Banks 'wasting millions' on two-factor authentication
John Leyden, The Register 2005-03-15

Banks are spending millions on two-factor authentication for their customers but the approach no longer provides adequate protection against fraud or identity theft, according to Bruce Schneier, the encryption guru.

I'd hardly call even a temporary drop in fraud "wasting millions" 2005-03-15
Bruce K. Marshall (3 replies)
Yes, we must be concerned with the other avenues of attack on Web transactions. But Mr. Schneier shouldn't pretend that beefing up authentication is without merit. We have decent countermeasures to MITM and trojan attacks now. It is called SSL and anti-virus/spyware software.

What we don't hav...

I'd hardly call even a temporary drop in fraud "wasting millions" 2005-03-15
bwatson_at_nettracers.com
I disagree with a previous reply that there are solutions to MITM attacks. There are not!

Joe User has no idea how to authenticate the site that he is connecting to. Joe Geek does, and can use the available tools, but until you can have a computer independent method to authenticate the site t...

SSL 2005-03-16
Rory Alsop
Sadly SSL is not a cure for MITM attacks. There are easy to use tools available on the Internet which allow the hijacking of SSL sessions, spoofing to redirect communications, and the easiest option - exploitation of the end user's PC (by Trojan or similar): compromise of the end point removes almo...

Banks 'wasting millions' on two-factor authentication 2005-03-15
Anonymous
Security in business is a delicate balance between mitigating risk in a cost effective way. He might as well be saying that putting locks on doors is a "waste of millions" because locks can be picked or brute forced. Two-factor authentication is a huge step forward in internet security - and mitig...

Banks 'wasting millions' on two-factor authentication 2005-03-15
Comic Book Guy
So...two-factor is a waste of money because it does not defend against attack vectors it was not intended to defend against? What is the solution, oh Great Bruce? Should our banks pay for the under-educated/under-protected users to secure their home PCs against malware?

Best Quote Ever: "Two-factor ...

Banks 'wasting millions' on two-factor authentication 2005-03-15
Anonymous
Schneier is talking apples and oranges. He's saying that you shouldn't replace your doors' cheap locks with deadbolts because your windows are still vulnerable. The answer is to upgrade the locks and also try to better secure the windows....

Banks 'wasting millions' on two-factor authentication 2005-03-15
Lavid Detterman
The Top Ten Attacks Two-Factor Authentication does not protect against

10. Armed Robbery
9. Grand Theft Auto
8. The atomic elbow drop
7. Wedgies
6. Atomic Wedgies
5. GI Joe's Kung-Fu Grip
4. Sunday Drivers
3. SPAM
2. Forum Trolls

... and the number one Attack Two-Factor Authentication does...

Banks 'wasting millions' on two-factor authentication 2005-03-15
Anonymous
This is not a rational position. It would be irrational to claim that multi-factor authentication is a panacea. If that is what the banks deploying two-factor authentication are claiming, they are going to face civil suits in the future.

But to say the money is wasted is nonsense. When the first ...

Don't we all have one of these guys at work? 2005-03-15
Anonymous
No matter what they did he'd be on them for not doing enough/doing the wrong thing. We should applaud banks for taking a significant (and expensive) measure to mitigate some of their more glaring vulnerabilities.

Couldn't we say that Schneier is wasting space since we could easily fit millions in...

There is no solution though 2005-03-15
Anonymous
The problem is that identity standards enforcement is easy to bypass.

For example, I could spoof an SSL website for a bank and even with an SSL security warning, probably 75% of people accessing the site would ignore the warning and continue anyway. How do you prevent that?

The average Jane...

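Several posters above (bwatson, Rory Alsop and the "no solution" post) argue that a token does not help when the user cannot authenticate the site he is talking to. The toy model below is an added example, not code from the article or from any poster: it shows that a single-use, time-limited code does stop replay of captured credentials, that a relay which forwards them immediately still logs in, and that only the client's check of the server identity (the "Joe Geek" behaviour) blocks the relay. All names, fingerprints and secrets in it are constructed.

```python
"""Toy model: one-time-password login versus a real-time relay (MITM).
Added example, not from the article or any poster; a constructed in-memory
stand-in with no network, no real bank protocol and made-up fingerprints."""

import hashlib
import hmac

BANK_FINGERPRINT = "sha256:bank.example-constructed"  # stand-in for the bank's certificate fingerprint
TOKEN_SEED = b"constructed-token-seed"                # shared secret inside the user's hard token
PASSWORD = "hunter2"                                  # constructed static password

def otp(step):
    """Six-digit one-time code for a time step (HOTP-style: HMAC over the counter)."""
    mac = hmac.new(TOKEN_SEED, step.to_bytes(8, "big", signed=True), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

class Bank:
    """Accepts password + OTP for the current or previous step; every code is single-use."""
    fingerprint = BANK_FINGERPRINT

    def __init__(self):
        self.used_codes = set()

    def login(self, password, code, step):
        fresh = any(hmac.compare_digest(code, otp(s)) for s in (step, step - 1))
        ok = hmac.compare_digest(password, PASSWORD) and fresh and code not in self.used_codes
        if ok:
            self.used_codes.add(code)
        return ok

class Relay:
    """Man-in-the-middle: presents its own identity and forwards the credentials at once,
    so the OTP is still inside its validity window when it reaches the real bank."""
    fingerprint = "sha256:relay-constructed"

    def __init__(self, bank):
        self.bank = bank

    def login(self, password, code, step):
        return self.bank.login(password, code, step)

def client_login(server, step, verify_server):
    """Joe Geek (verify_server=True) checks the server identity before sending anything;
    Joe User (verify_server=False) clicks through the warning and sends password + OTP."""
    if verify_server and server.fingerprint != BANK_FINGERPRINT:
        return "refused: server identity mismatch"
    return "accepted" if server.login(PASSWORD, otp(step), step) else "rejected"
```

The replay case is what the token buys the bank; the relay case is the gap the article is about, and it closes only when the identity check on the client side is actually performed.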
Banks 'wasting millions' on two-factor authentication 2005-03-15
Anonymous
Don't forget Schneier said two-factor authentication mitigated risk and it wasn't useless. I think the point he was trying to make was that you shouldn't start implementing old technology for new threats and expect that to fix the problem. We need new solutions....

Banks 'wasting millions' on two-factor authentication 2005-03-16
Anonymous
Does SSL VPN compensate for the risks mentioned by the author? ...

Banks 'wasting millions' on two-factor authentication 2005-03-16
Marcus Augustus
Well, Mr. Schneier is of course correct on the methods he quotes to defeat two-factor authentication. But money spent on two-factor authentication clearly isn't wasted, since for day-to-day use it's clearly more secure than passwords.

Weak point about the article: Mr. Schneier doesn't propose any (be...

Banks 'wasting millions' on two-factor authentication 2005-03-16
LiquidBrain
Actually, I think that what was written is true. Instead of involving new authentication methods, they should educate their users. Because users use the same password for all services they use. So you can put in two-factor authentication, but users will still use the same and probably known password, so the...

Banks 'wasting millions' on two-factor authentication 2005-03-16
Anonymos
I have great respect for Mr. Schneier. However, I fear his remarks as quoted in this article disappointingly lack in mindfulness.

Should we not use any security for any data then? That'll save a googol of money for the corporations!

The customers still have some rights to privacy, and the ...

Banks 'wasting millions' on two-factor authentication 2005-03-16
Anonymos
Mr. Schneier's comments as quoted seem limited.

Two-factor authentication only addresses one technical aspect of/benefit to information security.

There is still a pressing need for corporations to step up their business controls alongside upgrades to their use of various information security ...

Banks 'wasting millions' on two-factor authentication 2005-03-16
Anonymous
Why don't banks develop and distribute an application to their customers for making the connection?

Avoid IE altogether

Avoid http altogether

Enforce client server identification through whatever method they choose

Enforce encryption through whatever method they choose

Could it be they want...

so called "expert" 2005-03-16
Anonymous (1 replies)
Where do they get these so called experts? The criteria for being an "encryption guru" must not be very difficult....

Re: so called "expert" 2005-11-18
twofish
http://en.wikipedia.org/wiki/Bruce_Schneier

don't you research before you post?...

Banks 'wasting millions' on two-factor authentication 2005-03-16
Anonymous
Bruce didn't mention issues with two-factor authentication... he only mentioned other vulnerabilities that can be used to compromise the process. I don't understand how he fell into the old mindset that we've all fought against at some point:

"Of course we're secure... we have a firewall."

Wh...

Banks 'wasting millions' on two-factor authentication 2005-03-16
Anonymous
So, basically what you're saying is: hackers will always get us, so we should just sit around and do nothing about it. That is just ignorant....

Banks 'wasting millions' on two-factor authentication 2005-03-16
Scott, posted by Fred
It sounds like Bruce is saying that due diligence (such as hard tokens) is not worth the expense or effort simply because it will not keep out a determined intruder? Why do we bother putting fences around secured buildings - it will most certainly not stop a determined intruder, he will simply clim...

Banks 'wasting millions' on two-factor authentication 2005-03-16
Anonymous
And since the doors are the most obvious entrance to your home, it is logical to start there and work on the windows next....

Banks 'wasting millions' on two-factor authentication 2005-03-16
Anonymous
The name of the game is 'keep playing'. This attacker and defender game has been going on ever since man has been man, and it will go on forever. Safe builders, safe crackers. We have to keep going....

It's too late.... 2005-03-16
en0k
He's right, this should have been done 10 years ago when it was relevant. What's the use of adding a deadbolt lock to your front door when there's nothing stopping me from coming in the back door? This won't make much of a difference to criminal hackers. The tactics that are used today would already ...

Banks 'wasting millions' on two-factor authentication - Holy Grail 2005-03-16
Anymouse
Oh Bruce Almighty, how the mighty have fallen. I guess there really is a Holy Grail out there:

Turn off the Internet and we won't have to worry about it!

Oh wait, there are still bank robbers physically entering the banks and highwaymen attacking "users" at ATMs and in parking lots. I guess we ...

Banks 'wasting millions' on two-factor authentication 2005-03-16
Anonymous
Is it a coincidence that Counterpane, the company founded by Bruce Schneier, offers a managed security service and security consulting to banks, which would be far less attractive for a bank which has implemented two factor authentication?

Mr. Schneier has also personally designed a password stor...

Banks 'wasting millions' on two-factor authentication 2005-03-17
lovebug.org
I would tend to have to agree with some of the previous posts. I really do not see why two-factor authentication is useless when this article is about people who simply supply a username and password. There is no two-factor authentication occurring.

However, even with two-factor authentication i...

Copyright 2009, SecurityFocus