Can Technology Stop Social Engineering Tricks — Or Does It Make It Worse?
from the questions-questions-questions dept
There has been a lot of talk in the past few weeks about new guidelines from federal officials designed to help prevent online banking fraud by requiring some form of two-factor authentication, such as a security token whose code changes every sixty seconds. At first pass this sounds like a good idea. It gets past the single username/password setup that is so easy to break, especially when people will cough up their password for the simplest of trinkets, or simply because someone asked for it.

However, some are suggesting that this plan for two-factor authentication isn’t such a good one. First, it will be expensive to implement. Banks will need to send customers the tokens, scratch-off cards or whatever other system they choose, and upgrade their own systems to handle them. Second, it makes life harder for users. Customers have to figure out how the token or card works, carry it around at all times and try not to lose it. If the banks don’t agree on a standard system, customers may end up carrying a bunch of tokens with them at all times, which won’t be much fun.

The worst of it, though, is that the scammers will adjust, so such methods may not help very much at all. Most bank fraud is really done by social engineering: tricking people into giving up the information needed to get into their account. So now all the scammers need to do is trick them into giving up the token or scratch-card code as well, or mount a standard man-in-the-middle attack. Yes, the code may be time-limited, but that does not matter if the attacker uses it as soon as it is phished, inside the window in which the bank still accepts it. In fact, the article notes that customers of a Scandinavian bank using two-factor authentication have already been scammed. What it comes down to is that most banking scams are done by social engineering, and that is pretty difficult to stop by technical means.
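The relay point above, as an added worked example that is not part of the original article or of any bank's system: a minimal RFC 4226/6238 one-time-code token using the sixty-second step the article mentions, a verifier that tolerates one step of clock drift and refuses to accept the same code twice, and a simulated phishing page that forwards the victim's code to the real bank. The seed and the timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token's seed is a shared secret with the bank.
DEMO_SEED = b"constructed-demo-seed"
STEP_SECONDS = 60   # the article's token that changes its code every sixty seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // step))


class BankServer:
    """Verifier with a one-step drift allowance and single-use enforcement."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.used = set()   # (counter, code) pairs already accepted

    def login(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        # Accept the current step and `drift_steps` earlier ones so a token
        # whose clock runs slightly behind still works for honest users.
        for counter in range(current - self.drift_steps, current + 1):
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):
                if (counter, code) in self.used:
                    return False      # straight replay of an already consumed code
                self.used.add((counter, code))
                return True
        return False


def relay_attack(server: BankServer, victim_secret: bytes,
                 phish_time: float, relay_delay: float) -> bool:
    """The victim reads the code off the token and types it into a phishing
    page at phish_time; the attacker forwards it to the real bank
    relay_delay seconds later.  The bank cannot tell the attacker's session
    from the victim's: the code is genuine, just delivered by the wrong party."""
    stolen_code = totp(victim_secret, phish_time)
    return server.login(stolen_code, phish_time + relay_delay)


if __name__ == "__main__":
    t = 1_000_000   # constructed timestamp, 40 s into a 60 s step
    print("relay after 10 s :", relay_attack(BankServer(DEMO_SEED), DEMO_SEED, t, 10))
    print("relay after 30 s :", relay_attack(BankServer(DEMO_SEED), DEMO_SEED, t, 30))
    print("relay after 130 s:", relay_attack(BankServer(DEMO_SEED), DEMO_SEED, t, 130))
```

The single-use set stops an attacker who captures a code the victim has already spent, but it does nothing against a live relay, because the attacker's submission is the first and only use of that code. The drift allowance, which any real deployment needs, makes the relay window wider than the nominal sixty seconds.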
Comments on “Can Technology Stop Social Engineering Tricks — Or Does It Make It Worse?”
No Subject Given
The best two-factor banking authentication system that I’ve heard of involved sending a passcode to your mobile phone or email in response to an attempted bank login. This doesn’t require the user to carry anything that they don’t carry already. The system is relatively secure as long as the phone is in the user’s possession. In the case where the code is sent to an email account, the hacker still has to crack two passwords instead of one (unless the stupid user reuses them).
Re: No Subject Given
Except that SMS costs money, and I guarantee that the banks will pass that cost to the customer (at the usual retail price, not what they pay for it, and probably with an extra 50% for no better reason than because the customer has NO CHOICE anyhow)
Which means that my internet banking is going to end up costing me even more.
I think the long-term solution to the problem is that the banks should do ABSOLUTELY NOTHING AT ALL about fraud.
If you’re stupid enough to follow an email link and not notice any of the generally HUGE giveaways that suggest a scam (wrong URL, bad spelling, broken links, wrong URL, no encryption, wrong URL, you’ve been told a million times to NEVER follow banking links in email, etc.) then you should accept the resulting fleecing as a fine for your stupidity and a painful reminder to pay more attention in future.
If the banks want to do anything else I suggest they send their own customers a ‘please verify your account’ email of their own. Anyone who falls for this email should have their internet banking disabled until they attend a mandatory lecture on basic security.
Re: Re: No Subject Given
In South Africa, where banking is quite expensive as it is, and fraud is almost commonplace, an SMS is sent to the account holder after every single transaction above a certain amount. If you go to a store and make a purchase above that amount you immediately get an SMS informing you that a transaction has taken place, where and for how much.
But then in South Africa you have to pay to withdraw cash, you pay for the bank to hold your money – basically you pay for everything.
Re: No Subject Given
“The best two-factor banking authentication system that I’ve heard of involved sending a passcode to your mobile phone or email in response to an attempted bank login”
Of course, that assumes that you are in a place with cell phone access. There are a TON of Americans who have poor access to cell phone services of any kind.
Personally, the banks’ responsibility is to make sure that security is tight so that usernames and passwords aren’t given up to hackers. However, if you are dumb enough to give your username and password out, and somebody gets into your account and takes your money, then the bank should have no liability.
Shouldnt be that bad
I haven’t read the linked articles, but I guess having a token to carry does sound like a good idea to me. Many tech corporations already use this technique. I usually attach the token to my car key, and it stays in my pocket at all times along with the key.
Of course this cannot be foolproof, but hardly anything we ever develop will be foolproof. The key is only to get better at avoiding identity theft.
I don’t think this is very inconvenient either.
Better ideas
Dear Banks,
How about first letting me choose a user name that’s not my SSN or account number, or letting me use a password that’s longer than 8-characters and includes characters other than letters and numbers?
Stop the FUD
The regulators never said banks have to adopt two factor authentication. They said banks have to assess risk and, if necessary, adopt “multifactor authentication, layered security, or other controls…”
Banks have options that go way beyond tokens.
Please stop the FUD.
Smart Chip
How about a 6 digit pin and a smart card (or cell phone) and use public/private key encryption.
Then you could use the same ID everywhere. If that bugs you, you could carry multiple cards, or have multiple chips for your phone.
Re: Smart Chip
Bill:
This is what we have done with WiKID. We use asymmetric encryption and a PIN, which gives you the ability to work across multiple servers. It also makes token distribution simple because the keys are generated on the device and then key pairs are swapped.
We have also extended the PC client to validate the SSL certificate of the site for the user, which will help prevent man-in-the-middle attacks. You can test this on the open source version which is on sf.net:
http://sourceforge.net/projects/wikid-twofactor/
Nick
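One way to fold the site check the commenter describes into the authentication exchange itself, as an added example that is neither WiKID’s code nor its protocol: the token’s response covers both the server’s challenge and the host name the client verified from the TLS certificate, so a response produced while talking to a look-alike site does not verify at the real bank. To stay inside the Python standard library it uses an HMAC under a per-site key the device holds (unlocked by the PIN) in place of the asymmetric signature the comment describes; the binding argument is the same with a signature, since the verifier checks the response against its own host name either way. Host names, key and session labels are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed names and key material for the demo.
REAL_BANK = "bank.example"                        # host the user meant to reach
PHISH_SITE = "bank-login.example"                 # attacker's look-alike host
DEVICE_KEY = b"constructed-per-site-device-key"   # held on the device, unlocked by the PIN


def naive_response(key: bytes, challenge: bytes) -> bytes:
    """Response over the challenge alone. Proves possession of the key but
    says nothing about which site the client was actually talking to."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def bound_response(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Response over challenge || origin. `origin` is the host name the client
    verified from the certificate of the TLS connection it is using, not a
    value typed by the user or supplied by the page."""
    msg = challenge + b"\x00" + origin.encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Bank:
    """Verifier side. Issues one random challenge per session and checks the
    returned response against its own host name."""

    def __init__(self, host: str, device_key: bytes):
        self.host = host
        self.key = device_key
        self.outstanding = {}   # session label -> challenge still awaiting a response

    def new_challenge(self, session: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding[session] = challenge
        return challenge

    def verify(self, session: str, response: bytes, bound: bool) -> bool:
        challenge = self.outstanding.pop(session, None)   # each challenge is single use
        if challenge is None:
            return False
        if bound:
            expected = bound_response(self.key, challenge, self.host)
        else:
            expected = naive_response(self.key, challenge)
        return hmac.compare_digest(expected, response)


def honest_login(bank: Bank, bound: bool) -> bool:
    """User connects to the real bank; the client sees the bank's own certificate."""
    challenge = bank.new_challenge("user-session")
    if bound:
        response = bound_response(DEVICE_KEY, challenge, bank.host)
    else:
        response = naive_response(DEVICE_KEY, challenge)
    return bank.verify("user-session", response, bound)


def relayed_login(bank: Bank, bound: bool) -> bool:
    """Man in the middle: the attacker opens a session with the real bank,
    shows the bank's challenge to the victim on PHISH_SITE, and forwards
    whatever the victim's client returns. The victim's client computed its
    response for the host it really connected to, which is PHISH_SITE."""
    challenge = bank.new_challenge("attacker-session")
    if bound:
        response = bound_response(DEVICE_KEY, challenge, PHISH_SITE)
    else:
        response = naive_response(DEVICE_KEY, challenge)
    return bank.verify("attacker-session", response, bound)


if __name__ == "__main__":
    bank = Bank(REAL_BANK, DEVICE_KEY)
    print("honest, challenge only :", honest_login(bank, bound=False))
    print("relayed, challenge only:", relayed_login(bank, bound=False))
    print("honest, site-bound     :", honest_login(bank, bound=True))
    print("relayed, site-bound    :", relayed_login(bank, bound=True))
```

The point of the exercise is that a fresh random challenge alone does not stop a relay: the attacker simply passes the real challenge through. What stops it is that the client, not the user, supplies the host name it verified, and the bank refuses any response computed for a different one.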
No Subject Given
The only way to reduce fraud is to make the financial institutions hold the bill. By putting liability on the financial institution for losses attributed to inadequately identifying the account holder (not just authentication), solutions will be found. Until then nothing useful will be done and the costs will be off-loaded to the customer and/or taxpayer.
Biometrics, surely?
Biometrics has to be the way forward. A keyboard with an in-built fingerprint reader is a viable solution, no longer that costly, and the banks could even sell them as a branded, stand-alone unit for added security.
Or even a keyboard with a chip reader. These technologies already exist, it’s up to the banks to speak to the technology providers to get around this problem.
Why aren’t hardware providers champing at the bit to provide banks with their own solution? I would certainly shift accounts to the first bank that offered security over and above the password/account number scenario.
Meanwhile, I can’t even log onto my HSBC account using Firefox on an iMac at work. The ultimate in security……..?????
social engineering
from tim
RE Social engineering
TXT: The professor snatched the idea by
social skills. See also:
den Haag-manga, multi mga nga mpd
Multi and the computer-room
multi and robbery of your money
multi and sex
MIT and the very Rich Keys.
postmaster save deliver print 2006-06-09
social engineering
add: Stasi training and social engineering ?
Stasi behind the banking crisis.
Perhaps the stasi right now is listening or
reading this. tim