Wednesday, November 14, 2007

MFA security controls and their adequacy to mitigate financial fraud and identity theft

The FFIEC compliance for authentication in the banking environment guideline, states that single factor authentication is not adequate to secure high risk banking transactions such as the ones involving the transfer of funds and dealing with customer sensitive information (e.g. PII, Account Numbers etc). To comply with this guidance (that was EOY 2006) most banks implemented custom based authentication solutions on top of typical credentials authentication (username and password) such as One Time Password (OTP) tokens (e.g. Secure IDs), challenge/responses questions based on shared secrets and risk based authentication solutions (e.g. Cyota). Unfortunately, the fact of the matter is that most of these MFA banking solutions have not being implemented with the real intent of the FFIEC mandate to banks that is perform a risk analysis, identify the financial transactions that are at high risk, evaluate how effective are the security controls to mitigate threats and implement a security solution that is not necessarily a MFA control but can also be multi-layered security mechanism.

There is evidence from publicly available research that most MFA solutions are still vulnerable to fraud via phishing and MiTM (Man In The Middle) attacks, a proof that in the trade-off between FFIEC compliance, usability and security, security did not become the main outcome of the implementation.

In the case of SiteKey (i.e. PassMark Security ® (now RSA ®, the security division of EMC ®)authentication technology used as MFA (Multi-Factor Authentication) for on-line banking sites such as Bank of America and other banks ( Vanguard and Pentagon Federal Credit Union) several fraud vulnerabilities have been indentified. In particular SiteKey is not a sufficient deterrent to phishing ot other online frauds: http://cr-labs.com/publications/SiteKey-20060718.pdf

On SiteKey Technology specifically, Christopher Soghoian and Prof. Markus Jakobsson, both with the Stop-Phishing Research Group at Indiana University presented a demonstration of a "man in the middle attack" against it: http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html

Back in July 2006, Ravi Ganesan CEO of TriCipher was interviewed by Martin McKeay on the MiTM web proxy attacks to MFA http://media.libsyn.com/media/mckeay/nsp-072506-ep36.mp3. In the podcast Ravi explains how easy was to replicate the attack and pointed out that all token based MFA solutions such as RSA tokens, cookies, challenge response/risk based authentication with device fingerprinting, IP address and geolocation, scratch pad OTPs. were vulnerable to this class of attacks. Especially in the case of MFA that use geolocations and device fingerprinting, Ravi made the clear point that such countermeasures are not effective to mitigate phishing attacks that use botnets in different locations and are re-routed from different proxies. Also, when using cookies for authenticating (recognizing) the machine the mechanism of registering the cookie based upon a user correct answer to a challenge question was also proved to be exposed to phishing: the phisher will send a message to the victim user to provide the answer to the challenge question because the machine could not be recognized.

The main problem is probably that these MFA solutions were implemented to buy a checkmark from a FFIEC auditors and quickly adopted in a rush to comply with the 2006 EOY FFIEC deadline. Now, two years later we wonder why these MFA controls are not actually mitigating the identity theft and financial fraud that were supposed to prevent.

Nowdays there is a need of a viable MFA control that provides a good compromise between (1) cost, (2) usability and least and but last (3) security. I would not be surprised if in light of the growing identity theft and fraud threats we saw in 2007 some and the high Total Cost of Ownership (TCO) to keep these vulnerable MFA technologies, some banks will implement cheaper and more threat mitigation effective MFA controls.

2 comments:

mangelinovich said...

“As for today, on my humble opinion, I do not think we have an optimal MFA solution that both mitigates identity theft and fraud threats and provides a good compromise between (1) compliance, (2) usability and least and but last (3) security.”

You may have been correct at the time you wrote this but it is Not True now. Check out SoundPass running at all Anheuser-Busch Employees' Credit Union branches nation wide.

"OHVA's SoundPass is a cutting edge solution. We feel it offers our members the highest level of security available."
- David Gray, Manager, Electronic Services, Anheuser-Busch Employees' Credit Union and Division

trustedconsultant said...

Indeed, I have corrected my post not to be so absolute: there may be optimal MFA solutions being implemented right now. In any case the judgment call I think should come from the threat analyst, the CSO and the end user of the MFA.