2FA is dead, right?

January 30, 2008 at 10:54 pm 7 comments

Not quite.

This particular storm in my coffee cup was kicked up by Symantec’s Liam OMurchu’s post in his blog Banking in Silence about the trojan Silentbanker.

Security researchers aren’t given to hyperbole so he certainly raised eyebrows by saying, “The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis…The ability of this Trojan to perform man-in-the-middle [MITM] attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication [2FA].”

Importantly, he noted that “The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack is still valid.” It’s important because it means the MITM attack is not on the channel but the user’s computer.

But it’s a sneaky thing. It can redirect users to an attacker-controlled server instead of a real bank in order to perform a classic MITM attack or self-update. There are also quite a few other things about this trojan that make it impossible for a user to know that something is wrong.

Yeah, real nasty.

Then it was the turn of mainstream media to jump in. The Dominion Post accompanied the article Banks admit new trojan threat to internet banking with a huge photograph of a Trojan Horse to make a big splash. With that kind of an approach, why bother to read the article?

Actually, for people who got past the in-your-face approach, the article was quite sensible. It pointed out that no NZ bank has [yet] been targeted and all the banks made soothing noises about the safety of online banking.

Some vendors didn’t exactly help the situation. Authentify sent out an email to people on their sales hit list like me with the headline message “Time for banks to start using REAL TIME, OUT-OF-BAND AUTHENTICATION ON TELEPHONES!”

Yes, some out-of-band authentication systems can defeat MITM attacks. Still, call me a prude but that was like hawking life insurance at a funeral.

So what do we do? Move to three factor authentication? Abandon the online channel? Cross our fingers and hope that our online service is not a target?

Nope, we go back to basics. Authentication basics.

First, authentication is not a silver bullet to solve all security and access control issues. It is an important part of the answer but not the full answer.

My favourite example is credit card companies. They focus on the transaction and not too much on authentication. My second standard example is Westpac bank in NZ. They don’t use 2FA and yet are the only major bank that has a guarantee which “promises to reimburse customers for any losses they suffer through Internet banking fraud.” Both have smart and effective back-end processes that focus on the transaction to complement authentication.

Second, a decision to use 2FA or not needs to be linked to the identity-related risk in the online transaction. Risk assessment comes first, appropriate solutions later. For NZ government agencies, the Authentication Key Strengths Standard specifies (and therefore igovt services like the Government Logon Service provides) the type of logon to be used that is proportionate to the service risk, including consideration of MITM attacks.

It’s not that 2FA can’t defeat MITM attacks. Some can, some can’t. If the risk of MITM attacks needs to be addressed, then there are 2FA solutions out there. Typically, good crypto and hardware tokens in a well designed, well implemented authentication solution (such as requiring per-session local activation) will do the trick.

In my opinion, the real problem is that there are no 2FA solutions that are both economical for the service provider AND convenient for the user.

For online banking specifically, a decent 2FA solution combined with decent back-end processes that focus on the transaction can balance costs and risks to keep losses to an acceptable level.

2FA isn’t dead, just misunderstood. And, for those people who demand or expect that 2FA in itself means zero losses from the online channel, get real.


Entry filed under: 2FA, authentication, igovt, NZ, security.

NZ: update on data breach law Webstock shaping up as a must-attend

7 Comments Add your own

  • 1. 2FA is dead, right? | Online Services  |  January 30, 2008 at 11:21 pm

    […] post by Vikram Share and Enjoy: These icons link to social bookmarking sites where readers can share and […]

  • 2. Temporary Test Blog » Blog Archive » 2FA is dead, right?  |  January 30, 2008 at 11:46 pm

    […] Original post by Vikram […]

  • 3. Blog » Blog Archive » 2FA is dead, right?  |  January 30, 2008 at 11:55 pm

    […] Vikram wrote an interesting post today on 2FA is dead, right?Here’s a quick excerptThis particular storm in my coffee cup was kicked up by Symantec’s Liam OMurchu’s post in his blog Banking in Silence about the trojan Silentbanker. Security researchers aren’t given to hyperbole so he certainly raised eyebrows by … […]

  • 4. 2FA is dead, right?  |  January 30, 2008 at 11:59 pm

    […] post by Identity and Privacy Blog internet marketing Post a […]

  • 5. NZ: Online banking and fraud « Identity and Privacy Blog  |  March 11, 2008 at 11:20 pm

    […] previously expressed admiration for Westpac’s approach to online banking. For example, they don’t use 2FA and yet are the […]

    • 6. anand  |  October 26, 2010 at 2:36 am

      ya that g8 idea of online banking and me also use that mostly

  • 7. Bhushan Pal  |  December 14, 2010 at 12:27 am

    2FA is decade old technology, hackers have been launching more sophisticated threats. Of course, 2FA is important but can this alone save us from the hackers???

    The answer is No, to explore more beyond 2FA visit Uniken.com. This is an innovation and has been implemented at various banks in India. Bhushan Pal


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.

Follow me on twitter


%d bloggers like this: