
Users smothered by security

By Leigh-Ann Francis
Johannesburg, 13 May 2010

Every year, more features are added to online sites. This is starting to impact usability, and unfortunately, the bad guys are keeping up with the technology.

So said Dr Frans Lategan, security consultant at Absa, in his presentation on Tuesday at the ITWeb Security Summit, being held at the Sandton Convention Centre.

“Whatever we do today to stop phishing has a lifespan of between six months and a year. Then the attackers move on, get smarter, and break whatever you have implemented. So you have to keep changing the game plan,” he explained.

To illustrate his point, Lategan cited a number of counter-measures online banking sites have implemented to defend against single threats. These include the introduction of the on-screen keypad in response to hardware keyloggers at Internet cafes; a second password in response to brute-force attacks on weak PINs; and the RVN in response to the use of stolen credentials.

Lategan pointed to strategies employed by online banking sites to stop phishing. These strategies include the shutting down of phishing sites; the filtering of e-mail to prevent phishing spam; and users. This in turn leads to an increase in the number of passwords and channels, he noted.

“We are getting to the point where the average user cannot use online banking because there are so many checks and balances.” To this end, Lategan argued that the total cost of all the added security measures far outweighs the potential savings.

He argued there is no single clean-sheet design for securing online banking. However, the focus must be on usability, security and effectiveness. Lategan pointed to the validity of Turing tests in achieving this.

Turing tests require the user to translate a message or answer certain questions, to try to distinguish between a human and a computer. But Lategan said current attempts to authenticate the user were clumsy and spoofable. Instead, he argued, it is better to authenticate the transaction.

Online banking sites must attempt to reduce their attack surface. Lategan questioned whether every user needs every function, or whether every user should be allowed to log in from anywhere in the world 24/7. He noted that the user is an intelligent human with amazing capabilities, and that security must be designed to use people's strengths and avoid their weaknesses.
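As an added illustration of the two ideas above (not code from the presentation or from any bank): a confirmation code is bound to the transaction details the user actually confirms, so a payment whose payee was altered on the way to the bank fails verification even though the user is genuine; and a per-user policy denies functions, countries and hours the user never uses. The per-user key, nonce and account numbers are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee_account: str
    amount_cents: int


def transaction_code(user_key: bytes, tx: Transaction, session_nonce: bytes) -> str:
    """Six-digit code derived from a MAC over the transaction details.
    A hypothetical user token computes it from the details the user has read
    and confirmed; the bank recomputes it over the details it actually received."""
    msg = f"{tx.payee_account}|{tx.amount_cents}|{session_nonce.hex()}".encode()
    digest = hmac.new(user_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bank_accepts(user_key: bytes, received_tx: Transaction, session_nonce: bytes, code: str) -> bool:
    """Server side: the transaction, not just the session, must match the code."""
    expected = transaction_code(user_key, received_tx, session_nonce)
    return hmac.compare_digest(expected, code)


@dataclass(frozen=True)
class UserPolicy:
    functions: frozenset   # functions this user has opted into, e.g. {"balance", "payment"}
    countries: frozenset   # ISO country codes the user expects to log in from
    hours: range           # local hours during which the user transacts


def policy_allows(policy: UserPolicy, function: str, country: str, hour: int) -> bool:
    """Attack-surface reduction: deny what this particular user never needs."""
    return function in policy.functions and country in policy.countries and hour in policy.hours


def demo() -> dict:
    key = b"constructed-per-user-token-key"          # constructed sample, not a real secret
    nonce = bytes.fromhex("0102030405060708")         # constructed per-session nonce
    intended = Transaction("12345678", 50_000)        # what the user sees and confirms
    code = transaction_code(key, intended, nonce)
    tampered = Transaction("99999999", 50_000)        # payee altered before reaching the bank
    policy = UserPolicy(frozenset({"balance", "payment"}), frozenset({"ZA"}), range(6, 23))
    return {
        "legit_accepted": bank_accepts(key, intended, nonce, code),
        "tampered_accepted": bank_accepts(key, tampered, nonce, code),
        "payment_from_home": policy_allows(policy, "payment", "ZA", 14),
        "foreign_night_login_blocked": not policy_allows(policy, "payment", "XX", 3),
    }
```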

Lategan warned delegates not to mistake a lack of domain knowledge for a lack of intelligence. He suggested that online banking sites build better 'mousetraps' if they are to retain their online clients.
