Scams

by Mike Masnick




Can Technology Stop Social Engineering Tricks -- Or Does It Make It Worse?

from the questions-questions-questions dept

There's been a lot of talk in the past few weeks about new guidelines from federal officials designed to help prevent online banking fraud by requiring some form of two-factor authentication, such as a security token that changes the code every sixty seconds. At a first pass, this may sound like a good idea. It helps get past the single username/password setup that is so easy to break (especially if you can get someone to cough up their password for the simplest of trinkets, or just by asking them for the password). However, some are suggesting that this new plan for two-factor authentication isn't such a good one. First of all, it will be expensive to implement. Banks will need to send customers the tokens or scratch off cards or whatever other system they use. They'll have to upgrade their own systems to handle that. Then, it makes life more difficult for users. Customers have to figure out how the token/card works, always carry it around with them and try not to lose it. Then, if the banks don't agree on a standard system, customers may be required to carry around a bunch of tokens with them at all time -- which won't be much fun. However, the worst of it is that the scammers will adjust so that such methods may not help very much at all. The problem is that most bank fraud is really done by social engineering: tricking people into giving up the info necessary to get into their account. So, now, all the scammers need to do is to trick them into giving up the token/scratch card info as well, or just using a standard man in the middle attack. Yes, it may be more time-limited, but that might not matter. In fact, the article notes that customers of a Scandinavian bank using two-factor authentication have already been scammed. What it comes down to is that most banking scams are done by social engineering -- and that's pretty difficult to stop by technology means.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Loraan, 1 Nov 2005 @ 2:59pm

    No Subject Given

    The best two-factor banking authentication system that I've heard of involved sending a passcode to your mobile phone or email in response to an attempted bank login. This doesn't require the user to carry anything that they don't carry alread. The system is relatively secure as long as the phone is in the user's posession. In the case where the code is sent to an email account, the hacker still has to crack two passwords instead of one (unless stupid user reuses them).

    reply to this | link to this | view in chronology ]

    • identicon
      zcat, 1 Nov 2005 @ 6:13pm

      Re: No Subject Given

      Except that SMS costs money, and I guarantee that the banks will pass that cost to the customer (at the usual retail price, not what they pay for it, and probably with an extra 50% for no better reason than because the customer has NO CHOICE anyhow)

      Which means that my internet banking is going to end up costing me even more.

      I think the long-term solution to the problem is that the banks should do ABSOLUTELY NOTHING AT ALL about fraud.

      If you're stupid enough to follow an email link and not notice any of the generally HUGE giveaways that suggest a scam (wrong URL, bad spelling, broken links, wrong URL, no encryption, wrong URL, you've been told a million times to NEVER follow banking links in email, etc.) then you should accept the resulting fleecing as a fine for your stupidity and a painful reminder to pay more attention in future.

      If the banks want to do anything else I suggest they send their own customers a 'please verify your account' email of their own. Anyone who falls for this email should have their internet banking dissabled until they attend a mandatory lecture on basic security.

      reply to this | link to this | view in chronology ]

      • identicon
        jmud, 3 Nov 2005 @ 5:04am

        Re: No Subject Given

        In South Africa, where banking is quite expensive as it is, and fraud is almost common place, an SMS is sent to the account holder after every single transaction above a certain amount. If you go to a store and make a purchase above that amount you immediatly get an SMS informing you that a transaction has taken place, where and for how much.
        But then in South Africa you have to pay to withdraw cash, you pay for the bank to hold your money - basically you pay for everything.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Nov 2005 @ 7:43pm

      Re: No Subject Given

      "The best two-factor banking authentication system that I've heard of involved sending a passcode to your mobile phone or email in response to an attempted bank login"

      Of course, that assumes that you are in a place with cell phone access. There are a TON of american's who have poor access to cell phone services of any kind.

