
Have banks done their homework?

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 21 Jul 2009

A recent scam, which highlighted how insecure SMS one-time passwords are, has raised questions about what banks can do to better secure their customers.

Costin Raiu, chief expert, Kaspersky Lab EEMEA Global Research and Analysis Team, says it is extremely important for financial institutions to understand that attacks like the SMS authentication breach are not exceptions. He says these are not isolated incidents which happen only once, but rather like the tip of the iceberg, indicating the first ripples of cyber crime waves spreading around the globe.

Industry experts have cited e-tokens or biometrics as possible solutions for stronger authentication.

“I believe that proactive thinking is key here,” says Raiu. “If banks have already researched these new technologies, as they should have, then it should be possible to deploy an e-token-based authentication system, for example, in no more than one to two months.”

In theory, says Raiu, the banks should constantly research security threats and prepare technologies to protect their customers to be ready for immediate deployment in case of emergency. “This is a good way of checking if the banks did their homework or not - if they were prepared, then you will see e-tokens in a few months. If not, it might take as much as one year for them to be deployed.”

Raiu says in the short term, it is possible that some financial institutions might consider these devices cost prohibitive. He adds, however, that in the long run the financial losses which need to be covered in reimbursing victims are going to be much, much higher, making security devices the most cost-effective solution.

Safety in numbers

Given today's technologies, e-tokens are probably the most efficient solution, says Raiu, adding that more complex and expensive alternatives are also available. “The main issue here is establishing a secure connection with the bank on a device which cannot be compromised. The compromised part is the tricky part, as PCs can easily get infected; they are not the most secure option, even if the most affordable.”

He suggests small, PDA-like computing devices, which can be connected to the PC and used for online banking, or dedicated PCs which run nothing but the banking software, as possible alternatives.

Raiu says it is also important to look at the quality of the e-token itself. “There are literally hundreds of e-token models and types available and it is important to note that not all provide the same level of security. For instance, some e-tokens will display a random-looking number, which changes every minute or so. To login to the online banking Web site one has but to type in the number from the e-token. Unfortunately, such solutions provide little security against man-in-the-middle attacks.

“Quality e-token solutions will provide different algorithms for the login and transaction approval steps, making their duplication much harder. Additionally, quality e-tokens will take a number provided by the bank, sign it with an internal algorithm and provide a reply - this is called a challenge-response type of device,” says Raiu.
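The distinction Raiu draws between a token that only displays a time-varying number and a challenge-response token that signs transaction details is easier to see in code. The following is an added illustration, not code from the article or from any vendor's product; the key, timestamp, nonce, account identifiers and the truncation to six- and eight-digit codes are all constructed for the demo. It models a man-in-the-middle on an infected PC who swaps the customer's payment for his own and relays whatever code the token produced.

```python
import hashlib
import hmac
import struct

# Constructed demo secret. A real token carries a per-customer key
# provisioned by the bank; this value exists only to make the demo run.
TOKEN_SECRET = b"constructed-demo-key-for-illustration-only"


def time_based_code(secret: bytes, now: int, step: int = 60) -> str:
    """Code from a token of the first kind Raiu describes: it depends on the
    secret and the current time window only, never on the transaction it is
    about to approve. HOTP-style dynamic truncation over a time counter."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10**6:06d}"


def bank_accepts_time_based(secret: bytes, txn: dict, code: str, now: int) -> bool:
    """The bank checks the code against its own clock. `txn` is unused:
    any transaction that arrives with a currently valid code goes through."""
    return hmac.compare_digest(code, time_based_code(secret, now))


def signing_input(beneficiary: str, amount: str, nonce: str) -> bytes:
    """What a challenge-response token signs: the beneficiary and amount the
    customer keys in (or the token displays) plus a bank-supplied nonce."""
    return f"{beneficiary}|{amount}|{nonce}".encode()


def token_response(secret: bytes, beneficiary: str, amount: str, nonce: str) -> str:
    """Token side: HMAC over the transaction details, truncated to 8 digits."""
    mac = hmac.new(secret, signing_input(beneficiary, amount, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_accepts_signed(secret: bytes, txn: dict, nonce: str, response: str) -> bool:
    """Bank side: recompute the response over the transaction actually received."""
    expected = token_response(secret, txn["beneficiary"], txn["amount"], nonce)
    return hmac.compare_digest(response, expected)


def run_mitm_scenario() -> dict:
    """Constructed scenario: the customer intends one payment, malware on the
    PC substitutes another and relays whatever the token produced."""
    intended = {"beneficiary": "ACC-INTENDED-PAYEE", "amount": "100.00"}
    substituted = {"beneficiary": "ACC-ATTACKER", "amount": "9500.00"}
    now = 1248100000      # fixed timestamp so the demo is deterministic
    nonce = "3f9a1c"      # constructed bank nonce for this session

    # Time-based token: the relayed code is as good for the attacker's
    # transaction as for the customer's, so the bank accepts the swap.
    code = time_based_code(TOKEN_SECRET, now)
    time_based_attack = bank_accepts_time_based(TOKEN_SECRET, substituted, code, now)

    # Challenge-response token: the customer keys in the payment they intend,
    # so the response is bound to those details and the swapped one fails.
    response = token_response(TOKEN_SECRET, intended["beneficiary"], intended["amount"], nonce)
    signed_legit = bank_accepts_signed(TOKEN_SECRET, intended, nonce, response)
    signed_attack = bank_accepts_signed(TOKEN_SECRET, substituted, nonce, response)

    return {
        "time_based_attack_accepted": time_based_attack,
        "signed_legit_accepted": signed_legit,
        "signed_attack_accepted": signed_attack,
    }


if __name__ == "__main__":
    for name, accepted in run_mitm_scenario().items():
        print(f"{name}: {accepted}")
```

The caveat a practitioner should take from this: the transaction binding only holds because the customer supplies the beneficiary and amount to the token from their own intent (or reads them off the token's display before approving). A token that merely signs an opaque challenge the bank sends back through the PC gives no more protection than the time-based kind, because the man-in-the-middle can rewrite the challenge on the way to the customer just as easily as the transaction on the way to the bank.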

“Let's hope that the recent incidents are a strong argument for banks to reconsider their security systems and begin the deployment of more secure authentication mechanisms to the customers.” Raiu also believes the state has an important role in this process: “There are countries, for instance, where a bank can only offer online services if they provide the customers with e-tokens. Simple username and password combinations are banned by law.”

User education

Gordon Love, regional director for Africa at Symantec, believes that while e-tokens would increase user comfort, they would not increase security. “It is still a two-component authentication with something that I know (PIN) and something that I have (e-token).”

Love says there is a constant balancing act between keeping data and transactions secure and at the same time making an efficient service available to customers. What is notable in the recent SMS scam case, says Love, is that there were two key points of failure which technology alone cannot remedy. Firstly, the social engineering techniques used in the beginning to lure users into providing confidential information, and secondly, the staff member at the service provider who seemingly arranged to divert SMSes containing PIN numbers to the phone of the perpetrator.

He says Symantec's annual Internet Security Threat Reports consistently show that human error or malicious activity account for more than 50% of security breaches. “The banks can consider eliminating SMSes and provide customers with a PIN-generating device which has to be used in conjunction with a debit card that has to be in their possession. In that way the transmission of PINs via SMS is eliminated - a big vulnerability that the perpetrators in this case took advantage of.”

Both Raiu and Love agree that ultimately, an educated user is a safer user, and having good security in place is vital. “Customers need to keep their login information private and avoid disclosing it to anybody. An up-to-date operating system will help a lot in staying malware-free and this is one of the ABCs of keeping safe from cyber crime.

“Of course, an up-to-date operating system needs to be complemented with a security solution which includes an anti-virus, anti-spyware, firewall and vulnerability scanner,” says Raiu.

Love adds, “Phishing is still one of the most successful vehicles for harvesting confidential information because users often do not exercise sufficient caution when going online. There are signs of a fake Web site which should warn users that the site is not safe. If a user is in any doubt, they should call the bank's customer service help line.”
