From Bruce’s blog, links to a three-part series at CIO.com.
Interesting quote from the article(s):
Notice Rouland did not say you have to secure the client. He never says the banks must figure out a way to protect that machine. That’s careful and deliberate, because Rouland doesn’t believe that’s what banks have to do. When it comes to securing PCs, Rouland’s advice is radical: Give up.
“In the next generation,” he says, “we will all do business with infected end points.”
He was asked to repeat what he said, just to be sure. So he did: “Our strategy is we have to figure out how you do business with an infected computer. How do you secure a transaction with an infected machine? Whoever figures out how to do that first will win.”
That’s thinking outside the box, all right. I think he’s got the right idea in one sense – the time has come to assume that client PCs are hacked – but I don’t know that there is a reasonable way to secure a transaction with an infected machine, if your only two endpoints are a server and the infected machine. In the comments on Bruce’s blog is this from Brandioch Conner: “Exactly. I have no problem with a person INITIATING a transaction online. But the CONFIRMATION for that transaction MUST be done on a completely different avenue. I’d suggest using the phone number that the customer has on record.”
I agree with Brandioch, and think this is the ultimate destination for online transactions: two-channel authentication, an idea I’ve been in love with for a while, but which is apparently so low on everybody’s radar that it doesn’t have a Wikipedia page yet (Bruce did beat me to coining the term, however). Two-factor authentication is expensive and is still vulnerable to a man-in-the-middle attack, which is made infinitely more difficult to defend against when the client computer itself can be the man in the middle. Two-factor authentication raises the barrier a bit (it would defend against some of the scenarios described in the CIO article), but ultimately I personally believe the benefits don’t justify the cost (something I wrote about two years ago on this thread). The only way to have a verifiable transaction online is to enforce second-channel confirmation and rollback… that is, a transaction requested by an insecure terminal is held suspended until a confirmation can be acquired through a second channel.
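One way the hold-and-confirm flow just described could look on the bank side, as an example added here (not code from the CIO article, Bruce’s blog or any bank): the class name, the `sms_outbox` list standing in for the phone channel, the code length and limits, and the sample customer data are all invented for the illustration.

```python
import hmac
import secrets
import time

PENDING, CONFIRMED, ROLLED_BACK = "PENDING", "CONFIRMED", "ROLLED_BACK"


class TwoChannelBank:
    """A web-initiated transfer is held PENDING until the customer confirms it on a
    channel the browser cannot touch (the phone number on record). Names are invented."""

    def __init__(self, phone_on_record, ttl_seconds=300, max_attempts=3):
        self.phone_on_record = phone_on_record   # fixed at account opening, not editable from the web
        self.ttl, self.max_attempts = ttl_seconds, max_attempts
        self.pending = {}                        # tid -> transfer record
        self.sms_outbox = []                     # constructed stand-in for the SMS/voice channel

    def initiate(self, customer, payee, amount_cents):
        """Web channel: the request may come from an infected client, so no money moves yet."""
        tid = secrets.token_hex(8)
        self.pending[tid] = {"payee": payee, "amount_cents": amount_cents, "status": PENDING,
                             "code": f"{secrets.randbelow(10**6):06d}",   # travels only on the 2nd channel
                             "expires_at": time.time() + self.ttl, "attempts": 0}
        # The message restates the SERVER's view of payee and amount, so a man-in-the-browser
        # that silently altered the request is exposed to the customer on the phone.
        self.sms_outbox.append((self.phone_on_record[customer],
            f"Confirm transfer {tid}: {amount_cents / 100:.2f} to {payee}. "
            f"Code {self.pending[tid]['code']}. Reply NO to cancel."))
        return tid

    def confirm(self, tid, code):
        """Second channel: returns True only when the held transfer is released."""
        t = self.pending.get(tid)
        if t is None or t["status"] != PENDING:
            return False
        t["attempts"] += 1
        if time.time() > t["expires_at"] or t["attempts"] > self.max_attempts:
            t["status"] = ROLLED_BACK            # expired or being guessed at: roll back, never release
            return False
        if not hmac.compare_digest(t["code"], code):
            return False                         # wrong code: still pending until TTL/attempts run out
        t["status"] = CONFIRMED
        return True

    def cancel(self, tid):
        """Customer replied NO (or never replied): the suspended transfer is rolled back."""
        t = self.pending.get(tid)
        if t is not None and t["status"] == PENDING:
            t["status"] = ROLLED_BACK
```

This does not make the web session trustworthy; it only makes a silently altered or attacker-initiated transfer visible to the customer, on a device the browser cannot reach, before any money moves.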
One of the other interesting parts of the CIO article is this bit from Bill Nelson:
If anything, say Nelson and others, blaming banks is precisely backwards. If you want to point fingers look at their customers, who’ve created the demand for the product in the first place. “It’s kind of ridiculous to think you wouldn’t, as a bank, use the Internet as a transport,” notes Hoff. “If you’re not offering some form of online banking, you’re going to wither away and go out of business.”
I agree and disagree simultaneously. He’s absolutely right; if a bank doesn’t offer online banking, they’re going to wither away… and the bank certainly can’t be expected to secure all their customers’ computers. On the other hand, the customers can’t be expected to secure their own computers. I don’t online bank (I personally think it is an insane risk with very little practical reward), but it is certainly possible for me to be nailed; my bank still offers online banking, even though I don’t want it and wouldn’t use it. I don’t even know if it is possible for me to find a bank that doesn’t OFFER online banking, or that would allow me to opt out. The flip side, here, is that any attempt to make electronic banking more secure is also going to make it less user-friendly and require the user to do more things. Users who want to online bank are going to rebel and take their business elsewhere (something I also talked about two years ago here). So banks have no incentive to change (in fact, they’re penalized by the market if they try to make things more secure).
Here’s an actual place for some good regulation. If banks were forbidden to offer online banking unless it had a second-channel authorization mechanism (or if they offered a wireless, portable secured terminal, an e-checkbook if you will), then all banks would have to change. Now Bank of America must inconvenience its users in order to comply with the regulation, and its users can’t just pack up and move to Wells Fargo, because Wells Fargo has to do it as well.
— edited to add (18-Oct-2007) —