LiveEnsure Management Blog

ONLINE BANKING STAYS IN THE DARK AGE



A large (big 4) UK bank recently sent its corporate customers a letter advising them of its ‘new’ security solution.

Here is an extract from the letter:

"Online banking fraud and identity theft are increasing across the UK – in 2009 fraud across all UK banks exceeded £59m. Fraudsters are becoming ever more sophisticated in their efforts to obtain personal information and gain access to accounts.
We're committed to keeping your Internet Banking service safe, so we're introducing a more secure way to bank online using a card reader. A card reader is a small handheld device which you will need every time you bank online. We'll send one to every registered user within your business."

Talk about being underwhelmed. If I were a customer I would be seriously unhappy. But most customers probably will not be. That is because they (probably) don’t realize that:


1) THEY are going to be paying (in their bank charges) for the £10+ charge that the bank will be paying the provider for each device, plus an additional admin charge per user over and above that, plus the costs of packaging, postage, the carbon footprint and the landfill disposal (once finished); OR

2) that the device itself is not secure. The ‘million dollar device’ generates a PIN that is then entered into the browser, which is actually what you are trying to secure, before having done so. The hackers love the browser and have dreamt up many ways of intercepting credentials through Man in the Middle attacks and Man in the Browser attacks; OR

3) that when they lose (or misplace) their device, or it gets lost in the post, or when the battery runs out – then they won't be able to do online banking until they have jumped through numerous hoops that will drive them crazy – wishing they had never gone for online banking in the first place!!
   
This is an extract from a website dedicated to unhappy customers moaning about these devices (this one is about another bank, but the same device):
    
I HATE THE STUPID THING!!!! I have just spent another 15 minutes trying not to scream at the chap in Mumbai because the device did not accept that I had entered the correct details 4 times. I also have had to resort to phoning the helpdesk on the last 3 occasions that I used online banking. I have now made 3 official complaints (don't suppose they will do any good) and will now be looking to move my bank accounts to another bank so that I can continue to do my banking speedily online without the need for lengthy phone calls each time.
     
There are other solutions out there. If only the banks woke up and smelled the roses and realized that they weren’t beholden to the large incumbents. There is a lot of innovation going on out there and the solutions are cool, affordable and, most importantly, effective!!

Can you guess which bank this is?





What the Analyst said... Why LiveEnsure and SiteKey/SitePass are not the same.

So there I was on the phone to an Analyst today explaining (at a fairly high level) some of the basic features of LiveEnsure™ when he says – “ahh – I get it – this is identical to Bank of America’s SiteKey/SitePass system.” Not having the details of said bank’s system at my fingertips, I was unable to correct the Analyst on his incorrect conclusion with any hard science. We were also running out of time, it was a bad line and… all I could say was – it is not the same – there is much, much more going on under the hood with LiveEnsure™.

So why is BofA’s SiteKey™ / SitePass™ authentication system NOT identical to LiveEnsure™?

• Device ID. Although both ostensibly have a ‘hardware device recognition’ component, the BofA solution relies upon the re-referencing of a cookie (downloaded at registration – a simple subset of browser-aware attributes) by the bank’s site to determine the ‘identity’ of the device. This cookie resides on the user’s device and hence is stateful and hackable. Even if hardware recognition fails, users are pushed through to a pass phrase, which essentially renders the hardware step useless if it is so easily bypassed. The LiveEnsure™ device recognition algorithm relies upon a patent-pending approach of recognizing the digital fingerprint of the device through its unique “acoustic” signature. The device is ‘challenged’ uniquely every time an authentication takes place. Nothing is seeded onto the device that could be re-referenced. The applet recognizes the device’s fingerprint and, if it is the correct one, renders a pop-up on the screen outside of the browser’s control, in which the user is then asked a challenge question.

• Credentials are presented serially (in sequence) in the BofA solution. This means that a hacker can brute-force (through “trial and error”) the user’s credentials. In LiveEnsure™, if authentication fails there is no opportunity to retry. The user has to go back to the beginning – the user does not know which credentials were wrong. (LE features a random rotation of challenges – not the same “phrase” each time.) Also, the visual Passmark is easy to shoulder surf; and all of the credentials are passed through the browser (web channel – even if SSL) – which makes it vulnerable to MiTM and MiTB attacks. The LiveEnsure™ solution does not allow any literal information to be trafficked over the secondary (Smart™) channel, let alone over the browser. The fundamental problem with this and all traditional 2FA solutions is that the second password/challenge question/OTP is entered into the browser – in sequence – before the browser has even been confirmed to be secure. Doesn’t make sense, does it?
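The contrast drawn above between checking credentials one step at a time and a login that fails as a whole can be shown in code. The following is an added example written for this page; it is not LiveEnsure's or Bank of America's code, and the user record, secrets, salt and lockout threshold are constructed for the demo. `serial_login` answers each factor separately and so tells the caller exactly which factor was wrong (a verification oracle that lets each factor be guessed on its own), while `atomic_login` evaluates every factor before answering, returns one generic result, does the same amount of work for unknown accounts, and counts failures towards a lockout so retries are bounded.

```python
"""Serial vs. all-or-nothing credential checking (added example, not from the post)."""
import hashlib
import hmac

# Constructed demo salt and iteration count; a real system uses a random salt per user.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 50_000
LOCKOUT_THRESHOLD = 5  # constructed value for the demo


def _h(secret: str) -> bytes:
    """Derive a 32-byte verifier from a secret with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, _ITERATIONS)


# Constructed demo user store: one account with a password and a pass phrase.
USERS = {
    "alice": {"pw": _h("correct horse"), "phrase": _h("battery staple"), "failures": 0},
}
# Dummy record compared against for unknown users, so the work done (and the
# timing) is the same whether or not the account exists.
_DUMMY = {"pw": bytes(32), "phrase": bytes(32)}


def serial_login(username: str, password: str, passphrase: str) -> str:
    """Step-by-step design: each stage answers on its own, so the caller
    learns which factor was wrong and can work on the factors one at a time."""
    user = USERS.get(username)
    if user is None:
        return "unknown user"
    if not hmac.compare_digest(user["pw"], _h(password)):
        return "wrong password"
    if not hmac.compare_digest(user["phrase"], _h(passphrase)):
        return "wrong passphrase"
    return "ok"


def atomic_login(username: str, password: str, passphrase: str) -> str:
    """All-or-nothing design: every factor is checked before answering, the
    answer never says which factor failed, unknown users cost the same work
    as known ones, and failures count towards a lockout."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    pw_ok = hmac.compare_digest(record["pw"], _h(password))
    phrase_ok = hmac.compare_digest(record["phrase"], _h(passphrase))
    locked = user is not None and user["failures"] >= LOCKOUT_THRESHOLD
    if user is None or locked or not (pw_ok and phrase_ok):
        if user is not None:
            user["failures"] += 1
        return "failed"
    user["failures"] = 0
    return "ok"


def lockout_demo(username: str = "alice") -> str:
    """Spend the whole failure budget on wrong guesses, then present the right
    credentials; returns the final answer, which is "failed" once locked."""
    for _ in range(LOCKOUT_THRESHOLD):
        atomic_login(username, "not the password", "not the phrase")
    return atomic_login(username, "correct horse", "battery staple")


if __name__ == "__main__":
    print("serial, wrong password :", serial_login("alice", "wrong", "battery staple"))
    print("serial, wrong phrase   :", serial_login("alice", "correct horse", "wrong"))
    print("atomic, wrong password :", atomic_login("alice", "wrong", "battery staple"))
    print("atomic, wrong phrase   :", atomic_login("alice", "correct horse", "wrong"))
    print("atomic, unknown user   :", atomic_login("bob", "x", "y"))
    print("atomic, after lockout  :", lockout_demo())
```

Note that `atomic_login` still verifies both factors against a dummy record when the account does not exist, and only then decides; the point is that the response carries a single bit of information, and the lockout counter bounds how many times that bit can be requested for a given account.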

Article from CafeID: “The SiteKey™ system fails, according to IT Security Architect Doug Ross (http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html), to address the fundamental problem of phishing because it leaves the customer susceptible to the classic "Man in the Middle" false-storefront attack. Since there's no way to distinguish the customer's virgin computer from a phisher-person's "malicious, zombie PC", according to Ross, "the zombie PC could present a false BofA store-front to the victim and proxy login information from the user to the bank and any resulting pages and images from the bank to the victim." …” “Also the SiteKey approach still relies on the storage of images and so on in your personal records on the merchant's database. Compromise of this data would leave you just as vulnerable as you'd be if your login and password were obtained.”

One swallow does not a summer make

Experts from Gartner have said that the recent 'froth' of M&A activity in the security space does not constitute a 'trend'. While 'one swallow does not a summer make', I would contend that this is in fact a trend and that it is set to hold for at least another year.

Why?

Well, first of all, the 'froth' was in fact more like a large set of Atlantic rollers breaking on the Cape coast!!!
Consider the number of deals that have taken place in the last 6 months (see previous blog), crowned by the recent announcement by HP of its acquisition of ArcSight for $1.5bn.


"Hewlett-Packard has agreed to buy high-end technology security company ArcSight for $1.5bn to profit from its customers’ increasing concerns about protecting their data from hackers.
The cash offer of $43.50 a share for Silicon Valley neighbour ArcSight was more than 50 per cent above where the company was trading before reports last month that it was courting buyers. It values the equity at $1.5bn, or six times projected annual revenue."

(http://www.ft.com/cms/s/2/e7ace394-bec1-11df-a755-00144feab49a.html)

Secondly, see this article, also in the FT, on how:


"More companies expect to increase spending on technological defenses against security breaches than had forecast such a boost in any of the previous five years, a global survey of more than 12,000 executives shows."
(http://www.ft.com/cms/s/2/6c0aa96e-bf76-11df-965a-00144feab49a.html)

When considered alongside the news today that:

ORLANDO, Fla., Sept. 9 /PRNewswire/ -- PandaLabs, Panda Security's anti-malware laboratory, has discovered that hackers are creating 57,000 new websites each week that exploit approximately 375 high-profile brand names worldwide at any time. These findings are based on a three-month long study conducted by PandaLabs of its global malware database. Notably, eBay and Western Union-related URLs comprise 44 percent of all malicious sites, with Visa, Amazon, Bank of America and PayPal also heavily targeted by cybercriminals.


You have to say that security is a growth industry, and why would the 'Trend' not continue???

Have a great weekend.

SECURITY M&A GONE A BIT CRAZY ....

The tech sector, and in particular the security sector within it, has been extremely active during the past 6 months. There have been numerous acquisitions that indicate an increased appetite for quality security assets.
  • Perhaps the most high profile of these was the recent acquisition of McAfee by Intel (a $7.8bn transaction), representing a premium of over 50% to the then prevailing market price, a P/E multiple of about 48 and 3.8x revenue. This was Intel’s largest ever acquisition.
  • Symantec acquired VeriSign’s Authentication business for $1.28bn – approximately 4x revenues (second quarter revenues from this unit were about $100m) (May);
  • CA has announced it will acquire Arcot Systems for $200m in Q4 2010. Arcot provides Identity Access Management and Authentication products (www.ca.com / www.arcot.com);
  • VMware has announced it will acquire Integrien and TriCipher (Sep);
  • HP has just announced it will acquire ArcSight for $1.5bn (Sep).
Other deals over the period:
  • Gemalto acquired Israeli start-up Trivnet for $40m (Sep);
  • Google bought Slide for $182m (July);
  • St. Bernard Software acquired Red Condor (July);
  • McAfee acquired Trust Digital (June);
  • IBM acquired Storwize (June);
  • Webroot acquired White Cloud (June);
  • GFI Software acquired Sunbelt Software (June);
  • IBM acquired BigFix (speculation $400m – June);
  • Trustwave acquired Breach Security (June);
  • McAfee acquired tenCube Technologies (July);
  • Symantec acquired GuardianEdge for $70m (April);
  • Symantec acquired PGP Corp for $300m (April);
  • Cisco acquired Rohati Systems (Feb);
  • HP bought 3PAR for $2.4bn after a bidding war with Dell (Sep). The price paid was nearly 12x revenue (it has revenues of $200m but no profit!);
  • Dell acquired Ocarina Networks (June);
  • Apax bought a majority stake in Sophos (valuing the business at $830m) (May).
What does this all mean?
  • Clearly there is a lot of cash around;
  • there is a shortage of good quality assets to be had (hence the bidding wars);
  • the big guys are not innovating (a repeated pattern?);
  • an opportunity for disruptive players to get out there, make their mark and dress up!!
  • Last but not least – the growth in the Internet and social networking in particular demands new elegant security solutions!!


Thanks for reading. Happy hunting.

SMB/Es underestimate the cost of cyber security breaches

I found this article at www.smallbusinesscomputing.com and I am repeating it here verbatim because I believe that it captures the essence of the challenges that lie ahead and the need for education and the provision of simple but effective authentication solutions.



What SMBs Don't Know About Security Can Hurt You
April 23, 2010

Small and midsized businesses might be the lifeblood of the U.S. economy, but according to the latest Internet security survey from Panda Security, their generally lackadaisical efforts to protect consumer data are also making them a prime target for cyber thieves.

More disturbing, particularly for customers swiping their credit cards or purchasing products and services online, the survey reveals that the vast majority of SMBs claim they don't know how to effectively prevent identity theft, lack the resources to install the technology that could thwart the majority of cyber attacks and, worse, seem to believe that it's really not their problem.

Panda Security's survey of 300 executives and financial professionals at SMBs (defined as companies with between 1 and 500 employees) spread across 38 different industries found that 63 percent of companies acknowledge being worried about cybercrime but say they lack the knowledge to protect their businesses.

This apparent institutional ignorance is especially acute when it comes to banker Trojans, a particularly virulent form of malware that tricks people into divulging usernames and passwords for their online banking accounts.
Fifty-two percent of the survey respondents said they had "little or no familiarity" with banking Trojans, even though the mainstream media has provided extensive coverage of high-profile identity theft scams such as the infamous T.J. Maxx hacker attack that resulted in the theft of more than 40 million credit and debit card numbers, the largest identity theft case ever prosecuted by the U.S. Justice Department.
SMBs are even more clueless when it comes to how they think these thefts will be resolved once they've occurred.

The survey found that a staggering 63 percent of companies either "strongly or somewhat" believed that their banks would return all of the funds stolen in these attacks, a sign that most SMBs aren't particularly motivated to implement, or capable of implementing, at least a modicum of security technology and processes to prevent themselves from being swindled.

But in Panda's survey, only about 37 percent of victims said they recovered their stolen funds, while 28 percent reported "most" of their stolen funds were reimbursed.
"While online banking security is a general concern among most SMBs, most of them have little knowledge about the specific threats targeting organizations of their size," Panda Security's Sean-Paul Correll said in the report.

It's precisely this false sense of deserved recovery that has prompted three states to recently pass legislation allowing banks to recover costs and damages from retailers that endure data breaches after failing to comply with Payment Card Industry standards.

"U.S. law puts the burden on business owners for keeping funds secure, rather than the banks," Correll said. "The majority of SMBs surveyed weren’t aware of this fact, which means they are operating with a false sense of security."

Lacking IT resources
They're also operating with fewer resources and less general technology acumen than large companies.
"SMBs typically have fewer in-house resources and budgets for IT security, placing them at greater risk of attack," the report concluded.

While 64 percent of those surveyed said they have protective and procedural methods in place to detect or prevent online banking fraud, 15 percent admitted they had not updated security software on all of their online transaction systems and were "unsure" of their security software altogether.

Finally, 58 percent said they don't even have insurance to protect their business from banking fraud or identity theft.

Larry Barrett is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.











© 2013 LiveEnsure