the challenge provided by the server, to prevent any kind of relay scenario.

The need is to prevent the user from entering something into a public form that provides a key to the user’s identity.

OK, here is the shadow, and am turning around to face the light.

-Cheers,
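As an added example (mine, not the commenter’s and not any vendor’s product), here is a Python sketch of one design that meets the requirements listed in the comment above: the token computes a short code over the server’s one-time challenge and the transaction details, so a code captured by a fraudster cannot be reused for a different transaction or re-submitted for the same one. The field layout, the 8-digit length and the shared-secret setup are assumptions.

```python
import hashlib
import hmac
import secrets


def transaction_code(key: bytes, challenge: bytes, payee: str,
                     amount_cents: int, digits: int = 8) -> str:
    """Token side: HMAC-SHA256 over the challenge AND the transaction fields,
    truncated to a short code the user can type. The separator byte keeps
    distinct (payee, amount) pairs from encoding to the same message."""
    msg = b"\x1f".join([challenge, payee.encode("utf-8"),
                        str(amount_cents).encode("ascii")])
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class BankServer:
    """Server side: hands out one-time challenges and verifies bound codes."""
    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()          # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def submit(self, nonce: bytes, payee: str, amount_cents: int, code: str) -> bool:
        if nonce not in self.pending:
            return False              # unknown, expired or already-consumed challenge
        self.pending.discard(nonce)   # one attempt per challenge; failure needs a new one
        expected = transaction_code(self.key, nonce, payee, amount_cents)
        return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    key = b"constructed-shared-secret"       # assumption: provisioned at enrollment
    bank = BankServer(key)
    nonce = bank.challenge()
    code = transaction_code(key, nonce, "ACME Utilities", 12050)
    # A relayed code with the payee swapped fails; the challenge is then spent.
    print(bank.submit(nonce, "Mallory Ltd", 12050, code))      # False
    nonce = bank.challenge()
    code = transaction_code(key, nonce, "ACME Utilities", 12050)
    print(bank.submit(nonce, "ACME Utilities", 12050, code))   # True
    print(bank.submit(nonce, "ACME Utilities", 12050, code))   # False: replay
```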

 

I think that two-factor authentication is indeed enough, though the technology does need to mature to a certain degree. As it does get better, expect to see security measures become increasingly difficult to crack. I agree that while client-side SSL is helpful, many don’t understand that process. I’d like to see those who create these systems focus more on biometrics and things like vocal recognition etc.

 

This is very true, fraud is increasing..
Let me share my experience of email phishing..

Sort of Email-Phishing

Phishing is one way of taking your identity..

 

It is my opinion that two-factor authentication, while imperfect (what technology isn’t?), is the best type of security out there, especially for banks that deal in online banking. PayPal has implemented a type of TFA and has had success with it. Why must everyone paint doom and gloom for this technology? Once biometrics advance and become more affordable I think that this will be the type of security everyone uses, not just big business.

 

It’s not “doom and gloom” to point out that a technology isn’t actually providing security, which is exactly the case with many deployments of two-factor auth. In some cases banks have admitted it hasn’t really affected fraud….but it makes customers more confident so is good for business anyways. What do you mean by “it worked for Paypal”? What does it mean to work? Did they release numbers of how it actually cut fraud? (If so, please provide link?)

Boy do I hope we avoid the “everybody uses biometrics” world….at least until they can figure out how to “replace” my voice, iris, or whathaveyou when the system is inevitably compromised.

 

You really have to be careful in every step you take, especially in giving your personal information to others. This may lead to identity fraud, where they take your identity and pretend that they are you. We must be aware.