Two factor auth gets personal

03 February 2009

I’ve been sounding off against banks’ use of two factor authentication (2fa) for a while now, as anyone whom I’ve bored with it will attest. Until now my bank hasn’t jumped on the bandwagon. Their anti-phishing methods have thus far been as sophisticated as a drop-down to select your PIN to avoid keyloggers. However, they recently sent me an email alerting me to a change in their terms and conditions, adding references to a Card Reader in a bunch of ominous places. For example:

Condition 11.3 For some internet and telephone banking instructions you may be asked to use your card and a Card Reader. If you do not use your card and Card Reader we will not be able to carry out your instructions.

This makes me think that a brown jiffy bag with a bulky piece of plastic will be landing on my doormat in the near future, and now I’m personally affected by this stupidity. They’re doing this in the face of obvious security flaws. Over two years ago, man-in-the-middle (MITM) attacks against 2fa were in the wild and reported in the mainstream media. Sure, the tokens limit the attacker’s window of opportunity to the period in which a token is valid, but that hardly matters: there’s still a window of opportunity, and it’s not difficult to proxy a couple of requests within it. Two years on, I imagine the attack is part of any reputable phisher’s toolbox by now.

Therefore it seems it’s just a big waste of money, a load of inconvenience to me and no doubt the card readers contain a load of unrecyclable plastic. Whilst banks are struggling to survive and paying me a pittance on my savings, they are throwing money away on ineffective solutions. I’m now likely going to be expected to carry this thing around with me if I want to carry out certain transactions with my bank. The updated terms even talked about needing it when I call them up! So much for online banking allowing me to control my finances from anywhere. Now I can only do it if I’ve weighed my pockets down with one of these silly devices.

A much better solution is one employed by some US banks I’ve been a customer of: two channel authentication. If I log on from a computer they don’t recognise, or attempt to send money to someone I’ve not paid before, the extra step kicks in. They send me an authorisation code over a pre-arranged channel, either email or SMS. When I receive that code I enter it back into the website. There is a small problem with their implementation, but it’s easily overcome (just include the transaction details in the text message, so the code I approve is tied to the payment I actually asked for).
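To show what binding the code to the transaction looks like on the bank’s side, here is an added Python sketch (mine, not code from the post or from any bank): the authorisation code is an HMAC over payee, amount, a nonce and an expiry, the out-of-band message repeats the payee and amount, and the code is accepted once, before expiry, and only for the transaction it was issued for. The key, payee names and amounts are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: the bank's key for authorisation codes. A real deployment
# would keep it in an HSM; here it is generated at start-up.
SERVER_KEY = secrets.token_bytes(32)


def _digest(key, payee, amount, nonce, expires):
    # The code is computed over the exact transaction being approved, so a code
    # phished for one payee/amount verifies for no other.
    msg = f"{payee}|{amount}|{nonce}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def _code_from(digest):
    # Truncate the MAC to a six-digit code the customer can type back in.
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def issue_challenge(key, payee, amount, ttl_s=300, now=None):
    """Record a pending transaction and build the code and text message for it."""
    now = time.time() if now is None else now
    challenge = {
        "payee": payee,
        "amount": amount,
        "nonce": secrets.token_hex(8),
        "expires": int(now) + ttl_s,
        "used": False,
    }
    code = _code_from(_digest(key, payee, amount, challenge["nonce"], challenge["expires"]))
    # Repeating payee and amount lets the customer notice a proxied transaction
    # that differs from the one they typed into the website.
    sms = f"Authorise payment of {amount} to {payee}? Code: {code}"
    return challenge, code, sms


def verify(key, challenge, payee, amount, code, now=None):
    """Accept the code only for the same transaction, once, before expiry."""
    now = time.time() if now is None else now
    if challenge["used"] or now > challenge["expires"]:
        return False
    expected = _code_from(_digest(key, payee, amount, challenge["nonce"], challenge["expires"]))
    if not hmac.compare_digest(expected, code):
        return False  # wrong code, or submitted payee/amount differ from the approved ones
    challenge["used"] = True  # single use: a relayed code cannot be replayed
    return True
```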

If these changes to the terms and conditions are indeed a precursor to Smile implementing 2fa then I need to start looking around for a new place for my money. However, they’re the only UK bank offering a current account with an ethical policy, so it looks like I need to decide which is more important to me.

The banner image is a cropped version of an image by Dave Bushe and used with permission.
