Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

10/24/2005
06:10 PM
Mitch Wagner
Commentary

How Not To Stop Online Bank Fraud

In the name of protecting against phishing, identity theft and other forms of fraud, federal regulators handed banks and consumers an enormous job recently. The work required will make online transactions a great deal more expensive for banks--who will no doubt pass the expense on to customers. The requirement will make online transactions far less convenient for consumers. And it'll be, at best, partially effective.

As reported in a story by my colleague Steve Marlin, the Federal Financial Institutions Examination Council is giving banks until the end of next year (that is, the end of 2006) to implement two-factor authentication for online transactions. Right now, most banks use only single-factor authentication: you go to the bank's Web site, enter a login and password, and you're in your account.

With two-factor authentication, you'll need something you have in addition to the password you know. Generally speaking, that something else is a hardware token, such as a smart card or a gadget the size of a key fob that generates one-time passwords. Some banks distribute a list of one-time passwords on a scratch-off card instead.

Implementing support for two-factor authentication is going to be a huge expense for banks.

Moreover, for consumers, it's one more thing to worry about, remember, and eventually lose and have to go to the trouble of replacing.

But it'll be worth it if it wipes out online bank fraud, right?

One problem: It won't. Steve's article points out that crooks will simply trick consumers into giving up their one-time passwords; this has already happened at a Scandinavian bank that implemented two-factor authentication.

Security expert Bruce Schneier, CTO of Counterpane Internet Security, explains further. He notes that two-factor authentication will do nothing to stop two of the most common attacks perpetrated on the Internet today: man-in-the-middle attacks, and attacks using Trojan horses.

As Bruce describes it, a man-in-the-middle attack is a form of phishing attack. You get an e-mail saying your financial institution needs to update its account records. The e-mail directs you to a Web site where you log into your account. But the Web site is a phony: it relays your login information, one-time code included, to criminals who are, in the background and at that same moment, using it to log in to the real bank site, and then stick a (metaphorical) vacuum cleaner hose into your bank account and suck all the money out.

A modification of that technique uses a Trojan on your PC, which waits for you to log into your account and then executes whatever transactions the attacker wants.

Note that these attacks won't be stopped by strong authentication, because the legitimate user really is authenticating himself with his legitimate credentials; the attacker never has to pass the login check at all, he simply uses the session the user just opened. It's the high-tech version of a venerable method for breaking into apartment buildings: Why bother picking the lock when you can just wait for one of the actual residents of the building to go inside, and follow the resident in?

Bruce is pretty dismissive of the usefulness of two-factor authentication. "This won't help," he writes. "It'll change the tactics of the criminals, but won't make them go away." He predicts there'll initially be a reduction in online fraud, but it'll bounce back as crooks try out different tactics, and go up against softer targets.

I think Bruce is being a little too skeptical. First off, if my bank implements two-factor authentication and that drives the fraudsters to some other bank, then as far as I'm concerned, that makes two-factor authentication a smashing success. (This is the same principle behind car security systems. My car security system doesn't have to be impervious--it just has to be better than the security system on the car parked next to mine.)

Secondly, two-factor authentication will reduce the criminal market in passwords. Right now, crooks can obtain your bank login and password and sell the information to other crooks for fast cash. The information has a shelf life of weeks or months, until you notice the fraud and change your password. But two-factor authentication makes that information a heck of a lot less valuable, because one-time passwords only work once, of course. Even worse (from the crook's perspective): The most popular automated password generators are clock-synchronized. The code a fob displays is good only for a short window, typically 30 to 60 seconds, and the bank rejects it at any other time. A captured code is therefore useless minutes later, let alone for resale; the only way to cash it in is to relay it to the bank while it is still valid, which is exactly the man-in-the-middle attack Bruce describes.
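The mechanics behind this paragraph and behind Bruce's two attacks, as an added simulation that is not part of this column or of any bank's system: a toy bank with a clock-synchronized one-time-password fob, where the HMAC-based TOTP construction of RFC 6238 stands in for the proprietary fobs of the day, and the 30-second step, the customer password, the fob seed (RFC 6238's published test secret) and the timestamps are all constructed for the example. It runs four scenarios: a captured password resold and used three days later, a captured one-time code put to the same use, a phishing site relaying a fresh code to the real bank inside its validity window, and a Trojan issuing a transfer on the victim's own session.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

STEP = 30       # seconds each code is valid for (assumed; real fobs use 30 to 60 s)
DIGITS = 6
DEMO_SEED = b"12345678901234567890"   # constructed: RFC 6238's test-vector secret
T0 = 1_700_000_000                    # constructed clock value for the scenarios


def totp(seed: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Time-based one-time code (RFC 6238, HMAC-SHA1) for the step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Bank:
    """Toy bank (constructed): password login, optionally plus a fob code,
    then transfers authorised by nothing more than a live session token."""

    def __init__(self, two_factor: bool, seed: bytes = DEMO_SEED):
        self.two_factor = two_factor
        self.password = "hunter2"   # constructed customer password
        self.seed = seed            # shared secret programmed into the fob
        self.balance = 1000
        self.sessions = set()
        self.used_codes = set()     # (time step, code): each code accepted once

    def login(self, password: str, otp: Optional[str], now: int) -> Optional[str]:
        if password != self.password:
            return None
        if self.two_factor:
            key = (now // STEP, otp)
            if otp != totp(self.seed, now) or key in self.used_codes:
                return None         # wrong time step, or a replayed code
            self.used_codes.add(key)
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    def transfer(self, token: str, amount: int) -> bool:
        """The session, not the person, is what authorises a transfer."""
        if token not in self.sessions or amount > self.balance:
            return False
        self.balance -= amount
        return True


def resell_captured_credentials(two_factor: bool) -> bool:
    """The password market: a keylogged password (and, with 2FA, the code
    typed next to it) is sold and used three days after capture."""
    bank = Bank(two_factor)
    captured_otp = totp(bank.seed, T0) if two_factor else None
    token = bank.login("hunter2", captured_otp, T0 + 3 * 86400)
    return token is not None and bank.transfer(token, 1000)


def relay_through_phishing_site(two_factor: bool) -> bool:
    """Man-in-the-middle: the fake site forwards the password and the fresh
    fob code to the real bank two seconds later, inside the same time step."""
    bank = Bank(two_factor)
    typed_otp = totp(bank.seed, T0) if two_factor else None   # read off the fob
    token = bank.login("hunter2", typed_otp, T0 + 2)            # attacker's session
    return token is not None and bank.transfer(token, 1000)


def ride_victim_session(two_factor: bool) -> bool:
    """Trojan on the PC: the victim authenticates properly; the Trojan then
    issues its own transfer on the victim's session token."""
    bank = Bank(two_factor)
    victim_otp = totp(bank.seed, T0) if two_factor else None
    victim_token = bank.login("hunter2", victim_otp, T0)
    return victim_token is not None and bank.transfer(victim_token, 1000)


if __name__ == "__main__":
    for name, attack in [("resell", resell_captured_credentials),
                         ("relay", relay_through_phishing_site),
                         ("ride", ride_victim_session)]:
        print(f"{name:6s} one-factor={attack(False)}  two-factor={attack(True)}")
```

Only the resale scenario is defeated by the second factor: the code is rejected once its time step has passed, and rejected again if it is presented twice. The relay and the session-riding scenarios succeed with or without the fob, because neither touches the login check; that is the point Bruce is making, and the reason a stronger check at login cannot address them.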

So is a government requirement of two-factor authentication worth the cost of implementation? Leave a comment and let us know what you think.
