Phishing and Fraud
2005/01/18
Comment on the T-Mobile Attack
I'm sure everyone (in security) has seen the article at Security Focus about the T-Mobile attack and probably some of the great commentary about it, especially here.
I only have one comment: Everyone write your bank, cellular company, credit card company, utility companies and tell them that you want strong authentication and you want it now.
OK, so that is very self-serving. ;)
How about this: If you have a Sidekick, would you be willing to test our J2ME client to see if it works?
- Category(s)
- Authentication Attacks
- Phishing and Fraud
- The URL to Trackback this entry is:
- http://www.wikidsystems.com/WiKIDBlog/2/tbping
2005/03/04
ETrade to deploy RSA tokens - but does it stop phishing?
ETrade announced that they would be offering RSA SecurID key fob tokens to account holders with more than $50,000 in assets.
In general, I look at this as good news for the industry. As RSA will tell you, only about 15% of all remote and mobile workers use two-factor authentication. If that number is correct and it grows on a normal curve, look out! It will be a big rising tide and should lift the WiKID boat as well. So anything that promotes two-factor authentication in general is good. It is, after all, an absolutely huge market. And it is far, far more secure than using passwords. (I guess it is too expensive, though, for all ETrade customers ;).
However, I want to point out something that Adam Shostack pointed out to me: using two-factor alone doesn't stop phishing! It would be trivial for a phisher to log in to ETrade automatically within the 60 second passcode lifetime of SecurID. In fact, users might be lulled into a false sense of security by the use of the tokens and be more likely to succumb to a phishing scam.
At this point in time, WiKID is no better. However, we have thought about making our PC token launch the default browser to the correct SSL-certified page (perhaps even to the correct IP Address to avoid a poisoned DNS cache?). By making it easier for the user, they are less likely to go to a fake page. Thoughts?
- Category(s)
- Strong Authentication
- Phishing and Fraud
- The URL to Trackback this entry is:
- http://www.wikidsystems.com/WiKIDBlog/14/tbping
2005/03/11
Another plug for strong authentication
A great analogy: strong authentication is like Penicillin for your network security
To quote:
"Many, but not all, security problems will be solved if we can get away from reusable passwords. Here's a simple example: imagine if ATM machines didn't require an ATM card to dispense cash. Anyone who knew your account name and PIN could walk up, type them in, and empty your account. There is still ATM fraud today - cards can be counterfeited, PINs stolen or guessed, etc - but imagine the level of problems we would have if physical possession of the ATM card was part of ATM security."
I have often used the ATM analogy when explaining to non-IT people what WiKID does, but I have never used it this way. More impactful.
- Category(s)
- Strong Authentication
- Phishing and Fraud
- The URL to Trackback this entry is:
- http://www.wikidsystems.com/WiKIDBlog/16/tbping
2005/03/15
A response to Bruce Schneier's "The Failure of Two-Factor Authentication"
I certainly agree with many parts of the recent essay and the interview on Computer World by Bruce Schneier, but I think it misses on a few key points and borders on pandering for press.
There is more to strong authentication than two-factors
He seems to believe that SecurID and SMS systems tokens are the only form of two-factor authentication. Do a small bit of research and you may find some other solutions that offer a lot more than just two-factor. Bi-lateral authentication solves the man-in-the-middle attack. To say "See how two-factor authentication doesn't solve anything?" is just wrong.
In the interview: "as more and more financial institutions start implementing two-factor authentication, the banks will start seeing diminishing returns". This is econ 101. Everything moves toward diminishing returns, unless you have an inefficient market. Doesn't mean you shouldn't invest.
"Too Little, Too Late". Strikes me as pandering for a headline. You could say the same thing about anti-virus and patch management. As soon as zero-day exploits are a fact of everyday life, then there is no point in patching. Why bother?
"The problem isn't how to secure the user's computer or how to authenticate. The problem is fraudulent transactions. And the solution is to make the financial institutions liable for fraudulent transactions." They are all "problems". From an economic perspective, making the banks more liable (because they certainly have some liability now) may be the best way to regulate. Certainly better than requiring two-factor authentication. However, authentication and poor end-user security and fraudulent transactions are all problems and there are solutions for them.
The banking industry might prefer this as well. It makes a very level playing field and the big banks know that the returns will diminish and other banks will benefit from their pioneering. While the big banks invest in two-factor early and get better returns, they know that smaller players will 'follow fast' and get the same returns as costs drop.
I prefer the term strong authentication for what we do, because I see us moving beyond just two-factor and being able to react to and combat attacks that a simple token cannot.
- Category(s)
- Strong Authentication
- Phishing and Fraud
- The URL to Trackback this entry is:
- http://www.wikidsystems.com/WiKIDBlog/18/tbping
2005/03/16
Validating online transactions with two-factor authentication
There has been much discussion recently about session hijacking attacks. Briefly, a trojan sits on your machine and when you go to an online banking URL, the trojan kicks in and makes a fraudulent transaction inside your SSL-encrypted session. Pretty strong stuff, seemingly.
Bruce Schneier points to this as evidence that strong authentication is "too little, too late". Unfortunately, Mr. Schneier is authenticating the wrong thing (or just not enough). If you used strong authentication for the transaction as well as the session, you have successfully thwarted the hijacker.
Picture it this way: you log in with your username and one-time password. You can see balances, etc. The trojan kicks in and writes out a check to a fraudulent account. However, before the transaction is completed, the online bank asks for another one-time password before it will process the transaction. The trojan can't provide it and it fails. In the meantime, the user selects some bills to pay, enters their one-time passcode and is done.
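The flow described above, as an added example that is not code from the WiKID blog or the WiKID product: a toy bank and OTP token sharing an HOTP secret, where login and each transaction need separate codes. It goes one step further than the post by binding the transaction code to the payee and amount, so a trojan that waits for the user's code and swaps the payee is also rejected. The Bank, Token and tx_key names and the secret are constructed for the demo.

```python
import hashlib, hmac, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def tx_key(secret: bytes, payee: str, amount: int) -> bytes:
    """Per-transaction key: the code only verifies for this payee and amount."""
    return hmac.new(secret, f"{payee}|{amount}".encode(), hashlib.sha256).digest()

class Token:
    """User's OTP device (hypothetical): shares secret and HOTP counter with the bank."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0
    def code(self, key: bytes) -> str:
        c = hotp(key, self.counter); self.counter += 1; return c

class Bank:
    """Hypothetical bank server keeping its own copy of the token state."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0
        self.logged_in, self.ledger = False, []
    def _check(self, key: bytes, code: str) -> bool:
        if code and hmac.compare_digest(hotp(key, self.counter), code):
            self.counter += 1                      # consumed: no replay
            return True
        return False
    def login(self, code: str) -> bool:
        self.logged_in = self._check(self.secret, code)
        return self.logged_in
    def pay(self, payee: str, amount: int, code: str) -> bool:
        # A second, transaction-bound code is required inside the session.
        if not self.logged_in or not self._check(tx_key(self.secret, payee, amount), code):
            return False
        self.ledger.append((payee, amount))
        return True

def demo() -> dict:
    secret = b"constructed-demo-secret"            # constructed sample value
    bank, token = Bank(secret), Token(secret)
    r = {"login": bank.login(token.code(secret))}
    # Trojan inside the authenticated session submits a transfer with no code.
    r["trojan_no_code"] = bank.pay("mule-account", 5000, "")
    # User approves a bill; the token computes the code over that transaction.
    code = token.code(tx_key(secret, "electric-co", 120))
    # Trojan swaps the payee and replays the user's code: wrong key, rejected.
    r["trojan_swapped"] = bank.pay("mule-account", 120, code)
    r["user_bill"] = bank.pay("electric-co", 120, code)
    r["ledger"] = bank.ledger
    return r
```

A plain second OTP, as the post describes, stops the no-code case; only the transaction binding stops the swapped-payee case.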
- Category(s)
- Phishing and Fraud
- Strong Authentication
2005/03/30
Banks need strong authentication desperately
Forrester Research is urging banks to adopt additional security to fight phishing and other forms of fraud, including strong authentication.
"Two-fifths of the European internet users who don't use online banking say they are holding back because they worry about security, according to a survey of nearly 23,000 Europeans by Forrester Research." - from the article on silicon.com The research also indicates that some people have stopped doing online banking because of security concerns.
"Banks should look to educate net users about security precautions, not let usability fears compromise security, deploy or strengthen two-factor authentication urgently, and collaborate rather than compete on security," according to Forrester.
Looks like the report was finished before Bruce Schneier's essay, which I have already discussed more than once ;). To sum up, he misses on a couple of points: 1. You can strongly authenticate the transaction as well as the session to avoid session hijacking, and 2. There are other forms of strong authentication besides brain-dead hardware tokens that can fight DNS cache poisoning and other man-in-the-middle attacks. We'll see if Forrester picks a fight!
You can also find the article on Out-Law.com
- Category(s)
- Strong Authentication
- Phishing and Fraud
- The URL to Trackback this entry is:
- http://www.wikidsystems.com/WiKIDBlog/20/tbping
2005/04/04
Estonian Phisher nabbed
"Pau said the suspect stole the money by infecting thousands of computers with a clever - and for a long time undetectable - trojan that transmitted their personal information, including internet banking account numbers and passwords, to him."
There have been a couple of arrests, at least that I have seen documented, but how many of these attackers get away?
The full article.
- Category(s)
- Authentication Attacks
- Phishing and Fraud
- The URL to Trackback this entry is:
- http://www.wikidsystems.com/WiKIDBlog/21/tbping
2005/04/13
Bankash
Dave Evans from Teros pointed out that the PWSteal.Bankash.D trojan includes two lists: one for sites that have their keystrokes logged and one for sites that don't. The trojan makes it easy to target VPN services or ecommerce sites. I should think it would be easy to add the default domain of your ISP as well via a simple script.
Eventually, one of these trojans will be fairly successful in gathering passwords for corporate access and the attackers will target corporations that don't use strong authentication for remote access. Remember that what they are after is money. They may try to get it by stealing your HR file for identities that can be stolen, they may try to get it by blackmailing you - or perhaps both. They don't really care.
You can see the technical details over at Symantec.
- Category(s)
- Authentication Attacks
- Phishing and Fraud
- The URL to Trackback this entry is:
- http://www.wikidsystems.com/WiKIDBlog/27/tbping