
Risk
10/24/2005 06:10 PM
Mitch Wagner
Commentary

How Not To Stop Online Bank Fraud

In the name of protecting against phishing, identity theft and other forms of fraud, federal regulators handed banks and consumers an enormous job recently. The work required will make online transactions a great deal more expensive for banks--who will no doubt pass the expense on to customers. The requirement will make online transactions far less convenient for consumers. And it'll be, at best, partially effective.

As reported in a story by my colleague Steve Marlin, the Federal Financial Institutions Examination Council is giving banks until the end of next year to implement two-factor authentication for online transactions. Right now, banks only use one-factor authentication: You go to the bank's web site, enter in a login and password, and you're in your account.

With two-factor authentication, you'll need something else in addition to your password to get in. Generally speaking, that something else is a hardware token, such as a smart card or a gadget the size of a key fob that generates one-time passwords. (For a photo of one of those gadgets, follow the link in the previous story.) Some banks distribute a list of one-time passwords on a scratch-off card.

Implementing support for two-factor authentication is going to be a huge expense for banks.

Moreover, for consumers, it's one more thing to worry about, remember, and eventually lose and have to go to the trouble of replacing.

But it'll be worth it if it wipes out online bank fraud, right?

One problem: It won't. Steve's article points out that crooks will simply trick consumers into giving up their one-time passwords; this has already happened at a Scandinavian bank that implemented two-factor authentication.

Security expert Bruce Schneier, CTO of Counterpane Internet Security, explains further. He notes that two-factor authentication will be impotent to stop two of the most common attacks perpetrated on the Internet today: man-in-the-middle attacks, and attacks using Trojan Horses.

As Bruce describes it, a man-in-the-middle attack is a form of phishing attack. You get an e-mail saying your financial institution needs to update its account records. The e-mail directs you to a Web site where you log into your account. But the Web site is a phony--it's relaying your login information to criminals, who are, in the background, using your login information to log in to the real bank site, and then stick a (metaphorical) vacuum cleaner hose into your bank account and suck all the money out.

A modification of that technique uses a Trojan on your PC, which waits for you to log into your account and then executes whatever transactions the attacker wants.

Note that these attacks won't be stopped by strong authentication, because the legitimate user is using his legitimate credentials to authenticate himself. It's the high-tech version of a venerable method for breaking into apartment buildings: Why bother picking the lock when you can just wait for one of the actual residents of the building to go inside, and follow the resident in?

Bruce is pretty dismissive of the usefulness of two-factor authentication. "This won't help," he writes. "It'll change the tactics of the criminals, but won't make them go away." He predicts there'll initially be a reduction in online fraud, but it'll bounce back as crooks try out different tactics, and go up against softer targets.

I think Bruce is being a little too skeptical. First off, if my bank implements two-factor authentication and that drives the fraudsters to some other bank, then as far as I'm concerned, that makes two-factor authentication a smashing success. (This is the same principle behind car security systems. My car security system doesn't have to be impervious--it just has to be better than the security system on the car parked next to mine.)

Secondly, two-factor authentication will reduce the criminal market in passwords. Right now, crooks can obtain your bank login and password and sell the information to other crooks for fast cash. The information has a shelf life of weeks or months, until you notice the fraud and change your password. But two-factor authentication makes that information a heck of a lot less valuable, because one-time passwords only work once, of course. Even worse (from the crook's perspective): The most popular automated password generators work on a sophisticated clock algorithm: the password is only good at the time it was generated; it's useless at any other time, and therefore its resale value is zero.
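To make the two properties the argument above relies on concrete (a one-time password is consumed on first use, and a clock-based code is only valid in the time step in which it was generated), here is an added example of a bank-side verifier; it is not code from the article or from any bank or token vendor, and the HMAC-based construction, the 60-second step, the demo secret and the timestamps are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between token and bank; a real deployment
# provisions a random per-customer secret.
DEMO_SECRET = b"demo-shared-secret-not-for-real-use"
STEP_SECONDS = 60  # assumed clock granularity of the token
DIGITS = 6


def otp_at(secret: bytes, unix_time: int) -> str:
    """Code shown by the token during the time step containing unix_time.

    HMAC over the step counter, truncated to DIGITS decimal digits: an assumed
    construction in the spirit of the clock algorithm the article describes.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class OtpVerifier:
    """Bank side: accept a code only in its own time step and only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_counter = -1  # highest step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP_SECONDS
        # Replay protection: a step already used is never accepted again, so a
        # phished code is worthless the moment the customer has logged in.
        if counter <= self.last_accepted_counter:
            return False
        if not hmac.compare_digest(otp_at(self.secret, unix_time), code):
            return False  # wrong step (or wrong secret): code has expired
        self.last_accepted_counter = counter
        return True


def demo() -> dict:
    """Outcomes for one captured code, at a constructed late-October-2005 time."""
    t0 = 1_130_198_400  # constructed timestamp, exactly on a step boundary
    bank = OtpVerifier(DEMO_SECRET)
    code = otp_at(DEMO_SECRET, t0)  # what the customer reads off the token
    return {
        "first_use": bank.verify(code, t0 + 5),
        "replay_same_step": bank.verify(code, t0 + 20),
        "resold_minutes_later": OtpVerifier(DEMO_SECRET).verify(code, t0 + 3 * STEP_SECONDS),
    }
```

Only the first call succeeds: the replay is refused because the step is consumed, and the resold code is refused because the clock has moved to a different step.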

So is a government requirement of two-factor authentication worth the cost of implementation? Leave a comment and let us know what you think.
