Is more simple bank web security better?
June 6, 2008 6:22 AM Subscribe
I have noticed that there seems to be a split between some banks/financial institutions who maintain complex security around their on-line account access and others who seem to have actively migrated towards a much simpler approach. Is there any evidence that the "simple" approach is either more or less secure than the "complex" one?
By "complex" I am talking about institutions that ask their users to memorise several passwords and then ask for one or two of these at random on login. There is also a likelihood that use might be tied to a particular PC with a physical token or a cookie. An additional one-time access code may be required. By "simple" I am talking about cases where users are asked something like "enter characters x, y and z from your password" - and perhaps for one other fixed detail. Users are also able to log in from pretty much any PC they choose.
My guess is that the latter group has lower support costs and less frustrated users. But are there real world difference in the security levels?
By "complex" I am talking about institutions that ask their users to memorise several passwords and then ask for one or two of these at random on login. There is also a likelihood that use might be tied to a particular PC with a physical token or a cookie. An additional one-time access code may be required. By "simple" I am talking about cases where users are asked something like "enter characters x, y and z from your password" - and perhaps for one other fixed detail. Users are also able to log in from pretty much any PC they choose.
My guess is that the latter group has lower support costs and less frustrated users. But are there real world difference in the security levels?
And fail to tell them that their research also shows that while people feel more secure, they also hate it.
...and that people will write their passwords on post-its and stick it to the monitor or in a text file on the desktop if they have too many to remember.
From a keylogging pov, putting in 3 complete passwords out of a list of say 8, would be exactly as secure as putting in 3 letters of your 8 letter password each time - its just a matter of time before all the information needed to log in is obtained.
And if you can get a keylogger onto someone's computer you can steal their cookies so tying it to an individual machine via a cookie only protects opportunists (those who happen to know/see your password list) and brute forcers (which isn't common these days - most organisations are smart enough to block access after 3-5 failed login attempts)
If the multiple passwords also required only to type in a few of the characters it would take longer to get all the relevant data, and therefore be more secure, but they would eventually get it all.
posted by missmagenta at 8:27 AM on June 6, 2008
...and that people will write their passwords on post-its and stick it to the monitor or in a text file on the desktop if they have too many to remember.
From a keylogging pov, putting in 3 complete passwords out of a list of say 8, would be exactly as secure as putting in 3 letters of your 8 letter password each time - its just a matter of time before all the information needed to log in is obtained.
And if you can get a keylogger onto someone's computer you can steal their cookies so tying it to an individual machine via a cookie only protects opportunists (those who happen to know/see your password list) and brute forcers (which isn't common these days - most organisations are smart enough to block access after 3-5 failed login attempts)
If the multiple passwords also required only to type in a few of the characters it would take longer to get all the relevant data, and therefore be more secure, but they would eventually get it all.
posted by missmagenta at 8:27 AM on June 6, 2008
Best answer: I worked for one of the first major brick-n-mortar banks to offer Internet transactions -- a company which most residents of the US are going to be familiar with -- which early on used a Social Security number and a PIN. The compliance and liability folks were deeply, deeply paranoid about what transactions could and could not be done under such lightweight authentication (especially since at the time the alphanumeric PIN was actually stored and authenticated as 10-key telephone keypad digits) and only very gradually allowed transactions beyond viewing and making payments. The institution in question has since shored up the PIN and password subsystem and moved away from the SSN as a customer identifier, using a name of the customer's choosing instead. No additional authentication tokens are used and there don't appear to be any planned, and just about any transaction you would want to do in the bank branch is possible on the Internet now.
I can't say I heard about every single incident of fraud in the 12 or so years I was there, but I'm pretty confident I was aware of a majority of them. Problems were relatively rare and I'm not aware of any big heists. Billions of dollars in transactions continue to flow through this system every day, on behalf of tens of millions of customers.
Having been a long-time employee there, I never did banking business with other retail banks. It astonished me all to hell the kind of contortions those institutions were putting their customers through when I found out about them. Scratch-off tickets, DES timer fobs, challenge-response rigs, and so on. Nothing wrong with multifactor authentication, really, but it's a lot of work (collectively speaking) for only a little bit more security. We used multifactor authentication to access the bank's internal network from the Internet, but obviously the risk there is a hell of a lot higher than vulnerability of a single customer's account.
I'm now a customer of an institution that uses a couple of additional useless voodoo steps that seem to be intended for mutual authentication purposes, on top of an ID/PIN system. It throws a picture of my choosing and a passphrase of my choosing up on the authentication screen, and if they are correct I enter my PIN with pointing device only. All the extra mutual authentication steps are pretty silly to my mind, but then I actually know how to use an SSL client. I guess the pointing device thing is intended to defeat keystroke logging but really as far as I'm concerned the security of the client device really isn't (and shouldn't be) the bank's problem since it's just not a smart idea to perform financial transactions on untrusted hardware. Maybe that's because I come from the other side of the fence.
