Can Technology Stop Social Engineering Tricks — Or Does It Make It Worse?

from the questions-questions-questions dept

There’s been a lot of talk in the past few weeks about new guidelines from federal officials designed to help prevent online banking fraud by requiring some form of two-factor authentication, such as a security token that changes its code every sixty seconds. At first pass, this may sound like a good idea. It gets past the single username/password setup that is so easy to break (especially if you can get someone to cough up their password for the simplest of trinkets, or just by asking them for it). However, some are suggesting that this new plan for two-factor authentication isn’t such a good one. First of all, it will be expensive to implement. Banks will need to send customers the tokens or scratch-off cards or whatever other system they use, and they’ll have to upgrade their own systems to handle that. Then, it makes life more difficult for users. Customers have to figure out how the token/card works, always carry it around with them and try not to lose it. And if the banks don’t agree on a standard system, customers may be required to carry around a bunch of tokens with them at all times — which won’t be much fun. The worst of it, though, is that the scammers will adjust, so that such methods may not help very much at all. The problem is that most bank fraud is really done by social engineering: tricking people into giving up the info necessary to get into their account. So now all the scammers need to do is trick them into giving up the token/scratch card info as well, or just use a standard man-in-the-middle attack. Yes, the stolen info may be more time-limited, but that might not matter. In fact, the article notes that customers of a Scandinavian bank using two-factor authentication have already been scammed. What it comes down to is that most banking scams are done by social engineering — and that’s pretty difficult to stop by technological means.


Comments on “Can Technology Stop Social Engineering Tricks — Or Does It Make It Worse?”

Loraan says:

No Subject Given

The best two-factor banking authentication system that I’ve heard of involved sending a passcode to your mobile phone or email in response to an attempted bank login. This doesn’t require the user to carry anything that they don’t carry already. The system is relatively secure as long as the phone is in the user’s possession. In the case where the code is sent to an email account, the hacker still has to crack two passwords instead of one (unless the stupid user reuses them).

zcat (user link) says:

Re: No Subject Given

Except that SMS costs money, and I guarantee that the banks will pass that cost to the customer (at the usual retail price, not what they pay for it, and probably with an extra 50% for no better reason than because the customer has NO CHOICE anyhow)

Which means that my internet banking is going to end up costing me even more.

I think the long-term solution to the problem is that the banks should do ABSOLUTELY NOTHING AT ALL about fraud.

If you’re stupid enough to follow an email link and not notice any of the generally HUGE giveaways that suggest a scam (wrong URL, bad spelling, broken links, wrong URL, no encryption, wrong URL, you’ve been told a million times to NEVER follow banking links in email, etc.) then you should accept the resulting fleecing as a fine for your stupidity and a painful reminder to pay more attention in future.

If the banks want to do anything else I suggest they send their own customers a ‘please verify your account’ email of their own. Anyone who falls for this email should have their internet banking disabled until they attend a mandatory lecture on basic security.

jmud says:

Re: Re: No Subject Given

In South Africa, where banking is quite expensive as it is, and fraud is almost commonplace, an SMS is sent to the account holder after every single transaction above a certain amount. If you go to a store and make a purchase above that amount you immediately get an SMS informing you that a transaction has taken place, where and for how much.
But then in South Africa you have to pay to withdraw cash, you pay for the bank to hold your money – basically you pay for everything.

Anonymous Coward says:

Re: No Subject Given

“The best two-factor banking authentication system that I’ve heard of involved sending a passcode to your mobile phone or email in response to an attempted bank login”

Of course, that assumes that you are in a place with cell phone access. There are a TON of Americans who have poor access to cell phone services of any kind.

Personally, I think the bank’s responsibility is to make sure that security is tight so that usernames and passwords aren’t given up to hackers. However, if you are dumb enough to give your username and password out, and somebody gets into your account and takes your money – then the bank should have no liability.

Gaurang Khetan (user link) says:

Shouldn’t be that bad

I haven’t read the linked articles, but I guess having a token to be carried does sound like a good idea to me. Many tech corporations already use this technique. I usually attach the token to my car key, and it stays in my pocket at all times along with the key.
Of course this cannot be foolproof, but hardly anything we ever develop will be foolproof. The key is only to get better at avoiding identity theft.

I don’t think this is very inconvenient either.

Nick Owen (user link) says:

Re: Smart Chip

This is what we have done with WiKID. We use asymmetric encryption and a PIN, which gives you the ability to work across multiple servers. It also makes token distribution simple because the keys are generated on the device and then key pairs are swapped.
We have also extended the PC client to validate the SSL certificate of the site for the user, which will help prevent man-in-the-middle attacks. You can test this on the open source version which is on

Common Sense says:

No Subject Given

The only way to reduce fraud is to make the financial institutions hold the bill. By putting liability on the financial institution for losses attributed to inadequately identifying the account holder (not just authentication), solutions will be found. Until then nothing useful will be done and the costs will be off-loaded to the customer and/or taxpayer.

Bilbo says:

Biometrics, surely?

Biometrics has to be the way forward. A keyboard with an in-built fingerprint reader is a viable solution, no longer that costly, and the banks could even sell them as a branded, stand-alone unit for added security.

Or even a keyboard with a chip reader. These technologies already exist, it’s up to the banks to speak to the technology providers to get around this problem.

Why aren’t hardware providers champing at the bit to provide banks with their own solution? I would certainly shift accounts to the first bank that offered security over and above the password/account number scenario.

Meanwhile, I can’t even log onto my HSBC account using Firefox on an iMac at work. The ultimate in security……..?????
