Kenneth: Absolutely the definition needs tightening. Some have bastardised "Two Factor" authentication by counting multiple secret questions as additional factors. The most important thing is we need a physical factor (something you have) that is easily noticed when lost, and which is also difficult to replicate or intercept & replay. A big problem with biometrics when deployed without a physical token [like in the idea of a cardless ATM where you just stare into an iris scanner] is that you cannot tell when your authenticator has been stolen. It's important that we use more sophisticated criteria for matching applications to security technologies.
16 Jan 2012 19:51
Martin, it's not the number of factors so much as the nature of the technology. The one time password generator is subject to MITM attack. A code that lasts a couple of seconds still affords a mechanised attack computer plenty of time to intercept and replay.
The "bees knees" in my opinion is the smartcard. OTPs are a toy. With built-in readers increasingly commonplace (and with NFC allowing new ways to interface cards to laptops, tablets and phones) we could be replicating the universal ATM/POS experience for all Internet transactions. Cards are far easier to use than OTP, and technically have all manner of advantages as noted previously, including resistance to MITM and mutual authentication.
16 Jan 2012 17:06
How come my comment from last week disappeared?
16 Jan 2012 10:15
There's Two Factor Authentication, and there's Two Factor Authentication. Sadly, the term and the acronym "2FA" have come to mean just one specific branch of the authentication family tree, a bunch of related one time and/or out-of-band password approaches (including SMS codes, OTP key fobs, and EMV CAP).
The more fundamental idea is still vital. Two Factor Authentication should mean access involving a physical device. When that device is a smart device, like a chip card or a phone, then possibilities open up for machine-to-machine challenge response, digital signing, mutual authentication and so on, which eliminate the sorts of MITM attack that plague the OTP and out-of-band password solutions.
13 Jan 2012 22:31
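To illustrate the MITM point made in this comment and in the smartcard comment above, here is an added simulation (example code, not part of the original thread): the same intermediary relays the customer's credential but substitutes its own transaction, and the bank's check is either a bare OTP or a challenge-response answer bound to the transaction text. The shared secret, the HMAC stand-in for card signing and the transaction strings are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
# Constructed demo secret shared by the customer's device and the bank. A real
# smartcard would hold a private key and sign; a keyed HMAC stands in for that here.
SHARED_SECRET = b"constructed-demo-secret"

def make_otp(secret: bytes, counter: int) -> str:
    """Event-based OTP: a 6-digit code that depends on the secret and a counter only."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)

def sign_transaction(secret: bytes, challenge: bytes, tx: str) -> str:
    """Challenge-response: the answer is bound to the bank's nonce AND the transaction text."""
    return hmac.new(secret, challenge + tx.encode(), hashlib.sha256).hexdigest()

class Bank:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0         # next OTP counter the bank expects
        self.challenges = set()  # nonces issued but not yet answered

    def accept_otp(self, tx: str, code: str) -> bool:
        """Executes ANY transaction presented with the current valid OTP."""
        if hmac.compare_digest(code, make_otp(self.secret, self.counter)):
            self.counter += 1    # code consumed; a later replay would fail
            return True
        return False

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.challenges.add(nonce)
        return nonce

    def accept_signed(self, tx: str, challenge: bytes, sig: str) -> bool:
        """Verifies the signature over the transaction the bank actually received."""
        if challenge not in self.challenges:
            return False         # unknown or already-used nonce (replay)
        self.challenges.remove(challenge)
        return hmac.compare_digest(sig, sign_transaction(self.secret, challenge, tx))

def transaction_executed(mode: str, mitm: bool) -> bool:
    """Customer authorises 'pay 50 to ALICE'; with mitm=True an intermediary swaps the transaction."""
    bank = Bank(SHARED_SECRET)
    tx_customer = "pay 50 to ALICE"
    tx_received = "pay 5000 to MALLORY" if mitm else tx_customer
    if mode == "otp":
        code = make_otp(SHARED_SECRET, 0)         # customer's fob is also at counter 0
        return bank.accept_otp(tx_received, code)  # code is valid for any transaction
    nonce = bank.issue_challenge()                 # relayed unchanged to the device
    sig = sign_transaction(SHARED_SECRET, nonce, tx_customer)
    return bank.accept_signed(tx_received, nonce, sig)  # substituted text fails verification
```

The OTP path accepts the substituted transaction because nothing in the code ties it to what the customer saw; the challenge-response path rejects it, and a reused nonce is rejected as a replay.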
I simply point out that the difference between what IS the case with KYC rules, and what you think OUGHT to be the case, is much greater than what you portray. You started out lampooning those who don't get the social media craze, as if trepidation is the only thing stopping using Facebook to log on to a bank. Actually the real problem in all federated identity programs is that sharing identity is harder than it looks. I'm not anti-innovation; I am pro-rigor. Ask yourself why banks haven't managed to federate amongst themselves, and then ask whether Facebook's business model is going to make federation any less complex.
Please see my detailed critique of federated identity at http://lockstep.com.au/library/identity_authentication/an-ecological-theory-of-digit.html
You say casually that social identity is warrantable, but the fact is today it is not, and I don't think any banks' lawyers have even started to work out serious protocols for how to do so. I say this pretty emphatically, based on experience of the Australian Trust Centre and another well funded Aussie authentication hub project. I was involved in developing pro forma legal agreements by which a participating bank's OTP would be brokered by the hub and used to authenticate customers to online retailers. When we took these template agreements to banks' lawyers, they said "Hmmm, very interesting but we've never seen any contract like this before -- we'll get back to you." They never did.
Banks are not used to operating outside their silos. I wouldn't underestimate the challenge of joining them to the wild and whacky world of social identity.
13 Dec 2011 23:45
Brett wrote "Right now today I can tell you that details from social networks on an individual customer are far more valuable to a bank than a fax number or utility bill ..."
Is there any empirical evidence for this? As of now, details on social networks are unvalidated and unwarranted. We can talk casually about value and social graphs and the way that people express their "identity" but when push comes to shove, a bank needs an identity provider to warrant any personal details that the bank then relies upon. We're surely a very long way from that point, no matter how rich the social identity appears to be. I come back to the enormous difficulty that inter-bank identity federation has experienced. Federating between a social network and a bank is much harder again.
" ... but we're ignoring those because we're threatened by the exposure in the medium."
No, we're "ignoring" social identity because it is not sanctioned by KYC rules. In Australia, the utility bill technically does have value to a bank, because the Financial Transaction Reports Act sanctions such documents as evidence of identity.
13 Dec 2011 22:40
Brett,
I reckon it's a bit rough hectoring conservative users and stakeholders into adopting social ID for banking. I think you know that deep down, what you're suggesting is that banks up-end the way they relate to customers. And why? Because Facebook's CRM is cool?
Social identities have literally spread like weeds but their sheer abundance doesn't mean they can just cross-breed with any native identity species in the banking ecosystem. The problem with logging on to a bank using Facebook isn't trepidation; it's that nobody has yet figured out how to federate identities and a reasonable liability arrangement.
It's not for want of trying. The idea of Federated Identity is older than e-commerce, but well-heeled initiatives like Liberty Alliance, Cardspace, and the Australian banks' Trust Centre all failed on the launch pad. Fundamental barriers arise because business ecosystems comprise diverse niches that have evolved their own ways of managing risk. The naive efforts of technologists to make IDs interoperate across niches (usually referred to casually and cynically as "silos") overlook the innate conservatism of highly evolved businesses. Identities such as bank accounts are crystal clear with regards to rights, responsibilities and liabilities, but they're also brittle like crystals: they don't bend.
Banks struggle to federate identities even amongst themselves, even when they all play by the same legislated rules! It's instructive that the Australian banks recently abandoned their account portability project "Mambo". The cost and complexity of changing legal and business arrangements to handle a universal account number turned out to trump the benefits. The Mambo proposition was vastly simpler than changing the way customers are authenticated.
So what hope does Facebook have of breaking into the financial services ecosystem? What promises can Facebook make to a bank about the authenticity of its members?
See also:
http://lockstep.com.au/blog/2011/06/28/how-do-i-know-thee.html
http://www.bankingreview.com.au/2011/10/mambo-misses-the-point.html
http://lockstep.com.au/blog/2011/01/13/no-such-thing-as-a-passport.html
Stephen Wilson, Lockstep Consulting, Australia.
13 Dec 2011 19:01
But seriously folks, I agree with MaryAnne Allison that the silence is remarkable. As I suggested at the outset, maybe nobody really cares anymore?
Now, disenchantment with PCI is a real story.
The PCI regime is a hugely expensive exercise with uncertain impact on cybercrime. Vast volumes of card numbers continue to be stolen. And like so many audit regimes of the past, when certified organisations fail -- whether it be financial collapse, quality lapse, or security breach -- endless legal debates break out about the very meaning of audit. It's a bit late for this argument isn't it?
I've had numerous PCI QSAs tell me that their inspections only provide a snapshot, and it's not their fault that companies might be breached in between visits. Seriously?! If PCI certification doesn't provide some confidence about security all the time, and not just when the QSA is looking, what good is it? Tick box auditing has sunk to new lows when QSAs can so quickly distance themselves from problems like this.
If PCI is supposed to be so important, then surely by now there would be definitive news about the status of Sony. All we have is the company's own assertions that the card numbers were "encrypted" and that therefore they were PCI compliant. No naming of an actual QSA. No clear white lists from the card companies. And no testing of this "encryption" claim.
I had a laptop with encrypted HDD crash on me once, with total loss of the motherboard. My IT guy took out the disk drive, plugged it into another machine, and cracked the key in less than an hour. All my data was retrieved. If the PSN security designers couldn't even be bothered hashing the members' passwords, then I have little confidence that they knew what they were doing with encryption.
12 May 2011 23:42
John Dring wrote "Sony ... shows me that the PCI standard is more of a best practices guideline than a policed standard".
Channelling Captain Jack Sparrow, Pirates of the Caribbean, are we? ;-)
12 May 2011 21:06
Keith,
We're getting warm. And yet we cannot be left assuming that Sony's cryptography is strong. After all, one would have assumed they would hash their passwords.
The question still is, was Sony certified as PCI compliant?
I tried Google News for "sony pci compliant" and funnily enough the third top hit was actually my blog post above! Hits no. 1 and 2 concern Sony's own claims to have met the PCI encryption requirement.
It's frankly amazing that the PCI status of such a huge merchant is still uncertain days and days after the breach.
30 Apr 2011 09:02