A token nod at online security

They crept up on us almost unnoticed. Small, annoying, plastic pieces of mysterious technology easily lost at the back of a drawer or the bottom of a handbag that have become ubiquitous, tediously essential bits of kit for anyone who banks online, whether at home or on the move. They are also sometimes necessary to […]

They crept up on us almost unnoticed. Small, annoying, plastic pieces of mysterious technology easily lost at the back of a drawer or the bottom of a handbag that have become ubiquitous, tediously essential bits of kit for anyone who banks online, whether at home or on the move. They are also sometimes necessary to gain access to a secure, corporate VPN or virtual private network.

Among banks, for reasons best known to the industry, their precise nature varies according to location. In the Middle East, for instance, including the UAE, they are a simple “token”, a branded device that looks a little like a calculator and asks only for a PIN before issuing an apparently random number that allows access to online accounts.

Elsewhere in the world, including the US and Europe, they are card-readers – a slightly more sophisticated version of the token, into which bank cards must be inserted to generate a one-off number.

Either way, they do nothing to improve the consumer experience. At best they are a tiresome wrinkle in what has otherwise become the extremely smooth process of online banking. Lose them, and there’s no way you can set up new payments or carry out a range of other online banking acts.

Presented as “an extra layer of protection against online fraud”, the device is in fact nothing less than a tacit admission that the digital revolution is fatally flawed. Its very existence is evidence that, for all our digital ingenuity, we have yet to figure out a way of telling if people are who they say they are online.

Surely our usernames and passwords offer sufficient reassurance to the banks? Not any more, say the banks. We need the extra security, they say (although not in so many words), because large numbers of us are stupid and gullible and give away our login details to anyone who asks for them, and the banks are fed up picking up the bill for our collective naivete.

Card readers and tokens first surfaced in the early days of online banking, during the early 2000s, and spread like wildfire among banks. Today, they are everywhere, including in the Middle East – HSBC introduced its first token device in the UAE in June 2012.

The main reason for their introduction, says Ali Imanat, e-crime fraud lead for the UK-based industry organisation Financial Fraud Action, was “to move away from using static passwords for home banking customers, because those details can be easily phished or captured using malware”.

It isn’t obvious to the average customer – or fraudster, come to that – how “dynamic”, or “two-factor authentication”, as it is known in the trade, works. When you use the device, it generates an apparently random code that then has to be entered into the bank’s website before the user can proceed.

Despite appearances, it’s not magic. Although a “dumb” device, unconnected to the internet or your computer and hence immune to e-attack, the little piece of plastic is loaded with a basic algorithm, or pre-loaded set of instructions, designed to generate a different code each time you use it. The bank’s system recognises the code spat out by the token, because it is running the same algorithm and, by counting your online transactions or according to the date and time, knows exactly which number to expect next.

So far, so good. In the early 2000s, Mr Imanat says, “this was seen as the most effective way forward in terms of improving security for customers”. The banks “recognised it was an additional hardware device and not ideal for all customers, but they believed it would have a substantial impact on improving security, which it has”.

Up to a point. The FFA has, but does not release, fraud figures for individual banks, but insists that “when you look at individual bank losses, there is a clear correlation between the introduction of two-factor authentication in about 2004-2005, and a reduction in the fraud figures”.

It was, Mr Imanat says, clear which banks had introduced the new precaution and which had not – and it was to the latter that the fraudsters turned their attention.

Overall, however, fraud has pretty much held its ground. There was a spike in the key depression year of 2008 – financial hardship makes people more desperate, and so vulnerable to cruel scams – but in 2014 fraud was costing UK banks £479 million, £40m more than in 2004.

The problem, Mr Imanat says, is that “the fraudsters have worked out methods to circumvent the use of the devices and the security they provide”.

Which isn’t to say that the portable technology has been hacked. Well, it has been hacked, but as far as anyone can tell only in a university laboratory.

In 2009, a team from Cambridge University’s computer laboratory took a peek under the hood. They emerged with a warning that while “the basic principle behind [the system] – a trusted user interface and secure cryptographic microprocessor – is sound, the system has been optimised literally to death”.

They clarified the point by quoting the late Roger Needham, a Cambridge computer scientist and security protocols expert. Optimisation, Mr Needham once said, was “the process of taking something that works and replacing it with something that almost works, but is cheaper”.

And, technology aside, there were other issues, particularly with card readers. These, Dr Steven Murdoch and his two Cambridge colleagues pointed out in a paper presented to the 2009 Financial Cryptography and Data Security conference in Barbados, could easily be stolen by muggers, along with cards. Whereas previously “muggers marched a victim to an ATM to ensure he gave them the right PIN, now criminals have a portable device that will tell them if their victim is lying”, without the risk that they will be caught on CCTV while loitering by a cash machine.

It would, they concluded, have been “easy enough for the banks to design [the system] without revealing the result of the PIN verification, but they failed to foresee the risk. In our view, this was negligent [and] placed customers in harm’s way”.

Both card reader and token also offer thieves a low-tech way of figuring out a PIN for themselves. Used often enough, the print on the rubber keys can wear down, decreasing the odds of guessing a four-number PIN in three attempts from 1 in 3,333 to 1 in 8. If the customer has several cards with the same PIN, basic maths dictates that “the attacker has even better odds”.

All well and good, Mr Imanat says. The banking sector “is aware of the findings of that paper but it’s not something that the industry is massively concerned about”.

Yes, in a lab in Cambridge you probably can break in and do all sorts of funny things, but out in the real world “we haven’t seen it happen”. For the average fraudster, cracking tokens and card readers is simply too much like hard work and, because it would have to be done for each one, “simply isn’t a scaleable solution”.

As for the charge that the industry was relying on an “optimised” (read: “compromised”) device, “banks have to balance gains in security with convenience. We could provide a solution that is 99.9 per cent secure, but we know no consumer will ever use it because it’s going to be too cumbersome and inconvenient”.

What is “sometimes overlooked in these academic papers”, he says, is that “banks have to balance making it easy for customers to go online versus how many padlocks and chains are people prepared to open before they can get to their money”.

Besides, he says, the real reason that bank fraud figures continue to climb has nothing to do with technology.

Yes, fraudsters phishing for personal details “continues to be an issue for the industry”. Amazingly, it seems there are still people out there falling in large numbers for poorly worded email appeals to click on links, supposedly sent by banks or other organisations. (One pathetic example currently doing the rounds, purportedly emanating from iTunes: “Dear Client, As a part of our security plan, Please Finished your billing informations. This actionis very locked and private. Competed now.”

It’s enough to make one miss those charming email appeals for help from all those dispossessed African princes.

But such phishing, Mr Imanat says, is “not as significant as it used to be – the introduction of two-factor authentication means capturing static passwords is pretty much useless to the criminal now”.

Indeed, phishing as a problem is now dwarfed by the issue of malware, increasingly used by fraudsters as users grow more aware, and planted on home computers or smartphones by innocent-looking attachments or links in emails. (“Click here for latest Britney Spears video”, or “Hi, have you seen these HR salaries for 2016??”)

Such implanted software lies doggo on your hard drive, springing to life and hoovering up information or even taking over your computer and doing unspeakable things whenever you visit selected target sites, such as banks.

But nothing, Mr Imanat says, compares with the rise of what he calls “social engineering, this is the biggest area of concern for us, more so even than malware”.

And what this means is that in our high-tech digital age, it is the old-fashioned conman who has the banking system on the run: “Essentially it’s a fraudster using a very clever script to dupe the customer into making payments or giving away their credentials over the phone.”

It’s the same old problem that has plagued financial transactions ever since currency was invented: a fool and his money are easily parted. “When it comes to social engineering I’ve seen some very IT-savvy, security-minded individuals duped,” Mr Imanat says.

Malware sounds scary, he says, “And it is. But it is a technical problem and so there is a technical solution. Unfortunately it is very difficult to come up with a technical fix for customers’ naivete. We have education and awareness campaigns, but at the end of the day you can’t put a piece of code into people.”

But you can put it on their smartphone. If you haven’t already lost your token or card reader, or choked it with biscuit crumbs at the bottom of your bag, don’t get too attached to it. Having argued for the invulnerability of the devices because they are not linked to any other device connected to the internet, in the escalating arms race that is online security, banks are now poised to get rid of them.

“Security technology develops,” Mr Imanat says. “The banks realised that not every customer wants to have to carry around one of these cumbersome devices.”

The solution? “They are starting to move away from hardware devices to use software versions instead, apps that generate the same code, but as a bit of software, so the customers don’t have to carry a separate device and can do it all from their mobile device.”

Brilliant. What could possibly go wrong?


Source: uae news

Leave a Reply

Your email address will not be published. Required fields are marked *