As reported in a story by my colleague Steve Marlin, the Federal Financial Institutions Examination Council is giving banks until the end of next year to implement two-factor authentication for online transactions. Right now, banks only use one-factor authentication: You go to the bank's web site, enter in a login and password, and you're in your account.
With two-factor authentication, you'll need something else in addition to your password to get in. Generally speaking, that something else is a hardware token, such as a smart card or a gadget the size of a key fob that generates one-time passwords. (For a photo of one of those gadgets, follow the link in the previous story.) Some banks distribute a list of one-time passwords on a scratch-off card.
Implementing support for two-factor authentication is going to be a huge expense for banks.
Moreover, for consumers, it's one more thing to worry about, remember, and eventually lose and have to go to the trouble of replacing.
But it'll be worth it if it wipes out online bank fraud, right?
One problem: It won't. Steve's article points out that crooks will simply trick consumers into giving up their one-time passwords; this has already happened at a Scandinavian bank that implemented two-factor authentication.
Security expert Bruce Schneier, CTO of Counterpane Internet Security, explains further. He notes that two-factor authentication will be impotent to stop two of the most common attacks perpetrated on the Internet today: man-in-the-middle attacks, and attacks using Trojan Horses.
As Bruce describes it, a man-in-the-middle attack is a form of phishing attack. You get an e-mail saying your financial institution needs to update its account records. The e-mail directs you to a Web site where you log into your account. But the Web site is a phony--it's relaying your login information to criminals, who are, in the background, using your login information to log in to the real bank site, and then stick a (metaphorical) vacuum cleaner hose into your bank account and suck all the money out.
A modification of that technique uses a Trojan on your PC, which waits for you to log into your account and then executes whatever transactions the attacker wants.
Note that these attacks won't be stopped by strong authentication, because the legitimate user is using his legitimate credentials to authenticate himself. It's the high-tech version of a venerable method for breaking into apartment buildings: Why bother picking the lock when you can just wait for one of the actual residents of the building to go inside, and follow the resident in.
Bruce is pretty dismissive of the usefulness of two-factor authentication. "This won't help," he writes. "It'll change the tactics of the criminals, but won't make them go away." He predicts there'll initially be a reduction in online fraud, but it'll bounce back as crooks try out different tactics, and go up against softer targets.
I think Bruce is being a little too skeptical. First off, if my bank implements two-factor authentication and that drives the fraudsters to some other bank, then as far as I'm concerned, that makes two-factor authentication a smashing success. (This is the same principle behind car security systems. My car security system doesn't have to be impervious--it just has to be better than the security system on the car parked next to mine.)
Secondly, two-factor authentication will reduce the criminal market in passwords. Right now, crooks can obtain your bank login and password and sell the information to other crooks for fast cash. The information has a shelf life of weeks or months, until you notice the fraud and change your password. But two-factor authentication makes that information a heck of a lot less valuable, because one-time passwords only work once, of course. Even worse (from the crook's perspective): The most popular online automated password generators work on a sophisticated clock algorithm: the password is only good at the time it was generated; it's useless at any other time and therefore its resale value is zero.
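To make the clock-based point concrete, here is an added example (not code from the article or from any bank's token vendor) of RFC 6238 time-based one-time passwords in Python; the shared secret and the timestamps are constructed for the demo. It shows that a captured code is accepted only for the current 30-second step plus one step of drift tolerance, so a code sold hours later is worthless, while one relayed within the same step still works, which is the man-in-the-middle gap described above.

```python
import hashlib
import hmac
import struct

# Constructed secret for this demo only; a real token is provisioned with a
# random per-customer secret at enrollment.
SECRET = b"constructed-demo-secret-not-real"
STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since the epoch."""
    return hotp(secret, at_time // step)


def verify(secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step and its immediate neighbours
    (clock-drift tolerance). A code from any older step is dead."""
    current = now // STEP_SECONDS
    for counter in range(max(current - skew_steps, 0), current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def captured_code_still_works(secret: bytes, generated_at: int, attempt_at: int) -> bool:
    """Would a code captured at generated_at still be accepted at attempt_at?
    True inside the drift window (the relay case); False once the clock moves on
    (the resale case)."""
    return verify(secret, totp(secret, generated_at), attempt_at)
```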
So is a government requirement of two-factor authentication worth the cost of implementation? Leave a comment and let us know what you think.