Keyloggers: Why Banks Need Two-Factor Authentication

Recently I briefed banking executives in Bangkok on how easy it is to steal userIDs and passwords from their on-line banking customers and why they must have two-factor authentication.   To illustrate my key points, I showed the captive audience various pictures of hardware keyloggers, for example the small black keylogger circled in the figure below.

A Keylogger

There are PS2 keyloggers (illustrated above) and USB keyloggers. There are even keyloggers built into normal-looking keyboards, so you have no idea one is there. Don’t believe me? Search the net and you will find plenty!

Today this Network World article, Two-factor authentication: Hot technology for 2008, reminded me of my recent meeting. The article mentions numerous token-based two-factor authentication (2FA) solutions, but it misses a popular and inexpensive form of 2FA used here in Thailand and across APAC: SMS-based 2FA.

In a nutshell, SMS-based 2FA involves having your on-line banking system send an SMS message with a one-time password (OTP) to your cell phone.   You then must enter the OTP to complete your transaction.
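The SMS-based OTP flow described here, as an added example (not code from the original post): a constructed Python model of the bank-side logic in which the OTP is bound to one specific transfer, is sent to the mobile number on file (which, as the author's later comment replies note, a web session cannot change), expires, is single-use, and is discarded after repeated wrong guesses. The phone book, the send_sms callback and the injectable clock are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # an OTP is only valid for two minutes
MAX_ATTEMPTS = 3        # wrong guesses before the pending transfer is discarded

@dataclass
class PendingTransfer:
    amount: float
    destination: str
    otp: str
    issued_at: float
    attempts: int = 0

class SmsOtpConfirmer:
    def __init__(self, phone_book, send_sms, clock=time.time):
        # phone_book: server-side map account -> registered mobile number. Nothing
        # here lets a web session change it; the post says that is not done on-line.
        self._phone_book = phone_book
        self._send_sms = send_sms   # assumed callable(phone_number, text)
        self._clock = clock         # injectable so tests can expire OTPs
        self._pending = {}          # tx_id -> PendingTransfer

    def start_transfer(self, account, amount, destination):
        phone = self._phone_book[account]   # KeyError if no number on file
        otp = f"{secrets.randbelow(10**6):06d}"
        tx_id = secrets.token_hex(8)
        self._pending[tx_id] = PendingTransfer(amount, destination, otp, self._clock())
        # The SMS states what is being confirmed: a stolen password alone is not
        # enough, and a tampered amount or destination is visible to the user.
        self._send_sms(phone, f"You have requested to transfer {amount:.2f} from {account} "
                              f"to {destination}. To complete this transaction enter OTP {otp}")
        return tx_id

    def confirm(self, tx_id, entered_otp):
        tx = self._pending.get(tx_id)
        if tx is None:
            return False                  # unknown, already used or discarded
        if self._clock() - tx.issued_at > OTP_TTL_SECONDS:
            del self._pending[tx_id]
            return False                  # expired
        if not hmac.compare_digest(tx.otp, entered_otp):
            tx.attempts += 1
            if tx.attempts >= MAX_ATTEMPTS:
                del self._pending[tx_id]  # discard after repeated wrong guesses
            return False
        del self._pending[tx_id]          # single use
        return True
```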

Is this a perfect solution?

No.

But it is much better than just passwords!

A ten year old child can easily steal your userID and password, really.

So, the next time you are at an Internet cafe, trusting your SSL link to your bank, don’t forget to take a peek at the computer and look for a small keylogger.   

Well, on the other hand, also don’t forget to bring your own keyboard (or laptop) 🙂


7 Responses to Keyloggers: Why Banks Need Two-Factor Authentication

  1. Kevin says:

    Yes! Finally someone who sees it my way. I too believe all banks need to utilize some type of Two Factor Authentication. Passwords work but are so easily obtained by individuals who would do you harm, it’s much safer to use TFA. I know several banks like Wells Fargo, and even Bank of America use such technologies both on and offline. By no means is this, the be all and end all of security measures but it’s the best we have and it should be used everywhere.

  2. Paul says:

    Two Factor Authentication takes a lot of hits from people especially in the last year or so but I agree with you. I consider it the “hot” technology of 2008. It is relatively easy to implement and it’s reasonably affordable too. I think that many people shy away from it because it’s been hacked before.

  3. Tim Bass says:

    Not considering two factor authentication with OTP because it could be compromised by a sophisticated MITM (Man-in-the-Middle) attack is like shying away from door locks because people have kicked in doors before. There are no perfect security controls; controls reduce risk, not eliminate it.

  4. Trenchwars says:

    Banks and end users need not only two factor authentication — but true mutual authentication. Two factor authentication, at its best, can only work to let the bank authenticate the end user. Period.

    But it does NOTHING to enable the end user to authenticate the bank identity. SSL certificates (even EV SSL certificates) are all subject to MITM (Man in the middle) attacks.

    There is one way to enable end users to confirm a bank’s identity using a new type of digital certificate (Content Verification Certificates). These certificates bind web content to an IP, e.g. a bank login box, and provide users a confirming, non browser based verification of the content (if it is authentic). Because the indicator is NON browser based – it is not subject to manipulation by internet hackers as in MITM attacks.

    In this model the bank can confirm the user’s ID and the reverse is true because only authenticated content belonging to legitimate banks will give the users the confirming indicator.

    This true mutual authentication schema is delivered by Comodo – one of the world’s largest certificate authorities.

    We believe it is time to evolve beyond two factor authentication to true mutual authentication.

    Judy Shapiro

  5. Tim Bass says:

    Hi Judy,

    What you are saying is not entirely correct from a risk management perspective.

    The way 2FA with OTP (plus SMS based account change confirmation and status messages) is implemented does, to some degree, help confirm the identity of the bank because the mobile phone number is a shared secret between the bank and the client.

    Yes, it can be argued that the mobile number can be known, stolen, phones cloned, etc. but there is no such thing as perfect security. There is risk management and risk mitigation, and the purpose of controls is to significantly reduce the risk, i.e. SMS-based 2FA with OTP, especially when the bank sends an SMS when there is any change to account activity.

    We often read and hear “endless debates” about “perfect security” over and over, and what happens is that organizations get so distracted with “perfection” that they leave gaping holes in what can be mitigated as a “less than perfect” solution.

    As the old saying goes,

    The Enemy of Good is Great …..

    This is especially true in IT security and risk management.

    Yours sincerely, Tim

  6. Trenchwars says:

    Indeed, I see your point and nothing in security is 100%. We share a common understanding that security needs to be layered.

    My main concern (and tirade) is the regulators’ seeming lack of concern to demand that users be able to authenticate the bank with the same discipline that banks can now use to verify end users.

    It is not lost on any of us that since banks have a larger lobby voice, the first set of regulations, e.g. two factor authentication, protects the banks quite nicely but does nothing to really protect the end user from phishing sites. I even had a conversation with a regulator who believed that an SSL certificate protects against MITM!!!!

    So with the basic premise that nothing in security is foolproof – I only advocate equal identity protection within the construct of a mutual authentication schema.

    Judy Shapiro

  7. Tim Bass says:

    Hi Judy,

    I like your passion about the issues and appreciate your concerns.

    In your passion, you accidentally write a few statements that are not totally accurate. For example, you say:

    “Two factor authentication, protects the banks quite nicely but do nothing to really protect the end user from phishing sites.”

    However, if someone steals my on-line banking user ID and password (phishing or not) and then logs into my account and attempts a transaction in my account, am I not “protected” (in an efficient, economic manner) by the SMS I receive on my mobile phone that says “You have requested to transfer $10 out of your account, please enter this OTP to complete this transaction.”

    Isn’t this a degree of moderate protection for the user?

    Furthermore, even with access to my on-line account, a criminal cannot change my mobile phone number, because this change cannot be done on-line, per implementation specification.

    I do agree with you that SSL does not protect against _all_ MITM attacks. On the other hand, I am sure you can see the point, that some could argue that SSL does protect against _some_ types of MITM attacks, but certainly not all.

    My experience is that many security professionals confuse efficient (economical, easy to implement and maintain) risk reduction (and controls) with trying to prevent all threats and all vulnerabilities, mistakenly treating all threats and vulnerabilities equally.

    In cyberspace, risk must be reduced; and while many controls are not perfect, they are far greater than nothing (like locks on doors, for example); and we always must weigh the costs of the controls versus the actual risk.

    Just like locks on doors cannot prevent a serious professional from coming into our home, on-line banking controls cannot prevent all threats from a clever, motivated attacker with the means to exploit a vulnerability. And, just as we live peacefully (for the most part) in the world of the lowly door lock, knowing that a determined professional attacker can circumvent this control, we continue to lock our doors at night before we go to sleep.

    Thank you for visiting my blog, Judy. You are welcome anytime.

    Yours sincerely, Tim