      Personally, the banks responsability is to make sure that security is tight so that usernames and passwords aren't given up to hackers. However, if you are dumb enough to give your username and password out, if somebody gets into your account, and takes your money - then the bank should have no liability.

      reply to this | link to this | view in chronology ]

  • identicon
    Gaurang Khetan, 1 Nov 2005 @ 3:15pm

    Shouldnt be that bad

    I havent read the linked articles, but I guess having a token to be carried does sound like a good idea to me. Many tech corporations already use this technique. I usually attach the token to my car key, and it stays in my pocket at all times along with the key.
    Ofcourse this cannot be foolproof, but hardly anything we ever develop will be foolproof. The key is only to get better at avoiding identity theft.

    I dont think this is much inconvenient as well.

    reply to this | link to this | view in chronology ]

  • identicon
    Adam, 2 Nov 2005 @ 5:46am

    Better ideas

    Dear Banks,
    How about first letting me choose a user name that's not my SSN or account number, or letting me use a password that's longer than 8-characters and includes characters other than letters and numbers?

    reply to this | link to this | view in chronology ]

  • identicon
    Reader, 2 Nov 2005 @ 9:03am

    Stop the FUD

    The regulators never said banks have to adopt two factor authentication. They said banks have to assess risk and, if necessary, adopt "multifactor authentication, layered security, or other controls..."

    Banks have options that go way beyond tokens.

    Please stop the FUD.

    reply to this | link to this | view in chronology ]

  • identicon
    Bill, 2 Nov 2005 @ 10:24am

    Smart Chip

    How about a 6 digit pin and a smart card (or cell phone) and use public/private key encryption.

    Then you could use the same ID everywhere. If that bugs you, you could carry multiple cards, or have multiple chips for your phone.

    reply to this | link to this | view in chronology ]

    • identicon
      Nick Owen, 3 Nov 2005 @ 5:23am

      Re: Smart Chip

      Bill:
      This is what we have done with WiKID. We use asymmetric encryption and a PIN, which gives you the ability to work across multiple servers. It also makes token distribution simple because the keys are generated on the device and then key pairs are swapped.
      We have also extended the PC client to validate the SSL certificate of the site for the user, which will help prevent man-in-the-middle attacks. You can test this on the open source version which is on sf.net:
      http://sourceforge.net/projects/wikid-twofactor/
      Nick

      reply to this | link to this | view in chronology ]

  • identicon
    Common Sense, 2 Nov 2005 @ 12:57pm

    No Subject Given

    The only way to reduce fraud is to make the finacial institutions hold the bill. By putting liability on the financial institution for losses attributed to inadequately identifying the account holder (not just authentication) solutions will be found. Until then nothing useful will be done and the costs will be off-loaded to the customer and/or taxpayer.

    reply to this | link to this | view in chronology ]

  • identicon
    Bilbo, 3 Nov 2005 @ 8:31am

    Biometrics, surely?

    Biometrics has to be the way forward. A keyboard with in an in-built fingerporint reader is a viable solution, no longer that costly, and the banks could even sell them as a branded, stand-alone unit for added security.

    Or even a keyboard with a chip reader. These technologies already exist, it's up to the banks to speak to the technology providers to get around this problem.

    Why aren't hardware providers champing at the bit to provide banks with their own solution. I would certainly shift accounts to the first bank that offered security over and above the password/account number scenario.

    Meanwhile, I can't even log onto my HSBC account using Firefox on an iMac at work. The ultimate in security........?????

    reply to this | link to this | view in chronology ]

  • identicon
    tim, 9 Jun 2006 @ 1:51am

    social engineering

    from tim
    RE Social engineering
    TXT: The professor snatched the idea by
    social skilss. See also:
    den Haag-manga, multi mga nga mpd
    Mulkti and the computer-room
    multi and robbery of your money
    multi and sex
    MIT and the very Rich Keys.
    postmaster save deliver print 2006-06-09

    reply to this | link to this | view in chronology ]

  • identicon
    tim, 9 Jun 2006 @ 1:55am

    social engineering

    add: Stasi training and social engineering ?
    Stasi behind the banking crisis.
    Perhaps the stasi right now is listening or
    reading this. tim

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Close
Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.