Can Technology Stop Social Engineering Tricks -- Or Does It Make It Worse?
from the questions-questions-questions dept
There's been a lot of talk in the past few weeks about new guidelines from federal officials designed to help prevent online banking fraud by requiring some form of two-factor authentication, such as a security token that changes its code every sixty seconds. At first pass, this may sound like a good idea. It helps get past the single username/password setup that is so easy to break (especially if you can get someone to cough up their password for the simplest of trinkets, or just by asking them for it). However, some are suggesting that this new plan for two-factor authentication isn't such a good one.

First of all, it will be expensive to implement. Banks will need to send customers the tokens, scratch-off cards or whatever other system they use, and they'll have to upgrade their own systems to handle it. Then, it makes life more difficult for users. Customers have to figure out how the token/card works, always carry it around with them and try not to lose it. And if the banks don't agree on a standard system, customers may be required to carry around a bunch of tokens with them at all times -- which won't be much fun.

However, the worst of it is that the scammers will adjust, so that such methods may not help very much at all. The problem is that most bank fraud is really done by social engineering: tricking people into giving up the info necessary to get into their account. So now all the scammers need to do is trick them into giving up the token/scratch card info as well, or just use a standard man-in-the-middle attack. Yes, the code may be more time-limited, but that might not matter: a code handed over and used within its window is still a valid code. In fact, the article notes that customers of a Scandinavian bank using two-factor authentication have already been scammed. What it comes down to is that most banking scams are done by social engineering -- and that's pretty difficult to stop by technological means.
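As an added illustration (not part of the Techdirt post), the Python below simulates a sixty-second time-based token of the kind the post describes, using the RFC 6238 HMAC-SHA1 construction, together with a bank-side verifier that allows one step of clock drift and refuses replays of a code already spent. It shows the post's point concretely: a code that reaches the bank within its window verifies no matter who typed it in, so the time limit narrows the social-engineering gap without closing it; the secret (the RFC 4226 sample key) and timestamps are constructed values, not any real bank's.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the post's "changes the code every sixty seconds"
DIGITS = 6


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """6-digit HMAC-SHA1 code for the time step containing unix_time (RFC 6238)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Bank-side check: accept the current step or the previous one (clock
    drift), and never accept a step at or below the last one already spent."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for candidate in range(now_step - self.drift_steps, now_step + 1):
            if candidate <= self.last_accepted_step:
                continue  # spent step: replaying the same code is refused
            expected = totp_code(self.secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


def code_lifetime_check(secret: bytes, read_at: int, delay: int) -> tuple:
    """Constructed scenario: the customer reads the token at `read_at`, but the
    code only reaches the real bank `delay` seconds later (for example after
    being typed into a look-alike page). Returns (accepted, accepted_on_replay)."""
    bank = TokenVerifier(secret)
    code = totp_code(secret, read_at)
    accepted = bank.verify(code, read_at + delay)
    replayed = bank.verify(code, read_at + delay + 1)
    return accepted, replayed
```

With the 60-second step and one step of drift, a code read at second 120 is still accepted 70 seconds later but not 130 seconds later, and a second use of the same code is always refused.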
Reader Comments
Re: No Subject Given
Which means that my internet banking is going to end up costing me even more.
I think the long-term solution to the problem is that the banks should do ABSOLUTELY NOTHING AT ALL about fraud.
If you're stupid enough to follow an email link and not notice any of the generally HUGE giveaways that suggest a scam (wrong URL, bad spelling, broken links, wrong URL, no encryption, wrong URL, you've been told a million times to NEVER follow banking links in email, etc.) then you should accept the resulting fleecing as a fine for your stupidity and a painful reminder to pay more attention in future.
If the banks want to do anything else I suggest they send their own customers a 'please verify your account' email of their own. Anyone who falls for this email should have their internet banking disabled until they attend a mandatory lecture on basic security.
Re: No Subject Given
But then in South Africa you have to pay to withdraw cash, you pay for the bank to hold your money - basically you pay for everything.
Re: No Subject Given
Of course, that assumes that you are in a place with cell phone access. There are a TON of Americans who have poor access to cell phone services of any kind.
Personally, the bank's responsibility is to make sure that security is tight so that usernames and passwords aren't given up to hackers. However, if you are dumb enough to give your username and password out, if somebody gets into your account and takes your money - then the bank should have no liability.
Shouldn't be that bad
Of course this cannot be foolproof, but hardly anything we ever develop will be foolproof. The key is only to get better at avoiding identity theft.
I don't think this is much of an inconvenience either.
Better ideas
How about first letting me choose a user name that's not my SSN or account number, or letting me use a password that's longer than 8 characters and includes characters other than letters and numbers?
Stop the FUD
Banks have options that go way beyond tokens.
Please stop the FUD.
Smart Chip
Then you could use the same ID everywhere. If that bugs you, you could carry multiple cards, or have multiple chips for your phone.
Re: Smart Chip
This is what we have done with WiKID. We use asymmetric encryption and a PIN, which gives you the ability to work across multiple servers. It also makes token distribution simple because the keys are generated on the device and then key pairs are swapped.
We have also extended the PC client to validate the SSL certificate of the site for the user, which will help prevent man-in-the-middle attacks. You can test this on the open source version which is on sf.net:
http://sourceforge.net/projects/wikid-twofactor/
Nick
Biometrics, surely?
Or even a keyboard with a chip reader. These technologies already exist, it's up to the banks to speak to the technology providers to get around this problem.
Why aren't hardware providers champing at the bit to provide banks with their own solution? I would certainly shift accounts to the first bank that offered security over and above the password/account number scenario.
Meanwhile, I can't even log onto my HSBC account using Firefox on an iMac at work. The ultimate in security........?????
social engineering
Stasi behind the banking crisis. Perhaps the Stasi right now is listening or reading this. tim