Security Watch : Don't get burned by viruses and hackers
How phishers defeat online banking controls
By Robert Vamosi 
Senior editor, CNET Reviews
August 17, 2007

A new financial services requirement calling for two-factor authentication should make online banking secure, but one researcher says it's actually making things worse. At this year's DefCon gathering in Las Vegas, security researcher Brendan O'Connor outlined several scenarios in which online banking has gotten worse, rather than better. Under Federal Financial Institutions Examination Council (FFIEC) guidelines that went into effect at the end of last year, banks are required to provide some form of multifactor authentication of their customers. That typically means asking the user to provide something they know (a password), something they have (an ATM card), or something they are (a fingerprint scan). However, O'Connor, who last year showed Black Hat attendees that networked Xerox printers were vulnerable to attack, found that the new authentication implementations were no better than the traditional username and password that were required prior to last year. O'Connor also shared some insight into why, with all these new protections in place, so many phishing sites are still operational today.

FFIEC--what?
Nearly two years ago, the Federal Financial Institutions Examination Council (FFIEC) recommended guidance on authentication for online banking. According to their Web site, "The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and to make recommendations to promote uniformity in the supervision of financial institutions." O'Connor, who isn't an expert on compliance, said that failure to pass an FFIEC audit could make it hard for banks to acquire smaller banks or institutions.

"The guidance specifically says that transaction fraud and identity theft are a problem, and it places the blame squarely on authentication," said O'Connor. "I disagree with that entire premise." He pointed to the "three strikes--you're out" rule with most Web applications. Guess the wrong password and you're locked out until you get on the phone to someone. "Attackers aren't getting in by guessing, they're getting in by stealing the credentials or tricking the end-user into giving away the credentials." So adding more credentials won't make sites more secure.


The trouble with credentials
Choosing the answer to a security question isn't two-factor authentication; it's one factor--it's choosing something that only you know. But is it? O'Connor said it depends on the question. If it's public record data, then an attacker might also know the value of your mortgage or the year you graduated from college. If it's personal information, then pick a good question to answer. O'Connor mentioned Paris Hilton's choice of "What is the name of your pet?" Everyone knows that.

Then there are the obvious choices, such as "What's your favorite city?" "If your user ID is CubsFan123," said O'Connor, "it's probably Chicago." Likewise, he said, if your user ID is NYCgal576 then the answer to "Where did you go to high school?" is probably New York City.

Secure images are no better
Some banking sites use security images to verify users. He said these sites tell customers that if you see this image, you can be certain that you are on the real site and not a phishing site. "The language they are using is so strong and the system is so simple to bypass, I was just amazed when I saw it." O'Connor said several very large banking sites are currently using one commercial image file system. They're disguising the actual user request to get a particular image, which is good, but they're also leaving the HTML alt text in plain view, which is bad.

"I looked at about a dozen different institutions. In every one I looked at, the Alt-tag for one image had a 100 percent correlation across all institutions that it was the same picture. So Nature & Animals picture #123 on Bank A was the same as Nature & Animals picture #123 on Bank B, C, D, E, and F." O'Connor said as a phisher, "I can not only impersonate the bank, now I know that this user ID uses this image, so there are obvious ways for misuse there."
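The leak O'Connor describes comes down to two design choices: alt text that names the picture, and an image reference that is the same every time and at every bank. The following Python is an added illustration, not code from the article or from any bank or vendor; the catalog, the `render_weak` markup, the `HardenedImageServer` class and the `leaks_image_choice` audit are all hypothetical. It renders the weak form beside a hardened one (a random, per-session reference that only the server can resolve, with non-descriptive alt text) and runs a simple audit over both.

```python
import re
import secrets

# Constructed stand-in for a vendor catalog shared by several banks
# (an assumption; not any real vendor's data): catalog id -> (category, file name).
CATALOG = {
    123: ("Nature & Animals", "nature_animals_123.jpg"),
    456: ("Cities", "cities_456.jpg"),
}


def render_weak(image_id):
    """The pattern the talk describes: the catalog id survives in both the
    file name and the alt text, so the same markup appears at every bank."""
    category, filename = CATALOG[image_id]
    return f'<img src="/secimg/{filename}" alt="{category} picture #{image_id}">'


class HardenedImageServer:
    """Hypothetical hardened design: each session gets a fresh random reference
    that is mapped back to the catalog id only in the server's session table."""

    def __init__(self):
        self.sessions = {}  # session_id -> {opaque_ref: image_id}

    def render(self, session_id, image_id):
        ref = secrets.token_urlsafe(16)  # carries no information about the picture
        self.sessions.setdefault(session_id, {})[ref] = image_id
        return f'<img src="/secimg/{ref}" alt="Your chosen security image">'

    def resolve(self, session_id, ref):
        """Only a reference issued to this very session resolves to an image."""
        return self.sessions.get(session_id, {}).get(ref)


def image_attrs(html):
    """Minimal parser for the <img> markup produced above (audit helper)."""
    m = re.search(r'<img\s+src="([^"]*)"\s+alt="([^"]*)"', html)
    return {"src": m.group(1), "alt": m.group(2)}


def leaks_image_choice(render_twice):
    """render_twice() returns the markup for the SAME user/image in two
    different sessions. Flag a leak if the alt text names or numbers the
    picture, or if the reference is identical across sessions (and therefore
    correlatable across sessions and, with a shared catalog, across banks)."""
    first, second = (image_attrs(h) for h in render_twice())
    descriptive_alt = bool(re.search(r"[#\d]", first["alt"]))
    stable_reference = first["src"] == second["src"]
    return descriptive_alt or stable_reference


if __name__ == "__main__":
    bank = HardenedImageServer()
    print("weak markup leaks:", leaks_image_choice(lambda: (render_weak(123), render_weak(123))))
    print("hardened markup leaks:", leaks_image_choice(lambda: (bank.render("s1", 123), bank.render("s2", 123))))
```

The audit deliberately does not try to recognise pictures; it only asks whether anything in the page is stable or descriptive, which is all a third party needs to correlate.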

Device fingerprinting
O'Connor said you won't necessarily see these added challenge questions or images if you use the same machine for your online banking sessions. Using something called device fingerprinting, the bank site will look for unique information about your machine. O'Connor scoffed. "I think that entire concept is totally flawed in its logic. Computers are not beautiful and unique snowflakes--every one is not different. Every Dell, or HP, or IBM that comes off the line comes with the OS preload and the software preconfigured; every one has the same fingerprint."

Again, pretending to be the operator of a phishing site, O'Connor said he was able to capture the so-called unique information from one of his machines and simply paste that into the JavaScript request on another machine. By combining either the challenge question or the security image associated with a given user and the device fingerprint, O'Connor said he, as the operator of a phishing site, could then request from the bank a persistent cookie. That means, at any time in the future, he could return to the stolen account and make any transaction he wanted. Once you're authenticated, you have access to every account that banking institution associates with that one user ID--including, say, 401(k)s, stocks, and equity loans.
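O'Connor's "snowflake" point can be measured: a fingerprint built from attributes every machine of the same factory image shares has almost no entropy, so it cannot distinguish one customer's PC from another's, and because it is computed from public facts about the machine it is not a secret either. The Python below is an added illustration, not code from the talk or from any bank; the attribute list in `PRELOAD`, the `build_fleet` helper and the fleet sizes are constructed, and `issue_device_token` stands in for the alternative a bank could use, a server-issued random secret held in a cookie and enrolled on the device.

```python
import hashlib
import math
import secrets
from collections import Counter

# Constructed attribute set of the kind a fingerprinting script collects
# (an assumption about a typical 2007 preload, not real telemetry).
PRELOAD = {
    "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "screen": "1280x1024x32",
    "timezone_offset": "-300",
    "plugins": "Flash 9.0;Acrobat 8.0;Java 1.6",
    "language": "en-US",
}


def fingerprint(attrs):
    """Hash of the collected attributes, the way a fingerprinting script
    would summarise a machine. Deterministic: same attributes, same value."""
    material = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha1(material.encode()).hexdigest()


def build_fleet(preload, count, varied=()):
    """Constructed fleet of machines from one factory image. Attributes named
    in `varied` take one of only four values across the fleet, mimicking the
    handful of real-world settings (e.g. time zones) a customer base spans."""
    fleet = []
    for i in range(count):
        machine = dict(preload)
        for key in varied:
            machine[key] = f"{preload[key]}#{i % 4}"
        fleet.append(machine)
    return fleet


def fingerprint_entropy(fleet):
    """Shannon entropy (bits) of the fingerprint distribution over the fleet.
    A value near zero means the fingerprint cannot tell customers apart."""
    counts = Counter(fingerprint(m) for m in fleet)
    n = len(fleet)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def issue_device_token():
    """Server-issued 128-bit secret, set as a persistent cookie at enrollment.
    Unlike a fingerprint it is not derivable from the machine's make-up, and
    the bank can revoke it per device if it is ever replayed from elsewhere."""
    return secrets.token_hex(16)


def distinct(values):
    return len(set(values))


if __name__ == "__main__":
    fleet = build_fleet(PRELOAD, 100)
    print("distinct fingerprints across 100 identical preloads:",
          distinct(fingerprint(m) for m in fleet))
    print("fingerprint entropy (bits):", fingerprint_entropy(fleet))
    print("distinct device tokens:", distinct(issue_device_token() for _ in range(100)))
```

Even when a few attributes vary, the entropy is a couple of bits; a second factor needs to be both unique and secret, and a server-issued token bound to the enrolled device gives the bank something it can actually revoke and monitor.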

"Not working"
O'Connor said "An analogy I like to use is [that] a store doesn't just put security guards at the front door to see who's going in. They not only want to see who's going in, but they have guards in the store, and they have cameras in the store, and they have cameras over high-risk areas like cash registers. And for some reason, the bank industry isn't making that analog between the physical world and the virtual world. We're just trying to put more security guards up front. Hopefully I prove in my talk, it's not working."

For you and me, O'Connor recommends paying close attention to the SSL certificate. Look at the address: does it say HTTPS (added security) or is it simply HTTP (no added security)? He said many phishing sites simply use HTTP, so that should be your first warning that something is wrong. Second, he said, banks are increasingly using e-mail, which is bad. "We've tried to bake that into the end user's head not to trust e-mail, and now we're forcing them to trust it, to use it for security and password purposes, and to log them into the site." I suggest not signing up for e-mail from banking services, so you'll be more vigilant for phishing attacks in the future.
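The address-bar check O'Connor recommends is easy to get wrong in software, where a naive "does the bank's name appear in the URL" test is fooled by hosts like `bank.example.evil.test` or by a user-info prefix such as `bank.example@evil.test`. The Python below is an added example, not code from the article; `looks_like_bank_login`, the hostname `bank.example` and the sample URLs are hypothetical. It requires HTTPS and an exact host or proper subdomain match, and reports separately when the bank's name appears somewhere it should not.

```python
from urllib.parse import urlsplit


def looks_like_bank_login(url, bank_host):
    """Return (ok, reason). ok is True only when the scheme is https AND the
    host is exactly bank_host or a proper subdomain of it (a dot boundary, so
    'notbank.example' never matches 'bank.example')."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not HTTPS"
    # urlsplit strips any user:pass@ prefix, so tricks like
    # https://bank.example@evil.test/ yield the real host, evil.test.
    host = (parts.hostname or "").lower().rstrip(".")
    if host == bank_host or host.endswith("." + bank_host):
        return True, "host matches"
    # The bank's name appearing in a non-matching host or elsewhere in the URL
    # is the classic look-alike pattern; say so rather than just "no".
    if bank_host in host or bank_host in url.lower():
        return False, "bank name appears but host is different (look-alike)"
    return False, "host does not match"


if __name__ == "__main__":
    # Constructed sample addresses for the hypothetical bank host.
    for sample in (
        "https://www.bank.example/login",
        "http://www.bank.example/login",
        "https://bank.example.evil.test/login",
        "https://bank.example@evil.test/login",
    ):
        print(sample, "->", looks_like_bank_login(sample, "bank.example"))
```

Note that this only checks the address; it does not validate the certificate chain, which the browser (or an `ssl` context with verification enabled) must do before the HTTPS scheme means anything.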

You can hear much more of my interview with Brendan O'Connor in this week's Security Bites podcast.

Do you use online banking? Do you feel your bank is secure online? TalkBack to me.
