funsec mailing list archives

Re: New security measures at the Cambridge Savings Bank


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 01 Nov 2006 10:09:55 +1300

Richard M. Smith wrote:

> A friend just forwarded me the attached email message from the Cambridge
> Savings Bank of Massachusetts about a new security program that they plan to
> roll out soon.  The email seems to be legit, but sending out email messages
> about online banking security is a bit odd since this is how most phishing
> scams operate.
>
> This new security measure apparently works the same as this scheme:
>
>    http://www.nassaued.org/security.html

Oh dear...

> To log onto a bank account, one still uses a username and password.
> However, the computer must also have a special "security" cookie set on the
> computer.  This cookie gets generated by the bank's Web site after someone
> answers a number of "secret" questions about their account.  An account can
> also be locked down to only work on one particular computer.  I'm not sure
> what happens if someone clears out their browser cookies.

They will be asked the security questions again.  From the URL above:

   This superior security technology identifies you as the true "owner"
   of your accounts by recognizing not only your password, but the
   computer you're working from as well. If access is attempted from a
   computer other than the one at which you set up ELS (if you log in
   from a public computer, for instance), a challenge question will be
   presented to prevent unauthorized access.  ...

   ...

   PLEASE NOTE: If you do not enroll a computer in ELS, you will be
   asked the challenge questions each time you log in from that
   computer. To prevent this, log in to Home Banking from the computer
   in question, click the "User Options" button (middle of top row),
   and then click the "Enhanced Login Security" link. Click the radio
   button entitled "Add extra security protection to this computer" and
   click "Submit". You will no longer be asked the challenge questions
   when you log in from that computer. 

There are several shortcomings with this kind of scheme, but if used by 
small institutions, the cost to the bad guys of "breaking" any specific 
implementation is unlikely to be worth the return (the opposite of the 
law of large numbers).  However, if large banks use them, then they 
really provide no additional _effective_ benefit.  To break these the 
bad guys have to be in the "we've got malware on the victims' machines" 
league, and of course, once that's the case any scheme that only relies 
on username/account number, password and an on-machine cookie has _no_ 
security (but all manner of "better" man-in-the-middle attacks are also 
possible, making outright stealing of the users' credentials, including 
the cookie, somewhat less of a target).

So, in general, if this kind of scheme becomes at all widely adopted it 
will increase the pressure on the bad guys who are not already in the 
"we've got malware on the victims' machines" league to get into that 
league, or leave the scene, perhaps increasing the likelihood the 
bigger (and "better", aka "worse" from the bank customers' perspective) 
gangs will also target the smaller institutions.

This story being about the US, the main "problem" I personally have 
with these kinds of schemes is that I generally do not trust the banks, 
etc to reliably secure the information they ask in the "extra" security 
questions.  As these are often the same, institution to institution, 
_AND_ tend to be "personally revealing" (in the sense the correct 
answers to these questions help identify me) I won't answer these 
questions truthfully and thus am confronted with the "problem" of 
remembering which incorrect answer I gave to which questions at which 
institutions.  Folk in the US (or maybe just "folk in general"?) are 
far too trusting of their banks, etc to store this information securely 
and happily answer these questions, making them bigger/better targets 
for identity theft if _other_ systems at the bank, etc are broken and 
this data accessed.

> I suspect there is some company out there that has a patent of this
> technology and they are peddling to the smaller banks to meet upcoming FDIC
> mandates.

My gut tells me just the same...

> What do folks think about this idea? 

It is trivially broken by existing man-in-the-middle Trojan programs 
that already exist.  True, for now, none of those programs may be 
targeting NEFCU or the Cambridge Savings Bank of Massachusetts, but 
it's pretty short-sighted of those organizations to have spent the 
money that this very weak, very, very thin extra layer of "security" 
has cost them when any competent security analyst knows that these 
systems are already broken.


Regards,

Nick FitzGerald
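The enrolled-computer ("ELS") flow discussed in this thread, as an added Python model; it is not code from the bank, NEFCU, or any vendor, and the names (Bank, ChallengeRequired, the "user|device|hmac" cookie layout) are assumptions made for the illustration. Two defender-side choices are added on top of what the thread describes: the device cookie is HMAC-signed so the server can reject a tampered one, and challenge answers are stored only as salted hashes, addressing the worry about banks holding the "personally revealing" answers in the clear. The model also makes the thread's main point visible: the cookie is a bearer token, so the server cannot tell an enrolled computer from anything else that presents the same cookie and password.

```python
import hashlib
import hmac
import os
import secrets

# Constructed server secret; a real deployment keeps this in an HSM/KMS.
SERVER_KEY = secrets.token_bytes(32)
PBKDF2_ROUNDS = 100_000


def _normalize(answer):
    """Canonicalise a challenge answer so "Springfield " == "springfield"."""
    return " ".join(answer.lower().split())


def _hash_secret(secret, salt):
    """Salted PBKDF2 of a password or answer; only this digest is stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _sign_device(username, device_id):
    """Device cookie 'user|device|hmac': tamper-evident, but a bearer token."""
    payload = f"{username}|{device_id}"
    return payload + "|" + hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()


class ChallengeRequired(Exception):
    """Login must answer the challenge questions listed in args[0]."""


class Bank:
    def __init__(self):
        self.users = {}

    def register(self, username, password, answers):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "password": _hash_secret(password, salt),
            "answers": {q: _hash_secret(_normalize(a), salt) for q, a in answers.items()},
            "enrolled": set(),  # device ids the customer chose to enrol
        }

    def _answers_ok(self, user, answers):
        return answers is not None and all(
            q in answers and hmac.compare_digest(h, _hash_secret(_normalize(answers[q]), user["salt"]))
            for q, h in user["answers"].items())

    def _device_from_cookie(self, username, cookie):
        """Return the device id only if the cookie is well formed and its HMAC verifies."""
        parts = (cookie or "").split("|")
        if len(parts) != 3 or parts[0] != username:
            return None
        expected = _sign_device(parts[0], parts[1])
        if not hmac.compare_digest(expected.encode(), cookie.encode()):
            return None
        return parts[1]

    def login(self, username, password, cookie=None, answers=None, enroll=False):
        """Return (ok, cookie_for_browser); raise ChallengeRequired when the
        computer is not enrolled and no correct answers were supplied."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
                user["password"], _hash_secret(password, user["salt"])):
            return False, None
        device_id = self._device_from_cookie(username, cookie)
        if device_id in user["enrolled"]:
            return True, cookie  # recognised enrolled computer: no challenge
        if not self._answers_ok(user, answers):
            raise ChallengeRequired(list(user["answers"]))
        device_id = device_id or secrets.token_hex(8)  # fresh computer: new id
        if enroll:
            user["enrolled"].add(device_id)
        return True, _sign_device(username, device_id)


def _challenged(bank, **kw):
    """True if the login attempt was sent to the challenge questions."""
    try:
        bank.login(**kw)
    except ChallengeRequired:
        return True
    return False


def demo():
    """Walk through the flow on a constructed customer; returns observations."""
    bank = Bank()
    bank.register("alice", "correct horse", {"first pet": "Rex", "birth city": "Springfield"})
    first = _challenged(bank, username="alice", password="correct horse")  # no cookie yet
    ok, cookie = bank.login("alice", "correct horse",
                            answers={"first pet": "rex", "birth city": " springfield"}, enroll=True)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        "new_computer_challenged": first,
        "enrolled_skips_challenge": ok and bank.login("alice", "correct horse", cookie=cookie) == (True, cookie),
        "cleared_cookie_challenged": _challenged(bank, username="alice", password="correct horse"),
        "tampered_cookie_challenged": _challenged(bank, username="alice", password="correct horse", cookie=tampered),
        "wrong_password_rejected": bank.login("alice", "wrong", cookie=cookie) == (False, None),
        "plaintext_answer_stored": "springfield" in repr(bank.users["alice"]).lower(),
    }
```

Clearing the browser's cookies simply puts the customer back on the "not enrolled" path, which is the behaviour the NEFCU page describes. Nothing in `login` can distinguish the enrolled computer from any other client that supplies the same password and cookie, which is why the scheme adds little once an attacker already controls the customer's machine.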


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

