Just Like an Ogre, Online Banking Has Layers
When I logged into my online banking Website last week, the login screen was different than what I was used to.My first reaction was that I had been hacked and the site was a spoof(a consequence of working in this field). Once I realized that it wasin fact the genuine login screen, I proceeded to enroll in the bank’snewly enhanced sign-in security.
The concept is pretty easy; banks realize that card numbers and PINsare not enough to verify someone’s identity so they have added extralayers of security. To set up the enhanced login process, users areasked to pick an image and to type in a phrase. For example, a usercould select the image of a green apple and the phrase “The fox is inthe hen house.” These will be displayed to the user whenever they entertheir bank card number so that they can verify the legitimacy of thesite. Users are then asked to select three pre-determined questions andenter the answers. If the user logs into their online banking from acomputer that is not their usual one (determined by a cookie) they mustanswer the three questions before proceeding to the password screen.It’s not unlike trying to cross the Bridge of Death, except in this case you know the answers.
This is a form of layered security since the authentication methodonly requires something the user knows (in the case of online banking,the card number is considered public and hence not a level ofsecurity). For enhanced security with online banking, the FederalFinancial Institutions Examination Council (FFIEC)required banks in the United States to upgrade to a multifactorauthentication (MFA) security system by December 2006 (although only50% had a MFA solution in place by that time). Although not bound byany requirement to upgrade, the FFIEC projects that 67% of Canadianbanks will have a MFA solution in place by the end of 2007. MFArequires authentication that depends on two or more of the followingfactors for a users: something they have (bank card, RSA token, smartcard), something they know (password, PIN), and something they are(retinal scan, fingerprint). For example, online banking is asingle-factor authentication while banking at an ATM is multi-factor.
In addition to online banking, credit card companies are beginningto use MFA to enhance the security of online purchases. Shoppers arerequired to enter their credit card number, expiry date, the securitycode on the back to the card, as well as a password to finalize thepurchase. By adding extra levels of security, these companies canprevent fraudulent purchases from stolen credit cards and it helps toboost their reputations as a secure shopping site. In Symantec's Internet Security Threat Report Vol. XII,credit cards were the most advertised item in underground economyservers, accounting for 22% of the market and selling for a little as$2 USD.
On another note, these enhancements in security policies could besomething an attacker could take advantage of to gain access tosensitive information. An attacker posing as the bank could email anunsuspecting person with information about a new security loginprocess. Thinking that this is authentic, because news reports aretalking about the upgrade, the user could click on the embedded linkand be directed to a login screen that the attacker has spoofed. Onceat the spoofed site, the user unwittingly exposes their personalinformation, such as credit card number and password.
So, be skeptical of changes in any login sites that you use and, ifnecessary, contact your bank to determine if what you see in front ofyou is really from the bank. That five minute conversation could saveyou a lot of money and hassle.