Sunday, June 29, 2008

Why Banks Won't Follow Blizzard And Offer Security Tokens

This post was prompted by reading this article over at Errata Security and this article over at un-excogitate.org about Blizzard (makers of StarCraft and World of Warcraft) selling security token devices for €6 on their European website. In a nutshell, you have a small device that displays a six digit number which matches a number computed on the login server. Coupled with a username and password it meets the standard of two-factor authentication (something you know and something you have). The general sense I get from these two blogs and others I have read on the subject is that banks and other institutions should be providing similar tokens to their customers. For instance:
"Isn't it kind of funny when an online game has better security than most banks?"
- Errata Security

"If Blizzard is able to offer One Time Password Tokens for a MMORPG platform, then there is no longer a reason why your financial institute doesn't offer the same."
- un-excogitate.org
I agree with the sentiment, but I wanted to start a conversation about why you won't be seeing these tokens in the mail from your bank any time soon. The reasons most banks, e-commerce sites, and even corporate VPN connections aren't protected by two-factor authentication come down to a few things:
  • cost: additional cost to the customer, shipping, inventory, infrastructure, licensing, staff, overhead, etc.
  • complexity: dealing with lost tokens, mistyped numbers causing locked accounts, countless help desk calls, etc. If you are locked out of your WoW account you can't play a game; when you are locked out of your bank account you can't pay bills, transfer funds, check your balance, etc. Simply put, the downside of reduced customer convenience outweighs the upside of stronger security.
  • motive: Blizzard is providing these tokens to help secure customers' accounts, but also to protect its future revenue stream and to combat piracy and cheating; in short, it makes business sense. Banks typically don't suffer much when a customer account is breached, because they rarely take the hit themselves: they either insure against the loss (federally or privately) or simply pass the costs on to customers.
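To make the token mechanism described above concrete, and to show where the "mistyped numbers causing locked accounts" problem comes from, here is an added example (not code from Blizzard, the referenced blogs, or this post's author) of a six-digit one-time-password token and the matching server check, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret is the RFC 4226 test-vector secret so the codes can be compared against the RFC's published table; the class name, the drift window and the lockout threshold are assumptions of this example.

```python
import hashlib
import hmac
import struct


# Shared secret provisioned into the token at manufacture and stored by the login server.
# This is the RFC 4226 test-vector secret, used so the codes match the RFC's table;
# a real token carries its own random per-device key.
TOKEN_SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP, the token side: the counter is the number of 30-second steps elapsed."""
    return hotp(secret, unix_time // step, digits)


class LoginServer:
    """Server side: recomputes the code and compares it (assumed class, not a real product).

    window        steps of clock drift tolerated either way (the token resync problem)
    last_counter  newest step already accepted, so an accepted code cannot be replayed
    max_failures  bad codes before the account locks (the help-desk call problem)
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, max_failures: int = 5):
        self.secret = secret
        self.step = step
        self.window = window
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> str:
        """Returns 'ok', 'rejected' or 'locked'. Assumes the password was already checked."""
        if self.locked:
            return "locked"
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_counter:
                continue  # this step, or an older one, was already used: treat as replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "rejected"


if __name__ == "__main__":
    server = LoginServer(TOKEN_SECRET)
    now = 59
    code = totp(TOKEN_SECRET, now)          # what the token displays at t=59
    print(code, server.verify(code, now))   # 287082 ok
    print(server.verify(code, now))         # rejected: replay of an accepted code
```

The drift window is what keeps a token with a slightly slow clock usable without a help desk call, and the failure counter is the trade-off the "complexity" bullet describes: set it low and fat-fingered codes lock customers out; set it high and an attacker gets more guesses at a six-digit code.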
That being said, I do believe that, either through public pressure or government mandate, consumers will eventually have various security tokens to access sites. Great security, right? Imagine this world: you have a token for your bank, one for your investments, one for work, one for your 401K, one for your medical provider, one for PayPal, one for Amazon, one for ... you get the point. People complain about having to change passwords every 90 days and having to use special characters; imagine when we start handing them devices to forget at home, lose, break, drop in the toilet, etc.

Perhaps there needs to be an OpenID style system of purchasing a security token that is centrally managed and can be accessed by multiple businesses. Verisign was demonstrating that very technology at the RSA conference this year. But until the technology becomes ubiquitous and cheap keep your passwords strong and your cookies safe.

3 comments:

Anonymous said...

Hey Dan,
I firstly want to agree with your post, there are difficulties with implementing a token based two-factor auth/auth technology, but I believe that some of these can be distilled by implementing a different style of 2nd factor, such as SMS over your mobile phone. By using SMS you can minimise the cost (compared to tokens), and potentially minimise complexity (this has many dependencies of course, for example: the geographical/cultural area. I’m aware that Australia has one of the highest mobile phone take ups in the world and people are comfortable with the use of SMS, I can’t comment on elsewhere). Of course, as I mentioned in my post, if we find ourselves in a situation whereby our mobile phones are the new weakest link, the baddies will change their tactics.

In regards to the motive though I may disagree to some extent. I’m unsure how most finance institutes work, but I’m sure there’s some point at which the amount they lose to unauthorised transactions starts to impact upon them, regardless of insurance or allocated/budgeted costs. In addition to the direct fraud losses, financial institutions also suffer intangible losses, such as brand or reputation being impacted when customers lose faith in the ability to perform actions without negative impact upon themselves.

I also like your comments on the OpenID style system, and it’ll be interesting to see how that technology pans out. Cheers for the post!
-Christian

Anonymous said...

Hi Dan and Christian,

As someone working in the banking industry it would appear that most banks that don't already provide an extra layer of security beyond login id and password, like two factor authentication with SMS or Tokens, are thinking about it.

What seems incredible to me is how long they have been thinking about it without actually doing anything. I suspect it is a case of having too many options with each security vendor trying to disprove the other vendors' technology in an effort to win the business.

Take RSA as an example of a well trusted company that has confused the market. A few years ago they were "full on" promoting their 2FA SecurID One Time Password security tokens. Then they purchased CYOTA, who produce fraud detection software, and overnight they basically start suggesting tokens are old hat and you'd be a mug to use "old" tokens when you could use something less intrusive on the customer, less expensive etc etc. Those financial institutions who had been dealing with RSA for years and maybe thought tokens were ok, then had to reevaluate that way of thinking.

Sticking with this particular example, the fact is for most financial institutions integrating a fraud detection system into their banking system would be very expensive and time consuming, and that's forgetting about the ongoing management of suspected fraudulent transactions.

So here we have a case where an institution is dealing with a well respected security company like RSA but has received very mixed messages within a short period of time. What does the bank do???

The answer in most cases is nothing.

For the person in a bank responsible for making the decision it is much easier to do nothing than make a decision where there isn't a clear cut answer.

For someone working at a dynamic organisation like World of Warcraft or PayPal/eBay making a decision to go with tokens (a perfectly good choice that isn't as troublesome to manage as is often suggested) wouldn't feel like such a monumental decision.

The fact is doing something is better than nothing and it is a fact that using security tokens or SMS will almost completely prevent security breaches of protected accounts.

Yeah, yeah, I understand man in the middle and other types of attacks that can get around various two factor authentication methods but there is NO SILVER BULLET and there is unlikely to ever be one magic solution to protect account access.

Great post and good luck to OpenId with 2FA and better online security.

Orthogon said...

Well, I'm afraid I'm going to have to burst your bubble, but Dutch banks already have security tokens. It's a little pocket-sized thingy that looks like a calculator with a card slot; you put your card in, enter your PIN, then type in the number the login screen presents you with and it generates a response code. At the very least I know ABN Amro and Rabobank use these.
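The Dutch card-reader scheme described in the comment above is challenge-response rather than a time-based code, and the difference matters for replay: every login gets a fresh challenge, so a response captured once is useless later. The following is an added example (not code from the commenter, ABN Amro, Rabobank, or any real card reader) of that exchange, both sides. The card key is a constructed value, HMAC-SHA256 stands in for the card's own MAC algorithm, the PIN step that unlocks the card is not modelled, and the class and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets


# Key written onto the card's chip at issue time and also held by the bank.
# Constructed value for this example; a real card holds its own per-card key.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def reader_response(card_key: bytes, challenge: str, digits: int = 8) -> str:
    """What the reader shows after the PIN has unlocked the card: a MAC over the challenge
    the login screen displayed, truncated to a number the user can type.
    HMAC-SHA256 is an assumption standing in for the card's real MAC algorithm."""
    mac = hmac.new(card_key, challenge.encode("ascii"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class BankLogin:
    """Server side (assumed class). Each challenge is random, tied to one login session
    and usable once, so a response captured from an earlier login cannot be replayed."""

    def __init__(self, card_key: bytes, challenge_source=None):
        self.card_key = card_key
        # challenge_source lets a test inject fixed challenges; the default uses the CSPRNG
        self.challenge_source = challenge_source or (
            lambda: str(secrets.randbelow(10 ** 8)).zfill(8)
        )
        self.pending = {}  # session id -> outstanding challenge

    def new_challenge(self, session: str) -> str:
        """Issue the number the login screen shows; any earlier challenge for the session is dropped."""
        challenge = self.challenge_source()
        self.pending[session] = challenge
        return challenge

    def verify(self, session: str, response: str) -> bool:
        """One-shot check: the challenge is consumed whether or not the response matches."""
        challenge = self.pending.pop(session, None)
        if challenge is None:
            return False
        return hmac.compare_digest(reader_response(self.card_key, challenge), response)


if __name__ == "__main__":
    bank = BankLogin(CARD_KEY)
    shown = bank.new_challenge("session-1")          # number on the login screen
    typed = reader_response(CARD_KEY, shown)         # number the reader displays
    print(shown, typed, bank.verify("session-1", typed))   # ... True
    print(bank.verify("session-1", typed))           # False: challenge already consumed
```

Compared with a time-based token, the bank here never has to tolerate clock drift or keep a "last accepted counter"; the cost is an extra round trip and a number the customer has to type in both directions.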