Thursday, July 14, 2005

Doomsday Hackers and Evildoing Robots

I can't sleep tonight because I have apocalypse on the mind, thanks to Federal judge Richard Posner's recent publication Catastrophe: Risk and Response. Posner's tale of horror would curl Stephen King's toes--except for the part about doomsday hackers and evildoing robots. I'd sooner expect Tom Cruise et al to fall prey to invading martians.

But just because hackers can't wipe out our species doesn't mean they won't do the same to my bank account. That's why I've stopped banking online...

Like prior threats to the internet (viruses destroying all data, P2P files crashing the network, worms immobilizing air travel, spam rendering email useless...), phishing will eventually decline thanks to some combination of technology, legislation, education, and prosecution. (George Stewart's novel Earth Abides, which describes the aftermath of an infection that devastates humanity, predicts the rapid rise and fall of new species infestations--an apt analogy for the scourges that come and go in the new digital wild.) But right now identity theft is in full swing, and this plague is going to take a much longer time to mitigate.

As Willie Sutton observed, the banks are where the money is, and so it's no surprise that ID thieves bring a lot more patience and resource to bear than their evildoing predecessors have. Further, the banks have ignorantly succumbed to 3 myths that render them incapable of solving the problem. Only after dollar losses reach the billions will these superstitions yield to reason:

Myth 1: User education is the key to solving the phishing problem.

What a convenient way to (literally) pass the buck: blame ID theft on users, because they clicked on something naughty. This myth stems from the most rudimentary understanding of primitive phishing attacks. Even sophisticated computer users have no way of knowing that, for example, their ISP's DNS stack has been compromised by a pharming attack, or that a credit agency employee lost her laptop with their credentials on it, or that an unreported Windows vulnerability has allowed malware to redirect their browsers or capture their keystrokes. Most new attacks no longer exploit user naivete, and you can bet that once "education" prevails, all the attacks will move that way.

Myth 2: We need smart cards and biometrics instead of passwords.

Smart cards and biometrics may solve some problems, but NOT THIS ONE. Phishing is essentially a man-in-the-middle attack, in which the thief pretends to be your bank as well as the bank's customer. The "man in the middle" can capture your biometrics just as easily as your password. If the banks deploy SecurID cards, you can bet that the phishers will simply log into the bank while the SecurID code is still valid. Simply put, any authentication that utilizes the computer can be compromised by malware.

That's why solutions in the future will move away from 2-factor authentication and toward 2-channel authentication. (Spy agencies have known this a long time--if you want to authenticate someone, call on a different phone line.) Since your bank knows your phone numbers, a bank computer can simply call you when it needs to confirm your identity, and authorize the specific transaction ("This is Wells Fargo--please enter the code on your screen to authorize the transfer of $50,000 from your account to the account of the Boys and Girls Club of Belfast"). This is a very inexpensive and fast solution to deploy, and requires much less customer training. Not to mention that it's secure (at least for many years, until hackers can easily identify and commandeer affiliated phone lines).

Myth 3: Banks need to deploy strong authentication at the login so that only trusted individuals enter the bank.

The login is the wrong step to focus on. Most logins do not lead to worrisome transactions. It's the withdrawals and transfers that require close scrutiny. Why not simply frisk people at the door of the bank branch, and those who pass can fetch their own money without the inconvenience of security? Security dollars are much better spent on regulating traffic around the cash itself, not around the lobby.

The best security works through escalated response--identify the high risk actions and focus your attention on them (if you've ever flown El Al Airlines, you know that profiling works). Escalated response includes increasingly difficult challenge and response questions, followed by 2-channel authentication. Settle for passwords at the login, but when money (or stock, or real estate...) is changing hands, escalate. When something anomalous is happenning (e.g. $100,000 transfer after 3 years of $1,000 transfers), escalate further. When one of the IP addresses looks Latvian, escalate. Note also that escalated response is cheaper to implement and less inconvenient for customers.


If you still believe any of the three myths, consider the slipstreaming attack, an old fashioned technique of following someone else into a door with controlled access. Slipstreaming malware exists today that waits for you to login, and then passes your session over to the thief. You can educate, and use all the retina scans you want at login, but slipstreamers will still get the money. That's why we need more than strong authentication--we need strong authorization on every transaction.

I don't really believe that billions of dollars will be stolen, but as Cyota CEO (and Israeli Army Commander) Naftali Bennett observed: in the past 18 months people have already stopped responding to banks' emails as a result of phishing; as losses mount over the next 18 months, users will stop banking online. After all these years of banks building low cost online businesses, the reversion to branch and telephone banking will cost the industry billions.

Unlike Richard "Chicken Little" Posner, I don't really think the sky is falling. But common sense tells me that banks can protect my money only by combining escalated response with 2-channel authorization. Until that happens, I'm using the ATM.


5 comments:

  1. Someone so averse to risk seems unfit for the VC business.

    ReplyDelete
  2. Anonymous5:11 AM

    ...the banks are where the money is...

    Exactly. The US Marines practice something called "maneuver warfare", which states in part that when confronted with a strong point, bypass it and move on the weaker target(s). Overlay that onto the online banking process, and you can quickly and easily identify the weakpoints...the user's systems. In my book, I mentioned the exploits of one young man in Manhatten a couple of years ago...he installed keyloggers on systems at Kinko's all over the island, and collected account information on over 450 people.

    Home systems, and even corporate systems are at risk.

    H. Carvey
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com

    ReplyDelete
  3. Manu,

    Indeed I may be unfit for venture capital (I have always suspected that I've just been lucky), but not because I'm risk averse. Good venture investors clearly think through which risks they are willing to fund, and avoid funding the others. (Still, luck trumps all!) Later, to answer Abhinav's comment on another post of mine, I will try to blog a bit specifically about the risks we like to fund.

    Then again, judging from your profile, you probably also assess VC's based on astrological signs....

    ReplyDelete
  4. "judging from your profile, you probably also assess VC's based on astrological signs"

    :) You see, that's an interface design problem.

    Though the folks who redesigned blogger last year did a commendable job, they still left pretty unusable forms all across the app.

    I never liked my sunsign featuring on my profile but never actually looked for an option to disable it either. Just discovered that there's no direct option in the user profile form to disable it. The sign and Zodiac year are culled from the Birthday field. Since that's usually a required field on forms (for verification purpose in case one loses the password), I didn't leave it blank.

    And now that I made the change to remove the sign and the Zodiac year, my age no longer reflects on the profile either, which I would actually like to show. Someone obviously didn't pay much attention to user needs again. Oh well, Blogger is still an awesome service for free.

    ReplyDelete
  5. Anonymous4:00 PM

    I am really enjoying this! Please continue blogging....

    ReplyDelete