Keyloggers: Why Banks Need Two-Factor Authentication

Recently I briefed banking executives in Bangkok on how easy it is to steal user IDs and passwords from their on-line banking customers and why they must have two-factor authentication. To illustrate my key points, I showed the captive audience various pictures of hardware keyloggers, for example the small black keylogger circled in the figure below.

A Keylogger

There are PS/2 keyloggers (illustrated above) and USB keyloggers. There are even keyloggers built into normal-looking keyboards, so you have no idea one is there. Don’t believe me? Search the net and you will find plenty!

Today I was reminded of my recent meeting by this Network World article, Two-factor authentication: Hot technology for 2008. The article mentions numerous token-based two-factor authentication (2FA) solutions. However, it misses a popular and inexpensive form of two-factor authentication used here in Thailand and across APAC: SMS-based 2FA.

In a nutshell, SMS-based 2FA involves having your on-line banking system send an SMS message containing a one-time password (OTP) to your cell phone. You must then enter that OTP to complete your transaction.
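A minimal server-side model of that flow, written as an added example for this post rather than code from any bank or from this blog: the OTP is generated fresh per transaction, delivered through an injected stand-in for the SMS gateway (an assumption here, as is the injectable clock), expires after a few minutes, is accepted only once and only for a limited number of guesses, and the SMS text names the amount and beneficiary so the customer can see what they are approving.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 180   # OTP must be entered within three minutes
MAX_ATTEMPTS = 3        # wrong guesses allowed before the transaction is voided


@dataclass
class PendingTransaction:
    """Server-side record of one transfer awaiting SMS confirmation."""
    txn_id: str
    account: str
    amount: str
    beneficiary: str
    otp: str
    issued_at: float
    attempts: int = 0


class SmsOtpService:
    """Issues one OTP per transaction and accepts it at most once.

    `send_sms(phone, text)` is an injected stand-in for a real SMS gateway and
    `clock` for time.time(); both are assumptions of this example so that it
    runs offline and can be exercised with a fixed clock.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}   # txn_id -> PendingTransaction

    def request_transfer(self, account, phone, amount, beneficiary):
        # CSPRNG digits; never derive the OTP from the password or account data.
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        txn_id = secrets.token_hex(8)
        self._pending[txn_id] = PendingTransaction(
            txn_id, account, amount, beneficiary, otp, self._clock())
        # The message names what is being approved, so a customer whose
        # password was keylogged sees a transfer they did not request.
        self._send_sms(phone, (f"You have requested to transfer {amount} to "
                               f"{beneficiary}. Enter OTP {otp} within "
                               f"{OTP_TTL_SECONDS // 60} minutes to confirm."))
        return txn_id

    def confirm(self, txn_id, supplied_otp):
        """Return True exactly once, for the right OTP, inside the time window."""
        txn = self._pending.get(txn_id)
        if txn is None:                      # unknown, expired, voided or already used
            return False
        if self._clock() - txn.issued_at > OTP_TTL_SECONDS:
            del self._pending[txn_id]
            return False
        txn.attempts += 1
        if txn.attempts > MAX_ATTEMPTS:      # too many guesses: void the transaction
            del self._pending[txn_id]
            return False
        if not hmac.compare_digest(txn.otp.encode(), str(supplied_otp).encode()):
            return False
        del self._pending[txn_id]            # single use: a replayed OTP is rejected
        return True


def otp_from_sms(text):
    """Pull the OTP out of the message text (what the customer would type)."""
    return re.search(r"OTP (\d+)", text).group(1)


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the phone's inbox
    svc = SmsOtpService(lambda phone, text: outbox.append(text))
    tid = svc.request_transfer("acct-1001", "+66-00-000-0000", "10.00 USD", "acct-2002")
    print(outbox[-1])
    print("confirm:", svc.confirm(tid, otp_from_sms(outbox[-1])))
    print("replay :", svc.confirm(tid, otp_from_sms(outbox[-1])))
```

The point a keylogger cannot defeat here is that the secret travels over a second channel and is tied to one transaction: capturing the keystrokes of a used OTP yields nothing replayable, and the SMS itself tells the account holder that someone is spending with their credentials.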

Is this a perfect solution?

No.

But it is much better than passwords alone!

A ten-year-old child can easily steal your user ID and password. Really.

So, the next time you are at an Internet cafe, trusting your SSL link to your bank, don’t forget to take a peek at the computer and look for a small keylogger.

Well, on the other hand, also don’t forget to bring your own keyboard (or laptop) :-)


9 Responses to “Keyloggers: Why Banks Need Two-Factor Authentication”

  1. Yes! Finally someone who sees it my way. I too believe all banks need to utilize some type of Two Factor Authentication. Passwords work but are so easily obtained by individuals who would do you harm, it’s much safer to use TFA. I know several banks like Wells Fargo, and even Bank of America use such technologies both on and offline. By no means is this, the be all and end all of security measures but it’s the best we have and it should be used everywhere.

  2. Two Factor Authentication takes a lot of hits from people especially in the last year or so but I agree with you. I consider it the “hot” technology of 2008. It is relatively easy to implement and it’s reasonably affordable too. I think that many people shy away from it because it’s been hacked before.

  3. Not considering two factor authentication with OTP because it could be compromised by a sophisticated MITM (Man-in-the-Middle) attack is like shying away from door locks because people have kicked in doors before. There are no perfect security controls; controls reduce risk, they do not eliminate it.

  4. Banks and end users need not only two factor authentication — but true mutual authentication. Two factor authentication, at its best, can only work to let the bank authenticate the end user. Period.

    But it does NOTHING to enable the end user to authenticate the bank identity. SSL certificates (even EV SSL certificates) are all subject to MITM (Man in the middle) attacks.

    There is one way to enable end users to confirm a bank’s identity using a new type of digital certificate (Content Verification Certificates). These certificates bind web content to an IP, e.g. a bank login box, and provide users with a confirming, non-browser-based verification of the content (if it is authentic). Because the indicator is NON browser based, it is not subject to manipulation by internet hackers as in MITM attacks.

    In this model the bank can confirm the user’s ID and the reverse is true because only authenticated content belonging to legitimate banks will give the users the confirming indicator.

    This true mutual authentication schema is delivered by Comodo – one of the world’s largest certificate authorities.

    We believe it is time to evolve beyond two factor authentication to true mutual authentication.

    Judy Shapiro

  5. Hi Judy,

    What you are saying is not entirely correct from a risk management perspective.

    The way 2FA with OTP (plus SMS based account change confirmation and status messages) is implemented does, to some degree, help confirm the identity of the bank because the mobile phone number is a shared secret between the bank and the client.

    Yes, it can be argued that the mobile number can be known, stolen, phones cloned, etc., but there is no such thing as perfect security. There is risk management and risk mitigation, and the purpose of controls is to significantly reduce the risk, i.e. SMS-based 2FA with OTP, especially when the bank sends an SMS whenever there is any change to account activity.

    We often read and hear “endless debates” about “perfect security” over and over, and what happens is that organizations get so distracted with “perfection” that they leave gaping holes in what can be mitigated as a “less than perfect” solution.

    As the old saying goes,

    The Enemy of Good is Great …..

    This is especially true in IT security and risk management.

    Yours sincerely, Tim

  6. Indeed, I see your point, and nothing in security is 100%. We share a common understanding that security needs to be layered.

    My main concern (and tirade) is the regulators’ seeming lack of concern to demand that users be able to authenticate the bank with the same discipline that banks can now use to verify end users.

    It is not lost on any of us that since banks have a larger lobby voice, the first set of regulations, e.g. two factor authentication, protects the banks quite nicely but does nothing to really protect the end user from phishing sites. I even had a conversation with a regulator who believed that an SSL certificate protects against MITM!!!!

    So with the basic premise that nothing in security is foolproof - I only advocate equal identity protection within the construct of a mutual authentication schema.

    Judy Shapiro

  7. Hi Judy,

    I like your passion about the issues and appreciate your concerns.

    In your passion, you accidentally write a few statements that are not totally accurate. For example, you say:

    “Two factor authentication, protects the banks quite nicely but do nothing to really protect the end user from phishing sites.”

    However, if someone steals my on-line banking user ID and password (phishing or not) and then logs into my account and attempts a transaction in my account, am I not “protected” (in an efficient, economic manner) by the SMS I receive on my mobile phone that says “You have requested to transfer $10 out of your account, please enter this OTP to complete this transaction”?

    Isn’t this a degree of moderate protection for the user?

    Furthermore, even with access to my on-line account, a criminal cannot change my mobile phone number, because this change cannot be done on-line, per implementation specification.

    I do agree with you that SSL does not protect against _all_ MITM attacks. On the other hand, I am sure you can see the point, that some could argue that SSL does protect against _some_ types of MITM attacks, but certainly not all.

    My experience is that many security professionals confuse efficient (economical, easy to implement and maintain) risk reduction (and controls) with trying to prevent all threats and all vulnerabilities, mistakenly treating all threats and vulnerabilities equally.

    In cyberspace, risk must be reduced; and while many controls are not perfect, they are far greater than nothing (like locks on doors, for example); and we always must weigh the costs of the controls against the actual risk.

    Just as locks on doors cannot prevent a serious professional from coming into our home, on-line banking controls cannot prevent all threats from a clever, motivated attacker with the means to exploit a vulnerability. And, just as we live peacefully (for the most part) in the world of the lowly door lock, knowing that a determined professional attacker can circumvent this control, we continue to lock our doors at night before we go to sleep.

    Thank you for visiting my blog, Judy. You are welcome anytime.

    Yours sincerely, Tim

  8. Well, Estonian banks have for a long time (say 8 years at least) had good security.
    First you have a username,
    then you have a password,
    and then you have a pin number card. Every time you log in the bank asks for a different pin (like: enter pin nr 23 from your security card, etc.). You can change the pin card anytime you want. We also have pin calculators in one bank, but because they are based on some algorithm I’m a little bit skeptical about that…

    Some banks force you to change the pin card after all pins are used (so it would not matter if you have a keylogger on your computer or an unsecure connection - they can’t log in a second time using the same info). If someone steals your pin card they still need to know your generic username and password (they also force you to change the password after so many months/days).

    We also have ID card log-in http://en.wikipedia.org/wiki/Estonian_ID_card. You need an ID card reader (it’s part of most Estonian computers) and ID card pins (pin1 for first level, pin2 for second level and puk for security changes). - A keylogger is only useful if you steal the physical card and the owner does not report it.

    Our bank system was compromised by a special keylogger that collected bank pin card numbers and sent the full package back to the keylogger owner, but these only work for banks that do not have full “one-time security pins”. (One bank had 10 incidents in one YEAR where people reported their money was stolen – most of them were just someone stupid, and they were compromised by people who had physical access to their pin cards.)

    I still can’t understand these people though who type credit card information into websites… there are so many markets online where you can buy “packages” like “10 USA credit card numbers”; for the full package you get phone nr, pins, email account access etc… wonderful, isn’t it? :)
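The indexed pin-card scheme described in the comment above, as an added example (not code from any Estonian bank or from this blog): the bank keeps a copy of the printed card, challenges a random unused position, burns a pin once it has been accepted, and reports the card as spent so a fresh one can be issued. A pin captured by a keylogger is therefore of no use for a second login. Card size, pin length and the `renew_if_exhausted` helper are constructed for the example.

```python
import hmac
import secrets

PINS_PER_CARD = 50   # constructed value; the real card size is the bank's choice
PIN_DIGITS = 4


class PinCard:
    """One pre-printed card of numbered PINs.

    The customer holds the paper; the bank keeps this copy plus a used flag per
    position. The card is the second factor (something you have).
    """

    def __init__(self, pins):
        self.pins = list(pins)
        self.used = [False] * len(self.pins)

    @classmethod
    def issue(cls, n=PINS_PER_CARD):
        # Each position gets an independent CSPRNG value, so one leaked PIN
        # reveals nothing about the others.
        return cls("".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
                   for _ in range(n))

    def remaining(self):
        return self.used.count(False)

    def exhausted(self):
        return self.remaining() == 0


class PinCardLogin:
    """Challenge/response step that follows the username and password check."""

    def __init__(self, card):
        self.card = card
        self._challenge = None   # index of the PIN currently being asked for

    def challenge(self):
        """Ask for a random unused position (1-based); None when the card is spent."""
        unused = [i for i, done in enumerate(self.card.used) if not done]
        if not unused:
            return None
        self._challenge = secrets.choice(unused)
        return self._challenge + 1

    def answer(self, pin):
        idx = self._challenge
        if idx is None:
            return False
        self._challenge = None   # every attempt needs a fresh challenge
        ok = hmac.compare_digest(self.card.pins[idx].encode(), str(pin).encode())
        if ok:
            self.card.used[idx] = True   # burn it: a keylogged copy cannot be replayed
        return ok


def renew_if_exhausted(card):
    """Return the same card while it has PINs left, otherwise a freshly issued one."""
    return card if not card.exhausted() else PinCard.issue(len(card.pins))


if __name__ == "__main__":
    card = PinCard.issue(5)
    login = PinCardLogin(card)
    n = login.challenge()
    print(f"bank asks for pin nr {n}; answering with the printed value:",
          login.answer(card.pins[n - 1]))
    print("that position is now burned:", card.used[n - 1],
          "remaining:", card.remaining())
```

The variant the comment warns about, where a bank keeps re-asking from the same card without burning positions, is this code with the `self.card.used[idx] = True` line removed: a keylogger on the machine then accumulates (position, pin) pairs over several logins until it holds enough of the card to answer a future challenge.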

  9. [...] using a SMS PayCode and ATM transfer, avoiding the possibility of on-line credit card fraud; and in Keyloggers: Why Banks Need Two-Factor Authentication I described how KBank uses SMS-based one-time-passwords (OTP) to authenticate [...]


Copyright © 2007-2008, The CEP Blog, All Rights Reserved.