Recently my financial institutions have begun implementing “security enhancements” in order to gain compliance with guidelines set by the FFIEC. In a nutshell, the recommendation is as follows:
Using nothing more than a login ID and password to access banking and financial transaction services via the Web is insecure. Instead, financial institutions should turn to multi-factor authentication schemes to ensure client safety.
In order to understand what this means, here is a quick security lesson.
The authentication factors for humans are generally classified by three methods:
- Something the user is (e.g., fingerprint or retinal pattern, DNA sequence, voice pattern, signature recognition, or other biometric identifier)
- Something the user has (e.g., ID card, security token, software token or cell phone)
- Something the user knows (e.g., a password, a pass phrase or a PIN)
Sometimes a combination of methods is used, e.g., a bank card and a PIN, in which case the term ‘two-factor authentication’ is used.
Both Bank of America and Citibank have announced that their idea of complying with the multi-factor authentication recommendation is to essentially do two things:
- Require users to define secret Questions and Answers in their system for challenge purposes.
- Implement a system of “machine tagging” which looks for irregularity in terms of where the banking system is being accessed from.
Since passwords and login IDs are things that a user knows, adding question-and-answer challenges does not meet the criteria of multi-factor authentication, since they are also things a user knows. In essence this isn’t really two-factor, more like 2 one-factors. Since the factors have identical characteristics, if one is compromised, the other will surely follow.
(Sidebar: Even multi-factor authentication can be beaten, so 2 one-factors is a joke!)
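As an added illustration (not from the original post), here is a small Python policy check that counts distinct factor classes rather than login steps; the method names and their classification in FACTOR_OF are my own assumptions, following the three categories above.

```python
"""Classify a login flow by the number of independent authentication factors.

Added example, not from the original post. The method names and the
FACTOR_OF table are illustrative assumptions based on the three classes
(something you are / have / know).
"""
from collections import defaultdict

# Which factor class each authentication method belongs to (assumed mapping).
FACTOR_OF = {
    "password": "knows",
    "pin": "knows",
    "security_question": "knows",   # a second shared secret, still "knows"
    "hardware_token": "has",
    "software_token": "has",
    "smart_card": "has",
    "fingerprint": "is",
    "retina_scan": "is",
}


def classify(methods):
    """Group one login flow's methods by factor class -> {class: [methods]}.

    Unknown methods raise, so a policy review never silently counts a step
    it cannot classify.
    """
    groups = defaultdict(list)
    for m in methods:
        if m not in FACTOR_OF:
            raise ValueError(f"unknown authentication method: {m}")
        groups[FACTOR_OF[m]].append(m)
    return dict(groups)


def factor_count(methods):
    """Distinct factor classes; this, not the number of prompts, is what 'multi-factor' counts."""
    return len(classify(methods))


def is_multi_factor(methods):
    return factor_count(methods) >= 2


def redundant_methods(methods):
    """Methods that add a prompt but no new factor (e.g. a secret question after a password)."""
    return [m for grp in classify(methods).values() if len(grp) > 1 for m in grp[1:]]


if __name__ == "__main__":
    bank_scheme = ["password", "security_question"]   # the "2 one-factors" case
    smart_card = ["password", "smart_card"]           # genuine two-factor
    print(bank_scheme, "factors:", factor_count(bank_scheme), "redundant:", redundant_methods(bank_scheme))
    print(smart_card, "factors:", factor_count(smart_card), "multi-factor:", is_multi_factor(smart_card))
```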
Look at it this way. Do you, or someone you know, EVER make a note of your login information for any site on the Internet? I mean on a piece of paper, in your MS Outlook notes, on a card in your wallet? Or have you ever allowed an automatic form filler like Internet Explorer’s to remember a password?
Every one of these can be easily compromised, and how hard do you think it is then to answer your secret Question / Answer? Many people will write it on the same note so as not to forget it! Otherwise, it’s easy to find out your mother’s maiden name, etc., using investigative sources on the Web.
The bottom line is, multiple shared secrets are not any more secure. In fact, they simply inconvenience the user and leave a false sense of security.
These are not merely my thoughts, they are shared and have been heavily debated on the Web for years:
- SecurityFocus.com discussion
- Nabble Web App Security Forum
- Slashdot.org discussion
- BankersOnline.com discussion
Here is a presentation which outlines how the use of cheap fingerprint scanners could be a secure and cost effective answer to this entire issue; and here is a bank which chose to go the “smart card” route and do this right.
At the end of the day, it’s going to be costly to add true multi-factor authentication to online financial transactions. But the elimination of billions of dollars in fraudulent transactions will more than make up for it. Do not be fooled into believing that the banks are doing everything they can to ensure your protection. In fact, they are doing less than the minimum expected.
Finally, make sure that you’ve read my previous information regarding Protecting Your Digital Secrets.