
Security Improvements for Online Banking


The Feds may require banks to go beyond user names and passwords for online banking logins. According to this AP article:
Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.

Two-factor authentication confirms identity based on information that a user knows (like passwords) and information that a user physically has (like a device which displays randomly changing codes).

Two-factor authentication should reduce the chance that phishing attacks and keylogging programs can be used to hijack your online accounts, so I hope banks will soon implement this kind of system. One thing I worry about is having to carry a dozen electronic devices which hold the random codes needed to log in. Perhaps the government could set up a system in which one device could work with multiple banks and financial institutions.
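As an added example (not part of the original post), this is how a device that "displays randomly changing codes" typically works: an HMAC-based one-time code (RFC 4226) keyed by a secret shared between the token and the bank, with the counter derived from the clock (RFC 6238), plus the bank-side check. The secret below is the RFC test-vector key, constructed for the demo, and the 30-second step and 6-digit length are assumed defaults.

```python
import hmac
import hashlib
import struct

# Constructed demo secret (the RFC 4226 test-vector key), not any bank's key.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumed time step
DIGITS = 6          # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, int(now // step))


def verify(secret: bytes, submitted: str, now: float, window: int = 1) -> bool:
    """Bank-side check: accept the current step and `window` steps either side
    (clock drift), comparing in constant time so timing does not leak digits."""
    step_now = int(now // STEP_SECONDS)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step_now + delta), submitted):
            return True
    return False


def replay_demo() -> dict:
    """A code phished at t=59 s is valid at that moment and within drift, but
    the same code submitted two minutes later is rejected."""
    stolen = totp(DEMO_SECRET, 59)
    return {
        "code": stolen,                                  # "287082" (RFC 6238 vector)
        "accepted_now": verify(DEMO_SECRET, stolen, 59),
        "accepted_with_drift": verify(DEMO_SECRET, stolen, 89),
        "accepted_two_minutes_later": verify(DEMO_SECRET, stolen, 59 + 120),
    }


if __name__ == "__main__":
    print(replay_demo())
```

The time limit is what blunts a simple phish or keylogger capture; it does not help against a live man-in-the-middle that relays the code immediately, which is the gap the mutual-authentication point in the comments is about.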
Comments
Nick Owen (anonymous) | Comment #1
Banking guy:

Don't get lulled into a false sense of security. There are attacks against one-time password systems too. For example, DNS cache poisoning is an attack against your ISP or other DNS provider that will re-route your hand-typed URL to a fraudulent web site. If that site has software that will automatically log in to your bank, you're hosed.

Mutual authentication - of both the user and the website - will be key for online banking.

You are right about carrying multiple tokens. That is a big problem with hardware-based solutions. They use a shared-secret, which means they can't be shared across services. Public key cryptography is much better suited to consumer authentication applications as there is no reduction in security when public keys are shared across authentication services. Do you really want the government to manage all your authentications?

More of my thoughts here:
Banking Guy (anonymous) | Comment #2
Thanks for the information.

How about a combination of Bank of America's SiteKey system and ING Direct's PIN Guard system?

SiteKey should prevent bogus sites from tricking you. PIN Guard should prevent key loggers from stealing your pin.

I suppose sophisticated key loggers could also capture the screen graphics and mouse click locations. Any other holes?

-Ken
Nick Owen (anonymous) | Comment #3
Since you've asked about specific solutions, I should let you know that I work for a competitor to those solutions - full disclosure.

Any combo should increase the difficulty of an attack. You're right about PIN Guard: entering a PIN via a screen isn't much different from the keypad, though; there are screen-capture loggers too.

I think SiteKey is susceptible to man-in-the-middle attacks. There is nothing cryptographic about SiteKey. It relies on DNS and IP addresses, which are weak and easily spoofed. SiteKey also lacks consistency: it falls back on a '10 questions' system if the secure cookie isn't there.

What SiteKey is selling is ease of deployment, not security. Just my biased $.02 ;).