People can be surprisingly foolish, especially when it comes to safeguarding their sensitive information online. If you work for Vasco, RSA Security or another multi-factor authentication outfit, that happens to be great news right now because security tokens and two-factor authentication are hot stuff. Token-based authentication is hardly new. Traditionally, tokens were expensive, niche and considered extremely cool by those working in the information security business.
Back in 1995, displaying a key-chain with an RSA SecureID token attached earned you more status than whipping out a set of Porsche keys.
Alas, the token is no longer a mysterious gadget looking like a prop from a James Bond movie. In just a few years a significant number of people will carry one. While online financial fraud hasn’t rendered passwords useless, they’re certainly not strong enough for today’s computing environment. The market has spoken. The market wants tokens.
Criminal syndicates have been using Trojan horse malicious software — or malware — to steal the login credentials of ordinary users for years. Phishing scams, which fool internet banking customers into divulging their login details to fake banking websites, have also proven alarmingly effective.
At first glance, two-factor authentication seems to be the silver bullet. Login details are rendered useless to attackers if they don’t also have access to the two-factor device, like a token. But a silver bullet they are not. Token-based authentication significantly raises the bar. However, fraudsters have already bypassed the authentication measure — cyber-scammers got around the tokens and defrauded Citibank customers in the United States last year.
They’d successfully staged a man-in-the-middle phishing attack that siphoned funds out of Citibank customers’ accounts in real time. In this instance, the tokens were rendered useless.
“The end user’s computers were compromised. It doesn’t matter what token they use, the two-factor token only proved the user was actually holding the device,” Ted Egan, chief executive of TrustDefender says. “What happens is the Trojan sitting on the computer was able to transact in real time while the user put in the details.”
Egan’s no fan of tokens, though it’s hardly surprising — his company makes software designed to prevent man-in-the-middle attacks.
Then there’s the elephant in the room — just how many security devices, be they smart cards, tokens or something else — will the average consumer have to carry?
Currently, federated identity solutions, which would allow consumers to use one token to authenticate themselves to many organisations, are not up to it, says Geoff Noble, a banking and finance specialist with RSA Security. They would require cooperation between competing commercial interests and perhaps even the government. "Is bank A going to trust bank B? Is the government going to trust enterprise? It’s bigger than bank versus bank, it’s government versus private enterprise," he says. "There’s no line of least resistance through all of this."
Still, Noble says he doubts ordinary consumers will have to lug around multiple tokens. "The only people I know who have more than one password generating device work for the bank," he says. "I don’t know that we’re going to see people with many tokens."
RSA sells token-based solutions, but Noble isn’t particularly evangelical about the technology’s potential as a cure-all. Criminals will adapt to the new devices. "We forecast that universal man-in-the-middle kits will become more prevalent," he says. "The most robust form (of authentication) is getting something out of band." (See sidebar: Popular security measures)
Hey honey, it’s me
Two-factor authentication isn’t limited to tokens. Last year Australian Health Management (AHM) deployed a voice biometric system in its call centres to authenticate its customers. In all, 8500 of the not-for-profit health fund’s 130,000 members are registered with the VeCommerce voiceprint system. AHM’s operations manager, Melinda Charlesworth, says the added security is a bonus, though improving the customer experience and shortening call times was the primary objective.
“We started looking at it about 12 months ago. We were looking for a way to simplify the calls we were getting from our members so we could shorten them and improve the customer experience,” she says. "When we started looking at how to improve the call experience for members we stumbled across biometrics. We recognised pretty quickly that it was going to solve a number of issues, as well as improving the customer experience."
Once a client is registered, call centre agents no longer have to ask customers for their date of birth, mother’s maiden name or any other identifying information. It makes life easier for call centre staff, who no longer waste time authenticating customers who are using the system. They can get straight down to the work that matters.
While AHM’s 400,000 calls a year is hardly an earth-shattering figure, the average call-time saving of 40-80 seconds equates to approximately 6500 hours of call time saved. “When they ring us there’s an IVR system at the beginning of the call that simply asks them to say their membership number," Charlesworth says. "The system then goes and checks to see if we have a biometric record for them. If we do, it transfers them straight through to an agent (who knows) if they’re authenticated."
The system will pay for itself within 12 months.
Some boffins say voice biometrics is unreliable, but Charlesworth insists the system works well. AHM has a call centre operator step through the registration process with users to make sure there’s no background noise and the phone line is good. This ensures a high-quality biometric capture.
