funsec mailing list archives
Re: As deadline nears, banks toughen Net protections
From: "Dennis Henderson" <hendomatic () gmail com>
Date: Fri, 29 Dec 2006 09:01:22 -0600
Sorry for the rambling rant, but I bubbled over with negative emotion and don't have much time to write..
> A federal regulation mandating tougher online financial security measures will take effect Monday.
To be correct, it's actually guidance, not regulation, published by the FFIEC. It does have the backing of all the money agencies, OCC, thrift etc... so the acrid smell of Glade "Regulation Fragrance" sets the expectation... Another set of restrictions published by non-elected parties in government.. You just gotta love it. Here is a FAQ for those interested. http://www.ffiec.gov/pdf/authentication_faq.pdf It pretty much says you have to do it or else. The or else, we're finding, depends entirely on who your OCC regulator is. In my bank's case, our examiner is pretty much gung-ho and we're at the ready (almost at gunpoint)...

> Banks, credit unions, and other financial institutions must begin using enhanced technologies to protect customer data against identity theft. Many of the nation's biggest banks, including Bank of America <http://boston.stockgroup.com/sn_overview.asp?symbol=BAC>, have already introduced "multi factor" authentication systems that go well beyond the traditional user name and password approach to prevent Internet fraud.

I would recommend that anyone that models their authentication architecture after BOA make sure what you put up actually works, not just looks like BOA.... To me the risk of this new guidance is pretty high, as the banks are not really being given enough time to deploy this new technology and completely shake it down. The OCC would claim that they're not being too prescriptive on what they want banks to do, but since what they really want us to do is a very cottage industry, most banks will be deploying nearly identical technology. This will almost certainly shift the fraud strategy. Also it would seem that this guidance comes on the heels of surveys of persons and their feelings about the security of online banking. I asked the OCC for statistics of monetary fraud that would make this guidance seem reasonable. To my knowledge there is none, only survey data on people's confidence levels..
So now forced into the "Security Theatre" arena to make the people feel more secure.. Since the banks have been forced to converge to a very similar level, I predict that it will actually become easier, not harder, for fraud, given the new uniformity of the target. This seems to me to be the long road to the two factor token, not much else. It's a hard pill to swallow for those banks who have never had a single reported case of internet fraud...

> Cambridge Savings customers will receive a user name and password when they sign up for the service. In addition, the first time a customer uses his home or work computer to do some banking, the machine is given a unique digital "fingerprint" associated with the customer's password. Whenever he banks with that computer, the bank software checks his user name, password, and computer fingerprint before processing the transaction. If someone tries to log in from a machine that isn't fingerprinted, the bank will send a confirmation message to the customer's e-mail address.

As long as users have the expectation that they will get email from their vendors when things happen, phishing will continue to flourish..

> A crook who's stolen somebody's user name and password probably won't

Probably won't?...

> have access to the victim's e-mail account, so he can't reply to the message, and won't be allowed to log in. Bank of America began using similar security technology last year. In addition, the bank uses a system called SiteKey, marketed by EMC Corp. <http://boston.stockgroup.com/sn_overview.asp?symbol=EMC> of Hopkinton.

Passmark (swallow) RSA (swallow) EMC...

> SiteKey shields users from "phishers" who steal passwords by running phony websites that resemble those of legitimate banks. SiteKey prevents this by letting the user select an image -- say, that of a typewriter -- which appears on his screen whenever he logs into the real Bank of America site. Phony websites are easy to spot because they don't display the user's chosen image.
<preaching to the choir> Once again, these bureaucracies don't seem to understand why accounts get compromised.. People are easily duped. As long as you rely on the human to do the right thing where authentication is concerned, there will be phishing, malware etc... I'd love to vent about the clusterfsck that this whole thing is, but this being a public list would just get me in trouble.. :)
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
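Added example (not part of the post above, the article it quotes, or any bank's or vendor's real system): a small server-side model of the flow the quoted article describes, i.e. password check, then a device "fingerprint" bound to the account, then an out-of-band confirmation code when the machine is unknown. All names, the HMAC-based device token, the key, the TTL and the sample accounts are constructed assumptions. It shows the property the scheme is meant to provide, that a correct password alone from an unrecognised machine does not complete the login, and the two details a reviewer would check for: the code is single-use and time-limited.

```python
"""Toy server-side model of password + device fingerprint + out-of-band code.
Constructed example; not any bank's or vendor's implementation."""
import hashlib
import hmac
import os
import secrets


class DeviceBoundAuth:
    def __init__(self, server_key: bytes, code_ttl: int = 600):
        self.server_key = server_key   # hypothetical per-deployment secret
        self.code_ttl = code_ttl       # seconds a confirmation code stays valid
        self.users = {}                # username -> salt, pw_hash, enrolled device tokens
        self.pending = {}              # username -> (device token, code, expiry)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = {"salt": salt, "pw_hash": pw_hash, "devices": set()}

    def _password_ok(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        return hmac.compare_digest(candidate, user["pw_hash"])

    def _device_token(self, username: str, device_id: str) -> str:
        # The stored "fingerprint" is an HMAC over account and device attributes,
        # so the enrolment table never holds raw device identifiers.
        msg = f"{username}|{device_id}".encode()
        return hmac.new(self.server_key, msg, "sha256").hexdigest()

    def login(self, username: str, password: str, device_id: str, now: float) -> str:
        """Returns 'denied', 'ok' or 'confirm_required'. In the last case the code
        the bank would send out of band is kept in self.pending."""
        if not self._password_ok(username, password):
            return "denied"
        token = self._device_token(username, device_id)
        if token in self.users[username]["devices"]:
            return "ok"
        # Unknown machine: a correct password alone does not complete the login.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (token, code, now + self.code_ttl)
        return "confirm_required"

    def confirm(self, username: str, code: str, now: float) -> str:
        """Single-use and time-limited: the pending entry is consumed whether or
        not the code matches, so a wrong guess cannot be retried against it."""
        entry = self.pending.pop(username, None)
        if entry is None:
            return "denied"
        token, expected, expires_at = entry
        if now > expires_at or not hmac.compare_digest(code, expected):
            return "denied"
        self.users[username]["devices"].add(token)   # enrol the fingerprint
        return "ok"


def demo() -> list:
    """Walk the flow on constructed data and return the sequence of outcomes."""
    auth = DeviceBoundAuth(server_key=b"constructed-demo-key", code_ttl=600)
    auth.register("alice", "correct horse battery staple")
    t = 1_000_000.0
    out = []
    # First login from the home machine: password right, device unknown.
    out.append(auth.login("alice", "correct horse battery staple", "home-pc", t))
    sent_code = auth.pending["alice"][1]          # what the bank would e-mail
    out.append(auth.confirm("alice", sent_code, t + 30))
    # Same machine again: fingerprint recognised, no extra step.
    out.append(auth.login("alice", "correct horse battery staple", "home-pc", t + 60))
    # Correct password presented from an unrecognised machine.
    out.append(auth.login("alice", "correct horse battery staple", "other-pc", t + 120))
    wrong_code = "000000" if auth.pending["alice"][1] != "000000" else "999999"
    out.append(auth.confirm("alice", wrong_code, t + 130))
    # A correct code that arrives after the TTL is rejected.
    auth.login("alice", "correct horse battery staple", "third-pc", t + 200)
    late_code = auth.pending["alice"][1]
    out.append(auth.confirm("alice", late_code, t + 200 + 601))
    # A wrong password never reaches the device check.
    out.append(auth.login("alice", "wrong", "home-pc", t + 900))
    return out


if __name__ == "__main__":
    print(demo())
```

The model only demonstrates the server's side of the check. Everything it buys rests on the confirmation channel being out of reach of whoever holds the password, which is exactly the assumption the post questions about e-mail; the code itself cannot fix that, it can only keep the code short-lived and single-use so a stale or guessed one is worthless.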
Current thread:
- As deadline nears, banks toughen Net protections Richard M. Smith (Dec 29)
- Re: As deadline nears, banks toughen Net protections Dennis Henderson (Dec 29)