US standards lab says SMS is no good for authentication America's National Institute for Standards and Technology has advised abandonment of SMS-based two-factor authentication. That's the gist of the latest draft of its Digital Authentication Guideline, here. Down in section 5.1.3.2, the document says out-of-band verification using SMS is deprecated and won't appear in future …
The BBC's investigative department has run a number of articles about criminals hijacking a phone number to get through a victim's SMS authentication. Fairly recently they persuaded one of the main banks (I forget which) to drop it after several verified cases.
That's why we have better technologies, going back as far as PGP, and forward to Milagro for the next quantum leap.
So, I use my credit card and have to get the details right. Then I get an SMS from my bank with a secret code. So the criminals would have to know my number to persuade my mobile provider to forward them the SMS or persuade my bank to send the SMS to a different number or hack the SMS-C...... or get access to my unlocked phone (or unlock it). I don't think my bank will be easily persuaded.
If this is replaced by an "app" on my phone then I suspect it'll be easier for a criminal to get into the phone than to subvert the SMS process, given how secure phones are!
I quite liked one bank I used where I had to go through their system to generate a one off set of card details for each transaction (phone or internet). They've stopped doing it now though.
Because users have a NEED (not a WANT, a NEED) to bank on the go, such as to quickly transfer funds because their bank card is low and it's close to closing time and so on. And given that many people are willing to go without their WALLET but not without their PHONES, and you've got a real issue here because they're going to use it will ne, nil ye. You better find a way to make those apps tight, then.
As for two-factor, there's also the problem that, if you can't use the phone as a second factor, most people DON'T HAVE a second factor at all. Which means two-factor authentication is no longer possible.
In order to bank at all you have to have some sort of network connection, so you can do the second factor over the network.
Personally I'd like to see Apple introduce support in the secure element for RSA type token authentication, with third parties allowed to hook in with their own certificates and seeds. Yeah, some people will object and say it isn't "two factor" if you are using a bank app on your phone and using your phone as a secure ID token, but if someone has physical possession of your phone and the password to your bank and whatever PIN/password is required for a token then you have allowed yourself to be totally p0wned and should go back to banking with a teller in person.
Obviously Android phones could add similar support, but since they lack consistent hardware it would be more hit or miss how secure the provision of a token would be.
"In order to bank at all you have to have some sort of network connection, so you can do the second factor over the network."
The problem is if the NETWORK is compromised. Which is why the second factor MUST be out of band. Otherwise, it's all the eggs in one basket, so to speak.
As for fobs and tokens and so on, wasn't RSA hacked and the algorithm leaked so that the keys could be cloned?
"...and should go back to banking with a teller in person."
And if your bank has NO tellers?
How does a compromised network affect you, if you are using properly encrypted data in a way that isn't susceptible to MITM attacks? You should ALWAYS assume your network is compromised! You have no way to prove that it is not, so I don't see why knowing that it is should change anything.
Because with a significantly-resourced enemy like a State, there is no such thing as "properly encrypted data". Insiders who can purloin data outside the envelope, state control of networks which can block, usurp, maybe even (with insider knowledge of the keys by hook or crook) perfectly impersonate one or the other party. Remember, we're pretty close to a DTA world as it is.
I would recommend not worrying about it. If your government wants access to your account information, they'll get it from your bank. If they want access to your money, they'll freeze your assets. There's nothing you can do about it. They aren't going to hack your account over the internet to get at it, so controls on your end don't matter.
As for insiders, you can't prevent them from taking your money for similar reasons because they can also bypass all those external controls, but you will (though maybe not right away) be able to get it back. Banks have very good internal controls and are able to detect rogue insiders, if not the minute they try something, eventually. For those who fail to detect them until it is too late and the insider has fled to somewhere without an extradition treaty, well that's why banks have insurance...
I'll be glad if this happens, as it will remove one the perpetual annoyances I have nearly every day.
We currently use SMS 2FA to allow people to log in to a secure site which we provide to a client.
We are forever getting rung up with complaints that they haven't received their SMS to let them log in, and no amount of explaining how SMS works makes any difference, they expect us to somehow make it work instantaneously.
SMS is a best effort service, exactly like email, and can be delayed for all sorts of reasons, and is therefore not a good fit for secure 2FA.
I assume you are in the UK where SMS is indeed very unreliable. Here in Norway it is rare for me to have to wait more than ten seconds for the text to arrive from my bank.
The mobile phone system in the UK is astonishingly bad. I visited Selby in Yorkshire a few weeks ago and had a really hard time making calls in the villages nearby. And it wasn't just one network that was bad either, family members with UK subscriptions on different networks were just as poorly served.
