Monday, July 18, 2005

Easy Pickings for Bank Robbers

I predicted it in my recent post "Doomsday Hackers and Evildoing Robots" but it hurts all the same...

Bank of America has announced adoption of Sitekey technology, developed by Passmark Security to combat ID theft. But Sitekey suffers from the classic misconception underlying so many security products: that the attacker will not bother to adapt to the defense in any way (even to sweep up juicy bank accounts). Rather than restore trust to online banking, Sitekey promises to confuse and inconvenience customers, instilling a false sense of security that will, when it quickly fails, further impede online banking.

Sitekey promises confidence that customers are logging into the genuine bank, not a spoof site, by asking customers to upload a "trusted image" that the bank will display when accessed from a "trusted computer". To establish trust on the device (because it's a fresh computer, or the cookies have been deleted, which happens quite often), SiteKey asks the customer some challenge questions. Passmark claims to prevent phishing because users will be trained not to provide passwords to spoof sites that can't display the trusted image.

So sometimes B-of-A will ask the questions and sometimes it won't, depending upon the cookies. Sometimes it shows the image right away, and sometimes it first asks the challenge questions. Somehow, the customer is supposed to understand all this, and the next time he or she is phished, figure out that something important (the image) is missing. So there's a lot of set up, and some rather generous predictions around customer sophistication.

The bigger problem, though, is that Sitekey utterly fails to defeat phishing or malware attacks. What stops phishers from simply logging into the bank at the same time that the victim is logged into the spoof site? The phishers pass the challenge questions from the bank to the customer, and shuttle the responses right back. The bank then exposes the trusted image to the phisher, which uses it to prompt the customer for the password.

And what about slipstreaming malware that simply waits on your PC for authentication to happen before passing your session to the thief? These attacks may be relatively uncommon today, but you can expect B-of-A to change that.

But wait, don't change banks so fast! According to the same AP article, Wachovia is rolling out a similarly vulnerable system, but one that is also wildly expensive to deploy and support. Wachovia will distribute tokens that display a different number every 60 seconds, so that Wachovia "knows" that the token holder, not a phisher, is logging in. Forget about the problems associated with dead batteries and lost tokens. Those nasty slipstreamers and man-in-the-middle phishing attacks defeat this security system just as handily.

Whoever said Crime Doesn't Pay wasn't an ID thief in the year 2005. Until banks adopt all 3 of the following (easy and inexpensive) authentication methodologies, I'll continue to bank offline:

1. Authenticate the transaction
Don't let slipstreamers take over my validly opened online session only to execute unauthorized transactions.

2. Escalated Response
If my bank profiles transaction risk and escalates authentication based on that risk, I won't have to deal with inconvenient security mechanisms except when it really matters. And when it matters (e.g. cash transfers), I will be pleased to see the escalated security.

3. Multi-channel authentication
This method involves a computer that calls the customer on a separate network (POTS, cell phone, SMS) to prompt the customer for an authorization code. Unlike multi-factor authentication, multi-channel authentication is not defeatable by slipstreamers and man-in-the-middle attacks. It's also much less expensive, and can cheaply layer on biometric security by analyzing the voice pattern of the person at the other end of the phone line.
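As an added illustration (not code from the post or from any bank or vendor named in it), here is a simulated bank-side sketch of the three ideas together: risk-based escalation, a code delivered on a separate channel, and that code bound to the exact transaction rather than to the session. The threshold, the SMS stub and the transaction fields are assumptions for the example; a hijacked or relayed session that alters payee or amount invalidates the code the customer was sent.

```python
import hashlib
import hmac
import secrets
import time

HIGH_RISK_AMOUNT = 1000.00   # assumed escalation threshold for this example
CHALLENGE_TTL = 120          # seconds an out-of-band code stays valid

sent_messages = []   # stand-in for the SMS/phone channel (constructed stub)
pending = {}         # challenge_id -> (txn_digest, code, expiry)


def needs_escalation(txn, known_payees):
    """Escalated response: step up authentication only when the risk warrants it."""
    return txn["amount"] >= HIGH_RISK_AMOUNT or txn["payee"] not in known_payees


def txn_digest(txn):
    """Canonical digest of the fields a thief would want to alter mid-session."""
    canon = f'{txn["account"]}|{txn["payee"]}|{txn["amount"]:.2f}'.encode()
    return hashlib.sha256(canon).hexdigest()


def issue_challenge(txn, phone):
    """Multi-channel step: send a one-time code, bound to this transaction, out of band.
    The message repeats payee and amount so the customer can spot tampering too."""
    challenge_id = secrets.token_hex(8)
    code = f"{secrets.randbelow(1_000_000):06d}"
    pending[challenge_id] = (txn_digest(txn), code, time.time() + CHALLENGE_TTL)
    sent_messages.append((phone, f'Confirm ${txn["amount"]:.2f} to {txn["payee"]}: code {code}'))
    return challenge_id


def authorize(challenge_id, txn, entered_code):
    """Authenticate the transaction, not the session: the code is consumed on first use,
    expires, and only matches the transaction it was issued for."""
    entry = pending.pop(challenge_id, None)
    if entry is None:
        return False
    digest, code, expiry = entry
    if time.time() > expiry:
        return False
    return hmac.compare_digest(digest, txn_digest(txn)) and hmac.compare_digest(code, entered_code)
```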


  1. Anonymous, 2:50 PM

    Hi David,

    First, welcome to the blogosphere! I hope you can keep up with these posts!

    Is there a voice biometric out there that works when I have a cold, or a rotten cell phone connection?


  2. Adam, good question. All the more reason for Escalated Response. If I fail the biometric test due to a cold or poor cell coverage, I'd like to know that my bank will escalate the authentication process to a human operator. And even if you dismiss the voice recognition, multi-channel authentication is still the secure and inexpensive way to authorize transactions.

  3. Anonymous, 5:02 AM

    I've worked with what places like Citi* and B-of-A call "security", and as you've pointed out, it's needlessly complex, a house of cards ready to fall.

    Another thing to keep in mind is that while this protects the user from phishing/pharming/ph-word-du-jour scams, it does *not* necessarily protect the user. A young man in Manhattan showed us only a couple of years ago that loading keyloggers on Kinko's PCs can net you about 450 people's online banking usernames and passwords...

    The more complex you make something, the less likely the average user is to actually use it.

    H. Carvey
    "Windows Forensics and Incident Recovery"

  4. Anonymous, 2:14 PM

    One really simple approach I heard suggested is that every debit to your account gets sent to your cellphone by SMS. It wouldn't stop fraud, but make detection really rapid.
    Edward French

  5. I've never had to worry about banking online and phishing in particular has not been a cause of concern. I think much of phishing can be defeated by a single measure - by visiting your bank's site only using a bookmark or through a previously memorised URL and keeping an eye on the URL during the session.

    My bank uses two tier authentication: the usual login/pswd combination to view account details and a transaction password for whenever I transact online. I've only used one bank online, so I don't know how common this is but it seems pretty safe to me. Other measures on the site are disabling of back/forward and reload buttons, disabling double clicking of buttons/links and the usual session timeout. Although inconvenient, one gets used to it after a while. In addition, I've enabled SMS alerts of the kind Edward describes. Any debit to my account over a specified amount is immediately conveyed to me on my cellphone by SMS.

    With these measures in place, I only need to worry about keylogging malware at my end. I'm not concerned because, I use discretion on what software I install and I have the usual firewall/antivirus/antispyware utilities in place. Of course, there are circumstances outside of my control that can make the theft possible (such as the bank's systems getting hacked) but that threat would exist even if I don't transact online so I don't know how stopping to bank online will help.

    I think it all boils down to risk vs. convenience. Sure, the risk exists, but I believe it doesn't overshadow the huge convenience one gets from banking online. I believe that when we're constantly exposed to online fraud in the media as we are today, and particularly for someone who's in the business of security, the threat perception inflates many more times than is justified.

    Ask a 22 year old to spend time at a hospital and by the end of the week you'll have a perfect candidate for health insurance. :) Ask him to spend a week at a therapist and he'll think the world is full of weird people (many critics of Freud actually credit this as the reason for his beliefs).

    I really like the Multi-channel authentication idea though and would like to see my bank implement it for any big transaction I make. But I'd rather call the bank's toll-free number myself to authenticate the transaction than have the bank call me on a number that may be busy or to which I may not have access while traveling.

  6. Anonymous, 11:28 PM

    I live in South Africa, and even here the big 4 banks have realised the risk to security. 1 of the 4 uses RSA rolling code generators and the other 3 send an authentication SMS to the user. The authentication SMS is a one time per transaction code. If you type it in wrong a new code is sent. This seems to work very well. So well in fact that later this year the banks are making it mandatory to use the service for internet banking.
