Two-factor authentication 'not the solution' to online fraud


Plans to bolster online security with code-generating doodads, fingerprint readers or smart cards are not likely to solve the identity fraud problems currently plaguing database companies and online stores, a security expert has warned.

Two-factor authentication, or the use of a method in addition to a password to verify identity, could still be defeated by Trojan horses and phishing attacks, Bruce Schneier, a renowned cryptographer and the chief technology officer for network protection company Counterpane Internet Security, said on Tuesday.

"Since we have proposed the solution, the problems have changed," Schneier said in an interview with ZDNet UK sister site CNET News.com. "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago."

The well-known encryption expert, who has authored books on information security and terrorism, argued in a posting to his blog that e-commerce companies and security providers need to think more deeply about what two-factor authentication can solve.

"It's not going to prevent identity theft," he wrote. "It's not going to secure online accounts from fraudulent transactions."

Schneier's no-confidence vote comes a day after Microsoft renewed calls at the CeBIT conference in Hannover, Germany, to supplement passwords with another identity check. It also comes on the same day that the US Congress held a hearing on several high-profile data leaks that occurred in the past month.

A representative of Microsoft was not immediately available for comment, but the company confirmed that it did argue for further security checks at the German conference.

While his arguments seem to run counter to Microsoft's effort, Schneier stressed that the software maker's focus on improving security beyond passwords, for example with the use of key fob-size hardware tokens, is a good one.

"Doing away with passwords is a good idea," he said. "Tokens work great, with employees logging onto the corporate server."

However, what's good in a closed corporate network is not as useful on the "anything goes" Internet, Schneier said. Trojan horses can be created that let the attacker know when someone is logged into their bank account and, even with a second identity check, could insert new transactions into the session. Also, online thieves could take control of a server that routes Internet traffic and then develop programs to similarly insert fraudulent transactions into a banking session.

"The tactics will change," Schneier said.

That may be true, but that does not mean that enhancing security with a fingerprint-reading or code-generating device is a bad thing, said Chris Voice, chief technology officer at security company Entrust. Raising the bar for attackers will give some respite from attacks and make fraud that much harder to do, he said.

"You don't stand still just because the criminals are going to evolve," he said. "You still put the lock on the door."

Yet online service providers should look to more permanent solutions, Schneier said. While two-factor authentication does not solve the problem, security companies should still re-analyse the issues, he said.

"Focus on the problem: Fraudulent transactions," he said. "There are two strategies: You can make identities harder to steal, or you can make identities less useful. I think the first fails in the end."

Talkback

Indeed. A multi-level approach is needed.

Think about two-factor authentication (or even more) combined with sequential response challenges (e.g. the bank customer in question would have a piece of paper with a few hundred responses on it and the first transaction would ask for response number one, the second transaction for the second response and so forth; thus making it harder for a phishing attack to know what the next question number is; thus alerting the bank customer in case they guess the wrong number) combined with logging the source of transaction requests and cross-referencing that with historical data to pinpoint which sources initiated transactions for various accounts all of a sudden and without reasonable explanation. Etc, etc.

What also might be of interest is the good old call-back security measure. Meaning that the bank customer initiates a transaction and once identity has been confirmed the transmission is ended and the bank will initiate a call back to the previously agreed-upon location (e.g. the IP address of the customer, the e-mail address of the customer or even the phone number of the customer [press 1 to confirm transaction request 411 or something]).

Yes, that will cost the banks some money but on the other hand it'll save them money (and face) as well.

In short, there's enough that can be done with existing technology and solutions. No need to let all those customers run to the store and empty their wallets for some half-baked solution so a few years from now they can run to the stores again.

Hmmm, perhaps I should software patent this and charge each and every one of you so I can pay my lawyers to keep the lawyers of the banks and big software companies off my back.

via Facebook 17 March, 2005 21:48

Robert,

I saw your article on the CNET site on 16th March 2005 and then went back to read Bruce's original article on Cryptogram. It's all good stuff, however...

The reality is two factor authentication IS a solution to identity theft – just not a sole solution. If I can use a house as an analogy – putting a lock on the front and back door doesn’t secure the whole house. You need to look at window locks, an alarm system etc.
Two factor authentication is an essential part of the overall defence against phishing. It's critical to move away from static passwords to something stronger and two factor authentication is just part of the arms race to secure all our defences!

Used in a traditional way, e.g. to authenticate a web session, two factor authentication can be compromised; however, if you use two factor authentication across TWO independent communications channels (i.e. Web plus Phone or SMS) then you really can defeat these sophisticated attacks, and it's not as complex to use as it sounds. In real life it would work like this:

The user logs in to their on-line bank account via the web channel with a one time passcode (OTP), to complete basic functions such as checking balances etc. However, if s/he wants to do a significant transaction - such as setting up a new payee and transferring a large sum - then this transaction must be specifically authorised by the user via the second channel.

The bank would use an automated system to SMS or phone the user on their registered mobile/home phone to inform them of the transaction and ask for confirmation. To confirm the transaction the user would enter a new OTP via the phone keypad. S/He is also given a choice to be connected to a security helpdesk if they are NOT aware of the transaction and want to raise an alert.

So in this situation the SAME OTP-based 2 factor authentication system is being used, but in a more flexible way to authenticate the user via more than one channel.

The key is that banks and businesses must buy into 2 factor auth systems that CAN be used over multiple channels. OTP based systems work in this way, but biometrics and PKI smartcards and USB devices cannot be easily used over both web and phone.

So, banks & businesses who are investing in the right form of 2 factor auth with the flexibility to work over multiple channels are NOT wasting their money. Others who are investing in 2 factor auth that can only work over the web are going down a blind alley.

I hope this is a useful summary. We at Signify spend our (sad) lives purely designing different authentication systems to suit different market places, so we are aware that there's no silver bullet to solve all problems. But there are solutions if you look for them. :-)

If you want to chat it over - please do feel free to call or e-mail.

Best regards

John Stewart

via Facebook 23 March, 2005 12:10
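The two-channel confirmation that both comments describe (the call-back in the first, the SMS/phone OTP in the second), as an added illustration that is not part of the original article or of either commenter's proposal. The bank, the threshold and the simulated SMS channel are constructed for the demo; the point it shows is Schneier's scenario: a transaction injected into an authenticated web session still fails, because the customer sees the bank's version of the transaction on the phone before confirming it.

```python
import secrets
import hmac

# Constructed demo (not a real bank API): login over the web channel is assumed done;
# transfers at or above LARGE_TRANSFER are held until confirmed on a second channel.
LARGE_TRANSFER = 1000  # assumed threshold, not taken from the page


class Bank:
    def __init__(self):
        self.pending = {}     # confirmation_id -> (payee, amount, code)
        self.executed = []    # transfers actually carried out
        self.sms_outbox = []  # simulated second channel to the customer's phone

    def request_transfer(self, payee, amount):
        """Called over the (possibly Trojan-controlled) web session."""
        if amount < LARGE_TRANSFER:
            self.executed.append((payee, amount))
            return None  # low-value: executed at once, no step-up
        cid = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"  # fresh OTP for this transaction only
        self.pending[cid] = (payee, amount, code)
        # The phone message carries the transaction exactly as the bank received it.
        self.sms_outbox.append({"id": cid, "payee": payee, "amount": amount, "code": code})
        return cid

    def confirm(self, cid, code):
        """Called from the phone channel, never from the web session."""
        entry = self.pending.pop(cid, None)
        if entry is None or not hmac.compare_digest(entry[2], code):
            return False
        self.executed.append(entry[:2])
        return True


def customer_reviews_sms(intended, sms):
    """Customer keys in the code only if the bank's details match what they meant to send."""
    if (sms["payee"], sms["amount"]) != intended:
        return None  # mismatch: customer raises an alert instead of confirming
    return sms["code"]


def run_scenario(tampered_payee=None):
    """Returns (confirmed?, executed transfers) for a clean or Trojan-altered session."""
    bank = Bank()
    intended = ("Electric Co", 2500)
    payee = tampered_payee or intended[0]  # a session Trojan may swap the payee
    cid = bank.request_transfer(payee, intended[1])
    code = customer_reviews_sms(intended, bank.sms_outbox[-1])
    confirmed = code is not None and bank.confirm(cid, code)
    return confirmed, bank.executed
```

Transfers under the threshold bypass the second channel entirely, which is why the threshold and the "new payee" rule in the comment matter as much as the OTP itself.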