... are just attempts to make you give 'em your phone number as a unique ID to attach to your profile, banks aside (which already have lots of personal info about you).
I'm glad anyway my bank uses a token for authentication. It's less comfortable to remember to carry it when you need it, but I store it separately from the phone (less chances to lose both at the same time), my bank credentials are not stored in the phone (there are some critical credentials which are best stored in your brain memory only) thereby even the bank app is safe enough.
"I'm glad anyway my bank uses a token for authentication. It's less comfortable to remember to carry it when you need it, but I store it separately from the phone (less chances to lose both at the same time), my bank credentials are not stored in the phone (there are some critical credentials which are best stored in your brain memory only) thereby even the bank app is safe enough."
So what if you have a bad brain, a poor memory, and a tendency to lose things (including your wallet, IN the supermarket)?
SMS is an advantage over an authenticator app if you lose your phone. Getting a replacement phone and sim set up is pretty quick and straightforward, however contacting the customer services for each authenticated service to regain access is a pita.
I went through this recently when my phone broke and I no longer had access to the authenticator app, I've switched to SMS now where possible.
@Rimpel, there's no doubt that the scenario you describe is the reason that so many are thrilled to use SMS for 2FA. Simplicity of use is the tradeoff for the lack of genuine security that it provides.
As security conscious as I may be, it's really up to individuals to evaluate that risk for themselves. If this is what consumers want, then banks and others will offer it until an alternative comes along that isn't such a PITA.
In which case how's an honest soul supposed to tell whether it's a mobile or not?
Not that the land of GSM and beyond is much better off; a number can look like a mobile number and end up somewhere entirely different, courtesy of simple stuff like call forwarding and doubtless a variety of other mechanisms.
US numbers can be ported between carriers. My landline number was ported from Verizon landline to Comcast VOIP and is now on my AT&T mobile plan with their cell to POTS device. I see charges on my bill for texts but the device has no SMS capability, good thing they are zero charges on unlimited text plan.
I read this article and got the impression that their advocating an app, over a potentially out of band communication.
The only way that I could think that this would be safe is if the app is on a standalone device.
for example it uses wifi comms to transmit the data to the authenticating device, including amount, who the transaction is to etc, which is then displayed on the authenticator for approval, before being wrapped up and signed by the authenticator.
i.e. another device with all the foibles of a mobile phone, but is only allowed to run the one app.
I can't see that being popular.
When I briefly worked for RBS, every transaction I performed with online banking would generate me a code, for which I'd have to insert my card into a reader, enter my PIN and the code, and the reader would spit me back an auth code.
Bit of a pain in the arse if I want to use online banking and I've not brought my widget with me though.
Biometrics should not be activated where you need to be security-conscious.
It is known that the authentication by biometrics usually comes with poorer security than PIN/password-only authentication. The following video explains how biomerics makes a backdoor to password-protected information.
https://youtu.be/5e2oHZccMe4
The problem is that: from the way the phone networks are design, up to the device of the client, everything is vulnerable in so many ways!
Just having access to some Telecom Carrier in some country (like say, pay some one to install a backdoor) gives access to most Telecom Carriers around the world... and with that and the phone number you can get the code in your terminal from even people in the other side of the world without even getting close to their phones at all... so this system is flawed!
What then? What can banks, and everyone else do?
For normal authentication maybe people just need SQRL (Secure Quick Reliable Login), and for authentication of requests/ operations some digital signature. .. if SQRL can't perform that to.
The best is that this can be done in some Hardware Security Module (HSM) device... like say: the size of a credit card calculator, to fit a wallet or the pocket, but with privacy display, integrated keyboard, camera to recognize QR codes and just the ability to connect to reader devices physically (like say: ATM machines; Point of sales; readers for internet web sites;...). Of course people can have their own readers or readers can be integrated into new smartphone/ tablets/ laptops so that this would work almost seamless.
The device it self should display the action, where the user is trying to login/ authenticate something, what exactly is being requested from him/ her, give the choice tho choose from multiple private keys (so that every bank/ service can have their own key associated, if SQRL can't be used) and that is it.
To protect the device the sky is the limit, finger scanner plus some password (displayed randomly) would be a good solution (something you have plus something you know... something you have may be demanded/ removed from you (like say: by criminals), but something you know depends on your own will.
Of course exporting the private keys should be either impossible (the most secure option) or just using the device it self to create encrypted backups (no external way to request that)... isn't so secure but allows recovery if you loose/ destroy or someone steals the device.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
