funsec mailing list archives
Re: New security measures at the Cambridge Savings Bank
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 01 Nov 2006 10:09:55 +1300
Richard M. Smith wrote:

> A friend just forwarded me the attached email message from the Cambridge Savings Bank of Massachusetts about a new security program that they plan to roll out soon. The email seems to be legit, but sending out email messages about online banking security is a bit odd since this is how most phishing scams operate. This new security measure apparently works the same as this scheme: http://www.nassaued.org/security.html

Oh dear...

> To log onto a bank account, one still uses a username and password. However, the computer must also have a special "security" cookie set on the computer. This cookie gets generated by the bank's Web site after someone answers a number of "secret" questions about their account. An account can also be locked down to only work on one particular computer. I'm not sure what happens if someone clears out their browser cookies.

They will be asked the security questions again. From the URL above:

    This superior security technology identifies you as the true "owner" of your accounts by recognizing not only your password, but the computer you're working from as well. If access is attempted from a computer other than the one at which you set up ELS (if you log in from a public computer, for instance), a challenge question will be presented to prevent unauthorized access.

    ...

    PLEASE NOTE: If you do not enroll a computer in ELS, you will be asked the challenge questions each time you log in from that computer. To prevent this, log in to Home Banking from the computer in question, click the "User Options" button (middle of top row), and then click the "Enhanced Login Security" link. Click the radio button entitled "Add extra security protection to this computer" and click "Submit". You will no longer be asked the challenge questions when you log in from that computer.

There are several shortcomings with this kind of scheme, but if used by small institutions, the cost to the bad guys of "breaking" any specific implementation is unlikely to be worth the return (the opposite of the law of large numbers). However, if large banks use them, then they really provide no additional _effective_ benefit. To break these the bad guys have to be in the "we've got malware on the victims' machines" league, and of course, once that's the case any scheme that only relies on username/account number, password and an on-machine cookie has _no_ security (but all manner of "better" man-in-the-middle attacks are also possible, making outright stealing of the users' credentials, including the cookie, somewhat less of a target).

So, in general, if this kind of scheme becomes at all widely adopted it will increase the pressure on the bad guys who are not already in the "we've got malware on the victims' machines" league to get into that league, or leave the scene, perhaps increasing the likelihood the bigger (and "better", aka "worse" from the bank customers' perspective) gangs will also target the smaller institutions.

This story being about the US, the main "problem" I personally have with these kinds of schemes is that I generally do not trust the banks, etc. to reliably secure the information they ask in the "extra" security questions. As these are often the same, institution to institution, _AND_ tend to be "personally revealing" (in the sense the correct answers to these questions help identify me) I won't answer these questions truthfully and thus am confronted with the "problem" of remembering which incorrect answer I gave to which questions at which institutions. Folk in the US (or maybe just "folk in general"?) are far too trusting of their banks, etc. to store this information securely and happily answer these questions, making them bigger/better targets for identity theft if _other_ systems at the bank, etc. are broken and this data accessed.

> I suspect there is some company out there that has a patent on this technology and they are peddling it to the smaller banks to meet upcoming FDIC mandates.

My gut tells me just the same...

> What do folks think about this idea?

It is trivially broken by existing man-in-the-middle Trojan programs that already exist. True, for now, none of those programs may be targeting NEFCU or the Cambridge Savings Bank of Massachusetts, but it's pretty short-sighted of those organizations to have spent the money that this very weak, very, very thin extra layer of "security" has cost them when any competent security analyst knows that these systems are already broken.

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
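As an added illustration of the login flow the thread describes (this is example code written for this page, not code from the bank, from the vendor behind the nassaued.org page, or from anyone in the thread), the toy below models a server that checks a username, a password and an enrolled-computer cookie, and runs the cases the discussion turns on: a first login from an unenrolled computer gets the challenge questions, a phisher holding only the password gets the challenge too, a forged cookie is rejected, and malware that lifts the cookie from the victim's computer along with the password logs in with no challenge at all. The cookie format (a random nonce plus an HMAC under a server-side key), the password hashing, the answer normalisation and the user and scenario data are all assumptions made for the example.

```python
"""Toy model of a cookie-based "enhanced login security" scheme.

Added example, not the bank's or any vendor's code. Cookie format, storage
and challenge handling are assumptions chosen to make the flow concrete.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret used to sign device cookies


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _sign_cookie(username: str, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()


class Bank:
    def __init__(self):
        self.users = {}  # username -> record dict

    def register(self, username, password, answers):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw": _hash_password(password, salt),
            # secret-question answers, normalised so "Rex" and " rex " match
            "answers": {q: a.strip().lower() for q, a in answers.items()},
            "devices": set(),  # nonces of computers enrolled in the scheme
        }

    def _password_ok(self, user, password):
        return hmac.compare_digest(user["pw"], _hash_password(password, user["salt"]))

    def _cookie_ok(self, username, cookie):
        # cookie = "<nonce>.<mac>"; the MAC binds the nonce to this user and server key
        try:
            nonce, mac = cookie.split(".")
        except ValueError:
            return False
        if not hmac.compare_digest(mac, _sign_cookie(username, nonce)):
            return False
        return nonce in self.users[username]["devices"]

    def login(self, username, password, cookie=None):
        """First step. Returns 'denied', 'challenge' or 'ok'."""
        user = self.users.get(username)
        if user is None or not self._password_ok(user, password):
            return "denied"
        if cookie is not None and self._cookie_ok(username, cookie):
            return "ok"  # recognised computer: no questions asked
        return "challenge"  # unknown computer: present the secret questions

    def answer_challenge(self, username, password, answers, enroll=False):
        """Second step after 'challenge'. Returns (result, cookie_or_None)."""
        user = self.users.get(username)
        if user is None or not self._password_ok(user, password):
            return "denied", None
        for question, expected in user["answers"].items():
            if answers.get(question, "").strip().lower() != expected:
                return "denied", None
        if not enroll:
            return "ok", None
        nonce = secrets.token_hex(16)
        user["devices"].add(nonce)
        return "ok", f"{nonce}.{_sign_cookie(username, nonce)}"


def run_scenarios():
    """Constructed scenario data; returns the outcome of each case by name."""
    bank = Bank()
    bank.register("alice", "correct horse battery", {"first pet": "Rex"})
    results = {}
    # 1. Alice's first login from her own PC: right password, no cookie yet.
    results["first_login"] = bank.login("alice", "correct horse battery")
    _, cookie = bank.answer_challenge(
        "alice", "correct horse battery", {"first pet": "rex"}, enroll=True)
    # 2. Later logins from the enrolled PC skip the questions.
    results["enrolled_pc"] = bank.login("alice", "correct horse battery", cookie)
    # 3. A phisher who captured only the password is stopped at the challenge.
    results["phisher_no_cookie"] = bank.login("alice", "correct horse battery")
    # 4. A forged cookie (wrong MAC, unknown nonce) does not help either.
    results["forged_cookie"] = bank.login("alice", "correct horse battery", "deadbeef.0000")
    # 5. Malware on Alice's PC reads both the saved password and the cookie:
    #    the server cannot tell it from Alice and raises no challenge.
    stolen = {"password": "correct horse battery", "cookie": cookie}
    results["malware_with_cookie"] = bank.login("alice", stolen["password"], stolen["cookie"])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

Run directly, the script prints one outcome per scenario. The last case is the one that matters for the thread: the cookie is just another secret stored on the same disk as the saved password, so anything that can read one can read both, and the check distinguishes computers, not people.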
Current thread:
- New security measures at the Cambridge Savings Bank Richard M. Smith (Oct 31)
- Re: New security measures at the Cambridge Savings Bank John LaCour (Oct 31)
- Re: New security measures at the Cambridge Savings Bank Nick FitzGerald (Oct 31)
- Re: New security measures at the Cambridge Savings Bank Valdis . Kletnieks (Oct 31)
- Re: New security measures at the Cambridge Savings Bank Nick FitzGerald (Oct 31)