Re: [nznog] New phish - Westpac
> I'm not an application security expert, but why can the banks issue an authentication certificate, and only allow connections to those who are authenticated?
Certs would help, but they are a PITA to get working reliably. I know of one place that does use them (www.vir.co.nz - only for dealers) - but banks are very much mass-market, and mom-and-pop would have a lot of trouble working it out. I think one of the banks (ANZ??) tried it a while back. Not sure what they use now tho.

The worst I have used was BNZ - they had a Java applet, and you had to CLICK on your password, on a keyboard on the screen. Wow, how secure, if someone is shoulder surfing, or capturing mouse clicks. And, it was just crap to use, especially if you didn't have Java (you just couldn't get in without Java!)

2-factor authentication is one of the few ways they could tighten up on security. ASB already does this, to some extent, with NetCode (ditto BankDirect - same company tho). They send you a text to confirm (you have to enter the code in the text) if the amount is over a specific value ($2500 per day). Works great. Why not do it on ALL transactions under a certain value (eg, $50)? Want to log in and check accounts? Fine. Username + password. Want to move money? You then MUST use 2-factor authentication. I'd say that 99% of people with computers also have cellphones, so text messages are a good way. Going overseas? Get one of those fancy SecurID cards on loan. I'm SURE that a load of people on this list know those cards - credit card sized "random" number generators on their keyrings. Same idea could be implemented for LESS cost than the banks usually lose....

Of course, the banks have to be motivated to do it.... And they are not, really, at the moment.

It might still give the phishermen entry, but only within a VERY small window (60 seconds to 5 mins, usually), which would solve most of the problems.

Of course, you'd need to sync it up with the Beer Tap at the pub somehow..... Maybe give the "keys" away free with every pint sold?

Righto. Back to work :)

Nic

--
Nic Wise - Senior Developer - Microsoft MVP (.NET)
t. +64.21.676.418
w. http://www.aftermail.com/
e. nic.wise(a)aftermail.com
b. http://www.fastchicken.co.nz/blog/
BNZ tried using certs in 2000 for IB for public - was a nightmare - far too early for browser compatibility, usual portability of certs etc. And of course, and this will come as a surprise to some, certs aren't very good for authentication remember - their power is in persistently marking transactions/data or whatever.

That BNZ system was tried to get round key loggers but as you say anything that needs specific machine setups/configs will fail for retail banking. And there are screen grabbers now anyway.

2-factor also does not solve the problem and can introduce more. Netcode relies on a now-defunct, unsupported product from RSA - it was dropped from the RSA product line due to the issues with SMS delivery and security - ask yourself how secure the SMS network is, would you know, do you know? I would be more concerned about that than anything. Also, the banks cannot control SMS delivery nor guarantee anything and therefore don't like it.

2 factor is relatively complex to manage in big deployments, expensive (relatively compared to a password) and probably overkill for retail but spot on for business - which of course you'll know has been used for a number of years now by most banks....

Remember though - you can use a computer - most people who use retail Internet Banking can't - IB is the pinnacle of their PC knowledge. And anyway banks don't make any money from retail banking so until phishing and e-banking scams become sufficiently common they still pale in comparison to manual frauds.

The real answer is to remove some functionality but of course we'd all moan... Free beers for life for the person that cracks the portability vs security conundrum!

Nic Wise wrote:
> > I'm not an application security expert, but why can the banks issue an authentication certificate, and only allow connections to those who are authenticated?
>
> Certs would help, but they are a PITA to get working reliably. I know of one place that does use them (www.vir.co.nz - only for dealers) - but banks are very much mass-market, and mom-and-pop would have a lot of trouble working it out. I think one of the banks (ANZ??) tried it a while back. Not sure what they use now tho.
>
> The worst I have used was BNZ - they had a Java applet, and you had to CLICK on your password, on a keyboard on the screen. Wow, how secure, if someone is shoulder surfing, or capturing mouse clicks. And, it was just crap to use, especially if you didn't have Java (you just couldn't get in without Java!)
>
> 2-factor authentication is one of the few ways they could tighten up on security. ASB already does this, to some extent, with NetCode (ditto BankDirect - same company tho). They send you a text to confirm (you have to enter the code in the text) if the amount is over a specific value ($2500 per day). Works great. Why not do it on ALL transactions under a certain value (eg, $50)? Want to log in and check accounts? Fine. Username + password. Want to move money? You then MUST use 2-factor authentication. I'd say that 99% of people with computers also have cellphones, so text messages are a good way. Going overseas? Get one of those fancy SecurID cards on loan. I'm SURE that a load of people on this list know those cards - credit card sized "random" number generators on their keyrings. Same idea could be implemented for LESS cost than the banks usually lose....
>
> Of course, the banks have to be motivated to do it.... And they are not, really, at the moment.
>
> It might still give the phishermen entry, but only within a VERY small window (60 seconds to 5 mins, usually), which would solve most of the problems.
>
> Of course, you'd need to sync it up with the Beer Tap at the pub somehow..... Maybe give the "keys" away free with every pint sold?
>
> Righto. Back to work :)
>
> Nic
--
Colin Slater
Director, Securify NZ Ltd
IT Security and Risk Management
p: 021 190 1112
e: colin.slater(a)securify.co.nz
w: www.securify.co.nz
On Wed, 21 Sep 2005, Colin Slater wrote:
> the banks cannot control SMS delivery nor guarantee anything and therefore don't like it.

SMS is not a guaranteed-delivery system, which both Telecom and Vodafone go to great lengths to remind people of whenever there's a problem. Using it for security systems is optimistic at best. Both T and V have had system failures where messages haven't been delivered for several hours, even days, if at all.

> And anyway banks don't make any money from retail banking so until phishing and e-banking scams become sufficiently common they still pale in comparison to manual frauds.

Article I read on Monday said that banks (I'm assuming in the US) write off 50 billion (yes, with a b) dollars a year in low-tech faked-identity frauds involving "legitimately" issued credit cards. Phishing is a minuscule problem by comparison - average phish is four figures, with relatively low incidence, compared to five figures for the credit card frauds and quite a high incidence.

--
Matthew Poole
"Don't use force. Get a bigger hammer."
On Wed, 21 Sep 2005, Matthew Poole wrote:
> Article I read on Monday said that banks (I'm assuming in the US) write

Article found here: http://www.theregister.co.uk/2005/09/16/gartner_phantom_fraud/

And, yes, it was in the US. My memory is failing.

--
Matthew Poole
"Don't use force. Get a bigger hammer."
> 2-factor authentication is one of the few ways they could tighten up on security. ASB already does this, to some extent, with NetCode (ditto BankDirect - same company tho). They send you a text to confirm (you have to enter the code in the text) if the amount is over a specific value ($2500 per day). Works great. Why not do it on ALL transactions under a certain value (eg, $50)? Want to log in and check accounts?

ASB has $2500 only as the default (and maximum). You can alter it to any lower value if you wish.

Ian