X
Tech

Banks cheating their way to web security guidelines

We need to get past this idea that the Bank has to issue the authentication device because it would be far cheaper, more convenient, and equally secure if the user owned his or her own strong authentication tokens. This way only one or two (for redundancy) $60 devices are used for strong authentication access to multiple banks and even other purposes. Any token that is lost can easily be centrally revoked and a second authentication token can be used for backup similar to the practice of two sets of car keys and house keys. The type of device used by the user should not be of anyone's concern so long as it is FIPS certified.
Written by George Ou, Contributor

Fellow blogger David Berlind made some great observations about the Banking industry taking the easy road to meet vague federal web security guidelines on multifactor authentication.  David writes:

On page 3, the Federal guidelines go so far as to list the three factors of security: 

  • Something the user knows (e.g., password, PIN);
  • Something the user has (e.g., ATM card, smart card) and ;
  • Something the user is (e.g., biometric characteristic, such as a fingerprint).

    Multifactor authentication therefore relies on two or three of the above factors in combination.  Yet, according to the InfoWorld article, instead of adding one or two additional factors to the most common form of online banking authentication (what the user knows: userID & password), they're just  piling additional "what the user knows" items into the authentication process.

    First, I'm sure there are security experts that would disagree.  But adding more questions (in the "what you know" factor category) is not to me, a multifactor authentication feature.

  • Passwords and fingerprints are at best supplemental authentication mechanisms that should not be used as the active ingredient in a strong authentication environment.

    No David, you're absolutely right here and no security expert should ever count multiple instances of "something the user knows" as "multifactor authentication".  I would go further to say that even true "multifactor authentication" is over hyped as a method of good security.  What's really needed is "strong-factor authentication" because "Something the user knows" and "Something the user is (biometrics)" are actually the weaker methods of authentication.  Biometric authentication is not the cure-all to security woes that it is commonly perceived to be.  You cannot rely on passwords and fingerprints alone to build a strong universal authentication system because the password and even the fingerprint is just a static secret that's known by a minimum of multiple parties which can be compromised.  Passwords and fingerprints are at best supplemental authentication mechanisms that should not be used as the active ingredient in a strong authentication environment.  Furthermore I'm hesitant to rely on something that I cannot change (something I am) and I really don't want to give people the idea that they may need to detach any of my body parts to compromise my Bank account.  No material item in this world is worth life or limb.

    True strong authentication is a smartcard or some other forms of cryptographic tokens.  Just the plain old ATM card or credit card does not qualify as strong authentication.  There is absolutely no way around the issue of strong authentication and smartcards for good security but the problem seems to be a matter of education in the United States.  European countries have been using strong authentication for years and many of them laugh at the Americans for pathetic security.  The problem is that some people always manage to confuse strong authentication with government tracking and the storing private data on a single card when nothing could be further from the truth.  Smartcards or cryptographic tokens are just tiny computers with random numbers inside of them with absolutely no personal data inside of them.  It is true that they can store encrypted private data but that is an optional feature not essential to the strong authentication aspect of smartcards or cryptographic tokens.  The issue of tracking of people has absolutely nothing to do with strong authentication.  With the right court orders today, people can be tracked through conventional credit card transactions and strong authentication doesn't affect this one way or the other.

    The cost factor of implementing strong authentication is an issue that needs to be dealt with.  While it's true that strong authentication technology costs real money, it certainly has to be a lot less than the amount of money lost to fraud which eventually has to be passed on to the consumer.  But one of the biggest cost factors overlooked is the unnecessary redundancy of multiple Banks issuing multiple strong authentication tokens.  We need to get past this idea that the Bank has to issue the authentication device because it would be far cheaper, more convenient, and equally secure if the user owned his or her own strong authentication tokens.  This way only one or two (for redundancy) $60 devices are used for strong authentication access to multiple banks and even other purposes.  Any token that is lost can easily be centrally revoked and a second authentication token can be used for backup similar to the practice of two sets of car keys and house keys.  The type of device used by the user should not be of anyone's concern so long as it is FIPS certified.

    With strong authentication technology, you the user can use your own authentication device and you simply need to register the device or devices in person or even do online registration by sending signed public keys to any new organization you wish to conduct business with.  The beauty of strong authentication technology is that it can increase security and convenience at the same time.  The same token can be used for as many services as the user desires from corporate VPN to online Banking to online shopping.  Most users are sick and tired of memorizing multiple passwords for all the different online services and sites they use.  Multiple weak authentication methods and multiple passwords don't improve security and are likely to make matters worse because users will either have to write things down or they end up using the same password anyways.  Consolidated strong authentication devices will provide superior security while reducing complexity and simplify all of our lives.

    Editorial standards