Security The Internet

Banks to Use 2-factor Authentication by End of 2006 313

Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."

  • by yagu ( 721525 ) * <{yayagu} {at} {gmail.com}> on Wednesday October 19, 2005 @08:37PM (#13831906) Journal

    I would embrace T-FA. I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful. But for modest investment and great added peace of mind, I look forward to this.

    Ironically, in the slashdot article reference to T-FA, the wikipedia gives as a downside to T-FA:

    ..., According to proponents, T-FA could drastically reduce the incidence of online identity theft, and other online fraud, because the victim's password would no longer be enough to give a thief access to their information. On the other hand, opponents argue that, (among other things) should a thief have access to your computer, he can boot-up in such a way as to bypass the physical authentication processes, scan your system for all passwords and enter the data manually, thus - at least in this situation - making T-FA no more secure than the use of a password alone....

    I think this actually strengthensstill does not ensure the intruder has access to one of the two pieces (something you know, and something you have).

    Too, how many (documented) massive identity theft rings are of the "gaining access to personal computers" ilk? None that I can think of.

    For a little more work or inconvenience, I think this adds much security.

  • by TykeClone ( 668449 ) * <TykeClone@gmail.com> on Wednesday October 19, 2005 @08:58PM (#13832032) Homepage Journal
    FFIEC [64.233.167.104]

    Straight from the FFIEC's mouth.

  • by hazem ( 472289 ) on Wednesday October 19, 2005 @09:05PM (#13832071) Journal
    I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful.

    If you want to keep it that way, the best thing you can do is commit a little fraud.

    File a police report (this is the fraud part) saying something like you were on mass transit, carrying copies of your tax returns. You set them down, and then when you turned around, they were gone. "someone took them"

    With this police report, file for a permanent fraud alert on your credit reports (all 3). This will almost immediately stop all credit card offers and will prevent someone from being able to open instant-credit in your name. You can still get credit, but it takes a little more time and takes a little more proof of who you are.

    The sad thing is that to get this "opt-out" in the credit-reporting system, you have to commit a crime. Without doing so, you can only get a 3-month "opt-out". Lovely country it is where we have to commit crimes to protect ourselves from crime.
  • Re:If this.. (Score:2, Informative)

    by stanleypane ( 729903 ) on Wednesday October 19, 2005 @10:20PM (#13832455)
    CVV2 is intended to ensure that the owner of the card is physically in possession of the card.

    Moreover, anyone maintaining a database with CC #'s (web sites, banks, etc.) cannot store CVV2 codes in their databases beyond the life of a given transaction. Literally seconds. This is how it helps, because anyone that gains unauthorized access to a database with CC's is not going to be able to use those cards at any merchant that requires a CVV2 (95% of any phone or web based business).
  • No fraud needed (Score:5, Informative)

    by Sycraft-fu ( 314770 ) on Wednesday October 19, 2005 @10:24PM (#13832473)
    What you can do legally is to freeze your credit reports. You have to do it with each agency and yes it costs a fee, but a nominal one like $15. Then nobody can get your credit information, they will simply refuse it. When you then need credit you call the correct agency and have them temporarily thaw your account. Sometimes it's a time based thing, sometimes it's a code based thing (as in they give you a code to give to the person checking your credit).

    Now this of course makes it much harder to get credit. No walking in to a cell store and walking out with a phone. You need to plan ahead, find out who the creditor uses for their credit checks (with few exceptions they use only one of the three agencies) and have them take the steps necessary to make your report available.

    However it's quite secure, moreso than a fraud alert, and it's totally legal to get.
  • Because (Score:4, Informative)

    by Sycraft-fu ( 314770 ) on Wednesday October 19, 2005 @10:34PM (#13832517)
    They are both the same kind of authentication, and thus both have the same vulnerability. The reason people talk about the something you have/know/are thing is each is strong and weak in a different way:

    Something you have (a key, a smartcard, etc) is strong because it has to be stolen to be of any use, someone has to physically take it. You can't just look at a smartcard and have it do you any good, you have to be in physical possession of it. However that's also the downside, it CAN be stolen. Someone can just grab it when you aren't looking.

    Something you know (a password or username) is strong because it's stored in your head, nothing to physically steal, nothing to lose. However it's weak because if someone discovers it, you'll never know. They don't need to take anything, just know what it is and they can use it. Also complexity is limited by what you can remember.

    Something you are (a fingerprint, an iris scan) is strong because you are unique, and it's a part of you. You never lose it, and people can't really fake it because, well, it's a part of you. The weakness is that what you are changes, and the ability to read it isn't 100% accurate, so someone CAN fake it out potentially.

    Now, because of this, real strength comes from having two or three of these methods. If you just have passwords, even if you have 3, all someone needs to do is learn them and they are in. However if you need a smart card, a password, and a fingerprint the person has to get an impression of your finger and make a convincing dupe, then find out what your password is, then steal your smartcard, and then use it all before you notice any of this and invalidate the account.

    So it's not worthless to have more of the same kind of authentication, but it's not nearly as good as having multiple kinds of authentication.
  • by gujo-odori ( 473191 ) on Wednesday October 19, 2005 @10:44PM (#13832561)
    Yes, you can still try a man-in-the-middle-attack. However, security is not a binary condition (you're either totally secure or wide open), it's relative. AKA, I don't have to outrun the bear, I only have to outrun you. This is also the principle behind car alarms: there are car alarms that can be defeated, some more easily than others, but the main point of a car alarm is to make my car a more difficult/less attractive target than the one next to it.

    Similarly, what does a Smartcard authentication system over https do for you, as opposed to a simple username and password over https?

    It raises the bar, while also making people without a Smartcard more attractive targets. Compromising a username and password is fairly easy - people fall for phishing attacks all the time. If a Smartcard and PIN are also needed, a man-in-the-middle attack doesn't do you much good. You can't get my PIN (you'd also need a keystroke logger on my computer for that) and even if you had it, unless you also stole my Smartcard you'd still be SOL.

    Not to mention that a man-in-the-middle attack is far harder to achieve than sending out a phishing mail or doing a brute-force attack against a weak password. Anyone can send out phishing mails or use a password-attack script; far fewer people have the wherewithal to mount a successful man-in-the-middle attack. So if I have a Smartcard + PIN that I need to use to authenticate to my bank and you don't, I've outrun you. I don't have to worry as much about the bear.

    Where I work, we use Smartcards and PINs for authentication to our network, in addition to a userid and a high-quality password that must be changed regularly and may not closely resemble the old one. How does this raise security? In two ways: first, if someone gains unauthorized access to a computer inside one of our facilities, they can't do much with it unless they also have a card and PIN. Assuming they stole a card and got inside the building and found a computer in an isolated place and put the card in, they'd still need the PIN, and brute-forcing it would take a while because it's 6 digits minimum (mine is longer). Of course, you also only get a few tries before the PIN is disabled.

    The second case is if someone were to steal my laptop in an airport, from my trunk, etc. It has a VPN client to our company network, but that won't do you any good without the Smartcard and PIN, either.

    In both cases, our network is made far more secure by using Smartcards and PINs. It is not only the accepted wisdom that "something you have and something you know" is far more secure than a username/password-only system, it is just plain correct.

    Many banks in Europe have been using one-time PADs for years; it's about time US banks are getting with the program on security, and disappointing that they're only doing it because somebody made them. If any bank here could offer me Smartcard + PIN or one-time PAD authentication today, they'd have my business right now.
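    The "something you have plus something you know" split from Sycraft-fu's comment above, and the card-plus-PIN scheme gujo-odori describes (a short PIN made safe by disabling it after a few wrong tries), as an added example that is not part of this thread or of any bank's system. It stands in for the smartcard with an RFC 4226 HOTP token, hashes the PIN with PBKDF2, and locks the account after MAX_ATTEMPTS failures; the threshold of 3, the look-ahead window of 5, and the PIN value are assumptions chosen for the illustration.

```python
"""Two-factor verifier: something you know (a PIN) plus something you have
(an RFC 4226 HOTP token), with a retry counter that locks the account after
a few wrong attempts. Added example; every value below is constructed."""
import hashlib
import hmac
import os
import struct

MAX_ATTEMPTS = 3       # assumed lockout threshold ("a few tries")
HOTP_DIGITS = 6
HOTP_LOOKAHEAD = 5     # assumed resync window for a token whose counter ran ahead


def hotp(secret: bytes, counter: int, digits: int = HOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked verifier database does not yield the PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 200_000)


class Token:
    """The 'something you have': a device holding the shared secret and its own counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Account:
    """Server-side record: PIN verifier, token secret, HOTP counter, failure counter."""

    def __init__(self, pin: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.token_secret = token_secret
        self.token_counter = 0     # next counter value the server will accept
        self.failures = 0
        self.locked = False

    def verify(self, pin: str, code: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. Both factors are checked before answering,
        so the response never reveals which one was wrong."""
        if self.locked:
            return "locked"
        pin_ok = hmac.compare_digest(self.pin_hash, hash_pin(pin, self.salt))
        code_ok = False
        next_counter = self.token_counter
        for c in range(self.token_counter, self.token_counter + HOTP_LOOKAHEAD):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                code_ok = True
                next_counter = c + 1
                break
        if pin_ok and code_ok:
            self.token_counter = next_counter   # burn the used code: it is one-time
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 test-vector secret, constructed demo key
    tok, acct = Token(secret), Account("482916", secret)
    print(acct.verify("482916", tok.next_code()))   # ok
    print(acct.verify("000000", tok.next_code()))   # denied (wrong PIN)
```

    The two points the comments make both show up in the code: a stolen PIN alone cannot pass `verify`, because a fresh HOTP code is also required, and a stolen token alone cannot either, because the PIN is checked too and the failure counter disables the account before a 6-digit PIN can be guessed. Accepting a code within a small look-ahead window, and only advancing the server counter on success, is what keeps a token that was pressed a few times without logging in from being locked out permanently.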
  • by Anonymous Coward on Wednesday October 19, 2005 @10:52PM (#13832613)
    Speaking as a bank teller in Virginia, I would like to point out a few things.

    When you walk into your local branch and hand the teller your paycheck or the latest rebate checks for those gadgets you bought on sale at Best Buy two months ago, we accept your deposit and a hold is placed on the non-cash items accepted for deposit. Each teller's "work" (deposit tickets, cash-in/cash-out debit/credit slips, checks, and other paperwork) is bundled together at the end of the business day. This used to be 2 pm local time for most banks, although it varies from bank to bank these days. At the bank I work for, the business day ends at 3 pm and we tellers settle our cash drawers for the *business day* at that time. We might be open until 5 or 6 pm some days, but after 3 pm, we are on the next business day, where business days are generally Monday through Friday, excluding federal bank holidays.

    All of the teller "work" at a branch is bundled together and sent in packets to regional bank operations centers for overnight processing. Basically, checks are sorted, verified, stamped with our bank's transit endorsement, and sent for collection to their respective banks on which they are drawn (via the other bank's Federal Reserve Bank, if it's in another FRB district). Usually, check deposits (and other negotiable items such as drafts and money orders) are then credited to your account as the bank's funds availability policy allows. Some banks are nicer than others: if your account is in good standing and generally has a balance and the check you deposited can be electronically verified as good by the other bank, your bank may decide to give you credit before the check is actually paid by the bank on which it is drawn.

    It would be VERY hard and VERY risky for a bank to do instant clearing of a check. Think about it: all the verification and transit endorsements would be done at the teller line. In order to complete the process, we tellers would also have to access other financial institutions' systems to verify signatures, verify that there are no stop payments on the check, verify that funds are available, etc. Oh, and that's assuming that all the hundreds and hundreds of financial institutions' different computer systems would interoperate flawlessly. Trust me: I don't think you want tellers at other banks looking at YOUR account because they are NOT bound by your bank's privacy regulations! And, to make matters worse... what if the check's counterfeit, bogus, unauthorized, or otherwise non-negotiable? The bank then takes the loss, and guess who we pass it on to: you, the customers.

    The check clearing system is fine as it is, and arguably, yes, sometimes we banks place longer holds than are necessary, but those are at our discretion: if we believe the check you deposit will not be paid, we can place a hold. (Note that we have to justify such a decision.) And...if you have a problem, talk to your local branch manager. Generally, the branch manager can release holds and make funds available to you if your account is in good standing with the bank.

    I suggest you read up a bit on Check21. Check21 has already sped up check clearing because checks at many institutions are now truncated and transmitted digitally instead of by plane or truck as before. And generally, if you're a customer in good standing, the bank will make funds available to you FASTER (because to them, you're a lower risk than someone who overdrafts every other week) depending on the amounts deposited.
  • by Tyrant Chang ( 69320 ) on Thursday October 20, 2005 @01:27AM (#13833309)
    Actually, that is what's happening in Korea.

    What we use is a security card (like one-time pad) and we get a certificate key from a key authority identifying the user by using the one-time pad.

    The problem is, every time there is news of someone's bank account getting hacked (and there have been a few instances of such), the bank blames the user for not handling the security properly and usually will reset the balance.

    However, on the other hand, I do see the point of the bank. If the user doesn't take minimum precautions, what is the bank supposed to do?
  • by spectral ( 158121 ) on Thursday October 20, 2005 @02:05AM (#13833424)
    I was with ya until this comment: I don't think you're describing it correctly.

    Man-in-the-middle implies that your communication is going to destination A, via intermediaries B, C, and D. Phishing, and what you describe, implies that for some reason you've been tricked into setting your end destination as D, who will eventually go to A for you, but you addressed it wrong. Yes, I guess this person is technically "in the middle" of the chain of where you WANT to go, but if you had been smart about saying your correct destination, D would have no way to work unless they were able to hijack your stream the first time and every time thereafter to inject their own cert (I guess only the first time matters, since if they have your info once they can fuck you over royally.. but if it's not the first time you'll get a cert error).

    Phishing is NOT man in the middle. It's just social engineering to get people to think that D really is A. This is why anything that matters, you type it in yourself. But, most people don't know to do that, I'm afraid.
