Melvin, XiangYun, BengYan, JieHua, Joanna

Topic: Discuss the usage of 2-Factor Authentication in the banking industry.

Contents:

  1. What is Two-Factor Authentication?
  2. Advantages of 2FA
  3. Usage of 2FA in Asian Banks and Their Choices
  4. Failure of Two-factor Authentication
  5. Threats against Two-factor Authentication Systems
  6. Best Practices for Using Two-factor Authentication
  7. Types of 2FA
  8. Conclusion
  9. Citations

1. What is Two-Factor Authentication?


Human authentication factors are generally classified into three cases:
  • Something the user has (e.g., ID card, security token, software token, phone, or cell phone)
  • Something the user knows (e.g., a password, pass phrase, or personal identification number (PIN))
  • Something the user is or does (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature or voice recognition, unique bio-electric signals, or another biometric identifier)
Often a combination of methods is used, e.g., a bankcard and a PIN, in which case the term two-factor authentication (or multi-factor authentication) is used. In 2006, several scientists at RSA Laboratories published a paper exploring social networking as a fourth factor of human authentication.

  • An authentication factor is a piece of information and a process used to authenticate or verify a person's identity for security purposes.
  • Two-factor authentication is a system wherein two different methods are used to authenticate. Using two factors as opposed to one delivers a higher level of authentication assurance.
2. Advantage of 2FA:


  • Offering strong authentication at low hardware cost
Implementation could be done through a USB card reader for smartcard authentication, a fingerprint scanner for biometric authentication, a user's personal phone for one-time password authentication or a portable pseudo-random generator the size of a keychain.
  • Dynamism of the second, pseudo-randomly generated key
This acts as a deterrent against key logging and dictionary attacks, since the second random password is much more difficult to guess than the first static password known by the user. Furthermore, since the second key is usually generated by a device held by the user, it relieves the burden of remembering an extra key.
  • Strengthening customers' confidence
2FA has boosted banking customers' level of confidence in online banking.
  • Reducing the window of opportunity
Phishing attacks with the aim of collecting user credentials are viable today because the data collected from users can be used for an extended period of time. With static passwords the window of opportunity is wide open. A second factor of authentication can narrow this window and render any collected data useless.
  • Eliminating passive attacks
Passive attacks are semi-automatic at best. The data may be collected automatically, but it is processed manually by a fraudster. Implementing a two-factor authentication method, which minimizes the window of opportunity, can eliminate passive attacks, as the stolen credentials are only valid for a short period of time. Another benefit of two-factor authentication is that stolen data is only valid for a single use and cannot be used for repeated access.
  • Mitigating the risk of active attacks
Using the right two-factor authentication solution can not only eliminate passive attacks but also contain and limit the damage from an active attack. It is true that an attacker who compromises a user's system or uses a man-in-the-middle (MITM) attack can let the user pass the security checks and then exploit their account. However, two-factor authentication with signing capability can prevent the attacker from achieving any financial benefit, since the transaction amounts and destinations can be digitally signed and will be of no use to the attacker.
  • Increasing the cost of committing fraud
Most criminals are in the business of maximizing gains while minimizing cost; increase their cost and minimize their gain and they will suddenly lose interest in your assets. Implementing two-factor authentication will make it harder for fraudsters, as they will have to shift to more expensive active attacks. Two-factor authentication also reduces their gain, as it shrinks the window of opportunity.

The implementation is simple in most cases. A one-time password is one of the ways in which 2FA can be implemented. This solution is cheap, since the random pass key is sent to the user's mobile phone via SMS. However, other methods, such as generating keys with a pseudo-random number generator, smartcards and biometrics, may require a higher level of cryptographic knowledge and technology to prevent tampering and man-in-the-middle attacks.
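The "signing capability" mentioned above is what turns a one-time code from a login credential into a transaction authorisation. The following example, written for this page and not taken from any bank or vendor, shows a hypothetical scheme in which the code is an HMAC over the amount, the destination account and a bank-issued challenge. The secret, the account identifiers and the `BankServer` class are all constructed for illustration. It demonstrates that a code the customer computed for the transfer they intended is rejected when a man-in-the-middle substitutes the destination, and that a captured code cannot be replayed because the challenge is consumed on first use.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed shared secret for the example only. In a real deployment it is
# provisioned into the customer's signing token and held in the bank's HSM.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def sign_transaction(secret: bytes, amount_cents: int, destination: str,
                     challenge: str, digits: int = 8) -> str:
    """Transaction-bound one-time code (hypothetical scheme for this example).

    The code is an HMAC-SHA256 over amount, destination account and a
    bank-issued challenge, truncated to `digits` decimal digits. Changing any
    field changes the code, so a code captured for one transfer is useless
    for a transfer with a different amount or destination.
    """
    message = f"{amount_cents}|{destination}|{challenge}".encode()
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class PendingTransfer:
    amount_cents: int
    destination: str
    challenge: str


class BankServer:
    """Bank side: issues a fresh challenge per transfer and verifies the signed code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}          # challenge -> PendingTransfer

    def start_transfer(self, amount_cents: int, destination: str) -> PendingTransfer:
        t = PendingTransfer(amount_cents, destination, secrets.token_hex(8))
        self.pending[t.challenge] = t
        return t

    def complete_transfer(self, challenge: str, code: str) -> bool:
        # The challenge is consumed on first use, so a captured code cannot be replayed.
        t = self.pending.pop(challenge, None)
        if t is None:
            return False
        expected = sign_transaction(self.secret, t.amount_cents, t.destination, challenge)
        return hmac.compare_digest(expected, code)


def legitimate_transfer(bank: BankServer) -> bool:
    """Customer submits a transfer; the token signs exactly what the bank registered."""
    t = bank.start_transfer(25000, "SG-ACCT-000123")       # constructed account id
    code = sign_transaction(SHARED_SECRET, t.amount_cents, t.destination, t.challenge)
    return bank.complete_transfer(t.challenge, code)


def mitm_altered_destination(bank: BankServer) -> bool:
    """Model of the MITM described on this page: the relay swaps the destination
    the bank sees, but the customer's token signs the destination the customer
    keyed in, so the two codes differ and the bank rejects the transfer."""
    intended_destination = "SG-ACCT-000123"
    t = bank.start_transfer(25000, "SUBSTITUTED-ACCT")    # what the bank actually receives
    code = sign_transaction(SHARED_SECRET, t.amount_cents, intended_destination, t.challenge)
    return bank.complete_transfer(t.challenge, code)


def replayed_code(bank: BankServer) -> bool:
    """A code captured from a completed transfer is presented a second time."""
    t = bank.start_transfer(5000, "SG-ACCT-000999")       # constructed account id
    code = sign_transaction(SHARED_SECRET, t.amount_cents, t.destination, t.challenge)
    bank.complete_transfer(t.challenge, code)              # first use succeeds
    return bank.complete_transfer(t.challenge, code)       # second use is rejected


if __name__ == "__main__":
    bank = BankServer(SHARED_SECRET)
    print("legitimate transfer accepted:", legitimate_transfer(bank))
    print("altered destination accepted:", mitm_altered_destination(bank))
    print("replayed code accepted:", replayed_code(bank))
```

The design point is that the customer must see, and key into the token, the amount and destination that the bank will act on; a token that only displays a time-based code cannot give this protection, because the code says nothing about which transaction it authorises.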

3. Usage of 2FA in Asian Banks and their 2FA choices:

    • DBS - Hardware token
    • CitiBank - SMS or hardware token in Singapore; SMS only in Hong Kong
    • OCBC Bank - The only Singapore bank to offer three types: SMS, mobile phone and hardware token. Only SMS and hardware token are offered in Malaysia.
    • Standard Chartered - SMS is the bank's global 2FA solution
    • UBS - Hardware token for private clients; digital certificates for institutional clients
    • UOB - SMS and hardware token
4. Failure of Two-factor Authentication

Two-factor authentication also has its limitations. It is not going to secure online accounts from fraudulent transactions. The problem with passwords is that they are too easy to lose control of: people can give their password to another person. People write them down, and other people read them. They can also be easily guessed. Once any of this happens, the password no longer serves as an authentication token, because you cannot be sure who is typing the password.

Furthermore, 2FA could still be defeated by Trojan horses and phishing attacks, according to Bruce Schneier, a renowned cryptographer and the chief technology officer of the network protection company Counterpane Internet Security.

5. Threats against Two-factor Authentication systems

Today's threats are more active compared to the last two decades, when threats were all passive, for example eavesdropping and offline password guessing. Below are the two new active attacks we are starting to see:

  • Man-in-the-Middle attack:
An attacker puts up a fake bank website and entices users to that website. The user types in his password, and the attacker in turn uses it to access the bank's real website. If it is done correctly, the user will never realize that he is not at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.

  • Trojan attack:
The attacker gets a Trojan installed on the user's computer. When the user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transactions he wants.
  • Passive attacks
The class of attacks where stolen credentials are stored and processed at a later time. Passive attacks can be offline or online.

Offline attacks are selective and targeted thefts of credentials by fraudsters who have direct access to a user's assets. An individual with access to the victim's computer can easily install a key logger or a malware application to collect data from the unsuspecting user.
Offline attacks have a limited scope and are low-yield.
Offline attacks are the simplest form of credential theft. They do not require any technical expertise, nor do they incur any cost. Users can fall victim to such an attack simply because they write down their passwords or store them unencrypted in some conspicuously named file on a local hard disk. A recent study suggests that in 50% of identity theft cases where the perpetrator is known, the fraud is committed by someone close to the victim. In other words, a large portion of fraud is committed by people with direct access to their victims' assets.

Online attacks are random thefts of credentials. The attacker targets a large number of users over the Internet, in the hope of exploiting vulnerable systems or taking advantage of naive users, to steal credentials.
This type of attack is comparatively high-yield; returns of up to 3% have been reported. The most common type of online attack is phishing.
There is a cost associated with staging an online attack: acquiring email lists, personal data, lists of vulnerable computers for hosting counterfeit sites and even custom development of crimeware.
Depending on the sophistication of an online attack, the fraudster requires medium to high technical expertise.

Phishing, a method commonly used by fraudsters in recent years, is an example of a passive attack. The combination 'ph' is a common substitute for 'f' in hacking circles. The term phishing comes from the analogy that hackers fish for user credentials on the Internet by putting bait in front of users to lure them into a trap. The bait is usually an innocent-looking email with a cover story to convince users to visit a counterfeit website and divulge credentials and personal information. To date, phishing scams have been passive, largely because harvested data can be used at a later time. This may change in the future as two-factor authentication becomes more prevalent and the window of opportunity for exploiting harvested data shrinks.

6. Best practice of using Two-factor Authentication.

The best practice for two-factor authentication is the one-time password (OTP). There are two strategies for successfully and securely implementing OTP tokens: the architecture of the token implementation and the physical security of the tokens themselves.

In terms of architecture, the first consideration is placement of the token in your system. The most secure use of OTP tokens is for logging in to workstations locally or for accessing an internal network behind a firewall. In an internal network, where all servers are monitored (unlike the open Internet) an MITM attack isn't as likely. But that isn't much help for putting an OTP on a customer-facing Web site, which is the point of the FFIEC guidance. Therefore, a good approach for Web sites is to use Secure Sockets Layer (SSL) for the login page where the OTP value is entered instead of only for the following transaction pages. This encrypts all credentials – both the user ID and password, and the OTP's PIN – from the beginning. Login pages of some Web sites that use plain HTTP may pass credentials openly unencrypted over the Internet, where they can be sniffed.

But SSL itself can't stop a man-in-the-middle attack. SSL with mutual authentication enabled can provide some protection since both the server and client exchange certificates, preventing the type of server spoofing needed for MITM attacks. Design your site with the latest version of SSL that has mutual authentication.
Tokens are also vulnerable to theft, which is why their physical security is equally important for a secure implementation. If tokens are stolen en route to customers along with the user's other login credentials, they're as good as compromised. The following are some tips for physically securing one-time password tokens:

  • Don't put any identifying marks either on the tokens or on the packaging used to send them to customers. Although attractive as a low-cost small marketing tool, they're also a road sign to thieves, hackers and other malicious users. Company logos and names should be kept on other marketing materials, not on tokens.
  • Carefully inventory all token shipments and provide central warehousing for each locality. Keep records of all tokens shipped from the manufacturer with complete lists of all serial numbers. Any missing ranges of serial numbers should be reported to the manufacturer and deactivated.
  • Choose the appropriate token for the level of risk of the transaction. Vasco, one of the major token providers, has tokens for different types of transactions, going beyond the simple key fob that generates PINs. They have models resembling pocket calculators with key pads that require a code to be entered just to unlock the display with the PIN.
  • Design your system to require a code that has to be appended to the PIN displayed on the OTP. The combined longer number is both unique and harder to crack than the OTP value by itself. Along the same lines, configure longer OTP values, in general. An eight-digit PIN is harder to crack than a six-digit one.
  • Keep the time window for displaying the PIN as short as is conveniently possible for your customers. It's harder to steal a PIN in 30 seconds than 60.
  • Tokens should only be activated once they're in the hands of an existing customer already registered with your Web site. For even tighter physical control – though a bit extreme – only allow customers to pick up tokens in person at the bank, or a branch. Provide either an online help system, or a customer service number, for customers to call with issues or to deactivate suspicious tokens.
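Three of the tips above (a second-factor code that is only valid for a single use, longer OTP values, and a short time window) can be checked concretely with a small verifier. The example below is added here and is not code from the original page or from any token vendor; it implements the HOTP/TOTP construction of RFC 4226 and RFC 6238 (HMAC-SHA1 with dynamic truncation), which is what most time-based keyfob and phone tokens use. The `OtpVerifier` class, its `drift_steps` parameter and the `guess_odds` helper are assumptions of this example, and the secret is the published RFC test secret, not a real key.

```python
import hmac
import hashlib
import struct
import time
from fractions import Fraction


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226 construction, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of elapsed time steps."""
    return hotp(secret, int(at_time) // step, digits)


class OtpVerifier:
    """Server-side check that accepts each code at most once (single use).

    `drift_steps` is how many time steps of clock skew are tolerated on either
    side of the current step; together with `step` it sets the real window in
    which a stolen code remains usable.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.used_counters = set()       # counters whose code has already been accepted

    def verify(self, code: str, now: int) -> bool:
        counter = int(now) // self.step
        # Forget counters that can no longer be presented, so the set stays small.
        self.used_counters = {c for c in self.used_counters
                              if c >= counter - self.drift_steps}
        for c in range(counter - self.drift_steps, counter + self.drift_steps + 1):
            if c in self.used_counters:
                continue                 # a code already consumed is a replay
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.used_counters.add(c)
                return True
        return False

    def guess_odds(self) -> Fraction:
        """Probability that a single random guess is accepted: the number of
        codes currently valid divided by the size of the code space. Longer
        codes and a narrower window both shrink this."""
        return Fraction(2 * self.drift_steps + 1, 10 ** self.digits)


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); not a real key.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = OtpVerifier(TEST_SECRET, step=30, digits=8, drift_steps=1)
    now = int(time.time())
    code = totp(TEST_SECRET, now, step=30, digits=8)
    print("fresh code accepted:", verifier.verify(code, now))
    print("same code replayed:", verifier.verify(code, now + 5))
    print("guess odds, 8 digits, +/-1 step:", verifier.guess_odds())
    print("guess odds, 6 digits, +/-1 step:",
          OtpVerifier(TEST_SECRET, digits=6).guess_odds())
```

The replay check is what makes the "single use" claim true in practice: without `used_counters`, a code sniffed from an unencrypted login page would still work for the rest of its time step. `guess_odds` also makes the page's advice measurable: going from six to eight digits divides an attacker's chance per guess by 100, and accepting only the current step instead of three steps divides it by a further three.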

7. Types of 2FA:

  • Smartcards
Smartcard based systems use a credit-card sized card with an onboard microprocessor. The card is inserted into a reader and a password or PIN entered to gain access to data on the card, which is transmitted to the authentication server to confirm that the card is physically present.


  • USB tokens
USB tokens are plastic capsules around 7cm long, which are normally designed to be carried on a keyring. The token is plugged into a USB port on the access device, and operates in the same way as a smartcard.


  • Electronic “authenticators”
Authenticators normally take the form of “keyfob” tokens around 60mm x 35mm in size. Typically an LCD window displays a 6-digit number which either changes automatically every 60 seconds or is manually switched to provide a “one-time-password”, which is combined with the user’s static PIN to enable two-factor authentication. Authenticators are also available in “credit card” and USB token implementations working on the same principle.


  • Pre-issued Two-Factor Authentication
This category includes Transaction Authorisation Numbers (TANs) and “security grids”. They operate by requiring the user to provide a unique number, either from a presupplied list or by derivation from an alphanumeric grid.

  • Biometrics
Biometric systems look at something you know and something you are – using fingerprints, iris scans or other biometric measurements to provide the second factor.


  • Phone-based systems
Phone-based authentication systems fall into two main categories: one-time password based and call signalling data based.


  • Digital certificates
Digital certificates identify access devices rather than users. They are frequently complex to administer and use, and are inflexible in that they restrict use to the machine that they are installed on.

8. Conclusion

  • Passwords provide trivial protection against determined hackers and fraudsters.


  • Two factor authentication is currently the only viable means of safeguarding users and network administrators from ever more sophisticated forms of online identity theft.

  • There are many different ways of achieving two factor authentication. All increase security by magnitudes compared to simple password protection.

  • Smartcard, token-based and biometric authentication systems all carry relatively high costs for equipment purchase and implementation, and have significant ongoing administration and maintenance overheads.

  • Phone-based systems reduce or eliminate the cost of client hardware provision and solve the “token necklace” problem. However, “one-time-password” systems have unpredictable running costs for SMS or voice messaging.
  • Users normally have to carry a separate token, smartcard or authenticator for every protected application that they use.

9. Citations
Schneier, B. (2005, March 15). The failure of two-factor authentication. Retrieved January 10, 2008 from http://www.schneier.com/blog/archives/2005/03/the_failure_of.html

Chan, I. (2007, June 18). Better authentication allays online banking fears. Retrieved January 12, 2008 from http://www.zdnetasia.com/insight/specialreports/fsi/

Curmi, J. (n.d.). Electronic banking and the case for strong two-factor authentication. Retrieved December 20, 2007 from Quest Software website: http://www.passgo.com/news/ElectronicBanking.shtml

Joel, D. (2006, September 18). One-time password tokens: Best practices for two-factor authentication. Retrieved January 10, 2008 from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1216485,00.html

John, H. (2005, July 18). Moving towards two-factor authentication. Retrieved January 12, 2008 from http://www.scmagazineus.com/Moving-towards-two-factor-authentication/article/32343/

GPayments. (2006). Two-factor authentication: An essential guide in the fight against Internet fraud. Retrieved December 28, 2007 from http://www.gpayments.com/pdfs/WHITEPAPER_2FA-Fighting_Internet_Fraud.pdf

OCBC Bank (n.d.). OCBC internet & mobile banking, 2-factor authentication. Retrieved January 19, 2008 from http://www.ocbc.com/personal-banking/2FA/index.shtml

Masabi (2007, September 20). Two factor authentication (2FA) – Opportunity and pitfalls. Retrieved January 20, 2008 from http://blog.masabi.com/2007/09/two-factor-authentication-2fa.html

ActivIdentity (n.d.). What is 2 factor authentication? Retrieved January 20, 2008 from http://www.actividentity.com/support/kbase/cms/display_article.php?kbid=642


Latest page update: made by XiangYun, Feb 1 2008, 12:47 AM EST