Banks to Use 2-factor Authentication by End of 2006 313

Posted by samzenpus
from the proof-positive dept.
Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."
  • by DrRobert (179090) * <rgbuice@mac . c om> on Wednesday October 19, 2005 @07:37PM (#13831905) Homepage
    I am really sick of all the convenient things in life suddenly becoming too cumbersome to use. I would really, really hate to have a hard token to carry around. It has so many bad features:
    1. I have to carry it around
    2. I may lose it
    3. It will probably break
    4. Its code could be duped

    Too little security, too much inconvenience
    • Good gosh, I can't type... sorry..
    • by ScentCone (795499) on Wednesday October 19, 2005 @07:40PM (#13831920)
      Too little security, too much inconvenience

      But I'm betting you wouldn't sign a waiver relieving them of liability if you opt out of using their T-FA...
      • But I'm betting you wouldn't sign a waiver relieving them of liability if you opt out of using their T-FA...

        It depends. If the waiver covered them purely for losses incurred through phishing, I would happily sign it. I use only secure computers to get to my bank's web site, and I type the URL by hand. I would rather not carry a token to access just one web site.

        On the other hand, if they wanted to extend the waiver to all forms of account loss, regardless of whether it involved an online transaction or n
    • by LordPhantom (763327) on Wednesday October 19, 2005 @07:45PM (#13831952)
      Isn't that like, say, carrying around an ATM card like we do right now? Sure, a "souped-up" ATM card if it had a rotating PIN, but still an ATM card nonetheless - how is this -more- difficult than what we do now? I usually have my wallet handy somewhere, so is it really that big a deal?
      • That's what Winn-Dixie said when they implemented their grocery store discount card... and Petsmart, and BiLo, and Waldens, and MediaPlay, and Kroger, and Sam's. I have a stack of cards 2 inches thick.
        • Not ignorant. It's not what the card does that is important, it's the implication in the article that everyone would want to conduct electronic business this way. Then you have a stack of tokens or you subject yourself to some centralized data scheme.
      • by Tumbleweed (3706) * on Wednesday October 19, 2005 @08:00PM (#13832042)
        how is this -more- difficult than what we do now

        What, you have a magnetic-strip card reader attached to your computer? Sure, no problem - we'll just mandate that all computers that want to access a bank online have to have one, or whatever hardware doohickey they decide to require.

        THAT's the real problem with this proposal. Much like extending Daylight Savings Time, politicians have no idea what impact this has on the real world - programmers that have to code this stuff, and in this really BAD case, new hardware that even the end user is required to now purchase.

        Bleh.
        • by The Monster (227884) on Wednesday October 19, 2005 @09:28PM (#13832490) Homepage
          Much like extending Daylight Savings [sic] Time, politicians have no idea what impact this has on the real world - programmers that have to code this stuff
          When the new Daylight Saving Time rules were enacted, I figured out that all I have to do is edit the /etc/TIMEZONE or /etc/environment file (depending on which of the 4 flavors of *nix I have to support is involved) and add the string ",M3.2.0,M11.1.0" to the end of the TZ= statement. For instance, change "TZ=CST6CDT" to "CST6CDT,M3.2.0,M11.1.0".

          That's it. No 'reprogramming' involved at all. That's because the interpretation of the TZ variable was already programmed to include this sort of encoded rules.

          On the gripping hand, I have no clue what it'll take to fix Windows timezones.
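As an added illustration of the TZ edit described in the post above (example code I wrote for this page, not the commenter's), the following Python appends the rule string to a `TZ=` line and then lets the C library interpret the result through `time.tzset()` (Unix only) to report the offset it applies to a given UTC instant. The pre-2007 rule string `,M4.1.0,M10.5.0` (first Sunday of April to last Sunday of October) is my own rendering of the previous US rule, included for contrast; the `M3.2.0,M11.1.0` string is the one from the post.

```python
import calendar
import os
import time

# POSIX TZ rule syntax: Mm.w.d = month m, week w (5 = last week), weekday d (0 = Sunday).
NEW_US_RULE = ",M3.2.0,M11.1.0"   # second Sunday in March .. first Sunday in November (2007 onward)
OLD_US_RULE = ",M4.1.0,M10.5.0"   # first Sunday in April .. last Sunday in October (pre-2007, my rendering)


def add_rule(tz_line, rule):
    """Append a DST rule to a 'TZ=...' line unless one is already spelled out.
    Mirrors the edit in the post: 'TZ=CST6CDT' -> 'TZ=CST6CDT,M3.2.0,M11.1.0'."""
    key, _, value = tz_line.partition("=")
    if key != "TZ":
        raise ValueError("not a TZ= line: %r" % tz_line)
    if "," in value:          # an explicit rule is already present; leave it alone
        return tz_line
    return "%s=%s%s" % (key, value, rule)


def local_offset(tz_spec, year, month, day, hour_utc=12):
    """Return (utc_offset_hours, is_dst) that the C library applies under tz_spec
    at the given UTC instant. Temporarily replaces the process-wide TZ variable."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz_spec
    time.tzset()
    try:
        ts = calendar.timegm((year, month, day, hour_utc, 0, 0, 0, 0, 0))
        lt = time.localtime(ts)
        return lt.tm_gmtoff / 3600.0, bool(lt.tm_isdst)   # tm_gmtoff is seconds east of UTC
    finally:
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()


if __name__ == "__main__":
    new_line = add_rule("TZ=CST6CDT", NEW_US_RULE)
    print(new_line)                                           # TZ=CST6CDT,M3.2.0,M11.1.0
    spec = new_line.partition("=")[2]
    # 2007-03-12 is daylight time under the new rule but standard time under the old one.
    print(local_offset(spec, 2007, 3, 12))                    # (-5.0, True)
    print(local_offset("CST6CDT" + OLD_US_RULE, 2007, 3, 12)) # (-6.0, False)
```

The check is worth running on every box you patch this way: the library honours the rule string without any code change, as the post says, so a mistyped rule fails silently and only shows up as a wrong offset on the transition dates.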

        • I daresay that major credit card issuers could issue smartcard readers to all their customers and make a profit off of the reduced fraud.

          Keep in mind that those credit card companies lose money every time identity is stolen. They are out the charges as laws protect consumers from credit card fraud. They are out all the administrative expense associated with handling the theft. They also lose out every time somebody chooses not to buy something online for fear of having their identity stolen, or otherwise
    • And it won't work. (Score:4, Insightful)

      by khasim (1285) <brandioch.conner@gmail.com> on Wednesday October 19, 2005 @07:55PM (#13832015)
      Because BOTH methods of identification will be travelling over the SAME channel (your Internet connection), this will still be subject to man-in-the-middle attacks.

      But because it will be a cool "encryption" key, people will not know that they aren't "secure".

      The only way to improve the security is to use a different channel (example: the bank calls your phone to have you verify the transaction)
      -or-
      The site relays the information to you using your IP address as part of the encryption (this won't work with NAT/PAT/Masquerading, but will be feasible with IPv6).
      • by Sycraft-fu (314770) on Wednesday October 19, 2005 @09:28PM (#13832493)
        Seriously, SSL and SSH2 are not easy to do a man in the middle attack on that is undetectable. More to the point, to do a man in the middle attack, you actually have to be in the middle. J. Random Hax0r can't do it, it has to be someone with access to a link that your connection passes through. That's much harder.

        I worry about man-in-the-middle attacks for encrypted channels like not at all. Anyone who has the ability to compromise a major network provider to do that probably has better things to do than go after my info.
        • Ah-ha! The problem isn't protecting the highly-intelligent readers of /. from a MiTM attack, it is protecting people like my father from one. Even though the error message would be big, loud, visible, and wouldn't let him move forward without some acknowledgement, more likely than not, he'd simply click "Yes I trust this new key" and move on.

          People are stupid. Joe Schmoe was never trained in PKCS#11, the importance of the chain of trust in PKI, or even in proper handling of invalid certificate errors.

        • Seriously, SSL and SSH2 are not easy to do a man in the middle attack on that is undetectable.

          Actually, it is. Unless you know specifically how to check that the site you are connected to is associated with the site you want to connect to.

          More to the point, to do a man in the middle attack, you actually have to be in the middle. J. Random Hax0r can't do it, it has to be someone with access to a link that your connection passes through. That's much harder.

          No. You're wrong. Here's an example:

          Your computer
          -c

          • I was with ya until this comment: I don't think you're describing it correctly.

            Man-in-the-middle implies that your communication is going to destination A, via intermediaries B, C, and D. Phishing, and what you describe, implies that for some reason you've been tricked in to setting your end destination as D, who will eventually go to A for you, but you addressed it wrong. Yes, I guess this person is technically "in the middle" of the chain of where you WANT to go, but if you had been smart about saying y
      • by gujo-odori (473191) on Wednesday October 19, 2005 @09:44PM (#13832561)
        Yes, you can still try a man-in-the-middle-attack. However, security is not a binary condition (you're either totally secure or wide open), it's relative. AKA, I don't have to outrun the bear, I only have to outrun you. This is also the principle behind car alarms: there are car alarms that can be defeated, some more easily than others, but the main point of a car alarm is to make my car a more difficult/less attractive target than the one next to it.

        Similarly, what does a Smartcard authentication system over https do for you, as opposed to a simple username and password over https?

        It raises the bar, while also making people without a Smartcard more attractive targets. Compromising a username and password is fairly easy - people fall for phishing attacks all the time. If a Smartcard and PIN are also needed, a man-in-the-middle attack doesn't do you much good. You can't get my PIN (you'd also need a keystroke logger on my computer for that) and even if you had it, unless you also stole my Smartcard you'd still be SOL.

        Not to mention that a man-in-the-middle attack is far harder to achieve than sending out a phishing mail or doing a brute-force attack against a weak password. Anyone can send out phishing mails or use a password-attack script; far fewer people have the wherewithal to mount a successful man-in-the-middle attack. So if I have a Smartcard + PIN that I need to use to authenticate to my bank and you don't, I've outrun you. I don't have to worry as much about the bear.

        Where I work, we use Smartcards and PINs for authentication to our network, in addition to a userid and a high-quality password that must be changed regularly and may not closely resemble the old one. How does this raise security? In two ways: first, if someone gains unauthorized access to a computer inside one of our facilities, they can't do much with it unless they also have a card and PIN. Assuming they stole a card and got inside the building and found a computer in an isolated place and put the card in, they'd still need the PIN, and brute-forcing it would take a while because it's 6 digits minimum (mine is longer). Of course, you also only get a few tries before the PIN is disabled.

        The second case is if someone were to steal my laptop in an airport, from my trunk, etc. It has a VPN client to our company network, but that won't do you any good without the Smartcard and PIN, either.

        In both cases, our network is made far more secure by using Smartcards and PINs. It is not only the accepted wisdom that "something you have and something you know" is far more secure than a username/password-only system, it is just plain correct.

        Many banks in Europe have been using one-time PADs for years; it's about time US banks are getting with the program on security, and disappointing that they're only doing it because somebody made them. If any bank here could offer me Smartcard + PIN or one-time PAD authentication today, they'd have my business right now.
        • If any bank here could offer me Smartcard + PIN or one-time PAD authentication today, they'd have my business right now

          There's so very few of you though.

          Does anyone remember the Amex Blue? It had some basic authentication and no one wanted to use it. There's no reason a consumer is going to demand this. That's why the U.S. might be the last place in the world to implement EMV. The banks don't want to pay and the consumers don't want it.

          Do a search for NavyCash on google. It just barely scratches the s
        • However, security is not a binary condition (you're either totally secure or wide open), it's relative.

          No, I don't see how it can be described as "relative".

          If it were so, you could move from "secure" to "insecure" ... not through anything you did or did not do ... but just because everyone improved their "security" beyond yours.

          That's kind of like saying "I don't have to lock my doors, as long as my neighbors don't shut their doors".

          This is also the principle behind car alarms: there are car alarms tha

        • by bigtrike (904535)
          This is also the principle behind car alarms: there are car alarms that can be defeated, some more easily than others, but the main point of a car alarm is to make my car a more difficult/less attractive target than the one next to it.

          A car alarm usually just alerts thieves that there might be something worth stealing in your car. Nobody pays any attention to car alarms going off any more, as 99.999% of car alarm noises are false alarms due to poorly adjusted shock sensors.
          The car alarm probably makes
    • by Anonymous Coward
      Man, I remember back in the day we had to physically visit the bank between 9am and 5pm on a Monday thru Friday and carry around a little green savings book if we wanted money from our accounts. Get this... When I got paid by my employer, I had to go to that same bank during those same hours and deposit the check in my account through my teller and I had to have that green book with me. At one point, that bank put an odd looking hole in the wall with a big heavy metal door. I think it was called a "nigh
      • by bluGill (862)

        As I recall the banks always closed at 3pm, except on Friday they were open until 7, but anything done after 3pm Friday was just put in a box and not processed until the next Monday.

        I'm told that it was because they didn't have computers back then, so everything was processed by hand, and they used the last 2 hours to balance the books. I don't know that I believe that though - I'm young enough that computers have always been around in banks. (They didn't reach general business until later, but comput

        • by aaza (635147)
          3pm? Man, you had it bad. For me it was 4pm Monday to Thursday, and 4:30 on Fridays. If you worked 9-5 Monday to Friday, you needed a lunch hour (along with everybody else) to do your banking in.
    • Just because the banking overseers and some bankers agree that this measure could reduce identity theft, it doesn't follow that this two-level ID system will actually come into wide usage. Sure they passed a regulation mandating it at a time in the future.
      But this mandate can be quietly suspended, extended, or amended when it becomes apparent to the people who live in the real world how difficult it would actually be to get working.

      But even if it does come to pass, and you
      • Ok, I personally like what you're saying. If I had more than 2k dollars (American), I might bite. But the majority of Americans would never think of going to a bank outside the US. I mean, maybe we'd think about it, but even if we liked the idea (doubtful), we're still pretty lazy (I'm no exception). I generally don't rely on any sort of expectations that involve any voluntary action from an average American. Especially if it's that complex. I mean, it's an option for a multimillionaire's accounts, but
  • by yagu (721525) * <[moc.liamg] [ta] [ugayay]> on Wednesday October 19, 2005 @07:37PM (#13831906) Journal

    I would embrace T-FA. I have never (as far as I know) been a victim of identity theft or fraud, and for that I'm grateful. But for modest investment and great added peace of mind, I look forward to this.

    Ironically, in the slashdot article reference to T-FA, the wikipedia gives as a downside to T-FA:

    ..., According to proponents, T-FA could drastically reduce the incidence of online identity theft, and other online fraud, because the victim's password would no longer be enough to give a thief access to their information. On the other hand, opponents argue that, (among other things) should a thief have access to your computer, he can boot-up in such a way as to bypass the physical authentication processes, scan your system for all passwords and enter the data manually, thus - at least in this situation - making T-FA no more secure than the use of a password alone....

    I think this actually strengthens still does not ensure the intruder has access to one of the two pieces (something you know, and something you have).

    Too, how many (documented) massive identity theft rings are of the "gaining access to personal computers" ilk? None that I can think of.

    For a little more work or inconvenience, I think this adds much security.

    • Does this mean slashdotters can tell their bank to read TFA?
    • Great, when I got mugged before they just wanted my wallet. Now they'll want my left index finger too.

      This is another in a long series of laws/policy that serves the "It sounds like we should do this" crowd. Read through the BS and it's the insurance (FDIC in the US) behind the banks pushing policy. It does nothing to protect the identity/credit of consumers.
    • by hazem (472289) on Wednesday October 19, 2005 @08:05PM (#13832071) Journal
      I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful.

      If you want to keep it that way, the best thing you can do is commit a little fraud.

      File a police report (this is the fraud part) saying something like you were on mass transit, carrying copies of your tax returns. You set them down, and then when you turned around, they were gone. "someone took them"

      With this police report, file for a permanent fraud alert on your credit reports (all 3). This will almost immediately stop all credit card offers and will prevent someone from being able to open instant-credit in your name. You can still get credit, but it takes a little more time and takes a little more proof of who you are.

      The sad thing is that to get this "opt-out" in the credit-reporting system, you have to commit a crime. Without doing so, you can only get a 3-month "opt-out". Lovely country it is where we have to commit crimes to protect ourselves from crime.
      • No fraud needed (Score:5, Informative)

        by Sycraft-fu (314770) on Wednesday October 19, 2005 @09:24PM (#13832473)
        What you can do legally is to freeze your credit reports. You have to do it with each agency and yes it costs a fee, but a nominal one like $15. Then nobody can get your credit information, they will simply refuse it. When you then need credit you call the correct agency and have them temporarily thaw your account. Sometimes it's a time based thing, sometimes it's a code based thing (as in they give you a code to give to the person checking your credit).

        Now this of course makes it much harder to get credit. No walking in to a cell store and walking out with a phone. You need to plan ahead, find out who the creditor uses for their credit checks (with few exceptions they use only one of the three agencies) and have them take the steps necessary to make your report available.

        However it's quite secure, more so than a fraud alert, and it's totally legal to get.
    • This will almost certainly lock Linux/BSD users out of online banking, and probably will lock out Mac users too.

      Banks could much more portably just start requiring signed client certificates. For Windows users they could be stored on a USB keyfob instead of the HDD for slightly better security. Users of other systems could set it up that way if they wanted, but implementation on FreeBSD or whathaveyou would be left to the client.

      It is a good idea for host login, though. CF the article in the November
  • by thewils (463314) on Wednesday October 19, 2005 @07:39PM (#13831914) Journal
    At least so they said in that email they sent me...
  • by Kelson (129150) * on Wednesday October 19, 2005 @07:40PM (#13831924) Homepage Journal

    Sounds great, as long as they don't take the opportunity to lock out their actual customers.

    Good ideas:

    • Hardware that doesn't actually need to be plugged into the computer (such as the token with constantly-changing access codes)
    • Hardware dongle that plugs into the USB port and talks to the computer using standard USB protocols

    Bad ideas:

    • Hardware dongle that requires you to install drivers. Even if they commit to producing cross-platform drivers, there's always going to be some obscure platform that they didn't think was worth implementing. (See today's article on the lack of 64-bit Flash for an example of why this is an issue.)
    • Smart cards for the next few years, until readers are as ubiquitous as USB is today. Lots of computers still ship without memory card readers, and I shouldn't be forced to buy one to do something I can already do without it. (In my case I'm just stubborn, but you can bet there will be people for whom the money to buy a card reader is money that they'd rather spend on, say, food for that week.)

    Bottom line: These are average people on home PCs, not corporate desktops where they can dictate the hardware/OS config, and anything that takes too much time/effort/skill/cash to install is going to be prohibitive. If banks keep that in mind, this should work. If not, they'll find a sharp drop in use of their online services.

    • I think the executives at RSA Security just all simultaneously ejaculated upon hearing this news. They'll no doubt be pushing their SecurID solution very heavily.
    • The likely candidate is a device like this one [vasco.com], which you carry in your pocket.

      It doesn't interface to a computer except by you pressing the button, looking at the number and then typing it into the login screen.

      My bank, HSBC, already uses them. I have a red and grey one sitting here on my desk. It's annoying to have to carry it around, but it's not huge, so the main annoyance would be losing it.

      By the way, I'm not the only person who thinks these devices are the way it will go. Vasco stock went up 9.36% to [yahoo.com]

      • *If* they start requiring hardware crypto devices, I'd like to see them do it as a two-parallel-keys system to make loss/theft easier to deal with. The idea is that they issue you two completely separate keys (as in separate seeds inside them in the case of rolling PIN devices like the one you describe or RSA's SecurID). Both are registered to your account. Either one can be used for full access, and either one can be used to request that the bank terminate the access of the other. You keep one on you,
  • by Anonymous Coward on Wednesday October 19, 2005 @07:46PM (#13831959)
    And what are the chances that the second factor (USB tokens or fingerprint readers, most likely) will have drivers for minority operating systems? I use Linux as my only operating system. Until now, I had no problems accessing my bank account or my credit cards online. Now, I fear I may have to start visiting the bank branch in person...

    The reason for my suspicion is that I used USB dongles for some expensive, proprietary software at my workplace, and on a whim I looked around for Linux drivers for the thing. Turns out that the manufacturer only supports Windows 2000 and XP, and no third-party drivers for other OS's exist.
    • No problem - the FFIEC isn't so sure about open source software either: FFIEC Guidance on open source software [fdic.gov]
    • The most popular second-factor token is the SecurID [rsasecurity.com] by RSA [rsasecurity.com]. It is a device which generates pseudo-random numbers every 60 seconds. This would be the easy solution for any bank interested in a cross-platform solution with no driver support to worry about.

      That said, I hate the SecurID. I'm a much bigger fan of PKI-based solutions, because of all the other things you can get along with it (secure email, secure transactions, strong authentication, persistent digital signature and encryption) for almost no
  • Federal Financial Institutions Examination Council (FFIEC) has given a deadline

    Hmm.. I'm going to need a notification from at least one other organization than the FFIEC before I believe this.

    • For banking regulators, the FFIEC is the word of God. When they issue a "Thou shalt..." commandment, it must be followed.
    • The FFIEC is an alphabet soup of the guys who matter in this respect: OCC, FDIC, NCUA, the Fed, and the OTS. Regardless of what the other reply to your message says about regulators, the more important piece is the weight placed by banks & credit unions behind any FIL (financial institution letter) published by the FFIEC.

      It very well may (and probably will) take past Dec. '06, but the key piece to remember when reading any legislation, regulation or guidance on such, is the interpretation varies.

      What

  • Sounds great, but what about forgetful people? So called "Strong Authentication" or 2-factor authentication sounds great in theory. Rather than just cracking your password, a would-be thief would also have to steal a physical item from your possession. However most people are dumb and forgetful; they would put a piece of scotch tape on the physical item and write their password onto it so that when the would-be thief pickpockets them, they don't have to even bother trying to crack their password. Sounds
    • Please don't tell me that "most people" write their PIN numbers on their ATM cards.
      • Probably not, but if you had an ATM card from bank A, and one from bank B, along with several credit cards with online passwords, chances are people are going to write them down SOMEwhere. Hopefully not on the card itself.
    • There is an easy solution for forgetful people that many banks already use. Allow them to just reset their password by inputting the answer to a "secret question" like "What is the name of your hometown". It's foolproof!

      ...unless of course someone else has access to the name of your hometown.

      ...which they could easily get from your driver's license when they pick your pocket to get your bankcard.

      On second thought, maybe carrying around a copy of your password is actually more secure.

    • Agreed, people are idiots, and will likely write their pin on their token using a permanent marker. Still, when their token is gone, they KNOW it is gone. They know that they no longer have the token itself and they know that someone else likely has their pin. The token can then be revoked and the pin changed.

      With single-factor auth, the authenticator (a.k.a. the PIN) can be "stolen" without the user's knowledge. Their PIN still works, they still know it. This gives the bad guy time to do bad stuff.

  • by TykeClone (668449) * <TykeClone@gmail.com> on Wednesday October 19, 2005 @07:58PM (#13832032) Homepage Journal
    FFIEC [64.233.167.104]

    Straight from the FFIEC's mouth.

  • by geekoid (135745) <dadinportland AT yahoo DOT com> on Wednesday October 19, 2005 @07:58PM (#13832033) Homepage Journal
    Have the customer register an email account, preferably by going into a branch.

    Then when they log into the system, it sends a temporary use code to the email address.
    Not used in 5 minutes, it is no longer any good.

    Older than 30 minutes, you're logged out, the number is no longer any good.

    In the email, you just send the number. If all banks used the same sender to send the code, then people intercepting it would not know what bank it came from.
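The scheme in the post above, as an added worked example (my code, not geekoid's and not any bank's): a server-side store that issues one code per login, delivers it out of band (returned to the caller here in place of the e-mail), lets an unused code lapse after 5 minutes, burns it on first use whether or not the guess was right, and ends the session 30 minutes after login. The `ManualClock` class and the dictionary store are test conveniences I added; the digest and constant-time comparison are the defensive details the post leaves implicit.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 5 * 60        # an unused code is dead after 5 minutes
SESSION_TTL = 30 * 60    # a session is dead 30 minutes after login, active or not


class ManualClock:
    """Settable clock so the timeouts can be exercised without waiting (test helper)."""
    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now


class OneTimeCodeLogin:
    """In-memory model of the e-mailed-code login: one pending code per user, single use,
    hard session lifetime. `clock` is injectable; the default is wall-clock time."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}    # user -> (sha256 hex digest of the code, issued_at)
        self._sessions = {}   # session token -> (user, started_at)

    def issue_code(self, user):
        code = "%06d" % secrets.randbelow(10 ** 6)   # six digits from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user] = (digest, self.clock())  # re-issuing replaces any older code
        return code   # a deployment would e-mail this; the message body carries only the number

    def redeem_code(self, user, code):
        # pop(): the code is consumed on the first attempt, right or wrong, so a six-digit
        # code cannot be guessed by repeated tries within its 5-minute life.
        entry = self._pending.pop(user, None)
        if entry is None:
            return None
        digest, issued_at = entry
        if self.clock() - issued_at > CODE_TTL:
            return None   # stale code
        if not hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest()):
            return None   # wrong code; the user has to request a fresh one
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self.clock())
        return token

    def session_user(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, started_at = entry
        if self.clock() - started_at > SESSION_TTL:
            del self._sessions[token]
            return None
        return user


if __name__ == "__main__":
    clk = ManualClock()
    svc = OneTimeCodeLogin(clock=clk)
    code = svc.issue_code("alice")
    clk.now += 60
    token = svc.redeem_code("alice", code)
    print("logged in:", svc.session_user(token) == "alice")
    print("code reusable:", svc.redeem_code("alice", code) is not None)   # False
    clk.now += SESSION_TTL + 1
    print("session alive after 30 min:", svc.session_user(token) is not None)   # False
```

Storing only a digest of the pending code means a read of the server's table does not hand over live codes, and `hmac.compare_digest` keeps the comparison time independent of how many leading digits were right.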

  • Before these banks implement high-tech security, they ought to consider common sense security. How many banks have I walked into where the back of the computers are exposed for a would be "hacker" to slip a keystroke recorder onto the PS/2 port? How many banks have I walked past on the sidewalk and their windows are wide open with no blinds and you can see directly onto the monitor with account numbers, etc on them? How many banks have I called and asked for information about my account and they failed to v
  • Why doesn't... (Score:3, Insightful)

    by msauve (701917) on Wednesday October 19, 2005 @08:01PM (#13832055)
    having to know both username and password count as two factor ID?

    The wikipedia link claims that TFA contrasts to a system where only the password need be known. That may be a problem with some systems where the username is essentially public (i.e. *nix), but for online banking access, the username need not be easily guessed or based on any personal information, just unique.

    Isn't requiring two non-obvious pieces of information (non-personally identifiable username + password) a form of two factor ID? (yes, I know the traditional mantra of "something you have/know")

    If not, why is an ATM card and PIN considered to be, knowing the ease with which mag stripes can be copied? It's not like there should be high confidence the ATM card stripe is proof of possession of a unique object, as might be the case with a SecurID or retinal scan.

    • Because (Score:4, Informative)

      by Sycraft-fu (314770) on Wednesday October 19, 2005 @09:34PM (#13832517)
      They are both the same kind of authentication, and thus both have the same vulnerability. The reason people talk about the something you have/know/are thing is each is strong and weak in a different way:

      Something you have (a key, a smartcard, etc) is strong because it has to be stolen to be of any use, someone has to physically take it. You can't just look at a smartcard and have it do you any good, you have to be in physical possession of it. However that's also the downside, it CAN be stolen. Someone can just grab it when you aren't looking.

      Something you know (a password or username) is strong because it's stored in your head, nothing to physically steal, nothing to lose. However it's weak because if someone discovers it, you'll never know. They don't need to take anything, just know what it is and they can use it. Also complexity is limited by what you can remember.

      Something you are (a fingerprint, an iris scan) is strong because you are unique, and it's a part of you. You never lose it, and people can't really fake it because, well, it's a part of you. The weakness is that what you are changes, and the ability to read it isn't 100% accurate, so someone CAN fake it out potentially.

      Now, because of this, real strength comes from having two or three of these methods. If you just have passwords, even if you have 3, all someone needs to do is learn them and they are in. However if you need a smart card, a password, and a fingerprint the person has to get an impression of your finger and make a convincing dupe, then find out what your password is, then steal your smartcard, and then use it all before you notice any of this and invalidate the account.

      So it's not worthless to have more of the same kind of authentication, but it's not nearly as good as having multiple kinds of authentication.
  • Australian Bank (Score:4, Interesting)

    by Cave_Monster (918103) on Wednesday October 19, 2005 @08:02PM (#13832061)
    There is a bank here that already has implemented this strategy. They offer small devices that display an ever-changing PIN that you must enter alongside your user ID and password to login to their website. They provide two options, one is a small device that simply requires you to press the button for the PIN to be displayed. The other is slightly larger but requires you to input a separate PIN into the device before it displays the other PIN needed for their website. The extra size is simply to accommodate the keypad.

    Taking up the extra security is entirely up to the individual and is gradually being introduced to customers, though it costs a reasonable amount of money to actually order a security device.

  • TFA Readers (Score:3, Funny)

    by EEBaum (520514) on Wednesday October 19, 2005 @08:02PM (#13832062) Homepage
    So does this mean that all banks will be required to have machines that read TFA?
  • T-FA ... ! (Score:2, Funny)

    by icepick72 (834363)
    The linked Wiki article actually states "A common example of T-FA is a bank card". Who knew TFA had another meaning ... I wonder if the banks realize -- so don't get offended the next time you walk up to the bank teller wicket and are asked for TFA !!! They'll wonder why you are snickering. Woo-hoo
  • Silly (Score:5, Insightful)

    by jesser (77961) on Wednesday October 19, 2005 @08:09PM (#13832088) Homepage Journal
    This will cost every Internet banking customer money, time, and convenience. (RSA fobs are not free; if your bank gave you one for free, it will have to pass the cost on to you in some way.) Meanwhile, it will not significantly reduce the impact of phishing or pharming attacks; it will just force attackers to use the information gleaned from such attacks before the fob's digits expire.

    How about requiring banks to use https correctly [squarefree.com], which would at least reduce the impact of pharming attacks?
    • I think what ING Direct does can be considered 2-factor authentication, and that doesn't require giving the customer anything additional.
    • Re:Silly (Score:3, Insightful)

      by jjohnson (62583)

      it will just force attackers to use the information gleaned from such attacks before the fob's digits expire.

      The fob's digits expire in 60 seconds. I hadn't heard that real-time phishing attacks were a problem.
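The expiry that jesser and jjohnson argue about, as an added example that is not part of the thread: a minimal RFC 6238 TOTP generator and a server-side verifier that enforces both the time window and single use of each code (the replay rule RFC 6238 section 5.2 recommends). The 60-second step and the timestamps are assumptions taken from the thread; the secret is the public RFC 4226 test-vector secret, so the codes are known values. A real SecurID fob uses a different, proprietary algorithm; the property being shown is the same.

```python
"""Time-windowed one-time codes (RFC 6238 TOTP) with server-side replay protection.

Added example; not code from the thread, from RSA, or from any bank. The
step length, timestamps and scenario are assumptions; the secret is the
RFC 4226 test-vector secret (public), chosen so the codes are known values.
"""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # public RFC 4226 test-vector secret
STEP_SECONDS = 60  # assumption: the thread says the fob's digits expire in 60 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (what the fob displays)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Bank side. A code is accepted only for the current step (plus one step of
    clock skew either side) and a step is never accepted twice.

    The second rule is what blunts the attack the thread describes: a code the
    victim has already submitted is useless to whoever phished it, even though
    its 60 seconds have not run out yet.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps
        self.last_accepted_step = -1  # highest counter already consumed (RFC 6238 s5.2)

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for candidate in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if candidate < 0 or candidate <= self.last_accepted_step:
                continue  # negative counter, or already used: refuse replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def phished_code_scenario(secret: bytes = RFC_TEST_SECRET) -> dict:
    """Constructed scenario: a phisher captures the code the victim typed.

    t=59 is chosen so the code falls in counter 0 of the 60-second step.
    """
    server = TotpVerifier(secret)
    t = 59
    code = totp(secret, t)  # "755224": the digits the victim read off the fob
    return {
        "code": code,
        "victim_login": server.verify(code, t),           # True: genuine first use
        "replay_11s_later": server.verify(code, t + 11),  # False: step already consumed
        "used_3_steps_late": TotpVerifier(secret).verify(code, t + 3 * STEP_SECONDS),  # False: expired
    }


if __name__ == "__main__":
    for name, value in phished_code_scenario().items():
        print(f"{name}: {value}")
```

The single-use rule covers the case the thread describes, a captured code replayed within its minute after the victim has already used it. It does nothing against a relay that submits the captured code before the victim's own request arrives, which is the man-in-the-middle variant Ron Bennett raises further down: the token proves possession at login time and says nothing about what happens in the session afterwards.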

  • I have a bank account with a UK bank, and over there (I'm a US citizen) to use their web site, you have to have additional information. For me, I have to provide:
    - a membership number
    - a secret word (they ask for letters or numbers from the secret word)
    - a passcode
    - an account number

    It takes several forms, but I don't yet have a third bulky RSA key to carry around.

    How about just have people answer 10 questions and then use 3 of those answers, things like, your favorite color (blue, no green), car color (fu
  • Found this... (Score:3, Interesting)

    by azatht (740027) on Wednesday October 19, 2005 @08:21PM (#13832142) Homepage
    http://www.schneier.com/blog/archives/2005/03/the_failure_of.html [schneier.com]

    Also, is this similar to what we have had in Sweden for a couple of years for our banking systems? We have a personal badge into which we enter a PIN and a temporary code to get a new temporary code to be able to authenticate??
  • by PhiberOptix (182584) on Wednesday October 19, 2005 @08:24PM (#13832160)
    I received a mail from my bank with 70 different 3 digit codes.
    01-252 06-743
    02-053 07-064
    03-113 08-766
    04-963 10-244
    05-855 11-111 ...
    Every time I log in, it asks for a PIN (which can't be typed on the keyboard; you have to pick the numbers on the on-screen keyboard with your mouse), a secret phrase and a random code from this card.

    Sure, it's really far from RSA, as my code doesn't change and anyone can easily just photocopy my card. But I thought that it was a creative solution to implement a two factor auth that even dummies would understand, while providing a lower cost to implement.
  • by ElDuderino44137 (660751) on Wednesday October 19, 2005 @08:56PM (#13832322)
    Don't let anyone fool you.
    If you gain physical access to a device ... you will get in.
    These n-factor authentication schemes ... may delay you ... but I doubt it.

    Step 1: Remove hard drive from device.
    Step 2: Run away really fast.
    Step 3: Rule the world.
  • by faqmaster (172770) <jones...tm@@@gmail...com> on Wednesday October 19, 2005 @09:10PM (#13832400) Homepage Journal
    The two factor system has always worked well for me. I have no problem making withdrawls using a gun AND a note.
  • by Ron Bennett (14590) on Wednesday October 19, 2005 @09:42PM (#13832552) Homepage
    I'm surprised no one mentioned it yet - bank customers that choose to use (likely have no choice eventually) two factor authentication may be in for a nasty surprise ... I bet, much like Verified by Visa, the onus of proving fraud will be further shifted to the customer - banks will contend that two factor authentication is super-duper secure and any security violation must be solely the customer's fault.

    Speaking of fault ... two factor authentication, as proposed, is faulty from the start ... sure the barrier for fraudsters is a bit higher, but not by much ... a variant of the traditional man in the middle attack is all it takes...

    Keys, etc are no good if the fraudster takes control of the victim's computer itself ... and even worse, the fraudster may not even have to program a complicated trojan, since many folks already use software (or unknowingly have it installed) that allows for remote access.

    Banks are going to love this - sure the key tokens, etc are going to be a hassle for them to distribute, etc, but in the long run banks will be able to shift more of the risk to the customer unless consumer groups speak up ... perhaps they have ... if anyone here knows more, please reply - thanks!

    Ron
  • While keeping the back door wide open.

    In order to draft from your account, the only thing anybody needs is your account number. Heck, companies are now allowed to convert your paper checks into "electronic checks" (ie computer drafts) using only the information printed on the bottom of your check. There was something on the local radio station this week (Clark Howard, consumer guy out of Atlanta) about a woman whose $1600 mortgage payment got fat-fingered as $6600 and it took her MONTHS to get her money b
  • From the article:

    The council also suggested that banks explore technology that can estimate a Web user's physical location and compare it to the address on file.

    Could someone find the idiot administrator or politician or member of this council that came up with this idea and give them a nice, firm smack in the head with a laptop computer? It should be easy to pull this off, because obviously anyone who would suggest this has never heard of laptops, and therefore wouldn't see it coming.

    God for

  • At a former employer I was responsible for initiating borrowings and wire transfers into the millions of dollars on a daily basis. The system our bank set up for doing this was they gave me a userid and a random password generating device(it looked strangely like one of those cheapo calculators). To connect to the bank's system you used a piece of software provided by the bank that dialed an 800 number. You got only three tries to get the random password typed in right or you were cut off and your userid
  • by Frank T. Lofaro Jr. (142215) on Thursday October 20, 2005 @12:50AM (#13833379) Homepage
    Just who is the "Federal Financial Institutions Examination Council (FFIEC)", under what statutory authority (if any) do they have the power to mandate two factor authentication, and what penalties will there be if a bank allows customers to continue to use a userid and password alone?

    Userid and password is simple, and effective in most cases.

    The Feds want more security here, yet if I ask my bank to only accept ACTUAL PHYSICAL checks with my signature on them before honoring them and paying the other banks, it is ILLEGAL for my bank to give me what I want and refuse to accept a "substitute check". It is ILLEGAL for a bank to insist on security which would go a long way towards stopping check fraud, something which I can't protect against.

    Whereas phishing attacks require stupidity on the part of the user.

    Why protect people from something they can protect themselves against, yet not protect us from something we can't protect ourselves from (people can forge our signature, and anyone getting a check from us has the routing number and account number, which is all they need)?!

    If you don't understand the basics of computer security, you shouldn't be allowed to bank on the Internet. If you don't understand the basics of operating a car, you shouldn't be allowed to drive on public roads. Same principle at work here.

    Don't take away my convenience and require me to carry a smart card (oops, left it at home and can't do some needed banking at work or on vacation - sucks to be me) because of others' stupidity.

    Let the stupid people lose their money, get off the Internet and/or go broke and die.

    We mollycoddle the stupid way too much in this country (USA).

    If they must DO SOMETHING, just mandate the banks block *.aol.com at the firewall and be done with it.

    95% of the problem will be solved.

    Or have the server attempt the common Windows exploits, if they fail, the user isn't on Windows or has actually secured Windows - in either case they likely aren't terminally stupid - and the banking session should be allowed.

    Now 99% of the problem is solved.

    As for the remaining 1%, guess what, nothing is perfect. Even with 2 factor authentication, once logged in, a malicious hacker with control of your PC can add an illicit transaction request to the banking session.

    In any event, people should be responsible for computer security. Secure your damn PC, learn to not trust spammers and scammers and don't be a dumbass.

    Or stay off the Internet, and don't cross the street either if you are an idiot.
