<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: ffiec]]></title>
    <link>http://www.securityratty.com/tag/ffiec</link>
    <description></description>
    <pubDate>Sun, 05 Aug 2007 20:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[End user security psychology, part II: Can knowledge-based authentication be effective?]]></title>
      <link>http://www.securityratty.com/article/173e2827bdcc75c9338e464d4bd992dc</link>
      <guid>http://www.securityratty.com/article/173e2827bdcc75c9338e464d4bd992dc</guid>
      <description><![CDATA[Another post on Finextra discusses some recent research out of New Zealand that determined that the longer an authentication process drags on -- the more gantlets a user needs to run before being let...]]></description>
<content:encoded><![CDATA[<p class="MsoNormal"><span style="font-size: 10pt;"><a href="http://www.finextra.com/community/fullblog.aspx?id=912">Another post</a>
on Finextra discusses some <a href="http://www.nzherald.co.nz/topic/story.cfm?c_id=137&amp;objectid=10489542">recent
research</a> out of New Zealand that determined that the longer an
authentication process drags on -- the more gantlets a user needs to run before
being let in a site's front door -- the less secure those users perceive the
site to be.</span></p>



<p class="MsoNormal"><span style="font-size: 10pt;">Implementations of
knowledge-based authentication (KBA) -- asking &quot;secret&quot;, out-of-wallet questions
that presumably only the end user knows the answers to -- on the Web have been
on the rise in the past few years, particularly in online financial services, as
part of efforts to fulfill FFIEC guidelines for additional risk mitigation measures
that address the inadequacies of single-factor authentication. The concept of layered
authentication -- the riskier the transaction, the more stringent the
authentication measures -- is related to this, and KBA can be readily (and
simplistically) adapted to layered authentication by simply increasing the
number of secret questions that the system asks.</span></p>



<p class="MsoNormal"><span style="font-size: 10pt;">Of course, as a standalone
method of authenticating users at login, asking out-of-wallet questions in
addition to username and password doesn't rise to the level of strong
(two-factor) authentication, since they're all variations on &quot;what you know&quot;. So
from a security standpoint it's difficult for KBA to really provide identity
assurance. But isn't it ease of use and peace of mind for end users that's driving
financial institutions to implement KBA? (Let's put aside for a moment any
cynicism about KBA being a cheap alternative for the FI.)</span></p>



<p class="MsoNormal"><span style="font-size: 10pt;">Apparently, though, there's a
point at which users' confidence that the bank is protecting their assets
tips over into suspicion that the bank's security isn't up to snuff or even
that a fraudster is pumping them for personal information. And then there's the
annoyance factor: the inconvenience in terms of the time and effort to remember
all of the PINs, passwords, and answers and jump through those hoops. It's as
if the typical Internet banking customer is a tender orchid needing just the
right conditions to flourish.</span></p>

<p class="MsoNormal"><span style="font-size: 10pt;">The only problem is that in most cases this isn't true. Buck up and spend the cash on a real two-factor authentication system, mandate its use, and customers will adapt -- even thrive. There are enough different methods of two-factor out there that the difficult decision should not be whether to implement two-factor, but which form factor to choose.</span></p>

]]></content:encoded>
      <pubDate>Wed, 02 Apr 2008 07:11:25 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/authentication">authentication</category>
      <category domain="http://www.securityratty.com/tag/authentication measures">authentication measures</category>
      <category domain="http://www.securityratty.com/tag/authentication process drags">authentication process drags</category>
      <category domain="http://www.securityratty.com/tag/kba">kba</category>
      <category domain="http://www.securityratty.com/tag/security">security</category>
      <category domain="http://www.securityratty.com/tag/single-factor authentication">single-factor authentication</category>
      <category domain="http://www.securityratty.com/tag/implement kba">implement kba</category>
      <category domain="http://www.securityratty.com/tag/users">users</category>
      <category domain="http://www.securityratty.com/tag/users perceive">users perceive</category>
      <source url="http://blogs.forrester.com/srm/2008/04/end-user-securi.html">End user security psychology, part II: Can knowledge-based authentication be effective?</source>
    </item>
    <item>
      <title><![CDATA[The Case For Information Security]]></title>
      <link>http://www.securityratty.com/article/4cf3f3553687b612b1bdf62508270637</link>
      <guid>http://www.securityratty.com/article/4cf3f3553687b612b1bdf62508270637</guid>
      <description><![CDATA[While working as a security consultant, every MDAC attack, every cross-site scripting attack, every SQL injection attack, every custom application vulnerability that was exploited, was treated with...]]></description>
<content:encoded><![CDATA[<p>While working as a security consultant, every MDAC attack, every cross-site scripting attack, every SQL injection attack, every custom application vulnerability that was exploited, was treated with such zeal that it made me think the companies that we assessed should be eternally grateful to us for having found those vulnerabilities and saved them millions and millions of dollars.</p>
<p>Now that I'm on the other side of the fence, I see why they didn't care so much. The companies don't care. Okay, so there is a SQL injection. A few dozen SQL injections. What does it mean to me, the CFO, or me, the CEO? The loss of a few card numbers? We already are monitoring fraud losses - and have money set aside too. Can this be translated into a mass compromise of card data? Hmm - now you probably caught my attention. Loss of reputation - temporary. But try convincing me this could mean something critical to the bottom line - that is downright hilarious. Because the truth is - Wall St doesn't care about a company being hacked. Don't believe me? Check out TJX. 46 million card numbers. Biggest ever breach so far. The current stock price? An all-time high right now.</p>
<p><a href="http://bp2.blogger.com/_XTqu2iQGpYM/R-Rx8MtklrI/AAAAAAAAAbI/NXXs3On57sA/s1600-h/tjx.JPG"><img src="http://bp2.blogger.com/_XTqu2iQGpYM/R-Rx8MtklrI/AAAAAAAAAbI/NXXs3On57sA/s320/tjx.JPG" alt="" width="320" height="165" /></a></p>
<p>The same with AT&amp;T. 19000 card numbers stolen.</p>
<p><a href="http://bp0.blogger.com/_XTqu2iQGpYM/R-R31stklsI/AAAAAAAAAbQ/Wg9aRuuHfbc/s1600-h/t.JPG"><img src="http://bp0.blogger.com/_XTqu2iQGpYM/R-R31stklsI/AAAAAAAAAbQ/Wg9aRuuHfbc/s320/t.JPG" alt="" width="320" height="193" /></a></p>
<p>Choicepoint shareholders punished the company for a while - and then forgave and forgot.</p>
<p><a href="http://bp3.blogger.com/_XTqu2iQGpYM/R-R8ActkltI/AAAAAAAAAbY/LKbavZ_y34k/s1600-h/choicepoint.JPG"><img src="http://bp3.blogger.com/_XTqu2iQGpYM/R-R8ActkltI/AAAAAAAAAbY/LKbavZ_y34k/s320/choicepoint.JPG" alt="" /></a></p>
<p>So what does this mean for you and me? Should we just ignore the fact that our personal data can be compromised and sold on the internet because the loss of our information is something 'they' have already accounted for? That's brutal. A weak glimmer of hope could be PCI. PCI SSC has been making an effort to fix this scenario - and we could begin to see changes. But these standards are currently so vague and can be interpreted in so many different ways - it is pathetic. Unless there are strict regulations (FFIEC/FDIC beginning to require application security integrated into the SDLC of a company and quarterly validation by different independent 3rd parties would be nice :) ) and stricter enforcement - with real hefty fines - Wall St. may just continue to look the other way ...and we all know that Wall St is what matters.</p>]]></content:encoded>
      <pubDate>Fri, 21 Mar 2008 11:08:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/attack">attack</category>
      <category domain="http://www.securityratty.com/tag/mdac attack">mdac attack</category>
      <category domain="http://www.securityratty.com/tag/sql injection attack">sql injection attack</category>
      <category domain="http://www.securityratty.com/tag/card">card</category>
      <category domain="http://www.securityratty.com/tag/card data">card data</category>
      <category domain="http://www.securityratty.com/tag/sql injection">sql injection</category>
      <category domain="http://www.securityratty.com/tag/million card">million card</category>
      <category domain="http://www.securityratty.com/tag/loss">loss</category>
      <category domain="http://www.securityratty.com/tag/pci">pci</category>
      <source url="http://securitycoin.blogspot.com/2008/03/case-for-information-security.html">The Case For Information Security</source>
    </item>
    <item>
      <title><![CDATA[Links for 2008-01-21 [del.icio.us]]]></title>
      <link>http://www.securityratty.com/article/08d05094e6308fc457aa2aae733da92b</link>
      <guid>http://www.securityratty.com/article/08d05094e6308fc457aa2aae733da92b</guid>
      <description><![CDATA[Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: E-crime and Socioeconomic Factors
High Tower Software Announces Cinxi SOA @ SOA WORLD MAGAZINE...]]></description>
      <content:encoded><![CDATA[<ul>
<li><a href="http://ddanchev.blogspot.com/2008/01/e-crime-and-socioeconomic-factors.html">Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: E-crime and Socioeconomic Factors</a></li>
<li><a href="http://soa.sys-con.com/read/488089.htm">High Tower Software Announces Cinxi SOA @ SOA WORLD MAGAZINE</a></li>
<li><a href="http://geer.tinho.net/geer.housetestimony.070423.txt">http://geer.tinho.net/geer.housetestimony.070423.txt</a><br/>
re: Hearing, Wednesday 25 April 07, entitled "Addressing the Nation's Cybersecurity Challenges: Reducing Vulnerabilities Requires Strategic Investment and Immediate Action"</li>
<li><a href="http://www.redmonk.com/cote/2008/01/19/what-one-msp-needs-barcampesm-session/">People Over Process &raquo; What One MSP Needs - barcampESM session</a></li>
<li><a href="http://www.ffiec.gov/ffiecinfobase/booklets/information_security/05_sec_monitoring.htm">FFIEC InfoSec  Handbook on Security Monitoring and Logging</a></li>
</ul>]]></content:encoded>
      <pubDate>Mon, 21 Jan 2008 21:00:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/information security knowledge">information security knowledge</category>
      <category domain="http://www.securityratty.com/tag/security">security</category>
      <category domain="http://www.securityratty.com/tag/ffiec infosec handbook">ffiec infosec handbook</category>
      <category domain="http://www.securityratty.com/tag/soa world magazine">soa world magazine</category>
      <category domain="http://www.securityratty.com/tag/barcampesm session">barcampesm session</category>
      <category domain="http://www.securityratty.com/tag/socioeconomic factors">socioeconomic factors</category>
      <category domain="http://www.securityratty.com/tag/dancho danchev">dancho danchev</category>
      <category domain="http://www.securityratty.com/tag/mind streams">mind streams</category>
      <category domain="http://www.securityratty.com/tag/cybersecurity challenges">cybersecurity challenges</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/220787445/anton18">Links for 2008-01-21 [del.icio.us]</source>
    </item>
    <item>
      <title><![CDATA[Speaking of Security Podcast #71]]></title>
      <link>http://www.securityratty.com/article/97f45fe21f94a136b6c387634e4e4cb0</link>
      <guid>http://www.securityratty.com/article/97f45fe21f94a136b6c387634e4e4cb0</guid>
<description><![CDATA[Click here to listen/download (06:06).
Listen to how Bank of the West, the second largest bank based in California, has met the FFIEC guidance for providing multi-factor authentication to help further...]]></description>
      <content:encoded><![CDATA[<p><a href="https://www.rsa.com/blog/podcasts/070806_SecurityPodcast.mp3" target="_blank">Click here to listen/download</a> (06:06).</p><p>Listen to how <a href="http://www.bankofthewest.com" target="_blank">Bank of the West</a>, the second largest bank based in California, has met the <a href="http://www.rsa.com/node.aspx?id=2970" target="_blank">FFIEC guidance for providing multi-factor authentication</a> to help further protect bank customers, their funds and personal information when banking online. The combination of deploying <a href="http://www.rsa.com/node.aspx?id=3018" target="_blank">behind-the-scenes protection as well as visible site-to-user authentication</a> is designed to provide strong security that involves bank customers in a user-friendly way, reassures them and boosts their confidence online, while not hindering their banking experience. Paul Joyal talks to CIO Donald Duggan about this <a href="http://www.rsa.com/press_release.aspx?id=8593">initiative</a>.</p>]]></content:encoded>
      <pubDate>Sun, 05 Aug 2007 20:00:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/protect bank customers">protect bank customers</category>
      <category domain="http://www.securityratty.com/tag/bank">bank</category>
      <category domain="http://www.securityratty.com/tag/involves bank customers">involves bank customers</category>
      <category domain="http://www.securityratty.com/tag/cio donald duggan">cio donald duggan</category>
      <category domain="http://www.securityratty.com/tag/provide strong security">provide strong security</category>
      <category domain="http://www.securityratty.com/tag/bank based">bank based</category>
      <category domain="http://www.securityratty.com/tag/paul joyal talks">paul joyal talks</category>
      <category domain="http://www.securityratty.com/tag/visible site-to-user authentication">visible site-to-user authentication</category>
      <category domain="http://www.securityratty.com/tag/online">online</category>
      <source url="http://www.rsa.com/blog/blog_entry.aspx?id=1213">Speaking of Security Podcast #71</source>
    </item>
  </channel>
</rss>
