funsec mailing list archives

Re: As deadline nears, banks toughen Net protections


From: "Dennis Henderson" <hendomatic () gmail com>
Date: Fri, 29 Dec 2006 09:01:22 -0600

Sorry for the rambling rant, but I bubbled over with negative emotion and
don't have much time to write...

 A federal regulation mandating tougher online financial security measures
will take effect Monday.

To be correct, it's actually guidance, not regulation, published by the
FFIEC. It does have the backing of all the money agencies (OCC, thrift,
etc.), so the acrid smell of Glade "Regulation Fragrance" sets the
expectation...

Another set of restrictions published by non-elected parties in government...
You just gotta love it.

Here is a FAQ for those interested.

http://www.ffiec.gov/pdf/authentication_faq.pdf

It pretty much says you have to do it or else. The "or else", we're finding,
depends entirely on who your OCC regulator is. In my bank's case, our
examiner is pretty much gung-ho and we're at the ready (almost at
gunpoint)...


Banks, credit unions, and other financial institutions must begin using
enhanced technologies to protect customer data against identity theft. Many
of the nation's biggest banks, including Bank of America, have already
introduced "multi factor" authentication systems that go well beyond the
traditional user name and password approach to prevent Internet fraud.


I would recommend that anyone who models their authentication architecture
after BOA make sure what you put up actually works, not just looks like
BOA...


To me the risk of this new guidance is pretty high as the banks are not
really being given enough time to deploy this new technology and completely
shake it down.

The OCC would claim that they're not being too prescriptive on what they
want banks to do, but since what they really want us to do is a very cottage
industry, most banks will be deploying nearly identical technology. This
will almost certainly shift the fraud strategy.

Also it would seem that this guidance comes on the heels of surveys of
persons and their feelings about the security of online banking. I asked the
OCC for statistics of monetary fraud that would make this guidance seem
reasonable. To my knowledge there are none, only survey data on people's
confidence levels... So now we're forced into the "Security Theatre" arena
to make the people feel more secure...

Since the banks have been forced to converge to a very similar level, I
predict that it will actually become easier, not harder for fraud, given the
new uniformity of the target.

This seems to me to be the long road to the two-factor token, not much
else. It's a hard pill to swallow for those banks who have never had a single
reported case of internet fraud...


Cambridge Savings customers will receive a user name and password when they
sign up for the service. In addition, the first time a customer uses his
home or work computer to do some banking, the machine is given a unique
digital "fingerprint" associated with the customer's password. Whenever he
banks with that computer, the bank software checks his user name, password,
and computer fingerprint before processing the transaction. If someone tries
to log in from a machine that isn't fingerprinted, the bank will send a
confirmation message to the customer's e-mail address.

As long as users have the expectation that they will get email from their
vendors when things happen, phishing will continue to flourish...


 A crook who's stolen somebody's user name and password probably won't


Probably won't?...


 have access to the victim's e-mail account, so he can't reply to the
message, and won't be allowed to log in. Bank of America began using
similar security technology last year. In addition, the bank uses a system
called SiteKey, marketed by EMC Corp. of Hopkinton.


Passmark (swallow)   RSA (swallow)  EMC...

 SiteKey shields users from "phishers" who steal passwords by running phony
websites that resemble those of legitimate banks. SiteKey prevents this by
letting the user select an image -- say, that of a typewriter -- which
appears on his screen whenever he logs into the real Bank of America site.
Phony websites are easy to spot because they don't display the user's chosen
image.

<preaching to the choir>

Once again, these bureaucracies don't seem to understand why accounts get
compromised... People are easily duped. As long as you rely on the human to
do the right thing where authentication is concerned, there will be
phishing, malware, etc...

I'd love to vent about the clusterfsck that this whole thing is, but this
being a public list would just get me in trouble.. :)
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
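The article excerpt above describes the device-fingerprint plus e-mail confirmation flow that Cambridge Savings and (per the article) Bank of America deployed. The following is an added, self-contained model of that flow written for this archive page; it is not code from the article, from Dennis, or from either bank, and every name in it (the `Bank` class, the `SERVER_SECRET` key, the `TOKEN_TTL` window, the constructed fingerprint strings) is an assumption made for illustration. It shows the three outcomes a login can take (known device, unknown device pending e-mail confirmation, bad password), binds the confirmation token to one device and one time window, and lets you watch what happens to a crook who has the password but not the mailbox.

```python
"""Constructed model of password + device-fingerprint + e-mail confirmation login.

Not the code of any bank mentioned on the page; names and values are assumptions.
"""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"constructed-demo-key-change-me"  # assumption: server-side HMAC key
TOKEN_TTL = 15 * 60                                # assumption: 15-minute confirmation window


class Bank:
    def __init__(self):
        self.users = {}    # username -> {"salt": bytes, "pw_hash": bytes, "devices": set()}
        self.pending = {}  # token -> (username, device_tag, expiry)
        self.outbox = []   # simulated e-mail delivery: (username, token)

    @staticmethod
    def _pw_hash(password, salt):
        # PBKDF2 stands in for whatever password KDF the real site uses.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _device_tag(fingerprint):
        # Keyed hash of the browser/OS attribute string, so the raw fingerprint
        # never sits in the datastore and cannot be forged without SERVER_SECRET.
        return hmac.new(SERVER_SECRET, fingerprint.encode(), hashlib.sha256).hexdigest()

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": self._pw_hash(password, salt),
            "devices": set(),
        }

    def login(self, username, password, fingerprint, now=None):
        """Return 'ok', 'confirm_by_email' or 'denied'."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
            user["pw_hash"], self._pw_hash(password, user["salt"])
        ):
            return "denied"
        tag = self._device_tag(fingerprint)
        if tag in user["devices"]:
            return "ok"  # password correct and machine already fingerprinted
        # Unknown machine: mail a single-use token bound to THIS device tag.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (username, tag, now + TOKEN_TTL)
        self.outbox.append((username, token))
        return "confirm_by_email"

    def confirm(self, token, now=None):
        """Redeem a mailed token; enrolls the device it was issued for."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # pop => single use
        if entry is None:
            return False
        username, tag, expiry = entry
        if now > expiry:
            return False
        self.users[username]["devices"].add(tag)
        return True


def demo():
    """Walk the flow for a customer and for a crook holding only the password."""
    bank = Bank()
    bank.register("alice", "correct horse")
    first = bank.login("alice", "correct horse", "fp-alice-home", now=1000)
    token = bank.outbox[-1][1]            # alice reads her own mailbox
    confirmed = bank.confirm(token, now=1060)
    second = bank.login("alice", "correct horse", "fp-alice-home", now=1100)
    crook = bank.login("alice", "correct horse", "fp-crook-box", now=1200)
    # crook never sees the mailbox, so the token for fp-crook-box is never redeemed
    crook_again = bank.login("alice", "correct horse", "fp-crook-box", now=1300)
    return {
        "first": first, "confirmed": confirmed, "second": second,
        "crook": crook, "crook_again": crook_again,
    }


if __name__ == "__main__":
    print(demo())
```

The single-use, time-limited token is the part worth copying; the model deliberately does nothing about the case Dennis raises, where the customer has been trained to expect and act on e-mail from the bank, because no server-side check fixes that.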
