Sunday, June 14, 2009

Multi-Factor Authentication FTW!

Two-factor authentication is old school now; it served its purpose in its day. Banks that offer on-line banking to their customers should think beyond two factors. Why not multi-factor authentication?

The current safeguards, standards, policies and other techniques for mitigating on-line banking fraud cannot keep up with the meteoric rise of tools for committing it. A kid struck by hacking curiosity (thanks to Hollywood, of course) can simply search Google for "hacking tools download" and, voila, link after link of where to download them and how to use them. In the past you had to know how to write code and navigate a command line; today it is the age of point-and-click cracking. Thank goodness for that rich, easy-to-use graphical user interface.

As security expert Bruce Schneier recommended, banks should focus on authenticating the transaction itself rather than the identity of the individual. Identity theft is so easy to accomplish nowadays. Crackers owe MySpace, Friendster, Facebook and LinkedIn a lot: no need for serious underground data mining work when almost all the personal and private information they need is tucked inside social networking profiles. You would be amazed at how many people set their profile to public, exposing their family pictures and personal details to the world wide weird.

Focusing on authenticating the actual on-line bank transaction is indeed a better way of controlling fraud.

Below is a sample multi-factor authentication process that banks could adopt:

1. The bank provides a secure login page where the customer enters username, account number and password.
2. The bank server records the source public IP address and the client's operating system (as reported by the browser's User-Agent header), which together I will call the "on-line transaction signature". (The client's MAC address is not usable here: it never travels beyond the customer's local network segment, so the bank's server cannot observe it.) The server logs the attempt and checks the signature against that account owner's history of past logins.
3. If the public IP address is not on record, or the OS signature does not match what has been seen for that account owner, an alert goes to the bank's anti-fraud customer support agents, who call the customer on the telephone numbers on file to verify the transaction.
4. If the customer cannot be reached, the transaction is denied by default.
5. If the agent reaches the customer, the agent asks a series of challenge questions to verify the customer's identity.
6. As the customer answers, voice recognition software running in the background of the agent's telephone analyzes the customer's voice signature. The voice signature match is the safeguard against impersonation attempts.
7. If the customer answers the challenge questions correctly and passes the voice signature match, the customer is authenticated and the transaction is authorized.
8. All transaction logs, denied or authenticated, are stored on a secure server and mirrored to a hot-site server.
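The decision logic behind the process above, as an added example that is not part of the original post. It assumes (my assumptions, not the post's) that the "on-line transaction signature" is the client's public IP address plus an OS string taken from the browser's User-Agent header; that a MAC address is unavailable to the server and therefore omitted; that the challenge-question and voice-match results arrive as booleans from the anti-fraud desk; and that a signature verified by phone is remembered so the next login from it is not escalated again. All names, accounts and addresses in the scenario are constructed.

```python
"""Added example (not from the original post): a risk-based login check
modelled on the multi-step process described above.

Assumptions (mine, not the post's): the transaction signature is the
client's public IP address plus an OS string from the User-Agent header.
A client's MAC address never crosses a router, so the bank cannot see it
and it is left out. Challenge-question and voice-signature results are
supplied by the anti-fraud desk as booleans.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Signature:
    ip: str
    os: str


@dataclass
class Attempt:
    account: str
    signature: Signature
    decision: str          # "allow", "escalate" or "deny"
    reason: str
    at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class SignatureStore:
    """Per-account history of signatures seen on verified logins, plus a
    log of every attempt, allowed or denied (step 8)."""

    def __init__(self) -> None:
        self._seen: Dict[str, Set[Signature]] = {}
        self.log: List[Attempt] = []

    def remember(self, account: str, sig: Signature) -> None:
        self._seen.setdefault(account, set()).add(sig)

    def known(self, account: str, sig: Signature) -> Tuple[bool, str]:
        seen = self._seen.get(account, set())
        if sig in seen:
            return True, "signature seen before"
        if any(s.ip == sig.ip for s in seen):
            return False, "known IP but OS signature changed"
        return False, "IP address not on record for this account"

    def record(self, attempt: Attempt) -> Attempt:
        self.log.append(attempt)
        return attempt


def check_login(store: SignatureStore, account: str, sig: Signature,
                password_ok: bool) -> Attempt:
    """Steps 1-3: credentials first, then the signature check. An unknown
    signature does not fail the login; it escalates it to the fraud desk."""
    if not password_ok:
        return store.record(Attempt(account, sig, "deny", "bad credentials"))
    is_known, why = store.known(account, sig)
    return store.record(Attempt(account, sig, "allow" if is_known else "escalate", why))


def resolve_escalation(store: SignatureStore, attempt: Attempt,
                       reached: bool, answers_ok: bool, voice_ok: bool) -> Attempt:
    """Steps 4-7: the phone call. Deny by default if the customer cannot be
    reached; allow only if BOTH the challenge answers and the voice match
    pass. A verified signature is remembered (my assumption)."""
    assert attempt.decision == "escalate"
    if not reached:
        reason = "customer unreachable"
    elif not answers_ok:
        reason = "challenge questions failed"
    elif not voice_ok:
        reason = "voice signature mismatch"
    else:
        store.remember(attempt.account, attempt.signature)
        return store.record(Attempt(attempt.account, attempt.signature,
                                    "allow", "verified by phone"))
    return store.record(Attempt(attempt.account, attempt.signature, "deny", reason))


def demo() -> List[str]:
    """Constructed scenario: a login from the usual address, one from an
    unseen address verified by phone, a repeat from that address, and one
    where the caller fails the voice check. Returns the decisions."""
    store = SignatureStore()
    home = Signature("203.0.113.7", "Windows XP")     # RFC 5737 test address
    store.remember("acct-1001", home)
    out = [check_login(store, "acct-1001", home, True).decision]
    cafe = Signature("198.51.100.22", "Windows XP")
    a = check_login(store, "acct-1001", cafe, True)
    out.append(a.decision)
    out.append(resolve_escalation(store, a, True, True, True).decision)
    out.append(check_login(store, "acct-1001", cafe, True).decision)  # now known
    b = check_login(store, "acct-1001", Signature("192.0.2.9", "Linux"), True)
    out.append(resolve_escalation(store, b, True, True, False).decision)
    return out


if __name__ == "__main__":
    print(demo())   # ['allow', 'escalate', 'allow', 'allow', 'deny']
```

Note that an unknown signature is never an outright failure: it only changes which path the login takes, and every branch, including the denial for an unreachable customer, ends in the log, which is what lets the fraud desk review attempts after the fact.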

Although possible, it will be very difficult even for the smartest social engineer to get through this multi-step authentication, and the tedium alone will make them think twice. I know many of you will object that this makes on-line banking tedious, which defeats its purpose, but I'd rather spend a couple of extra minutes banking securely than opt for the fast method and leave a lot of back doors open for evil-doers.

Banks should go above and beyond in protecting their depositors' money. They should invest serious money in research and development of the latest transport layer security, cryptography and other safeguard mechanisms, and in improving their standard policies and procedures. They, not the depositors, should be liable for every on-line transaction fraud involving one of their accounts, because they have complete control of any transaction that crosses their network. All money matters should be taken seriously, no matter how small the amount. This multi-factor authentication is one serious approach to curbing the rise of on-line banking fraud.


A playground for network security enthusiasts, innovators and early adopters

Welcome to my blog, this is me thinking out loud about Voice over IP (VoIP) security, managing and optimizing converged networks, Metasploit Framework, Cloud Computing, general security and privacy concerns, grappling adventures, and tuning my MKIV VW Jetta.

All input, feedback and violent reactions are welcome.

Packet Boy Perseus
Helping spread a positive image why we hack things.

About Me

I am an InfoSec Innovator, a Blue Ocean Seafarer and a Paul Graham Pupil.