Hi Max,
A good post from a security perspective, as all your points on vulnerabilities of weak 2FA implementation are all true, though I would challenge the PIN stronger than biometric piece on a number of levels.
But it was your title I wanted to pick up on from a legal perspective. As we all know, all organisations have to be able to identify and authenticate their customers under GDPR, where there is suspicion that a Subject Access Request not be from the genuine customer (not that GDPR provides any guidance on how to do this). Let's call that 'common practice'.
Then certain industry sectors covering Critical National Infrastructure (CNI) have additional security requirements added in (in EU) under the security of Network Information Systems Directive (NIS), which provides additional access control and ID/Auth requirements. Let's call that good practice.
But Financial services are exempt from NIS because they have stronger sector specific security standards, such as those defined under RTS SCA in PSD2. Now these requirements, coming into force in September this year, provide a range of strictures which would outlaw OTP SMS, but don't provide much in the way of guidance as to what IS fit for purpose, and that's where the new British Standard comes into play, as PAS499 in Digital Identification & Authentication guides organisations through how they should implement a practical and secure solution. Let's call that Best Practice, so the Banks WILL be leading the way come September, not only from a regulatory perspective but in practical implementation.
15 Feb 2019 13:25
Matt - interesting point on Access to Account, but your earlier comment on your Galaxy/Vodafone Passport on the Tube intrigues me - I've just tried again, and my Vodafone Wallet Smartpass is still telling me that paying through the phone isn't available without the new NFC SIM (which itself ruins the point of having an NFC device), and that these aren't available yet either! I trust you don't mean you've stuck the card on the back, so please do let me know how you've managed a work around!
Also, given the difficulty TfL have had managing refunds on bank cards and more recently on bpay 'non-cards', it'll be fun watching them track back on an Apple Pay uncompleted journey!
Ian - 'all fine for now' as you say until PSD2 comes out, but the kick off of EBA early adoption is 1st August!
On the original article as a whole, it will also be interesting to see how low that 27% falls when the inevitable avalanche of frauds hit here, as they have seen in the US.
13 Jul 2015 16:50
Bjorn,
You're quite right, and ENISA guidance has had 'assumed compromise', typically though not necessarily through infection, in place since 2012. The problem is that banks aren't taking the mitigation steps far enough.
The forthcoming 'early adoption' of PSD2 through ECB/EBA SecuRe Pay strong authentication requirements may well go some way to address this from August, depending of course on how they are managed (if they are managed!)
10 Apr 2015 15:12
My first reaction from the headline was 'only $7.7m for a regulatory breach - that's a bit tame nowadays'!!
But if you look at it as fining them 175 times the amount in question, or the expectation that full checks should be carried out on payments averaging just $90 a time, and it looks rather different!
26 Mar 2015 18:49
Hari,
You are quite right to highlight the flaws in the use case - lack of P2P, inability to integrate with loyalty schemes, and the myriad different permutations for customer and sales staff (where present). The NFC aspect of the last of these may be more US centric (and we shall see how Samsung cope in a few weeks' time), but from here in the UK NFC is now fairly well established.
But as you might note from my blog on the 9th, they are more worryingly introducing additional security vulnerabilities that are quite unnecessary. Not only has the system failed to solve the above customer focussed aspects, it has singularly failed to address security in a meaningful way. As I put it on the 9th - Mere Tokenism.
12 Feb 2015 13:16
A very good point Charmaine. But your example of a remote village in India is perhaps the point Visa are trying to get at through their campaign using these two UK soaps (Emmerdale/Coronation Street from Lu's prior blog, spawning this one).
India is a rapidly developing nation, but if Paywave works in 'The third world - Yorkshire' (that's Monty Python's view, not necessarily mine) then it really must be time to say it's universal!
04 Feb 2015 17:02
Plenty of card fraud in movies - Mel Gibson's stolen cards in Payback, the young O'Connor's ATM attack in Terminator 2 etcetera.
Choice of programmes unfortunate though - I'd have preferred to see a London based soap/drama so they could go on about card-clash!
Btw Richard, trust you to associate with Arkwright! :)
02 Feb 2015 21:11
I agree with your points on the SIM swap itself, which is an interesting area in its own right. I assume you're referring to the furore around SIM replacement in last week's Trusteer report 'Mobile Banking bypassed by fiendish malware blag' (http://www.theregister.co.uk/2012/03/15/malware_based_mobile_banking_blag/** and others). Trusteer's report also missed some more fundamental issues in this regard. Point 1 is that there is no point capturing an out of band OTP on the device itself if the transaction authentication is then typed back into the PC (as typically for online banking), as the attacker is passed it anyway in any man in the middle/browser etcetera attacks (in a poor implementation of out of band authentication). Point 2, however, is that if the transaction authentication goes back over the out of band channel, as it must to avoid the primary channel intercept, then unless it's a simple 'Yes it's me', 'No it's not me' choice that's sent out (in which case the SIM replacement clearly does work, as the attacker sends back the response 'Yes it's me') then the attacker would need to either know the PIN the bank's expecting to authorise 'Yes it's me', or be able to spoof the biometric response expected, or whatever else is being used as the second factor (under a proper implementation of out of band authentication). So Trusteer have found a fairly time-consuming attack, which dramatically impacts the criminals' risk/reward, as they need to be physically present themselves during the scam, in the jurisdiction the offence is being committed in - much higher risk, and lower reward due to the time involved, than purely cyber attacks. And the scam only works against banks that didn't think through the implementation in the first place (oh, sorry - point taken - that's probably an awful lot of banks!)
NB ** The Register also incorrectly state that a trojan is used in both variants of the attack despite referring to the first one as using a phishing attack to obtain the static data. There's clearly no point phishing if you've a trojan on board!
21 Mar 2012 12:07
Neil,
You're absolutely correct that the majority of card fraud is CNP, and also that VbV et al put off the customer more than the fraudster (as resetting the password is trivial anyway in the unlikely event they didn't phish it with the rest of the static data).
But given Earthport's business area, I'm surprised you don't raise one of the other areas, both in terms of fraud and false rejection of genuine transactions, namely overseas card use. Gartner's Identity Assurance event last week was just the latest to highlight the continued irritation to all of us as genuine users when our cards are rejected overseas, no matter how many times one informs the bank in advance, or the fact that Heathrow was the transaction before, etcetera.
This and cross-border payments are both areas I expect will get pulled up in the EU future payments consultation next month, though it's clearly not just an EU or developed market issue. Also interesting to see how changes in Data Protection regulations impact on some of the proposed mobile GPS solutions.
Andrew
20 Mar 2012 11:41
Gerhard,
You're absolutely correct that the SMS authentication systems are vulnerable to browser attacks (or real-time phishing), but largely by virtue of poor implementation. After all there's no point using a mobile TAN if the user has to pass it straight back to the attacker.
ENISA covered these 'out of band' systems in its November report (link available at https://www.finextra.com/news/fullstory.aspx?newsitemid=20797) and whilst there are a few peculiar non sequitur conclusions therein, if properly implemented with specific transaction authentication both ways over the out of band channel then that addresses most issues.
Though Phil, whilst I too use 'there's an app for that' as a metaphor for mobile, to be pedantic it doesn't need to be an app on a smartphone, as SMS or voice work too!
I also like your idea on league tables, though in the UK I'm not sure we'd ever persuade them to drop the anonymity of reporting aggregated losses through APACS - maybe the FSA could take action for negligence (as the customers can't sue (£0 loss as it's usually refunded) and the shareholders won't (no point suing yourself))!
09 Mar 2010 12:32
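The out-of-band design point made in the comment above, and in the March 2012 SIM-swap comment earlier on this page: if the phone merely answers 'Yes it's me', holding the SIM is enough, whereas a PIN-bound confirmation computed over the transaction details survives both a SIM replacement and a man-in-the-browser relay. This is an added illustration, not code from the commenter or any bank; the PIN-derived key, the enrolment salt, the transaction strings and the mobile app's behaviour are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample transaction, and the altered copy a man-in-the-browser might submit.
GENUINE_TXN = "PAY 90.00 GBP TO SORT 11-22-33 ACCT 12345678"
TAMPERED_TXN = "PAY 9000.00 GBP TO SORT 99-88-77 ACCT 87654321"

def derive_device_key(pin: str, salt: bytes) -> bytes:
    # Hypothetical enrolment step: the app stretches the user's PIN with a per-enrolment
    # salt, so bank and app share a key that never lives on the SIM.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

def phone_confirm(pin: str, salt: bytes, challenge: bytes, txn_shown: str) -> str:
    # Out-of-band confirmation: the user reads txn_shown on the phone and enters the PIN;
    # the app returns a MAC bound to both the bank's nonce and the transaction details.
    key = derive_device_key(pin, salt)
    return hmac.new(key, challenge + txn_shown.encode(), hashlib.sha256).hexdigest()

def bank_verify(key: bytes, challenge: bytes, txn_submitted: str, response: str) -> bool:
    # The bank recomputes the MAC over the transaction it actually received on the primary
    # channel, so a confirmation given for different details fails.
    expected = hmac.new(key, challenge + txn_submitted.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)

def weak_yes_no_verify(response: str) -> bool:
    # The bare "Yes it's me" scheme: whatever arrives over the out-of-band channel is
    # accepted, so whoever holds the (swapped) SIM wins.
    return response.strip().upper() == "YES"

def run_scenarios(pin: str = "4711") -> dict:
    salt = b"constructed-enrolment-salt"
    key = derive_device_key(pin, salt)          # bank's copy of the key from enrolment
    challenge = secrets.token_bytes(16)         # per-transaction nonce from the bank
    genuine = phone_confirm(pin, salt, challenge, GENUINE_TXN)
    return {
        # SIM-swap attacker answers YES without knowing the PIN: weak scheme accepts.
        "sim_swap_vs_yes_no": weak_yes_no_verify("YES"),
        # Same attacker guessing the PIN against the bound scheme: rejected.
        "sim_swap_vs_bound": bank_verify(key, challenge, GENUINE_TXN,
                                         phone_confirm("0000", salt, challenge, GENUINE_TXN)),
        # Man-in-the-browser relays the genuine confirmation but altered the order: rejected.
        "mitb_vs_bound": bank_verify(key, challenge, TAMPERED_TXN, genuine),
        # Honest user confirming the untampered order: accepted.
        "genuine": bank_verify(key, challenge, GENUINE_TXN, genuine),
    }
```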