Monday 17 December 2007

New Moves in Authentication

I noticed that Barclays are starting to deploy a two factor \ one time password authentication mechanism for online banking called PINSentry. It's an interesting step that should make it pretty hard to launch brute force attacks against consumer banking accounts but it is no better at defeating man in the middle attacks than any of their previous mechanisms. I've made the point before and will make it again - without full mutual authentication using very strong authentication protocols the whole online banking and payment system remains fragile.

This is significantly better than Verified by Visa for example which still leaves me scratching my head as to its usefulness to me (as a card holder). When paying using VbV you first enter all of your card details onto the vendors website - they now can take as much out of your account as they please and if they are stupid ( like these people ) they will not protect those details so that criminals can steal them and use them to steal from you at a later date. After the vendor has been given all of the sensitive data that you might like to protect they then ask Visa to authorize payment and at that point Visa force you to go through an entirely unnecessary (for you) authentication mechanism. This authentication step protects the transaction between the Vendor and Visa so both of those parties benefit from getting you to do this but since you have already given the vendor all of your details you remain exposed to the risk of fraud. In fact as far as I can tell the only difference that VbV makes to a card holder is that it will be very difficult to challenge a payment that has been authorized through VbV - bear that in mind when you choose a password for it.

To be fair to Visa and Barclays though they are making some attempts to move forward and it is very,very hard to implement change in the area of consumer payment schemes.

All is not bleak however. A couple of us in Intel had a patent idea declined last year that was almost identical to this juicy bit of news. F-Secure's recent report from the Information Security Forum's 2007 conference in Cape Town discussed a demonstration by Jolyon Clulow from Deloitte of a new class of banking card that includes an embedded keypad so that the user authentication process can occur within the (user) controlled card's physical enclosure.


It's not clear yet whether this new card will be part of the foundation of a properly mutually authenticated system where individual transactions get the sort of unique authentication that I believe we need in order to make these systems sufficiently robust but it definitely takes one of the steps that must happen before we get there. If nothing else cards of this type can dramatically reduce the risk of card skimming type attacks, well they will provided certain back ward compatibility risks are managed effectively by the banks. It's no good implementing chip and pin here in Ireland if a skimmed copy of my cards magnetic strip or card number can be used by a thief in Bali without being challenged (for example).

The end state that I want to see will need card readers for this type of card present in all types of device where we wish to carry out online authorization's. This sort of thing is not limited to banking either but at least with banking there is a good commercial reason to do it now, once it's in place the banks can start to earn some less grubby revenue by selling trust services to consumers.

All of these things could deftly link into the OpenID, InfoCard or CardSpace structures that are being built out at the moment. OpenID's big gap is that it still relies on passwords in almost all its implementations. CardSpace's big problem is that it is locked into the core Windows OS architecture(s), although that does give it some significant anti-tampering strength, and the other InfoCards suffer because they are pure software only credential stores sitting on effectively untrustworthy hardware and operating systems. All of these systems could benefit hugely from being able to delegate interactive user authentication to a compact hardware token that is extremely hard to compromise.

No comments: