Monday, July 09, 2007
Security through more-fucking-work-for-the-user
Bank of America and TD Canada Trust have recently started using security questions to authenticate users in online sessions.
If you're not familiar with these, they go along the lines of this:
"Warning. We have detected you are trying to access your bank account. Please enter the name of your best man."
or
"Warning. We have detected you are trying to withdraw money. Please enter the city you were married in."
These questions are not only poorly chosen (thanks, BoA - lots of diversity with the wedding questions), they are often fairly weak as well (what university did you attend?).
When it comes down to it, they're still shared secrets.
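To put a number on "fairly weak", here is an added example (not part of the original post) that treats a security question as what it is, a shared secret drawn from a skewed distribution, and measures how far an attacker gets with a handful of guesses. The answer counts are constructed for illustration and stand in for a hypothetical survey of 1,000 customers; the comparison against a uniformly random 4-digit PIN is there to show the gap between "a secret the user picked from a small, lopsided pool" and "a secret with the same number of digits but no skew".

```python
import math
from collections import Counter

# Constructed (hypothetical) answer counts for "What city were you married in?"
# across 1,000 customers. The skew is deliberate: a few answers cover most people.
# These numbers are made up for illustration and are not survey data.
CITY_ANSWERS = Counter({
    "Toronto": 310, "Vancouver": 150, "Montreal": 120, "Calgary": 90,
    "Ottawa": 70, "Edmonton": 50, "Winnipeg": 40, "London": 40,
    "Halifax": 30, "Las Vegas": 25, "Niagara Falls": 20, "Quebec City": 15,
    "Victoria": 10, "Saskatoon": 10, "Regina": 10, "Kingston": 10,
})


def probabilities(counts):
    """Turn raw answer counts into a probability distribution."""
    total = sum(counts.values())
    return {answer: n / total for answer, n in counts.items()}


def shannon_entropy_bits(counts):
    """Average surprise of an answer; the usual 'bits of entropy' figure."""
    return -sum(p * math.log2(p) for p in probabilities(counts).values() if p > 0)


def min_entropy_bits(counts):
    """Worst-case entropy: driven entirely by the single most common answer.
    This is the number that matters for an attacker's first guess."""
    return -math.log2(max(probabilities(counts).values()))


def guess_success_rate(counts, k):
    """Fraction of the population whose answer is among the k most common ones,
    i.e. how often an attacker who tries the top-k answers gets in."""
    total = sum(counts.values())
    top_k = sorted(counts.values(), reverse=True)[:k]
    return sum(top_k) / total


def uniform_secret_success_rate(space_size, k):
    """Same question for a secret chosen uniformly from space_size values."""
    return min(k, space_size) / space_size


if __name__ == "__main__":
    print(f"Shannon entropy: {shannon_entropy_bits(CITY_ANSWERS):.2f} bits")
    print(f"Min-entropy:     {min_entropy_bits(CITY_ANSWERS):.2f} bits")
    print("guesses  security question  random 4-digit PIN")
    for k in (1, 3, 5):
        sq = guess_success_rate(CITY_ANSWERS, k)
        pin = uniform_secret_success_rate(10_000, k)
        print(f"{k:>7}  {sq:>17.1%}  {pin:>18.2%}")
```

The Shannon figure (about 3.2 bits here) is the one people quote, but the min-entropy (about 1.7 bits) is what the first guess faces: with this distribution, three guesses succeed against 58% of customers, versus 0.03% for a PIN that is nominally far shorter. A lockout after a few attempts helps, but it does nothing about the post's main point, which is that the answer is a reusable shared secret and is captured just as easily as the password.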
And let's face it - this is a security measure meant to save us after a nefarious person has commandeered the following pieces of information:
1) the name of your bank
2) your username at the bank
3) your password for that account
The most likely way this person got my information was a keylogger they've quietly installed on my machine. If they can install software on my machine, they can just redirect me to a man-in-the-middle attack, and presto, my cocoon of security is gone.
But "wait!" you cry, "it's not so bad! An MITM attack would show up as a phishy URL."
Unless they poisoned my DNS -- they have software running on my box, remember?
"But they couldn't spoof the SSL!"
Sure they could. They have software running on my box. They'll just whip up a key and shove it in the trusted store. They can even add a new Thawte certificate to sign it, while they're at it.
"But wait! You'd notice that they were asking you for your security question again! Since security questions are only used to verify suspicious activity, surely this would tip you off!"
Are you kidding me? In today's click-through world, no one thinks twice before replying to a prompt. And if you bothered to question it, you'd notice this little gem: "Notice: In response to a recent security analysis, we have flushed our cache of authentication and credential information. You may be prompted to enter your security question again. If you have any concerns, please call Bank of America at 1-(800)-EVIL-GUY."
The average user's eyes would glaze over, and they'd mindlessly tap in all their secrets.
I really, really can't wait until CardSpace becomes more accepted. In the meantime, I'd rather not have the hassle of extra hoops that provide a very thin veneer of security.