<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: From the 10 Years Ago Today Department</title>
	<atom:link href="http://www.veracode.com/blog/2009/10/from-the-10-years-ago-today-department/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.veracode.com/blog/2009/10/from-the-10-years-ago-today-department/</link>
	<description>Application security testing, analysis, and metrics</description>
	<lastBuildDate>Mon, 01 Mar 2010 15:54:23 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Matthew Hackling</title>
		<link>http://www.veracode.com/blog/2009/10/from-the-10-years-ago-today-department/comment-page-1/#comment-3088</link>
		<dc:creator>Matthew Hackling</dc:creator>
		<pubDate>Fri, 02 Oct 2009 22:58:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=947#comment-3088</guid>
		<description>Hi,

I&#039;d politely disagree: things have progressed in the world of internet banking security in ten years.

I believe some European banks issue OTPs for performing transactions http://en.wikipedia.org/wiki/Transaction_authentication_number which is quite secure but does not provide protection against simple phishing attacks, which would ask the user for their username, password and next TAN.

A few of my customers here in Australia are using two-factor authentication with hard tokens to authenticate to internet banking or authenticate the transfer of funds to third parties for consumer internet banking. Swiss banks have been using two-factor for many, many years. Two-factor authentication is even required by the government in Singapore, I believe.

Some are even using SMS to a mobile phone as out-of-channel confirmation of a third-party transfer. Other institutions globally are even starting to check the security of the endpoint and determine what transactions can be processed on that endpoint from that check.

The even smarter ones delay third-party transactions and have sophisticated monitoring in place to identify suspicious transactions, resulting in no increased complexity for the customer, yet managing their losses (as banks have to wear the losses and reimburse customers for fraud).

Have you seen solutions similar to www.emue.com that are starting to enable signing of transactions from a two-factor device? Rather than authenticating access to the banking website, or authenticating execution of the third-party transfer transaction, they are authenticating the content of the transaction.

By signing the transaction from a secure offline device (i.e. providing a hash of the source account reference, destination account number and value of funds to transfer, with the seed in the token), if there is a phishing attack, man-in-the-middle, credentials compromised, etc., you will have a very strong security control.

This may even provide enough security for you to use an insecure communications channel to perform a banking transaction (e.g. Twitter).

The challenge is making a device and transaction signing method that is easy for the consumer to use and cost-effective.</description>
		<content:encoded><![CDATA[<p>Hi,</p>
<p>I&#8217;d politely disagree: things have progressed in the world of internet banking security in ten years.</p>
<p>I believe some European banks issue OTPs for performing transactions <a href="http://en.wikipedia.org/wiki/Transaction_authentication_number" rel="nofollow">http://en.wikipedia.org/wiki/Transaction_authentication_number</a> which is quite secure but does not provide protection against simple phishing attacks, which would ask the user for their username, password and next TAN.</p>
<p>A few of my customers here in Australia are using two-factor authentication with hard tokens to authenticate to internet banking or authenticate the transfer of funds to third parties for consumer internet banking. Swiss banks have been using two-factor for many, many years. Two-factor authentication is even required by the government in Singapore, I believe.</p>
<p>Some are even using SMS to a mobile phone as out-of-channel confirmation of a third-party transfer. Other institutions globally are even starting to check the security of the endpoint and determine what transactions can be processed on that endpoint from that check.</p>
<p>The even smarter ones delay third-party transactions and have sophisticated monitoring in place to identify suspicious transactions, resulting in no increased complexity for the customer, yet managing their losses (as banks have to wear the losses and reimburse customers for fraud).</p>
<p>Have you seen solutions similar to <a href="http://www.emue.com" rel="nofollow">http://www.emue.com</a> that are starting to enable signing of transactions from a two-factor device? Rather than authenticating access to the banking website, or authenticating execution of the third-party transfer transaction, they are authenticating the content of the transaction.</p>
<p>By signing the transaction from a secure offline device (i.e. providing a hash of the source account reference, destination account number and value of funds to transfer, with the seed in the token), if there is a phishing attack, man-in-the-middle, credentials compromised, etc., you will have a very strong security control.</p>
<p>This may even provide enough security for you to use an insecure communications channel to perform a banking transaction (e.g. Twitter).</p>
<p>The challenge is making a device and transaction signing method that is easy for the consumer to use and cost-effective.</p>
]]></content:encoded>
	</item>
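Added editorial example, not part of the comment above and not code from any bank or product it mentions: it contrasts the two schemes the commenter describes, a paper TAN list (the code proves possession of the list but is not bound to any transaction, so a phished "next TAN" authorises whatever the attacker submits) and transaction signing (an offline token MACs the source account, destination account and amount with its seed, so an altered destination or a replayed code fails verification). The token seed, account identifiers, amounts, counter-based replay protection and HOTP-style truncation to 8 digits are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed for this example: per-token seed shared between the customer's
# offline signing device and the bank. Not real key material.
TOKEN_SEED = bytes.fromhex("6f3a9b0c1d2e4f5a6b7c8d9e0f1a2b3c")


def canonical_transaction(source, destination, amount_cents):
    """Fixed-format encoding of the fields the customer is actually approving.
    Each field is length-prefixed so that ("12", "345") and ("123", "45")
    cannot produce the same bytes."""
    out = b""
    for field in (str(source), str(destination), str(amount_cents)):
        encoded = field.encode("ascii")
        out += len(encoded).to_bytes(2, "big") + encoded
    return out


def sign_transaction(seed, source, destination, amount_cents, counter, digits=8):
    """What the offline token computes: an HMAC over the transaction content
    plus a monotonically increasing counter (so an approved transfer cannot be
    replayed), truncated to a code the customer can type into the web page."""
    message = counter.to_bytes(8, "big") + canonical_transaction(source, destination, amount_cents)
    mac = hmac.new(seed, message, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): pick 4 bytes at an
    # offset given by the low nibble of the last byte, clear the sign bit,
    # then reduce modulo 10^digits. (Modulo is used here instead of bit masks;
    # it is equivalent for non-negative integers.)
    offset = mac[-1] % 16
    value = int.from_bytes(mac[offset:offset + 4], "big") % (2 ** 31)
    return str(value % (10 ** digits)).zfill(digits)


def verify_transaction(seed, source, destination, amount_cents, counter, code):
    """Bank side: recompute from the fields it is about to execute, not from
    whatever the browser claims the user saw."""
    expected = sign_transaction(seed, source, destination, amount_cents, counter)
    return hmac.compare_digest(expected, code)


class TanBank:
    """Paper TAN list. Any unused TAN authorises any transaction."""

    def __init__(self, tans):
        self.unused = set(tans)

    def transfer(self, source, destination, amount_cents, tan):
        if tan not in self.unused:
            return False
        self.unused.discard(tan)
        return True


class SigningBank:
    """Transaction signing. The code is only valid for the exact content signed
    and for a counter value the bank has not yet accepted."""

    def __init__(self, seed):
        self.seed = seed
        self.last_counter = -1

    def transfer(self, source, destination, amount_cents, counter, code):
        if not counter > self.last_counter:
            return False  # replay of an already-consumed counter
        if not verify_transaction(self.seed, source, destination, amount_cents, counter, code):
            return False  # destination, amount or code was altered in transit
        self.last_counter = counter
        return True


def demo():
    """Constructed scenario: a phisher or man-in-the-middle has the customer's
    credentials and captures the one code the customer enters."""
    results = {}

    # 1. TAN list: the captured "next TAN" lets the attacker move funds anywhere.
    tan_bank = TanBank(["483920", "117364", "905512"])
    captured_tan = "483920"
    results["tan_attacker_transfer"] = tan_bank.transfer(
        "AU-CUSTOMER-1", "MULE-ACCOUNT", 500_000, captured_tan)

    # 2. Transaction signing: the customer signs the transfer they intend.
    bank = SigningBank(TOKEN_SEED)
    intended = ("AU-CUSTOMER-1", "AU-PAYEE-7", 12_500)
    code = sign_transaction(TOKEN_SEED, *intended, counter=1)
    # Man in the middle swaps the destination before it reaches the bank: rejected.
    results["mitm_destination_swap"] = bank.transfer(
        "AU-CUSTOMER-1", "MULE-ACCOUNT", 12_500, 1, code)
    # The unmodified transaction is accepted.
    results["legit_transfer"] = bank.transfer(*intended, 1, code)
    # Submitting the same code and counter again is rejected.
    results["replay"] = bank.transfer(*intended, 1, code)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(name, "accepted" if accepted else "rejected")
```

The point the code makes is that the security of transaction signing depends on the bank recomputing the MAC over the fields it will actually execute, and on the customer reading those fields off a display the attacker cannot control (the offline device), not off the possibly-compromised browser. Binding the code to a counter is what stops the commenter's "insecure channel" case from degrading into a replay attack.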
	<item>
		<title>By: Rob Fuller (mubix)</title>
		<link>http://www.veracode.com/blog/2009/10/from-the-10-years-ago-today-department/comment-page-1/#comment-3087</link>
		<dc:creator>Rob Fuller (mubix)</dc:creator>
		<pubDate>Fri, 02 Oct 2009 17:44:49 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=947#comment-3087</guid>
		<description>What I think is even more amazing is that the attack performed in that video is STILL how compromise happens to this day, a simple email. It&#039;s just moved from attachments to links.</description>
		<content:encoded><![CDATA[<p>What I think is even more amazing is that the attack performed in that video is STILL how compromise happens to this day, a simple email. It&#8217;s just moved from attachments to links.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
