July 11th, 2006 by Chandler Howell

It’s not as fun to read as Dr. Seuss, but in October 2005, the FDIC declared single-factor authentication inadequate for online banking authentication:

  • Single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services.
  • The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
  • Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to on-line customers.

IanG at Financial Cryptography recently noted, and added valuable commentary to, a WashingtonPost.com blog entry about how phishers have already adapted to this countermeasure. WaPo sets it up:

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit — a tactic used by some security-savvy people — you might be fooled. That’s because this site acts as the “man in the middle” — it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

But IanG adds the value:

More bad news for suppliers of 2-factor tokens and also US Banks which got a quasi-recommendation to implement something like this. I say, quasi-something, because the FDIC carefully did not recommend any specific technology, choosing instead to recommend that banks carefully review their _risk-based exposure_. The banks themselves may have assumed tokens or similar, for whatever reason.

(emphasis mine)

Of course, you would never know that the official guidance specified only that the bar had been raised (no more single-factor), not what it had been raised to (Buy two-factor authentication products!), unless you went and read the guidance document itself–not a difficult task, since it’s only one page long and it’s the first result if you google for “fdic authentication”. (The Account Hijacking page is the second link, btw.)

Also interesting, though, is that the FDIC did recommend two-factor authentication–in December 2004! If you look at “Putting an End to Account-Hijacking Identity Theft,” an allegedly consumer-targeted page (but one which talks a lot about things like log analysis and infrastructural analysis opportunities), they say:

Financial institutions and government should consider a number of steps to reduce online fraud, including:

1. Upgrading existing password-based single-factor customer authentication systems to two-factor authentication.

Of course, that report also speaks well of SenderID, so we would all be well-served to remember what became of that Silver Bullet.

Personally, I agree with IanG. It’s not the FDIC’s place to provide prescriptive guidance in this situation. It’s one thing to provide a common problem statement, “Single-factor authentication is not adequate.” Unfortunately, the people least likely to understand that there are many ways to provide a second authentication factor besides hard tokens are also the ones most likely to fall for the vendor pitch that some sort of hard token is the only second factor.

I will never know why the FDIC decided to pull back from “upgrade…to two-factor” to, “Risk assessments should provide the basis for determining an effective authentication strategy,” but I strongly believe it’s the appropriate approach to the problem. Banks do a lot of things, some visible and some not-so-visible, to reduce the risk of a successful breach (successful probably being defined as funds successfully transferred beyond recovery or large-scale enough to make the press). Since no two banks have the same set of risks and countermeasures (remembering that risk is the combination of asset value, threat & probability along with varying opinions of what is or is not an externality), no two banks should come to the same exact solution set, even if their risk position seems identical to an outsider.

Maybe someone pointed out that the guidance would remain, and still be adhered to by the less-informed, long after it had been overtaken by events. To reinforce that argument, on October 12th, 2005 (the same day that FIL-103-2005 was published), the Register had a story about phishers successfully compromising a one-time/scratchpad system in Sweden. Perhaps a coincidence, but it would have been a bit ironic if the FFIEC had issued prescriptive guidance at the same time as that guidance (in the absence of other compensating controls) was shown to be inadequate.

John Quarterman at Perilocity has now picked up on this, as well.

Updated: Fixed the missing link, added a title and intro tie-in


Any countermeasure that the attacker can see and anticipate is doomed to fail at some level. Both banks and government want to reduce phishing based fraud, and needed to do something to increase consumer confidence.

Most large banks I’ve spoken with knew this was coming. For the most part, second factors you and I saw are “marketing” - designed to be as effective as a commercial, not as a security measure.

There’s a couple of things to remember:

1.) Phishing is sticky because the loss to the bank is *relatively* low. Especially when compared with the cost to nullify the attacks.

2.) There are other “authentication-like” controls that banks can use. Implementing the consumer-visible “second factor” cuts down on the ability of any two-bit spammer to carry out phishing, but it won’t stop this type of fraud altogether. However, if you think about it in terms given by Jack Jones’ FAIR, what you’re essentially doing is reducing the Threat Event Frequency, and also deliberately increasing the Threat Capability you need to account for (I personally would be fascinated to find out how proportional that change is).

If you’ve read Freakonomics (trendy, I know, you’ll have to forgive me) you’ll recall the author talking about the number of children who die due to handgun accidents vs. swimming pool accidents. However we’ll still feel much more uneasy sending little Suzy over to the Johnson’s house because they have a gun collection than sending Suzy to the Phillips house with the in-ground pool.

