Risk

10/24/2005 06:10 PM
Mitch Wagner
Commentary

How Not To Stop Online Bank Fraud

In the name of protecting against phishing, identity theft and other forms of fraud, federal regulators recently handed banks and consumers an enormous job. The work required will make online transactions a great deal more expensive for banks, which will no doubt pass the expense on to customers. The requirement will make online transactions far less convenient for consumers. And it'll be, at best, partially effective.

As reported in a story by my colleague Steve Marlin, the Federal Financial Institutions Examination Council is giving banks until the end of 2006 to implement two-factor authentication for online transactions. Right now, banks use only one-factor authentication: You go to the bank's Web site, enter a login and password, and you're in your account.

With two-factor authentication, you'll need something else in addition to your password to get in. Generally speaking, that something else is something you physically possess: a hardware token, such as a smart card or a gadget the size of a key fob that generates one-time passwords. Some banks instead distribute a printed list of one-time passwords on a scratch-off card, each of which is crossed off after it is used.

Implementing support for two-factor authentication is going to be a huge expense for banks.

Moreover, for consumers, it's one more thing to worry about, remember, and eventually lose and have to go to the trouble of replacing.

But it'll be worth it if it wipes out online bank fraud, right?

One problem: It won't. Steve's article points out that crooks will simply trick consumers into giving up their one-time passwords and use them before they expire; this has already happened at a Scandinavian bank that implemented two-factor authentication.

Security expert Bruce Schneier, CTO of Counterpane Internet Security, explains further. He notes that two-factor authentication will be impotent against two of the most common attacks perpetrated on the Internet today: man-in-the-middle attacks, and attacks using Trojan horses.

As Bruce describes it, a man-in-the-middle attack is a form of phishing attack. You get an e-mail saying your financial institution needs to update its account records. The e-mail directs you to a Web site where you log into your account. But the Web site is a phony: it relays your login information, one-time password included, to criminals who are, in the background and while that password is still valid, using it to log in to the real bank site, and then stick a (metaphorical) vacuum cleaner hose into your bank account and suck all the money out.

A modification of that technique uses a Trojan on your PC, which waits for you to log into your account yourself, with your real token, and then uses the authenticated session to execute whatever transactions the attacker wants.

Note that these attacks won't be stopped by strong authentication, because the legitimate user is using his legitimate credentials to authenticate himself. It's the high-tech version of a venerable method for breaking into apartment buildings: Why bother picking the lock when you can just wait for one of the actual residents of the building to go inside, and follow the resident in.

Bruce is pretty dismissive of the usefulness of two-factor authentication. "This won't help," he writes. "It'll change the tactics of the criminals, but won't make them go away." He predicts there'll initially be a reduction in online fraud, but it'll bounce back as crooks try out different tactics, and go up against softer targets.

I think Bruce is being a little too skeptical. First off, if my bank implements two-factor authentication and that drives the fraudsters to some other bank, then as far as I'm concerned, that makes two-factor authentication a smashing success. (This is the same principle behind car security systems. My car security system doesn't have to be impervious--it just has to be better than the security system on the car parked next to mine.)

Secondly, two-factor authentication will reduce the criminal market in passwords. Right now, crooks can obtain your bank login and password and sell the information to other crooks for fast cash. The information has a shelf life of weeks or months, until you notice the fraud and change your password. But two-factor authentication makes that information a heck of a lot less valuable, because one-time passwords, of course, work only once. Even worse (from the crook's perspective): The most popular token designs generate the password from the current time, so a code is accepted only within a short window around the moment it was generated. It cannot be stockpiled and resold later, which makes its resale value zero, though, as the man-in-the-middle attack above shows, it can still be used if the crook relays it to the bank right away.
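The following is an added example, not code from the article or from any bank or token vendor, illustrating the behaviour described above: a time-based one-time-password token and a bank-side verifier, used to show why a captured code has no resale value but still works when a phishing site relays it to the real bank within seconds (the man-in-the-middle case). It assumes the token runs RFC 6238 TOTP (HMAC-SHA1, 30-second step); the bank tokens of the era used vendor-specific algorithms with the same time-window property. The shared secret is the one from the RFC's published test vectors (constructed input, not a real credential), the `TokenVerifier` class and `captured_code_works` function are hypothetical names, and the replay-tracking logic is the usual minimum a verifier needs so that a code is genuinely one-time.

```python
"""
Added example (not from the article): a time-based one-time-password token
and a verifier, showing why a captured code cannot be resold but still works
if relayed to the bank in real time.

Assumption: RFC 6238 TOTP (HMAC-SHA1, 30-second step). Bank tokens of the
era used vendor-specific algorithms with the same time-window property.
"""
import hashlib
import hmac
import struct

# Shared secret from the RFC 6238 test vectors (constructed input, not a
# real credential), so the codes can be checked against the RFC's table.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per code; this is the "clock" the article refers to


def totp(secret: bytes, t: int, step: int = STEP, digits: int = 6) -> str:
    """Code the token displays at Unix time t: HOTP over the time counter."""
    counter = t // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Bank-side check (hypothetical): accept a code only within its time
    window, and only once, so it is genuinely one-time."""

    def __init__(self, secret: bytes, step: int = STEP, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew  # tolerate this many steps of clock drift each way
        self.used_counters = set()  # time counters already spent

    def verify(self, code: str, now: int) -> bool:
        for w in range(-self.skew, self.skew + 1):
            t = now + w * self.step
            counter = t // self.step
            if counter in self.used_counters:
                continue  # a code already spent is refused even if it matches
            if hmac.compare_digest(totp(self.secret, t, self.step), code):
                self.used_counters.add(counter)
                return True
        return False


def captured_code_works(verifier: TokenVerifier, secret: bytes,
                        capture_time: int, delay: int) -> bool:
    """A phisher captures the victim's code at capture_time and submits it
    to the bank `delay` seconds later. Returns whether the bank accepts it."""
    code = totp(secret, capture_time)  # what the phony site saw the victim type
    return verifier.verify(code, capture_time + delay)


if __name__ == "__main__":
    bank = TokenVerifier(SECRET)
    t0 = 1_000_000  # constructed capture time
    # Man-in-the-middle: relayed within seconds, the code is inside its window.
    print("relayed within seconds:", captured_code_works(bank, SECRET, t0, 5))  # True
    # Same code again: the verifier has already spent that counter.
    print("replayed a second time:", captured_code_works(bank, SECRET, t0, 5))  # False
    # Resale: a code sold on and used days later is worthless.
    print("resold three days later:",
          captured_code_works(bank, SECRET, t0, 3 * 86400))  # False
```

The relayed code succeeds because the bank cannot distinguish a phisher submitting a valid code inside its window from the legitimate user; that is the whole of Schneier's objection. The resale and replay cases fail, which is the shrinking of the password black market the paragraph above describes. A scratch-off list behaves the same way with an event counter in place of the clock: each entry is accepted once and then crossed off.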

So is a government requirement of two-factor authentication worth the cost of implementation? Leave a comment and let us know what you think.
