Future of Malware

From Bruce’s blog, links to a three part series at CIO.com.

Interesting quote from the article(s):

Notice Rouland did not say you have to secure the client. He never says the banks must figure out a way to protect that machine. That’s careful and deliberate, because Rouland doesn’t believe that’s what banks have to do. When it comes to securing PCs, Rouland’s advice is radical: Give up.

“In the next generation,” he says, “we will all do business with infected end points.”

He was asked to repeat what he said, just to be sure. So he did: “Our strategy is we have to figure out how you do business with an infected computer. How do you secure a transaction with an infected machine? Whoever figures out how to do that first will win.”

That’s thinking outside the box, all right. I think he’s got the right idea in one sense – the time has come to assume that client PCs are hacked – but I don’t know that there is a reasonable way to secure a transaction with an infected machine, if your only two endpoints are a server and the infected machine. In the comments on Bruce’s blog is this from Brandioch Conner: “Exactly. I have no problem with a person INITIATING a transaction online. But the CONFIRMATION for that transaction MUST be done on a completely different avenue. I’d suggest using the phone number that the customer has on record.”

I agree with Brandioch, and think this is the ultimate destination for online transactions: two-channel authentication, an idea I’ve been in love with for a while but which is apparently so low on everybody’s radar that it doesn’t have a Wikipedia page yet (Bruce did beat me to coining the term, however). Two-factor authentication is expensive and is still vulnerable to a man-in-the-middle attack, which is made infinitely more difficult to defend against when the client computer itself can be the man in the middle. Two-factor authentication raises the barrier a bit (it would defend against some of the scenarios described in the CIO article), but ultimately I personally believe the benefits don’t justify the cost (something I wrote about two years ago on this thread). The only way to have a verifiable transaction online is to enforce second-channel confirmation and rollback: a transaction requested from an insecure terminal is held suspended until a confirmation can be acquired through a second channel, and is rolled back if that confirmation never arrives.
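To make the hold-confirm-rollback idea concrete, here is an added example (my own, not code from the post or from any bank) of a toy ledger that reserves funds when a transaction is initiated, repeats the server-side view of the transaction over a simulated second channel together with a one-time code, and commits only when that code comes back. A rejection, expiry or repeated wrong codes roll the hold back. The `SecondChannel` stub, the account names and the phone numbers are all constructed for the example; a real deployment would send the message through an SMS or voice gateway and read the phone number from the customer record, as Brandioch suggests.

```python
"""Two-channel transaction confirmation: a minimal model (example code).

A transaction requested from a possibly infected client is held PENDING and
its funds are reserved. The server sends the details it actually received,
plus a one-time code, over a second channel. Only a confirmation carrying
that code commits the transaction; a rejection, expiry, or too many wrong
codes rolls the hold back. The channel stub and all sample data are
constructed for this example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

PENDING, COMMITTED, ROLLED_BACK = "pending", "committed", "rolled_back"
CODE_TTL_SECONDS = 300      # confirmation window before automatic rollback
MAX_ATTEMPTS = 3            # wrong codes tolerated before rollback


@dataclass
class Transaction:
    tx_id: str
    account: str
    amount: int             # integer cents, avoids float rounding
    payee: str
    code: str               # one-time code delivered out of band
    created: float
    state: str = PENDING
    attempts: int = 0


class SecondChannel:
    """Stand-in for a phone/SMS gateway; records what the customer would receive."""
    def __init__(self):
        self.delivered = []                 # list of (phone_on_record, message)

    def send(self, phone_on_record, message):
        self.delivered.append((phone_on_record, message))


class Ledger:
    def __init__(self, balances, phones, channel, now=time.time):
        self.balances = dict(balances)      # account -> cents
        self.reserved = {a: 0 for a in balances}
        self.phones = phones                # account -> phone number on record
        self.channel = channel
        self.now = now                      # injectable clock for expiry tests
        self.txs = {}

    def initiate(self, account, amount, payee):
        """Hold the transaction; nothing moves until second-channel confirmation."""
        if amount <= 0 or amount > self.balances[account] - self.reserved[account]:
            raise ValueError("insufficient available funds")
        tx_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        tx = Transaction(tx_id, account, amount, payee, code, self.now())
        self.txs[tx_id] = tx
        self.reserved[account] += amount
        # The message repeats what the *server* saw, so a customer whose client
        # silently altered amount or payee notices the mismatch out of band.
        msg = (f"Confirm payment of ${amount / 100:.2f} to {payee}? "
               f"Code {code}. Reply with the code to approve; ignore to cancel.")
        self.channel.send(self.phones[account], msg)
        return tx_id

    def confirm(self, tx_id, code):
        tx = self.txs[tx_id]
        if tx.state != PENDING:
            return tx.state
        if self.now() - tx.created > CODE_TTL_SECONDS:
            return self._rollback(tx)
        tx.attempts += 1
        if not hmac.compare_digest(tx.code, code):   # constant-time compare
            return self._rollback(tx) if tx.attempts >= MAX_ATTEMPTS else PENDING
        self.reserved[tx.account] -= tx.amount
        self.balances[tx.account] -= tx.amount
        self.balances[tx.payee] = self.balances.get(tx.payee, 0) + tx.amount
        tx.state = COMMITTED
        return COMMITTED

    def reject(self, tx_id):
        """Customer declined over the second channel."""
        return self._rollback(self.txs[tx_id])

    def sweep_expired(self):
        """Roll back anything never confirmed, e.g. a request a bot made silently."""
        for tx in self.txs.values():
            if tx.state == PENDING and self.now() - tx.created > CODE_TTL_SECONDS:
                self._rollback(tx)

    def _rollback(self, tx):
        if tx.state == PENDING:
            self.reserved[tx.account] -= tx.amount
            tx.state = ROLLED_BACK
        return tx.state


def demo():
    """Client tampers a payment into $1000 to an unknown payee; the customer sees it and declines."""
    chan = SecondChannel()
    ledger = Ledger({"alice": 200_000}, {"alice": "+1-555-0100"}, chan)
    tx_id = ledger.initiate("alice", 100_000, "unknown-payee")   # what the server received
    _phone, message = chan.delivered[-1]
    assert "$1000.00" in message and "unknown-payee" in message
    ledger.reject(tx_id)                                           # declined on the phone
    return ledger.txs[tx_id].state, ledger.balances["alice"], ledger.reserved["alice"]
```

The design point is that the second channel carries the transaction details, not just a code: a code alone would be confirmed blindly by a user who believes they requested a $10 payment, whereas a spoken or texted "$1000.00 to unknown-payee" exposes what the infected client actually sent. The reservation plus `sweep_expired` is the rollback half of the scheme; funds a bot tries to move without the customer's knowledge are simply released when nobody confirms.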

One of the other interesting parts of the CIO article is this bit from Bill Nelson:

If anything, say Nelson and others, blaming banks is precisely backwards. If you want to point fingers look at their customers, who’ve created the demand for the product in the first place. “It’s kind of ridiculous to think you wouldn’t, as a bank, use the Internet as a transport,” notes Hoff. “If you’re not offering some form of online banking, you’re going to wither away and go out of business.”

I agree and disagree simultaneously. He’s absolutely right; if a bank doesn’t offer online banking, they’re going to wither away… and the bank certainly can’t be expected to secure all their customers’ computers. On the other hand, the customers can’t be expected to secure their own computers. I don’t bank online (I personally think it is an insane risk with very little practical reward), but it is certainly possible for me to be nailed; my bank still offers online banking, even though I don’t want it and wouldn’t use it. I don’t even know if it is possible for me to find a bank that doesn’t OFFER online banking, or that would allow me to opt out. The flip side, here, is that any attempt to make electronic banking more secure is also going to make it less user-friendly and require the user to do more things. Users who want to bank online are going to rebel and take their business elsewhere (something I also talked about two years ago here). So banks have no incentive to change (in fact, they’re penalized by the market if they try to make things more secure).

Here’s an actual place for some good regulation. If banks were forbidden to offer online banking unless it had a second-channel authorization mechanism (or if they offered a wireless, portable secured terminal, an e-checkbook if you will), then all banks would have to change. Now Bank of America must inconvenience its users in order to comply with the regulation, and its users can’t just pack up and move to Wells Fargo, because Wells Fargo has to do it as well.

— edited to add (18-Oct-2007) —

Sad but True.

Posted October 17, 2007 by padraic2112 in security, tech

4 responses to “Future of Malware”


  1. You’re right that two-factor authentication cannot ultimately stop active man-in-the-middle attacks, as that is an issue of authenticating the server, not the client. However, it clearly solves some problems quite well – for example, it makes the possibility of a mass password-harvesting bot much less likely, since the bot would have to somehow harvest physical tokens as well.

    Of course, software-based two-factor systems are a different ball of wax; it’s trivial for a bot to harvest a SiteKey cookie or the like.

    Also, you mention that two-factor authentication is expensive; it doesn’t have to be, though. My company just rolled out a phone-based two-factor system called PhoneFactor that is free for single server and Web SDK use, and uses users’ cell phones, so there is no cost in terms of hardware or distribution/management/etc.

    At the end of the day, the banks that are the targets of MITM-based fraud will have to step up to the plate, as you point out. I’m a little more optimistic that that can happen, though; there *is* a financial incentive for them to do so, namely, fraud losses. I believe that there will also be a competitive advantage for whichever bank successfully rolls out two-factor to its userbase in a way that works; I know I as a consumer would pay a little extra for it.

  2. > it makes the possibility of a mass password-harvesting bot much less likely

    Oh, certainly… with a simple two-factor authentication method, you eliminate a lot of attack vectors; even MITM attacks are lessened, because the credentials need to be leveraged in real time, they can’t be stored. As the three part CIO article reveals, there’s still a burgeoning market for account harvesters amongst the bad guys.

    The problem is that the technology for a dynamic MITM attack is already around (and has been used); one of the reasons why criminals aren’t using it right now is because they don’t have to use it to make money. Unfortunately they already have the tools to bypass two-factor authentication methods, so pursuing it as a solution to online banking isn’t going to do you much good. It’s a temporary band-aid – it’s like getting a home security system. When you’re the only person on the block who has one, it probably provides a great deterrent effect, even if a burglar knows how to circumvent it. Why take the risk, when (s)he can go next door and just pop a lock? On the other hand, when most of the houses on the block have one, now that burglar is going to go back to breaking into whichever house looks like it has the most expensive stuff in it, alarm system or no.

    I neglected to mention the fact that two-factor authentication methods are in fact great security solutions for lots of different types of deployments – with certain types of environments they work great. I just don’t think they’re the right solution for online finance.

    Side note: Is Phone Factor two-factor authentication, or two-channel authentication?
    — edited to add — The way you design it now it’s really just two-factor authentication, but it seems like it would be relatively easy to also make a true two-channel version of PhoneFactor for use as a transaction confirmation method.

    Oh, and it may still be expensive, albeit perhaps not in the direct deployment cost. You will have users who have trouble, you’ll have complaints that they couldn’t complete a transaction because they didn’t have signal, etc. Calls and walk-ins put a burden on your customer service resources, and some customers will get frustrated and go over to your competitor. Those are all indirect costs.

  3. I bank online, and I check the account every day. When my PIN number was obtained and funds withdrawn using a phony ATM card, I spotted it immediately.

    If you do your banking online, irregularities can be spotted and dealt with much faster than if you don’t.

    In my case it was obvious something had happened because of the size of the withdrawals, but imagine if the perps had settled for $20 or $40 at a time, spread out over the course of the month? If I didn’t have online banking, I might have had no clue until I got the statement in the mail.

  4. > If you do your banking online, irregularities can be
    > spotted and dealt with much faster than if you don’t.

    Theoretically, sure. Are you going to balance your checkbook every day?

    > Imagine if the perps had settled for $20 or $40 at a time?

    You’d probably assume you did an ATM withdrawal you forgot about, no?