In much the same manner, phishing and identity theft are bad, but I think if you polled most banks and credit unions, you’ll find that there’s more fraud from trusted family members than Phishing attacks. More fraud from offline sources than online.

- July 11th, 2006 at 1:20 pm |

Threatwatch - 2-factor tokens attacked by phishers - another “must-have” security tool shown to be fighting the last war…

Lance James points out that Phishers have moved on to attacking 2-factor authentication tokens: The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the sit…

- July 11th, 2006 at 1:20 pm |

First, there’s nothing wrong with citing Freakonomics around here. I thoroughly enjoyed it, myself–more so than The Tipping Point. I also think it’s good to see accessible work coming from economists.

While I fundamentally agree with your initial point that any countermeasure the attacker can see ahead of time is due to fail, we still have to keep developing new countermeasures. The trick is to hopefully find the countermeasure which will most effectively reduce risk, both in magnitude and longevity.

Since Phishing attacks are social engineering attacks abetted by the Death of a Thousand Cuts that afflict all the different bits and pieces that go into SMTP mail, HTTP, DNS, Unicode and SSL, I don’t expect them to go away any time soon.

This means that the real countermeasures against it are user awareness and education. Of course, I also fall into the camp which says, “Make it idiot-proof and they’ll make a better idiot,” so I view the entire problem with a bit of resignation.

Personally, I prefer countermeasures which raise the bar for attackers without also raising consumers’ confidence level in the countermeasure. When that happens, all it does is cause a corresponding shift in risk compensation. Intrusively stronger authentication fails that test quite handily, leveraging the social engineering aspect of phishing even further, as this particular attack demonstrates.

Yes, improved authentication raises the bar for what is required for a successful attack. In this case, it’s input relaying between the phishers’ site and the bank in true Man-in-the-Middle fashion. This is both good (the barrier to attacker success is raised, as Alex noted, the stolen data’s value decays almost immediately–in a minute or less for hard tokens–and the bank can probably more easily identify impacted accounts in their back-end analysis*) and bad (the value of the countermeasure is eroded by a successful attack).

All-in-all, it’s still just one more round in the arms race with the authentication Vendors trying to convince us that this time, they really have found the Silver Bullet for phishing, the attackers proving them wrong yet again, and the rest of us cheering from the peanut gallery.

* Unless the attacker is relaying through a ‘botNet, but work with me here…

- July 11th, 2006 at 3:34 pm |

Alex Says:

_While I fundamentally agree with your initial point that any countermeasure the attacker can see ahead of time is due to fail, we still have to keep developing new countermeasures. The trick is to hopefully find the countermeasure which will most effectively reduce risk, both in magnitude and longevity._

Don’t get me wrong, my point wasn’t that we should give up, but that we should be a little more sneaky about it. Behavioral analysis software is pretty cool in terms of identifying trouble spots, and if the bank in question had such a countermeasure deployed, it would have almost certainly been able to identify the attack, pinpoint its source, and eliminate the threat action, not just for this attack instance, but for additional ones as well.

_When that happens, all it does is cause a corresponding shift in risk compensation. Intrusively stronger authentication fails that test quite handily, leveraging the social engineering aspect of phishing even further, as this particular attack demonstrates._

This is a great point. I haven’t really thought this through fully, but I’m betting that in the end, this is a really bad thing - as it takes the “point of attack” away from something that Information Risk can control (packets) and puts it in the hands of something they cannot (human behavior - the end user and customer service).

As an aside, we’re currently researching control life span and trying to angle some real data on time for threats to enact counter-measure compensation. It’ll take a long time to draw any conclusions, but it’s a really interesting concept.

_I prefer countermeasures which raise the bar for attackers without also raising consumers’ confidence level in the countermeasure_…

_It’s still just one more round in the arms race with the authentication Vendors trying to convince us that this time, they really have found the Silver Bullet for phishing, the attackers proving them wrong yet again, and the rest of us cheering from the peanut gallery._…

It’s a bizarre love triangle, isn’t it? The vendor, the server, the client, attacker and (in this case) the government!

- July 12th, 2006 at 8:48 am |

David Says:

Two-factor authentication is the only way to go these days. Single factor is weak by today’s standards and level of internet crime. I too have heard that it is becoming a requirement for some businesses to use this type of security. I think that’s fantastic as it’s the best type of security out there.

- April 28th, 2008 at 10:37 pm |
