By way of Bruce Schneier's blog comes news of a press release issued by a credit union that reeks of the sort of spin control that bank PR people resort to in order to pretend (to the public) that their security is better than it is. Says the press release from New Horizons Community Credit Union regarding the theft of a computer containing sensitive customer account information:
The computer was protected by two layers of security, a unique user-identifier and a multiple-character, alpha-numeric password.
In his blog, Schneier was quick to point out that there's only one layer of security here, and not a very good one at that:
Um, hello? Having a username and a password -- even if they're both secret -- does not count as two factors, two layers, or two of anything. You need to have two different authentication systems: a password and a biometric, a password and a token.....I wouldn't trust the New Horizons Community Credit Union with my money.
So laughable is the wording of the press release that you have to wonder how this description of the bank's security made it into the final draft. If, for example, this is how the bank's own IT security people described its security to the PR people, then I can see why Bruce is saying he wouldn't trust the bank with his money. Note to bank managers: if your IT people are telling you that a userID/password combination equates to two layers of security, then you must do one of two things: get out of the banking business or fire your IT people.
At this point, you banking IT people out there are cringing because you know that no IT person worth their salt would describe a userID/password combination as two layers of security. The only idiot who would do that is a PR person looking to cover the bank's ass so that its customers don't lose complete confidence. I can see the debate now:
PR person: So, let me get this right. You're saying that to really secure our systems, we need two factors of security -- one is the userID/password combination and the other is something like a fingerprint reader or a smartcard?
IT person: That's right.
PR person: But what you're also saying is that our systems are only a single factor of security -- the userID and password?
IT person: That's right.
PR person: So, our systems really aren't that secure.
IT person: That's right.
PR person: Well, that's not going to fly with the press and our customers. So, what if we use a different word. Let's call it "layer" and say we have "two layers" of security as though it were two factors.
PR person's assistant: <man, now I know why my boss is going places!>
IT person: Ummm.....
PR person: Thank you. That'll be all.
IT person: But...
PR person: I said thank you.
Bank manager: Brilliantly done my man. Thank God we have you.
Take your pick. Did the IT guy say two layers? Or was it the PR person? Or was nobody paying attention when an intern wrote and released this? Whatever the case, this isn't a bank you want to do business with. Either it has chimpanzees working in the IT department or the information it releases to the public is being consciously or unconsciously sanitized. Pick one, any one. None of it should sit well with anyone.
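For anyone still unsure what a real second factor looks like in code, here is an added example (mine, not from the press release, from Schneier or from the credit union) of the "password and a token" arrangement Schneier describes: the password is checked against a salted PBKDF2 hash, and the token is a time-based one-time code per RFC 6238 that only a device holding the seed can produce. The user name, password, salt and user store are made up for the demo; the seed is the RFC 4226/6238 test-vector secret so the codes can be checked against the published vectors. A userID plus password is the first factor once, not twice.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo user store: everything here is made up for this example,
# except the token seed, which is the RFC 4226 / RFC 6238 test-vector secret.
PBKDF2_ROUNDS = 100_000
DEMO_SEED = b"12345678901234567890"
USERS = {
    "alice": {
        "salt": b"per-user-salt-alice",
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse battery", b"per-user-salt-alice", PBKDF2_ROUNDS
        ),
        "totp_seed": DEMO_SEED,
    },
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits)


def check_password(username: str, password: str) -> bool:
    """Factor one, something you know. PBKDF2 runs even for unknown users so the
    response time does not reveal which user names exist."""
    user = USERS.get(username)
    salt = user["salt"] if user else b"dummy-salt-for-unknown-user"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if user is None:
        return False
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_totp(username: str, code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Factor two, something you have: a code only a device holding the seed can
    produce. Accepts +/- `window` 30-second steps to absorb clock drift."""
    user = USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if now is None else now
    counter = now // 30
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Check every candidate rather than returning early, so timing stays constant.
        ok |= hmac.compare_digest(hotp(user["totp_seed"], c).encode(), code.encode())
    return ok


def login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Two factors means two independent checks, not one secret described twice.
    Both checks always run so a failure does not reveal which one failed."""
    pw_ok = check_password(username, password)
    otp_ok = check_totp(username, code, now)
    return pw_ok and otp_ok
```

The seed never leaves the token (in practice an app or hardware key) and the server, so a stolen password alone does not get an attacker in; that independence is what makes it a second factor rather than a second layer of the same factor.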
But wait. It gets worse. What Schneier didn't mention is that a userID/password combination is about as helpful at securing hard drive content as one of those little toy padlocks that comes with your luggage is at securing, well, your luggage. How much do you want to bet that the userID and password we're talking about are operating system credentials? You know, the kind you type into Windows' login screen. News alert: OS credentials can't protect the content on a hard drive from someone with physical access to the system. A login password is a gate in front of a running operating system; it doesn't encrypt a single byte on the platter. Only disk encryption does that, and nothing in the press release's description of its "two layers" mentions encryption.
Don't believe me? Download Knoppix and burn a bootable CD from it. Pop it into your computer's CD-ROM drive and set the PC's BIOS to boot from the CD before any other device. Then behold as Knoppix reveals the entire hard drive to you without your ever entering a userID or password of any sort. The only thing that stops this trick is full-disk encryption: the thief still gets the sectors, but the sectors are ciphertext.
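To make the distinction concrete, here is an added example (mine, not code from the credit union or from Schneier) that models both sides of the Knoppix trick: an OS-style login check that only compares a password hash, an "offline read" that returns the raw sectors exactly as a live CD would, and a sector-level encryption step that is the one thing that makes those raw sectors useless. The account record, salts and passphrases are constructed for the demo, and the HMAC-SHA256 counter-mode keystream is a stand-in for the AES modes real disk encryption uses, chosen so the example runs on the Python standard library alone; it is not something to ship.

```python
import hashlib
import hmac
import struct

# Constructed sample: one "sector" of account data as the OS stores it on disk.
ACCOUNT_RECORD = b"acct=0001234567;name=J. Doe;ssn=000-00-0000;balance=1234.56\n"

# --- The login password: a gate in front of a running OS ---------------------
LOGIN_SALT = b"constructed-login-salt"
LOGIN_HASH = hashlib.pbkdf2_hmac("sha256", b"Tr0ub4dor&3", LOGIN_SALT, 100_000)


def os_login(password: bytes) -> bool:
    """What the login screen does: compare a hash. The disk contents are not involved."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, LOGIN_SALT, 100_000)
    return hmac.compare_digest(candidate, LOGIN_HASH)


def offline_read(disk_bytes: bytes) -> bytes:
    """What a Knoppix boot does: read the sectors. No login check runs, so none can fail."""
    return disk_bytes


def leaks_ssn(disk_bytes: bytes) -> bool:
    """Does an offline read of these sectors expose the record in the clear?"""
    return b"ssn=" in offline_read(disk_bytes)


# --- Disk encryption: the sectors themselves are useless without the key -----
def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Pre-boot passphrase to a 256-bit disk key (PBKDF2; a real product would use a stronger KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=32)


def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Illustrative counter-mode keystream from HMAC-SHA256. Assumption for the demo only:
    it stands in for AES-XTS/CBC as used by real full-disk encryption."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", sector_no, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_sector(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """XOR the sector with a keystream tweaked by its sector number, so two sectors
    holding identical plaintext do not produce identical ciphertext."""
    ks = _keystream(key, sector_no, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_sector(key: bytes, sector_no: int, ciphertext: bytes) -> bytes:
    """Same keystream, same XOR: the right key recovers the record, any other key does not."""
    return encrypt_sector(key, sector_no, ciphertext)
```

Run it and the point is hard to miss: `leaks_ssn(ACCOUNT_RECORD)` is true no matter what `os_login` returns, because the login check never touches the bytes a live CD reads; only after `encrypt_sector` does the offline read come back as noise.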
It's cases like these that are enough to make you ill about what's happening out there in banking security land. And this isn't the first time something idiotic like this has happened. Last June, I reported on a similar case where another financial institution attempted to downplay the gravity of a security breach by classifying it as a phishing scam when it was 100 percent, unequivocally, nothing of the sort. You see, if a bank can turn a security breach into a phishing scam, then it doesn't have to accept any blame for the breach, since a bank can hardly be held responsible when crooks send you an email that pretends to come from it. The bank has no way of intercepting that email and can only take certain measures to educate its customers on how to recognize (1) fraudulent e-mail and (2) the authentic banking site. And even then, those efforts may be in vain.
According to fellow blogger Richard Stiennon, Bank of America's deployment of SiteKey -- an RSA-based technology designed to help BofA's customers know whether they are actually on BofA's Website, or an imposter that's posing as one -- has now been proven fallible by a grad student at Indiana University's School of Informatics.
And hey, I'm just getting warmed up. Don't even get me started about the language tweak that has allowed the term "strong factor" security to sneak into the place of "multi-factor" security, and why the feds are bending over and allowing that ridiculous substitution when auditing the security practices of financial institutions. Bottom line: there is NO substitute for multi-factor security. None. While I'm at it, does anyone know of an American bank that offers true multi-factor security as an option?