Alex Papadimoulis runs what boils down to a humor site for computer geeks. He addresses this security phenomenon, and its worst failings, in Wish-It-Was Two-Factor:
It all started way back in the year 2005, when the Federal Financial Institutions Examination Council issued a guideline entitled Authentication in an Internet Banking Environment. It's a rather exhilarating read if I do say so myself, especially if you're a fan of government banking regulations. And, really: who isn't? In a nutshell, the FFIEC mandated that internet banks utilize a Two-Factor approach to authentication by year-end 2006.
Two Factor Authentication requires the use of factors from two of three categories:
- Something the user knows
- Something the user has (RSA SecurID PIN generator or similar)
- Something the user is (fingerprint, iris scan, etc.)
The second two categories are hard. They cost money or inconvenience customers (they will just go to a bank with less hassle if we do that). So, they invented security verification questions. Presto! Another factor. That makes Two!
This is my favorite degenerate example, from Bruce Schneier's security blog:
Bank Botches Two-Factor Authentication
From their press release:
The computer was protected by two layers of security, a unique user-identifier and a multiple-character, alpha-numeric password.
Um, hello? Having a username and a password — even if they’re both secret — does not count as two factors, two layers, or two of anything. You need to have two different authentication systems: a password and a biometric, a password and a token.
I wouldn’t trust the New Horizons Community Credit Union with my money.
Alex continues in Wish-It-Was Two-Factor:
Worse still, the Online Banking industry is perceived to be one of the most secure. Surely, if anyone knows how to do online security, it's the online banks, right? And if you want your web application to be extra secure, it should be modeled off of an online bank, right?
Since the banks must know what they are doing, everyone else is copying them to get Bank Level security.
Unfortunately, these security questions may actually decrease the level of security. These questions are generally things most of your friends and coworkers already know or can easily find out. If you're famous, the answers are probably on the internet.
Case in point: Sarah Palin's Yahoo mail account was hacked via her secret questions and Yahoo's password recovery system. (Via The Mouse's Cord):
Thus, our attacker was able to break into Palin's account using nothing but the password recovery feature and a little bit of research. And again, just to reiterate, even if you don't believe this is what happened to Palin, this procedure actually does work.
The good news for most of us is that we're not Sarah Palin, so the details of our lives aren't plastered all over a Wikipedia article. Regardless, the kinds of security questions usually asked are not all that hard to get answers to even for the average person. Some of the answers, like birthdays and your mother's maiden name, are all part of the public record and you can get those things for anyone without much hassle. For those more personal details like where you met your spouse, most of us wouldn't think twice about answering the question in casual conversation. In all, finding answers to these questions might be slightly out of range of a faceless hacker from Anonymous, but it should be well within the grasp of a less than ethical coworker with an axe to grind or a spouse who suspects some infidelity.
Read more about why secret questions are bad in Schneier's Secret Questions Blow a Hole in Security. Go ahead, it's short.
What about site authentication images?
Another scheme employed by a few banks requires you to choose an image. Phishers imitating the bank's site are not supposed to be able to show you the image you chose, and you are supposed to be wise enough to catch the bad guys and punish them by not entering your password.
Unfortunately, it doesn't work.
In this study, Harvard and M.I.T. researchers brought 67 Bank of America customers into a controlled environment and asked them to log on to their accounts. Since the security images had secretly been removed, the subjects should have balked. However, 58 of the 60 subjects who made it far enough to log in did enter their passwords. And it gets better: the security images were replaced by a site maintenance message with conspicuous grammatical errors. Less than 10% of the subjects even noticed the pictures were gone. I can understand that. I have dozens of accounts and only two have pictures. I suspect that most web sites are designed with the assumption that this is the only one you use.
The last paragraph of the article sums up the situation succinctly (my italics):
She [Rachna Dhamija] said that the study demonstrated that site-authentication images are fundamentally flawed and, worse, might actually detract from security by giving users a false sense of confidence.
“RSA Security, the company that bought PassMark last year, has a lot of great data on how SiteKey instills trust and confidence and good feelings in their customers,” Ms. Dhamija said. “Ultimately that might be why they adopted it. Sometimes the appearance of security is more important than security itself.”
I need to add one more reference to cap it all off. Bruce Schneier makes a pretty good case that all of this song-and-dance security theater is not really effective even when it is done right. The bad guys have moved on to new methods that skirt the need to authenticate at all:
Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses. Two new active attacks we’re starting to see include:
Man-in-the-Middle Attack. An attacker puts up a fake bank Web site and entices a user to that Web site. The user types in his password, and the attacker in turn uses it to access the bank’s real Web site. Done correctly, the user will never realize that he isn’t at the bank’s Web site. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user’s banking transactions while making his own transactions at the same time.
Trojan Attack. An attacker gets the Trojan installed on a user’s computer. When the user logs into his bank’s Web site, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.
See how two-factor authentication doesn’t solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.
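To make Schneier's first point concrete, here is an added model (not code from the post or from Schneier) of why a one-time code survives being relayed through a fake site while an origin-bound assertion does not. The shared secret, device key and the two origins are constructed demo values; the bank-side checks are deliberately minimal.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not from the post.
OTP_SECRET = b"demo-shared-secret"      # shared between the token and the bank
DEVICE_KEY = b"demo-device-key"          # held by an origin-aware authenticator
BANK_ORIGIN = "https://bank.example"
FAKE_ORIGIN = "https://bank-login.example"  # the look-alike site in the relay scenario

def totp(secret, now, step=30):
    """RFC 6238-style 6-digit code: HMAC-SHA1 over the time-step counter."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (code % 1_000_000)

def bank_accepts_otp(code, now):
    """The bank only checks that the code matches the current step.
    It cannot tell who typed it or into which site (real deployments
    usually accept neighbouring steps too, widening the window)."""
    return hmac.compare_digest(code, totp(OTP_SECRET, now))

def relayed_otp_login(now, delay=5):
    """User types a valid code into the fake site; it reaches the bank a few
    seconds later, still inside the same time step, so the bank accepts it."""
    code_typed_into_fake_site = totp(OTP_SECRET, now)
    return bank_accepts_otp(code_typed_into_fake_site, now + delay)

def sign_assertion(challenge, origin_seen_by_browser):
    """Origin-bound assertion: the MAC covers the bank's challenge AND the
    origin the browser is actually talking to (the idea behind FIDO/WebAuthn)."""
    msg = challenge + b"|" + origin_seen_by_browser.encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()

def bank_accepts_assertion(challenge, sig):
    """The bank recomputes the MAC over its OWN origin; a value produced for
    any other origin cannot match, however quickly it is forwarded."""
    return hmac.compare_digest(sig, sign_assertion(challenge, BANK_ORIGIN))

def relayed_assertion_login(challenge):
    """Same relay, but the browser was at the fake origin when it signed."""
    return bank_accepts_assertion(challenge, sign_assertion(challenge, FAKE_ORIGIN))

if __name__ == "__main__":
    t = 1_000_000_000  # 10 s into a 30 s step, so the 5 s relay stays in-step
    print("relayed OTP accepted:      ", relayed_otp_login(t))         # True
    print("relayed assertion accepted:", relayed_assertion_login(b"n1"))  # False
```

Origin binding addresses only the relay case; Schneier's second case, where malware rides an already-authenticated session, is untouched by anything done at login time.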
So, why does my bank require me to answer a security verification question?
Because they think it adds security.
Because they think we think it adds security.
Because they think they have to do something to be two-factor.
And by the way, the make and model of my first car (which I'm still driving) is The Muppet Show.