Protecting health insurance information comes with its own unique challenges, Charlesworth says. AHM’s customer data is more likely to be targeted by unhappy ex-wives in Bondi than fraudsters in Tajikistan. “That’s where health insurance differs from the bank,” Charlesworth says. “The people who are most likely to try to get this sort of sensitive information are the people who know you. It’s not the stranger on the street, it’s your ex-wife, it’s your neighbour, it’s your disgruntled brother and they’re the people who know the answers to your secret questions.”
Charlesworth says AHM sought a legal opinion on whether voice biometrics is strong enough to ensure compliance with privacy and data protection regulations. Apparently, the technology’s kosher.
Both Suncorp-Metway and Commonwealth Bank have rolled out two-factor authentication solutions, though their approaches differ. Both offer tokens, but by default, Commonwealth Bank customers sign up to Netbank SMS. One-time passwords are sent as SMS text messages to the customer’s mobile phone every time they want to perform specific actions, like transferring money to a previously unknown third-party.
“There are two drivers for us. One is the cost of the fraud. In the last year, over the past couple of years, we’ve seen fraudulent attacks on our customers rising,” says Marcus Judge, Commonwealth’s general manager, e-Commerce. “The second thing was not so much about the hard dollars, but one of the important things to our customers, always, is that they’re confident about the bank.”
Increasing discussion and nervousness among customers around internet banking was eroding confidence in the online service. Something had to be done to make customers feel good about using it again.
While the Commonwealth bank is using token and SMS-based authentication at this stage, its chief information security officer, Sarv Girn, says that may not always be the case. He’d even consider voice biometrics as the technology improves. “There’s still some question marks on how useful it can be and how reliable. But having said that, it’s constantly changing,” he says. “There’s no reason (the bank’s) out of band (authentication) channel couldn’t be voice.”
The split between SMS and token-based authentication is useful on a couple of fronts. Aside from giving customers a choice, the Commonwealth team says there’s little point giving a hardware token to someone who’ll only use it once a year.
For Queensland-based Suncorp, the decision was a tad tougher. Its own study showed SMS authentication wasn’t an option for the group’s customers. Suncorp has a large regional customer base so ruled out using SMS. "In terms of SMS, we talked to our customers back when we were looking at our two-factor implementation. At that stage we found the reach of SMS through our customer base and mobile phone usage wasn’t at a rate we felt that SMS was viable," says Suncorp’s Jamie Glenn, the company’s manager of e-commerce.
High-risk customers, who conduct multiple payments to third parties through their bank accounts, were issued with tokens, but any Suncorp customer who wants one can purchase a Suncorp branded token for A$20.
We haven’t got it nutted yet
The picture painted by analysts is fairly grim. According to Gartner, “stronger authentication alone is not sufficient: Emerging attacks can succeed no matter how strong user authentication is”.
The company’s analysts say banks must rely heavily on fraud detection and transaction verification to defend themselves against fraud, not just strong authentication technologies. Is a customer logging in through an IP address registered in Botswana? Best give them a call — if they’re down at the shops when they answer, you know something’s amiss. Are 20 customers all trying to log in from the one IP and transfer money into a single account? Again, it should give fraud departments cause for concern.
Still, the analysis firm says password authentication for rudimentary internet banking functions, like checking your balance or moving money between users’ own accounts, should be sufficient. “Especially with complementary controls in place, authentication by a simple password alone may still be appropriate for some, less-critical online banking functions,” Gartner says.
POPULAR SECURITY MEASURES
A small device that fits on a key ring, security tokens display a numerical code on an LCD display. The code changes every minute or so, and only the bank and the token holder know what the code is at any given time.
PROS: Cheap, simple.
CONS: Tokens raise the bar significantly, but they’re not fraud-proof.
Users receive one-time passwords via SMS (text) when they wish to perform high-risk actions.
PROS: SMS allows the authenticating party to communicate a message with the password. For example, “To transfer $500 to account number 3432 4343, use one-time password: 76987.” Out-of-band authentication means the one-time code is sent to the user via their handset, not the internet.
CONS: SMS is an insecure protocol. Not everyone has a mobile phone.
Smart cards, a chip embedded on a credit-card sized piece of plastic, contain a cryptographic processor and an embedded cryptographic key that cannot (in theory) be extracted from the card.
PROS: Strong form of two-factor authentication. Ties in with established PKI technology.
CONS: Requires too much infrastructure on the client side. (Smart card reader.)
Voice biometrics allow for fairly confident verification of a user through a voiceprint over the phone.
PROS: Cheap, saves a bunch of money in call centres. Out-of-band authentication, i.e. auto-dialler can ring an internet banking customer to get voiceprint.
CONS: Questions around reliability.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.