
Banks to Use 2-factor Authentication by End of 2006

Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."
  • by DrRobert ( 179090 ) * <`rgbuice' `at' `mac.com'> on Wednesday October 19, 2005 @08:37PM (#13831905) Homepage
    I am really sick of all the convenient things in life suddenly becoming too cumbersome to use. I would really, really hate to have a hard token to carry around. It has so many bad features:
    1. I have to carry it around
    2. I may lose it
    3. It will probably break
    4. Its code could be duped

    Too little security, too much inconvenience
  • by ScentCone ( 795499 ) on Wednesday October 19, 2005 @08:40PM (#13831920)
    Too little security, too much inconvenience

    But I'm betting you wouldn't sign a waiver relieving them of liability if you opt out of using their T-FA...
  • by LordPhantom ( 763327 ) on Wednesday October 19, 2005 @08:45PM (#13831952)
    Isn't that like, say, carrying around an ATM card like we do right now? Sure, a "souped-up" ATM card if it had a rotating PIN, but still an ATM card nonetheless - how is this -more- difficult than what we do now? I usually have my wallet handy somewhere, so is it really that big a deal?
  • by Anonymous Coward on Wednesday October 19, 2005 @08:46PM (#13831959)
    And what are the chances that the second factor (USB tokens or fingerprint readers, most likely) will have drivers for minority operating systems? I use Linux as my only operating system. Until now, I had no problems accessing my bank account or my credit cards online. Now, I fear I may have to start visiting the bank branch in person...

    The reason for my suspicion is that I used USB dongles for some expensive, proprietary software at my workplace, and on a whim I looked around for Linux drivers for the thing. Turns out that the manufacturer only supports Windows 2000 and XP, and no third-party drivers for other OSes exist.
  • And it won't work. (Score:4, Insightful)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday October 19, 2005 @08:55PM (#13832015)
    Because BOTH methods of identification will be travelling over the SAME channel (your Internet connection), this will still be subject to man-in-the-middle attacks.

    But because it will be a cool "encryption" key, people will not know that they aren't "secure".

    The only way to improve the security is to use a different channel (example: the bank calls your phone to have you verify the transaction)
    -or-
    The site relays the information to you using your IP address as part of the encryption (this won't work with NAT/PAT/Masquerading, but will be feasible with IPv6).
  • by Tumbleweed ( 3706 ) * on Wednesday October 19, 2005 @09:00PM (#13832042)
    how is this -more- difficult than what we do now

    What, you have a magnetic-strip card reader attached to your computer? Sure, no problem - we'll just mandate that all computers that want to access a bank online have to have one, or whatever hardware doohickey they decide to require.

    THAT's the real problem with this proposal. Much like extending Daylight Savings Time, politicians have no idea what impact this has on the real world - programmers that have to code this stuff, and in this really BAD case, new hardware that even the end user is required to now purchase.

    Bleh.
  • Why doesn't... (Score:3, Insightful)

    by msauve ( 701917 ) on Wednesday October 19, 2005 @09:01PM (#13832055)
    having to know both username and password count as two factor ID?

    The wikipedia link claims that TFA contrasts to a system where only the password need be known. That may be a problem with some systems where the username is essentially public (i.e. *nix), but for online banking access, the username need not be easily guessed or based on any personal information, just unique.

    Isn't requiring two non-obvious pieces of information (non-personally identifiable username + password) a form of two factor ID? (yes, I know the traditional mantra of "something you have/know")

    If not, why is an ATM card and PIN considered to be, knowing the ease with which mag stripes can be copied? It's not like there should be high confidence the ATM card stripe is proof of possession of a unique object, as might be the case with a SecureID or retinal scan.

  • Silly (Score:5, Insightful)

    by jesser ( 77961 ) on Wednesday October 19, 2005 @09:09PM (#13832088) Homepage Journal
    This will cost every Internet banking customer money, time, and convenience. (RSA fobs are not free; if your bank gave you one for free, it will have to pass the cost on to you in some way.) Meanwhile, it will not significantly reduce the impact of phishing or pharming attacks; it will just force attackers to use the information gleaned from such attacks before the fob's digits expire.

    How about requiring banks to use https correctly [squarefree.com], which would at least reduce the impact of pharming attacks?
  • by DangerTenor ( 104151 ) <pmhesse2 AT geminisecurity DOT com> on Wednesday October 19, 2005 @09:21PM (#13832140) Homepage
    The most popular second-factor token is the SecurID [rsasecurity.com] by RSA [rsasecurity.com]. It is a device which generates pseudo-random numbers every 60 seconds. This would be the easy solution for any bank interested in a cross-platform solution with no driver support to worry about.

    That said, I hate the SecurID. I'm a much bigger fan of PKI-based solutions, because of all the other things you can get along with it (secure email, secure transactions, strong authentication, persistent digital signature and encryption) for almost no additional cost. However, I'd understand if organizations went the SecurID route to save money not having to support something that didn't work well in multiple platforms.
  • by The Monster ( 227884 ) on Wednesday October 19, 2005 @10:28PM (#13832490) Homepage
    Much like extending Daylight Savings [sic] Time, politicians have no idea what impact this has on the real world - programmers that have to code this stuff
    When the new Daylight Saving Time rules were enacted, I figured out that all I have to do is edit the /etc/TIMEZONE or /etc/environment file (depending on which of the 4 flavors of *nix I have to support is involved) and add the string ",M3.2.0,M11.1.0" to the end of the TZ= statement. For instance, change "TZ=CST6CDT" to "CST6CDT,M3.2.0,M11.1.0".

    That's it. No 'reprogramming' involved at all. That's because the interpretation of the TZ variable was already programmed to include this sort of encoded rules.

    On the gripping hand, I have no clue what it'll take to fix Windows timezones.
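    The ",M3.2.0,M11.1.0" rule string The Monster edits into TZ, worked through as an added Python example that is not from the post: it parses the POSIX "Mm.w.d" rule syntax and computes the dates each rule selects, so the edit can be checked against a calendar before it goes into /etc/TIMEZONE. Support for an optional "/time" suffix and the pre-2007 rule string are my additions.

```python
import re
from datetime import date, timedelta

# POSIX TZ transition rule "Mm.w.d": month m, week w (5 = last), weekday d (0 = Sunday).
# An optional "/time" suffix (not used in the post) gives the transition hour; ignored here.
RULE_RE = re.compile(r"^M(\d{1,2})\.([1-5])\.([0-6])$")

def rule_to_date(rule: str, year: int) -> date:
    """Return the calendar date an 'Mm.w.d' rule selects in the given year."""
    m = RULE_RE.match(rule.split("/")[0])
    if not m:
        raise ValueError(f"not an Mm.w.d rule: {rule!r}")
    month, week, wday = (int(g) for g in m.groups())
    target = (wday - 1) % 7                       # POSIX Sunday=0 -> Python Monday=0 numbering
    first = date(year, month, 1)
    day = first + timedelta(days=(target - first.weekday()) % 7)   # first such weekday
    day += timedelta(weeks=week - 1)
    if day.month != month:                        # week 5 means "last": step back if we overshot
        day -= timedelta(weeks=1)
    return day

def dst_transitions(tz: str, year: int) -> tuple:
    """Split a TZ value such as 'CST6CDT,M3.2.0,M11.1.0' into its (start, end) dates."""
    parts = tz.split(",")
    if len(parts) != 3:
        raise ValueError("expected 'STDoffDST,start_rule,end_rule'")
    return rule_to_date(parts[1], year), rule_to_date(parts[2], year)

if __name__ == "__main__":
    # Old US rule (first Sunday of April / last Sunday of October) beside the one from the post.
    for tz in ("CST6CDT,M4.1.0,M10.5.0", "CST6CDT,M3.2.0,M11.1.0"):
        print(tz, *dst_transitions(tz, 2007))
```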

  • by Sycraft-fu ( 314770 ) on Wednesday October 19, 2005 @10:28PM (#13832493)
    Seriously, SSL and SSH2 are not easy to do an undetectable man in the middle attack on. More to the point, to do a man in the middle attack, you actually have to be in the middle. J. Random Hax0r can't do it, it has to be someone with access to a link that your connection passes through. That's much harder.

    I worry about man-in-the-middle attacks for encrypted channels like not at all. Anyone who has the ability to compromise a major network provider to do that, probably has better things to do than go after my info.
  • Re:Silly (Score:3, Insightful)

    by jjohnson ( 62583 ) on Wednesday October 19, 2005 @10:42PM (#13832551) Homepage

    it will just force attackers to use the information gleaned from such attacks before the fob's digits expire.

    The fob's digits expire in 60 seconds. I hadn't heard that real-time phishing attacks were a problem.

  • by bigtrike ( 904535 ) on Thursday October 20, 2005 @12:02AM (#13832963)
    This is also the principle behind car alarms: there are car alarms that can be defeated, some more easily than others, but the main point of a car alarm is to make my car a more difficult/less attractive target than the one next to it.

    A car alarm usually just alerts thieves that there might be something worth stealing in your car. Nobody pays any attention to car alarms going off any more, as 99.999% of car alarm noises are false alarms due to poorly adjusted shock sensors.
    The car alarm probably makes your situation worse.
  • by heytal ( 173090 ) <hetal.rach@gmaRASPil.com minus berry> on Thursday October 20, 2005 @02:38AM (#13833545) Homepage
    Instead of email, why not use SMS? Register your mobile number with the bank and the bank texts you the code, which has to be used within some time period.
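The time-limited codes argued over in this thread (jesser's and jjohnson's point that a phished code still works until it expires, DangerTenor's 60-second SecurID, heytal's SMS code with a deadline, and khasim's suggestion of verifying the transaction itself), as an added Python example that is not from the article or any commenter. The HMAC construction, the shared secret, the 60-second window and the transaction strings are my assumptions, not SecurID's actual algorithm.

```python
import hashlib
import hmac
import struct

STEP = 60      # SecurID-style 60-second code window, as described in the thread
DIGITS = 6

def otp(secret: bytes, counter: int, txn: bytes = b"") -> str:
    """HMAC-based one-time code for a given time step (counter = time // STEP).
    If txn (e.g. b'pay:ACME:500.00') is given, the code is bound to that
    transaction and will not verify for any other one."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + txn, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226 style
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

class Verifier:
    """Bank side: accepts the current step or `drift` earlier ones, and each code once."""
    def __init__(self, secret: bytes, drift: int = 1):
        self.secret, self.drift = secret, drift
        self.used = set()                         # (counter, code) pairs already consumed

    def check(self, code: str, now: int, txn: bytes = b"") -> bool:
        counter = now // STEP
        for c in range(counter - self.drift, counter + 1):
            if hmac.compare_digest(otp(self.secret, c, txn), code):
                if (c, code) in self.used:
                    return False                  # replay inside the window
                self.used.add((c, code))
                return True
        return False                              # wrong, expired, or bound to another txn

def scenarios() -> dict:
    """Constructed walk-through of the cases the commenters argue about."""
    secret = b"constructed-shared-secret"         # provisioned in the token and at the bank
    t0 = 1_000_000_000                            # fixed clock so the run is reproducible
    code = otp(secret, t0 // STEP)
    bank = Verifier(secret)
    out = {}
    out["relayed_in_window"] = bank.check(code, t0 + 5)                 # real-time phishing: accepted
    out["replayed"] = bank.check(code, t0 + 10)                         # same code again: rejected
    out["used_late"] = Verifier(secret).check(code, t0 + 3 * STEP)      # window passed: rejected
    txn = b"pay:ACME:500.00"
    bound = otp(secret, t0 // STEP, txn)                                # code approves this payment only
    out["txn_altered"] = Verifier(secret).check(bound, t0 + 5, b"pay:OTHER:500.00")
    out["txn_intact"] = Verifier(secret).check(bound, t0 + 5, txn)
    return out
```

A code relayed within the window still verifies, which is exactly jesser's objection; binding the code to the transaction details turns it from a login proof into approval of one specific payment, which is the out-of-band check khasim describes.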
