Tuesday, March 07, 2006

Is dongle still just a silly word?

.. or is two factor authentication the coming saviour for security in online banking?

Alliance and Leicester is set to roll out two-factor authentication to its internet banking customers. Two-factor authentication usually couples a password with some kind of device that generates a second passphrase. The idea is that this makes it harder for fraudsters to steal both passwords and is therefore more secure than traditional methods of internet banking.

Bruce Schneier disagrees.

"The problem with passwords is that they're too easy to lose control of. People give them to other people. People write them down, and other people read them. ...
Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.

These tokens have been around for at least two decades, but it's only recently that they have gotten mass-market attention. AOL is rolling them out. Some banks are issuing them to customers, and even more are talking about doing it. It seems that corporations are finally waking up to the fact that passwords don't provide adequate security, and are hoping that two-factor authentication will fix their problems.

Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses."

So, as Schneier says, imagine a customer is duped by a phishing email and website. He types in his password and he plugs in his dongle to generate a one-time authentication code. As now, the site harvests both and logs in as him at the real site. How are we any further on? For a short while phishers may switch their attention to the old password-only sites as easier to crack, but that's just a blip until everyone has gone two-factor. The same problem arises if a Trojan is sitting on your hard disc harvesting everything you type in or send to a login on a site.
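To make the timing concrete, here is an added simulation, not code from the post or from any bank's system, of an RFC 6238-style time-based code: the shared secret, the timestamp and the 30-second step are constructed assumptions. It shows that a verifier with the usual one-step clock-skew allowance accepts a harvested code relayed within seconds, while the same code is rejected ten minutes later, which is the "won't be good the next time it's needed" property Schneier describes.

```python
import hmac
import hashlib
import struct

STEP = 30        # seconds per code, as in RFC 6238 TOTP
DIGITS = 6
SECRET = b"constructed-shared-secret-for-demo"   # constructed demo value, not a real key
T0 = 1_141_689_600                                 # constructed: 2006-03-07 00:00:00 UTC


def otp_at(secret: bytes, t: int) -> str:
    """HOTP-style 6-digit code for the 30-second step that contains time t."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class Verifier:
    """Bank-side check: accept the code for the current step or one adjacent step,
    the tolerance most deployments allow for token/server clock drift."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps

    def accept(self, code: str, now: int) -> bool:
        for k in range(-self.skew, self.skew + 1):
            if hmac.compare_digest(otp_at(self.secret, now + k * STEP), code):
                return True
        return False


def relay_scenario(secret: bytes = SECRET, t0: int = T0) -> dict:
    """The post's scenario: the victim types a code into a phishing page at t0 and the
    phisher forwards it to the real bank. Returns whether the bank accepts it at each delay."""
    bank = Verifier(secret)
    harvested = otp_at(secret, t0)
    return {
        "relayed_5s": bank.accept(harvested, t0 + 5),      # forwarded almost at once
        "relayed_45s": bank.accept(harvested, t0 + 45),    # next step, still inside skew window
        "replayed_600s": bank.accept(harvested, t0 + 600), # ten minutes later: stale code
    }
```

The first two results are True and the last is False: a time window limits replay, but it does nothing against a relay that completes inside that window, which is exactly the gap the paragraph above describes.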

Back to the dongle board, folks..

1 comment:

Andrew Ducker said...

He's being facile. Yes, they have your login _at that moment_. But taking control of your machine and transferring money when you're actively staring at it would be bloody obvious. And they can't use your account 5 minutes later, when you aren't staring at it, because your password will have changed.

So yes, there are undoubtedly avenues of attack, but the whole thing's made much harder by two-factor authentication.