In any case, I'd be surprised if the cost of supporting multifactor authentication to retail banking customers were much lower than the cost of dealing with any security problems that arise out of using a simple ID/password combination. Most people are going to go to reasonable lengths to protect the tokens they use to do banking, regardless of how many of them there are. And of course, if the service is too much of a pain in the ass to use, the bank will lose customers to an institution that makes life easier. There's a cost associated with that, too.
Each institution is going to make its own call about the risks and how to mitigate them, and there's no objective measure of what's the right approach beyond simply what works from the business' and customers' perspectives.
(To be fair, the wholesale banking division of the company in question used multifactor authentication from the get-go, but the account sizes were larger by a factor of as much as 1,000,000 and the transaction size and volume was considerably higher as well. Once again it's back to the risk/effort ratio for authentication.)
posted by majick at 8:32 AM on June 6, 2008
I can't say I heard about every single incident of fraud in the 12 or so years I was there, but I'm pretty confident I was aware of a majority of them. Problems were relatively rare and I'm not aware of any big heists. Billions of dollars in transactions continue to flow through this system every day, on behalf of tens of millions of customers.
Having been a long-time employee there, I never did banking business with other retail banks. It astonished me all to hell the kind of contortions those institutions were putting their customers through when I found out about them. Scratch-off tickets, DES timer fobs, challenge-response rigs, and so on. Nothing wrong with multifactor authentication, really, but it's a lot of work (collectively speaking) for only a little bit more security. We used multifactor authentication to access the bank's internal network from the Internet, but obviously the risk there is a hell of a lot higher than vulnerability of a single customer's account.
I'm now a customer of an institution that uses a couple of additional useless voodoo steps that seem to be intended for mutual authentication purposes, on top of an ID/PIN system. It throws a picture of my choosing and a passphrase of my choosing up on the authentication screen, and if they are correct I enter my PIN with pointing device only. All the extra mutual authentication steps are pretty silly to my mind, but then I actually know how to use an SSL client. I guess the pointing device thing is intended to defeat keystroke logging but really as far as I'm concerned the security of the client device really isn't (and shouldn't be) the bank's problem since it's just not a smart idea to perform financial transactions on untrusted hardware. Maybe that's because I come from the other side of the fence.
In any case, I'd be surprised if the cost of supporting multifactor authentication to retail banking customers were much lower than the cost of dealing with any security problems that arise out of using a simple ID/password combination. Most people are going to go to reasonable lengths to protect the tokens they use to do banking, regardless of how many of them there are. And of course, if the service is too much of a pain in the ass to use, the bank will lose customers to an institution that makes life easier. There's a cost associated with that, too.
Each institution is going to make its own call about the risks and how to mitigate them, and there's no objective measure of what's the right approach beyond simply what works from the business' and customers' perspectives.
(To be fair, the wholesale banking division of the company in question used multifactor authentication from the get-go, but the account sizes were larger by a factor of as much as 1,000,000 and the transaction size and volume was considerably higher as well. Once again it's back to the risk/effort ratio for authentication.)
posted by majick at 8:32 AM on June 6, 2008
It's called multi-factor authentication, and most banks get it completely hopelessly wrong. If you google multi-factor and banks you'll get lots of hits. Most of the time it's more of an annoyance than a decent security measure.
posted by blue_beetle at 8:34 AM on June 6, 2008
posted by blue_beetle at 8:34 AM on June 6, 2008
Incidentally, issues of whether it actually works aside, authentication is now legally required for all US online banking websites, although some of them implement it in a much more obnoxious way than others. (And some of them still haven't gotten around to it.) I've only seen one bank that actually required truly annoying login authentication (yeah, HSBC, I'm talking about you)--usually any really intrusive stuff like tokens is optional and only adopted by a small percentage of customers.
posted by phoenixy at 8:43 AM on June 6, 2008
posted by phoenixy at 8:43 AM on June 6, 2008
Er, that should be multifactor authentication is now legally required...
posted by phoenixy at 8:44 AM on June 6, 2008
posted by phoenixy at 8:44 AM on June 6, 2008
I asked a question about this once: Why a two-step login?
One important point is that a lot of it is to prevent phishing attacks from working when people inevitably click on the link.
posted by smackfu at 9:05 AM on June 6, 2008
One important point is that a lot of it is to prevent phishing attacks from working when people inevitably click on the link.
posted by smackfu at 9:05 AM on June 6, 2008
This thread is closed to new comments.
In the real world, aren't the biggest volume of data thefts done through lax internal security? People stealing ACH/backup tapes, banks keeping customer data on unsecured laptops, etc.
Seems to me that if someone can hack into your PC and steal one password, they can steal them all. Or if they are sniffing packets, any simple one-time security hash will render any password as good as the next. And if someone has the talent and firepower to break encryption, they would probably be setting their sights higher than stealing my $142 in my checking account. And if they ARE going after my $142, it would be easier to just phony up a fraudulent debit card transaction or simply forge a check.
posted by gjc at 7:42 AM on June 6, 2008