Hi Nick,

Excellent comments.

> -----Original Message-----
> From: Nick FitzGerald
>
> Rogier Mulhuijzen wrote:
>
> > I'm surprised that banks use such simple things as passwords. Banks here
> > in the Netherlands use things like one-time PINs, and challenge/response
> > stuff that uses your chipped bank card. Seems a little safer to me.
>
> Banks use such simple things because they are cost effective, or
> rather, the cost of doing anything genuinely more effective is so
> prohibitive that they won't be doing it unless required by legislation
> or until the cost of the fraud due to not doing it significantly
> outweighs the cost of doing it properly (I give them about another
> 3-5 years on that criterion).

I agree, but not just because they will suddenly feel they should; they will be forced by legislation (hopefully). The problem is, as you mention, that banks look at their costs and then see what is best for them, but many are simply not aware of all the security problems and their impact. So this information is not included in the equation and their estimation is incorrect. Also, securing the client and the channel up to the bank's perimeter still has many drawbacks, as there are still several points within the banks where fraud can be committed.

> Sure, they're a lot more expensive and a lot more "high-tech" but
> unless they are doing end-to-end client and server authentication and
> strong crypto _AND_ have their own input and output devices that cannot
> be interfaced from the host OS _AND_ are required for verifying
> (virtually) every step of every transaction (in other words -- if you
> have any of the real-world implementations of banking OTP cards used
> anywhere in the world, the answer is "no"), they are effectively no
> better than the Citi OSK's as they are trivially MiTM'ed via on-client
> malware.

This is true, and doing it right is even harder than it seems. Providing an independent hardware security module (i.e. with its own input/output) for the client would probably be the easier part if we forget about the cost. But at the other end, within the bank, there are usually hundreds of applications that have different kinds of interfaces through which transactions flow. Sometimes these applications and systems are connected through things like file transfer protocols for batch processing (let your imagination fly on the security of these systems; you will probably be correct), where persistence of the client's verification for the transaction is nearly impossible to maintain. The right thing to do from an information security point of view is to maintain audit trails, confidentiality (encrypted content) and authorization trails for each transaction, at each step, from the client's end of the channel up to the last server and application (where the transaction is committed). That would practically require banks to rebuild their systems from scratch, which wouldn't be a bad idea, but I don't see that coming in my lifetime.

> Your smug belief in the superior security of your OTP card-based system
> is just as misplaced as that of anyone foolish enough to believe that
> Citi really ratcheted up the bar with its OSK.

The technology is superior; the implementation is flawed. We see this happening all the time in information security. If you have a smart card reader with an independent PIN pad you can further improve the security by signing and encrypting your transactions on-card (with keys preinstalled in the card by the bank), thwarting any computer-based MITM attack because everything in between (including the client's computer) acts just as transport (DoS is still an option though). OSK will stand where it is; it can hardly be improved, if at all. But you are right, card systems are as useless as the OSK as they have been implemented right now.

> Now, imagine you have the choice of being a shareholder in your Dutch
> bank or Citi and on every other measure these banks rate the same --
> Citi is a better deal as it uses less expensive tech to implement the
> same level of flawed "security" so should produce a better RoI...
>
> Now do you see why banks use such simple things as OSK's and your OTP
> card?

Some banks who are now realizing the impact of electronic fraud are desperate to transfer the responsibility to their clients (as far as law permits). And I think shareholders are more interested in that right now than in the technical solutions or placebos for security that they might implement. There have been some discussions on the negative impact on the bank's image that this might cause, but it might still happen. First, it could happen that so many banks at some point adopt this strategy that you won't have anywhere to run. Second, even if people go back to supposedly traditional banking, electronic fraud is here to stay. The only thing traditional about traditional banking is the physical presence of human beings; everything else has been highly automated (even good old checks are verified automatically through their magnetic band these days). So, instead of losing your bank account details to a trojan in your computer, someone might copy your credit card details with a tampered ATM, or you might simply get your ID stolen when you identify yourself to a dishonest bank employee. After all, when you are moving a relatively big amount of money, carrying cash is not an option anymore; you will have to use a check at least (e.g. for buying a new, expensive car). In the end, people will realize that running away from e-banking is probably not a safer option after all.

This is why my hope lies in legislation (if done right, of course). It is the only thing that can force financial institutions to adopt better security, so that when your bank tells you that you are responsible for your access credentials to your e-banking account, at least you know (or hope) that someone with knowledge put several controls in place that make fraud by other entities (including dishonest bank employees) a less likely option.

Finally, there are also several institutions that say: "I'll put in less security, and when someone steals from you I'll pay you back". My opinion is that this solution won't be very popular in the future if fraud keeps growing at the same rate as in the past 3 years. For instance, if someone else steals your money or your identity and does something nasty with it, so that you end up giving explanations to the police, paying back might not be enough for your inconveniences.

Cheers,

Omar Herrera
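As an added illustration of the on-card transaction signing Omar describes (this code is not part of the email thread), a toy model of what-you-see-is-what-you-sign: the card signs exactly the fields the user confirmed on its own PIN pad, and the bank verifies the signature and rejects replays, so a compromised host PC can alter or drop a transaction (the DoS he mentions) but cannot forge one. HMAC-SHA256 with a constructed key stands in for the card's real signature scheme, and the account numbers and field layout are assumptions.

```python
# Toy model of on-card signing; HMAC-SHA256 is a stand-in for the card's
# real signature scheme (assumption), and the key below is constructed.
import hmac
import hashlib

# Constructed sample key; in reality installed in the card by the bank.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def canonical(dest_account: str, amount_cents: int, counter: int) -> bytes:
    """Fixed, unambiguous encoding of exactly the fields shown on the PIN pad."""
    return f"{dest_account}|{amount_cents}|{counter}".encode()


def card_sign(key: bytes, dest_account: str, amount_cents: int, counter: int) -> bytes:
    """Runs inside the card after the user confirms the details on its own keypad."""
    return hmac.new(key, canonical(dest_account, amount_cents, counter), hashlib.sha256).digest()


class BankVerifier:
    """Bank side: checks the card's signature and rejects replayed counters."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, dest_account: str, amount_cents: int, counter: int, sig: bytes) -> bool:
        expected = hmac.new(self.key, canonical(dest_account, amount_cents, counter), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False  # fields altered in transit (e.g. by host malware) or wrong key
        if counter <= self.last_counter:
            return False  # replay of an earlier, genuinely signed transaction
        self.last_counter = counter
        return True


def demo() -> tuple:
    """Honest transfer, a tampered copy and a replay; returns the bank's three verdicts."""
    bank = BankVerifier(CARD_KEY)
    sig = card_sign(CARD_KEY, "NL00BANK0123456789", 10000, 1)
    honest = bank.accept("NL00BANK0123456789", 10000, 1, sig)
    # The host rewrites the destination account but cannot produce a new signature.
    tampered = bank.accept("NL00BANK9999999999", 10000, 1, sig)
    # The host resubmits the genuine signed message a second time.
    replayed = bank.accept("NL00BANK0123456789", 10000, 1, sig)
    return honest, tampered, replayed
```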