Posts filed under ‘2FA’
When HMRC (Her Majesty’s Revenue and Customs) lost personal information of nearly half the UK population, I called it “mind boggling”. I also thought that it would be the last time I’d write about data breaches. What could top that?
Never underestimate the Brits. They’ve now pushed the bar even higher.
All it took was a flash drive found in the car park of a pub, The Orbital. It held user names and the hashed passwords of Government Gateway accounts (the Gateway provides centralised authentication to important online services such as tax returns). Worse, the flash drive also held the source code, security software and a step-by-step guide to how the Government Gateway works. It belonged to Daniel Harrington, an IT analyst at Atos Origin, the company which manages the Government Gateway.
The flash drive was lost about two weeks ago. Daniel must have just started to believe that his prayers had been answered and the flash drive was gone forever. No such luck. Tellingly, it was handed in to a newspaper (The Mail on Sunday) rather than returned to the government.
The point isn’t that the flash drive was lost. What was all that data doing on it in the first place? The Prime Minister is pointing the finger at Atos Origin, which in turn is blaming Daniel for breaching operating procedures. Really? It sounds exactly like Chancellor Alistair Darling pointing to a junior official in the HMRC case. It really shouldn’t be so easy to evade accountability.
Why was the flash drive not encrypted? The passwords were hashed rather than stored in the clear, but a hashed password file is an offline target: throw enough resources at it and, unless the hashes are salted and deliberately slow to compute, it shouldn’t be that hard to break. And it’s impossible to say how many copies of the flash drive’s contents are now in circulation.
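To make the “throw enough resources at it” point concrete, here is an added example (not code from the page, and nothing to do with the real Government Gateway file) that runs the same dictionary attack against two constructed credential files: one with unsalted SHA-1 hashes, one with salted PBKDF2 records. The usernames, passwords, wordlist and iteration count are all made up for the illustration; the iteration count is kept low so the example runs in well under a second.

```python
import hashlib
import hmac
import os

# Constructed sample of what a leaked credential file looks like when the
# hashes are unsalted and fast (SHA-1, no per-user salt). These are NOT real
# Government Gateway records; the usernames and passwords are made up.
PLAINTEXTS = {"alice": "password1", "bob": "letmein", "carol": "correct horse battery staple"}
LEAKED_UNSALTED = {user: hashlib.sha1(pw.encode()).hexdigest() for user, pw in PLAINTEXTS.items()}

# A tiny attacker wordlist (constructed). Real wordlists run to hundreds of millions.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "gateway"]

# Deliberately slow, salted alternative: PBKDF2-HMAC-SHA256. The iteration count
# is kept low here so the example runs quickly; production values are far higher.
ITERATIONS = 20_000


def crack_unsalted(leaked, wordlist):
    """Dictionary attack on unsalted SHA-1.

    One hash per candidate word tests it against *every* account at once:
    without a salt, identical passwords give identical hashes, so the attacker
    builds a lookup table once and the work does not grow with the number of
    users. Returns (cracked accounts, number of hash computations).
    """
    table = {hashlib.sha1(word.encode()).hexdigest(): word for word in wordlist}
    cracked = {user: table[digest] for user, digest in leaked.items() if digest in table}
    return cracked, len(wordlist)


def make_salted_record(password):
    """Store a password as (random salt, PBKDF2 digest) instead of a bare hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


LEAKED_SALTED = {user: make_salted_record(pw) for user, pw in PLAINTEXTS.items()}


def crack_salted(leaked, wordlist):
    """Same dictionary attack against salted PBKDF2 records.

    The salt forces the attacker to redo the whole wordlist for each user, and
    each guess now costs ITERATIONS HMAC operations instead of one hash.
    Returns (cracked accounts, number of PBKDF2 computations).
    """
    cracked = {}
    work = 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            work += 1
            candidate = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, ITERATIONS)
            if hmac.compare_digest(candidate, digest):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    fast = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    slow = crack_salted(LEAKED_SALTED, WORDLIST)
    print("unsalted SHA-1 :", fast[0], "after", fast[1], "hash computations")
    print("salted PBKDF2  :", slow[0], "after", slow[1] * ITERATIONS, "HMAC operations")
```

Both files give up the same weak passwords; the difference is cost. Six hashes crack every unsalted account in one pass, while the salted file needs a separate run per user and every guess costs ITERATIONS HMACs, which is what makes “enough resources” a real constraint rather than a trivial one. The strong passphrase survives either way, which is the user-side half of the story.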
Some will use this to question the UK’s plan for a National Identity Card. Others will again proclaim the death of passwords. Yet others will cry that it’s the tip of the iceberg: who knows how many other unreported breaches of this magnitude are happening around the world? I’m sure at least a few will wonder what if it had been biometric templates, which, unlike passwords, cannot be changed once they leak.
Me, I mourn the blows to trust in government and online services all over the world. And the frightening reality that past lessons are simply being ignored, taking us ever closer to a tipping point.
Today I went through the whole hot-expectations-followed-by-quenching-reality to re-learn some authentication basics.
First, hot expectations were set off by furious thinking triggered by an article in today’s Dom Post, Snapper to make a splash.
The article says that, “From June, people will be able to pay for bus tickets and everyday items in shops using the Snapper card, a stored-value smartcard that NZX-listed infrastructure investor Infratil hopes will become more widely used than conventional eftpos cards… Cardholders will be able to top up Snapper cards by credit card over the Internet by clipping their card to a USB device that plugs into a computer… Snapper will also be available in the form of a USB stick, that can be plugged directly into a computer and topped up…Snapper is similar in concept to London’s Oyster cards and the Octopus card in Hong Kong.”
Now the last sentence should have rung loud warning bells but it didn’t. Maybe it was Monday morning and the coffee hadn’t kicked in. Whatever.
Instead, the old brain took off. This could be the key for ubiquitous two-factor authentication in NZ, right? After all, if everyone was carrying a smartcard that could be plugged into a computer, or a smartcard in a USB form factor, surely that would make the perfect second factor for two-factor authentication? Nothing extra to carry around; no extra reader costs; and familiarity with everyday use. Perfect. Heaven. Nirvana.
And then, the quenching reality.
The warning bells finally penetrated this evening. A quick Google search confirmed what the subconscious was trying to tell me. The Oyster card (more specifically, smartcards based on MIFARE Classic chips) uses MIFARE Crypto-1, a proprietary lightweight stream cipher which researchers have reverse engineered and broken, concluding, “The security of this cipher is therefore close to zero.”
The critical question of course is whether or not Snapper is based on MIFARE Classic chips. There is no publicly available information that I could find which confirms or denies this. It is “similar in concept” but might be based on a stronger version of the chip. That is something I’ll have to find out.
But the point is that reality can be very effective in quenching authentication expectations. And, like quenching, one emerges stronger and remembers authentication basics, such as always check for known vulnerabilities before getting too excited about any authentication method.
It’s a rare pleasure to publicly hear from Stu Woollett (head of e-business at Westpac). That makes his article Internet banking less risky than driving a car a blog-worthy event.
I’ve previously expressed admiration for Westpac’s approach to online banking. For example, they don’t use 2FA and yet are the only major bank that has a guarantee which “promises to reimburse customers for any losses they suffer through Internet banking fraud.” Contrast this with the approach of most other banks who still want to make customers liable even when things are really beyond their control.
So when Stu talks, I listen. And sure enough his article had a few nuggets:
– “As a bank we’re acknowledging that cyberspace can be an unsafe place, but the bank can’t lean on customers to make it safe.”
– “We don’t make it a condition that you have to shell out for the newest, fanciest firewall or anti-virus software. We’ve got all that covered, and more, which is why we’re confident about offering our online guarantee to our customers.”
– “Our January statistics show us that we had nearly four million total logins. We had only one customer affected by a fraudulent transaction and they were refunded under the terms of our guarantee. Some months it doesn’t cost us a thing, and we’d like every month to be a clean month.” [emphasis added]
Wow, one fraudulent transaction across nearly four million logins. That’s a pretty incredible statistic and helps put all the media stories about the dangers of transacting online in perspective.
That’s not to say that there aren’t dangers in transacting online. What it does mean is that security in depth, including smart back-end systems, combined with a commitment to make it work for customers, provides the right economic setting for the service provider, not the customer, to take on and manage the risks.
I’m sure Bruce Schneier would approve.
This particular storm in my coffee cup was kicked up by Symantec’s Liam OMurchu’s blog post Banking in Silence about the Silentbanker trojan.
Security researchers aren’t given to hyperbole so he certainly raised eyebrows by saying, “The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis…The ability of this Trojan to perform man-in-the-middle [MITM] attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication [2FA].”
Importantly, he noted that “The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack is still valid.” That matters because it means the MITM attack is not on the channel but on the user’s computer: the trojan sits in the browser and sees the plaintext before SSL ever touches it, so channel encryption and server certificates are beside the point.
It is also sneaky. It can redirect users to an attacker-controlled server instead of the real bank, either to perform a classic MITM attack or to update itself, and it does a number of other things that make it practically impossible for a user to tell that something is wrong.
Yeah, real nasty.
Then it was the turn of mainstream media to jump in. The Dominion Post accompanied the article Banks admit new trojan threat to internet banking with a huge photograph of a Trojan Horse to make a big splash. With that kind of an approach, why bother to read the article?
Actually, for people who got past the in-your-face approach, the article was quite sensible. It pointed out that no NZ bank has [yet] been targeted and all the banks made soothing noises about the safety of online banking.
Some vendors didn’t exactly help the situation. Authentify sent out an email to people on their sales hit list like me with the headline message “Time for banks to start using REAL TIME, OUT-OF-BAND AUTHENTICATION ON TELEPHONES!”
Yes, some out-of-band authentication systems can defeat MITM attacks. Still, call me a prude but that was like hawking life insurance at a funeral.
So what do we do? Move to three factor authentication? Abandon the online channel? Cross our fingers and hope that our online service is not a target?
Nope, we go back to basics. Authentication basics.
First, authentication is not a silver bullet to solve all security and access control issues. It is an important part of the answer but not the full answer.
My favourite example is credit card companies. They focus on the transaction and not too much on authentication. My second standard example is Westpac bank in NZ. They don’t use 2FA and yet are the only major bank that has a guarantee which “promises to reimburse customers for any losses they suffer through Internet banking fraud.” Both have smart and effective back-end processes that focus on the transaction to complement authentication.
Second, a decision to use 2FA or not needs to be linked to the identity-related risk in the online transaction. Risk assessment comes first, appropriate solutions later. For NZ government agencies, the Authentication Key Strengths Standard specifies (and therefore igovt services such as the Government Logon Service provide) the type of logon to be used, proportionate to the service risk, including consideration of MITM attacks.
It’s not that 2FA can’t defeat MITM attacks. Some can, some can’t. A factor that only proves possession at login (a texted one-time password, a bingo card) does nothing once a trojan in the browser alters the transaction after login. If the risk of MITM attacks needs to be addressed, then there are 2FA solutions out there: typically good crypto and hardware tokens in a well-designed, well-implemented authentication solution (such as requiring per-session local activation of the token, or having the token sign the transaction details the user has keyed into it) will do the trick.
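The difference between “some can, some can’t” is easier to see in code. The following is an added example, not Silentbanker’s code and not any bank’s implementation: a plain RFC 4226 HOTP code is compared with a transaction-bound code under a simulated man-in-the-browser that rewrites the destination account after the user has typed it, exactly the pre-encryption tampering described above. The shared secret, counter, account numbers and the transaction-code construction (HMAC over counter plus destination and amount, modelled loosely on “sign what you see” tokens) are all assumptions for the illustration.

```python
import hashlib
import hmac
import struct

# Assumptions for the simulation: a constructed token secret and counter, a bank
# "server" that verifies codes, and a man-in-the-browser that rewrites the
# destination account after the user has typed it. Nothing here is real malware.
SECRET = b"constructed-token-secret-0123456789"
ATTACKER_ACCOUNT = "99-9999-9999999-99"


def _truncate(mac, digits=6):
    """RFC 4226 dynamic truncation: take 31 bits from the MAC, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def hotp(secret, counter):
    """Plain HOTP (RFC 4226): proves possession of the token at login and says
    nothing about which transaction the code is meant to authorise."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest())


def transaction_code(secret, counter, destination, amount_cents):
    """Transaction-bound code: a token with its own keypad and display signs the
    destination and amount the user keyed in, so the code is valid only for that
    exact transaction. Simplified model of "sign what you see" tokens (assumption)."""
    challenge = f"{destination}|{amount_cents}".encode()
    mac = hmac.new(secret, struct.pack(">Q", counter) + challenge, hashlib.sha256).digest()
    return _truncate(mac)


def man_in_the_browser(form):
    """Silentbanker-style tampering: the form is rewritten inside the browser
    before SSL encryption, while the user's screen still shows the original."""
    tampered = dict(form)
    tampered["destination"] = ATTACKER_ACCOUNT
    return tampered


def bank_verify_plain(secret, counter, form):
    """Server check for plain HOTP: only the counter is covered by the MAC, so any
    transaction that arrives with a fresh valid code is accepted."""
    return hmac.compare_digest(form["code"], hotp(secret, counter))


def bank_verify_bound(secret, counter, form):
    """Server recomputes the code over the destination and amount it actually
    received; a rewritten destination no longer matches the user's code."""
    expected = transaction_code(secret, counter, form["destination"], form["amount_cents"])
    return hmac.compare_digest(form["code"], expected)


def demo(counter=7):
    """Push the same transfer through both schemes, with and without the trojan.
    Returns the four verification outcomes."""
    user_form = {"destination": "12-3456-7890123-00", "amount_cents": 50_000}
    plain = dict(user_form, code=hotp(SECRET, counter))
    bound = dict(user_form, code=transaction_code(
        SECRET, counter, user_form["destination"], user_form["amount_cents"]))
    return {
        "plain_untampered": bank_verify_plain(SECRET, counter, plain),
        "plain_tampered": bank_verify_plain(SECRET, counter, man_in_the_browser(plain)),
        "bound_untampered": bank_verify_bound(SECRET, counter, bound),
        "bound_tampered": bank_verify_bound(SECRET, counter, man_in_the_browser(bound)),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:18s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The plain code is accepted with the attacker’s account in the form, because the bank only learns that the real token was present; the bound code is rejected, because the bank recomputes it over what it actually received. The caveat that goes with this: the binding only helps if the destination and amount enter the token through its own keypad and are shown on its own display. A token driven by the compromised PC can be fed the attacker’s values just as easily, which is why the hardware and the per-session local activation matter, not just the crypto.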
In my opinion, the real problem is that there are no 2FA solutions that are both economical for the service provider AND convenient for the user.
For online banking specifically, a decent 2FA solution combined with decent back-end processes that focus on the transaction can balance costs and risks to keep losses to an acceptable level.
2FA isn’t dead, just misunderstood. And, for those people who demand or expect that 2FA in itself means zero losses from the online channel, get real.
There are several stories doing the media rounds today about online banking that have some interesting angles:
1. Back in July this year, with the introduction of the new Code of Banking Practice, banks wanted to make online banking customers liable for not patching their operating systems or if their “virus scanning, firewall, anti-spyware, operating system and anti-spam software” was not up to date. At that time, I said that none of this makes business, operational or technical sense for the banks.
Amongst the majors, Westpac was the first to see the obvious and backed down in August (even more interesting when you consider that it is the only major that doesn’t offer two-factor authentication).
Now, Bank of New Zealand (BNZ) has backed down, with ANZ National half way there. It’s likely that the others will follow, as both Westpac and BNZ are using explicit no-liability assurances that are believed to be bringing in new customers.
2. BNZ is going to make two-factor authentication compulsory for its online banking customers. Hmmm… the conventional wisdom is to make it optional or only require it beyond some limit. If the other banks follow, this could be the tipping point for two-factor authentication in New Zealand.
3. Unfortunately, BNZ’s two-factor authentication for personal banking barely makes the grade. The bank uses NetGuard that is a “bingo card” with a 7×7 grid. It is “something you have” but fails the test of “something no one else has.” It is trivial for someone to get a copy of the static grid without the customer’s knowledge.
In fact, one of the actual attacks against the NetGuard bingo card has been to try to get the intended victim to fill in the entire grid in a spoofed page. This demonstrates that the bingo card is much more a shared secret one-factor than true two-factor authentication.
4. BNZ has an example where the time from an account being compromised to actual cash in hand (in Canada) was 15 minutes. That shows how important real-time fraud detection and business-rule limits have become as a complement to authentication. The credit card companies, such as Visa, are the masters in this area.
5. Two-factor authentication works. In a recent phishing scam against BNZ customers, eight customers had their username and passwords phished. The four who were using NetGuard were still safe. Obviously, even low-grade two-factor authentication is better than passwords alone!
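Point 3 above, that a static grid is a shared secret rather than a true second factor, can be quantified. The following is an added example (not BNZ’s NetGuard, whose exact challenge format is not on this page): a constructed 7×7 card, a spoofed login page that records every coordinate and character the victim types, and a measure of how quickly the attacker’s copy of the grid becomes good enough to answer a fresh challenge. The three-coordinate challenge and the character alphabet are assumptions for the simulation.

```python
import math
import random
import string

# Constructed model of a bingo-card second factor: a static 7x7 grid of
# characters printed once and posted to the customer. Three coordinates per
# login is an assumption for the simulation, not a description of NetGuard.
GRID_SIZE = 7
CELLS = GRID_SIZE * GRID_SIZE
CHALLENGE_CELLS = 3
ALPHABET = string.ascii_uppercase + string.digits


def make_card(rng):
    """Issue a card: every coordinate maps to a fixed character for the card's life."""
    return {(r, c): rng.choice(ALPHABET) for r in range(GRID_SIZE) for c in range(GRID_SIZE)}


def respond(card, coords):
    """What the customer types: the characters at the requested coordinates."""
    return "".join(card[rc] for rc in coords)


class Phisher:
    """A spoofed login page that records every coordinate/character pair the
    victim types. Because the card never changes, each observation stays useful
    forever: the attacker's copy of the grid only ever grows."""

    def __init__(self):
        self.known = {}

    def observe(self, coords, response):
        for rc, ch in zip(coords, response):
            self.known[rc] = ch

    def can_answer(self, coords):
        return all(rc in self.known for rc in coords)

    def coverage(self):
        """Fraction of the grid the attacker has reconstructed."""
        return len(self.known) / CELLS

    def success_probability(self):
        """Chance of answering a fresh, uniformly random challenge of
        CHALLENGE_CELLS distinct cells: every one of them must already be known."""
        return math.comb(len(self.known), CHALLENGE_CELLS) / math.comb(CELLS, CHALLENGE_CELLS)


def simulate_replays(sessions, seed=1):
    """The slow attack: phish one genuine login at a time and accumulate answers."""
    rng = random.Random(seed)
    card = make_card(rng)
    cells = sorted(card)
    phisher = Phisher()
    for _ in range(sessions):
        coords = rng.sample(cells, CHALLENGE_CELLS)     # the bank's challenge
        phisher.observe(coords, respond(card, coords))  # victim answers on the spoof
    return phisher


def phish_whole_grid(card):
    """The attack described above: a spoofed page that asks the victim to fill in
    the entire grid. One success hands over the whole "factor"."""
    phisher = Phisher()
    cells = sorted(card)
    phisher.observe(cells, respond(card, cells))
    return phisher


if __name__ == "__main__":
    for n in (1, 10, 25, 50, 100):
        p = simulate_replays(n)
        print(f"{n:3d} phished logins: {p.coverage():.0%} of grid known, "
              f"p(answer next challenge) = {p.success_probability():.2f}")
    full = phish_whole_grid(make_card(random.Random(0)))
    print(f"whole-grid phish: p = {full.success_probability():.2f}")
```

The contrast with a counter-based or transaction-bound token is that a captured token response tells the attacker nothing about the next one, so the phisher’s success probability stays flat instead of climbing towards one. With the static grid, the only thing protecting the customer after a few phished logins is the bank’s back-end controls, which is the point made in item 4.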
There is a reasonable amount of consensus on what two-factor authentication is. I was therefore surprised when an analyst from Burton Group was less than clear. Surely it is to everyone’s advantage in the industry to be precise and consistent so that unnecessary confusion is not created.
Two factor authentication is when two of the three factors of authentication are used:
- something you know
- something you have
- something you are
There is also reasonable consensus that “something you are” refers to biometrics which itself consists of both physiological (e.g. fingerprints) and behavioural (e.g. keystroke dynamics).
Mark Diodati, Identity and Privacy Strategies analyst at the Burton Group, in an article in eWeek called What Is Password Hardening and How Does It Work? tends to confuse things.
He describes password hardening as “you do something extra to make the password harder to guess or spoof without actually distributing a piece of hardware or software to the consumer.” Fair enough, sounds like a good idea.
His first example is keystroke dynamics from BioPassword. But keystroke dynamics is a behavioural biometric, i.e. “something you are”, so a password plus keystroke dynamics is two-factor authentication by the definition above. He seems to imply that because it is delivered through a Flash plug-in, with no hardware or software distributed to the consumer, it is therefore not two-factor authentication. That confuses two different things: how a factor is delivered and what kind of factor it is.
He goes on to give a second example of password hardening using Bharosa, specifically “a bitmap image of a scrambled keyboard for them to type their password on using mouse clicks.” He describes this as “pseudo-multifactor”, whatever that may be.
I prefer to call a spade a spade and wouldn’t know what a pseudo-spade is if I saw one. An example of what this confusion does for the industry is the fact that FFIEC in the US had to issue supplemental guidance in August 2006 that clarified, “By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors.”
This definition has nothing to do with “distributing a piece of hardware or software to the consumer” that Mark seems to be advocating. As an example, a one-time-password texted to a person’s mobile phone is two factor authentication and does not involve any distribution of hardware or software.
There are many things to like about Austria’s national identity system. A good overview is the presentation given at Liberty Alliance’s eGovernment Workshop held in Brussels earlier this year.
First, the absence of an external national unique identifier. Every person gets assigned a unique personal identification number (Source-PIN) that is under his/her own control. Each governmental sector is provided its own specific identifier for that person (Sector Specific PIN) which is derived from the Source-PIN using a one-way cryptographic function.
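The Source-PIN to Sector-Specific PIN idea is worth seeing in code, because the property that matters (a sector cannot get back to the Source-PIN, or link its identifier to another sector’s) depends on the Source-PIN being unguessable. The following is an added illustration, not the Austrian implementation: the real derivation hashes the sourcePIN together with a sector code under its own exact encoding rules, and the sourcePIN itself is produced from the register number under a secret key. The sector names, the SHA-256 construction and the five-digit “weak” register number are assumptions made for the example.

```python
import hashlib
import secrets

# Added illustration of the Source-PIN -> Sector-Specific PIN idea. The real
# Austrian derivation has its own exact encoding; this reproduces the shape only.
# Sector names and the hash construction are assumptions for the example.
SECTORS = ["tax", "health", "education"]


def derive_sector_pin(source_pin, sector):
    """One-way derivation: a sector authority receives H(sourcePIN || sector). It
    can match the same person across its own records, but cannot invert the hash
    to get the sourcePIN, nor compute another sector's identifier from its own."""
    return hashlib.sha256(f"{source_pin}+{sector}".encode()).hexdigest()


def issue_source_pin():
    """What the issuer should hand out: a high-entropy secret identifier
    (128 random bits here), never a plain sequential register number."""
    return secrets.token_hex(16)


def recover_source_pin(sector_pin, sector, candidate_source_pins):
    """What a curious sector authority can try: guess the sourcePIN and re-derive.
    This only succeeds if the sourcePIN space is small enough to enumerate."""
    for candidate in candidate_source_pins:
        if derive_sector_pin(candidate, sector) == sector_pin:
            return candidate
    return None


def linkable(sector_pin_a, sector_a, sector_pin_b, sector_b, candidate_source_pins):
    """Two sector authorities collude: can they tell their records are the same
    person? Only by recovering the sourcePIN from one identifier and re-deriving
    the other, so the answer is decided by the entropy of the sourcePIN."""
    guess = recover_source_pin(sector_pin_a, sector_a, candidate_source_pins)
    return guess is not None and derive_sector_pin(guess, sector_b) == sector_pin_b


def demo():
    """Same scheme, two kinds of sourcePIN: random 128-bit versus a bare 5-digit
    register number (constructed). Returns whether each can be linked across sectors."""
    strong = issue_source_pin()
    weak = "04217"                                    # constructed low-entropy sourcePIN
    five_digit = [f"{i:05d}" for i in range(100_000)]  # the whole space, cheap to enumerate
    return {
        "strong_unlinkable": not linkable(derive_sector_pin(strong, "tax"), "tax",
                                          derive_sector_pin(strong, "health"), "health",
                                          five_digit),
        "weak_linkable": linkable(derive_sector_pin(weak, "tax"), "tax",
                                  derive_sector_pin(weak, "health"), "health",
                                  five_digit),
    }


if __name__ == "__main__":
    person = issue_source_pin()
    for sector in SECTORS:
        print(f"{sector:10s} {derive_sector_pin(person, sector)}")
    print(demo())
```

The derivation is deterministic, so the issuer (which holds the Source-PIN) can always recompute any sector’s identifier when it legitimately needs to, which is the hook a national scheme relies on for revocation. The sectors themselves see only unrelated-looking hashes, provided the Source-PIN carries real entropy; derive it from a guessable register number and the one-way function protects nothing.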
Secondly, their Citizen Card is more of a concept in that it can be issued in a variety of smartcard form factors, for example a Bank Card or Health Card or even a mobile phone.
The Citizen Card contains both limited personal information (first name, last name, date of birth, Source-PIN) as well as the person’s public key information. The card can therefore be used for both authentication and electronic signatures.
Thirdly, their system is based on open standards, specifically SAML (v1.0 Browser Artifact Profile with plans to go to v2.0).
Finally, the system meets the test that Identity 2.0 experts love. These experts argue that the issuer of the identity credential (government) should not know where the person chooses to establish his/her identity. So, if a person goes to a video/DVD rental store and uses the Citizen Card to prove his/her identity, government has no business in knowing or tracking that. The Austrian system passes that test.
Ironically, in my personal opinion, it is also its major weakness. This is one area that I differ from the Identity 2.0 experts.
As a national identification system, I believe there needs to be a way for government to inform the places where an identification credential has been used in the event of proven identity fraud. It is not enough to stop future use of a fraudulent identity (say by means of a revocation list in the PKI infrastructure); there also needs to be an ability to proactively unwind transactions that were based on that fraudulent identity.
There are a few other issues, but they are comparatively minor. The first is that all the person’s attributes (first name, last name and date of birth) are available to everyone to whom identity is proven. Even though there is only a very small amount of personal information on the Card, there are cases where even these attributes are not required and therefore should not be given; for example, proving that a person is 18+ in order to buy alcohol.
Secondly, it is not clear how the person’s attributes stored on the Card can be easily changed or updated, e.g. in case of a change of name or administrative error.
Finally, as with all smartcards used for online authentication, smartcard readers are needed to access the digital certificate. However, it may be that widespread availability of smartcard readers (one for every computer) is not a problem in Austria.
Overall, there are many, many positive things about Austria’s national identity system that other countries can learn from.