22 December 2014

IT and Market Finance

Cedric Pariente - Racine Alpha

23Posts 123,428Views 45Comments

Transaction Fraud Systems and Analysis

A community for discussion of Transaction Fraud systems and anlaytical techniques for bank card and financial services organisations.

Online Banking, Hacker's Mind and Mutual Authentication

24 April 2009  |  10623 views  |  1

Lately I have read a lot of interesting blogs and comments about identity theft. This is obviously a hot topic, Hackers have never been so active and banks have had a hard time keeping up.

Prologue: Authentication Basics

What is the basic principle of authentication? What are we trying to achieve?
Let's take the example of a user who wants to check his bank account online.  The goal here is to make sure that the user is really the user, and that the bank is really the bank.

Explained like this, it sounds quite simple.

Chapter I: One Way Authentication

Hackers, these computer wizards, have quickly found ways to get your credentials in order to impersonate you.

The answer of the industry was relatively quick and it continues to evolve in the same direction.

For a long time it's been a race between Financial Industry, Security Companies & Hackers.

At the begining of the race, we have created Logins/Passwords. Quite rapidly, Hackers have found ways to get those static passwords. Then, security companies created many tools to strengthen authentication and they have done a good job! All these technologies are brilliant: USB Tokens, Smart Cards, Biometrics, Bingo cards...

But Hackers have stopped trying to attack the front door...

Chapter II: Hackers Evolution

It is very important to understand how a hacker thinks in order to be able to 'stop' him. A hacker will always try to get the low hanging fruits.

One way authentication has been focusing on strengthening the security at your door, when hackers have found a way to go inside via the windows.

A General principle in security is:

          "A system is as secure as its weakest entry point."


Instead of trying to fight the security tools created to strengthen the authentication of the users, Hackers have changed their strategy and started attacking the overall Authentication Scheme/Process.

They have created the new generation of hacking attacks: MITM, MITB...

They let the user strongly authenticate himself to them (pretending they are the bank), while they re-use those precious "strong credentials" with the real bank’s website (in turn pretending they are the legitimate user).

Chapter III: What is the Solution?

It is now time to secure all access points. We can't go further and ask the users to enter their credentials, remember a picture, enter a One Time Password, put their thumb on a reader and ask their grand-mother to speak in the mic to authenticate themselves or to make transactions.
Even after all these painful procedures, they are still not guaranteed that a hacker cannot get access to their financial accounts !!!

How can you be sure that someone is really who he pretends to be? Let's take a simple example.

Asking a user to do a One Way Authentication is like asking him to enter a room full of people to meet someone, unknown to him. We ask him to go to the "most probable person", to show his ID and some additional information and to hope that the person in front is really the right one.

Did you ever go to a business meeting where people you are meeting do not introduce themselves??? That would certainly be a strange situation.

The real answer to the problem is

          STRONG MUTUAL AUTHENTICATION

Everyone has to be authenticated! The users, the banks, the online merchants... Anyone who wants to engage in a mutual connection or transaction.

By ensuring such strongly authenticated connections on all sides and applying the same principles during transactions validations, Banks would actually be able to PREVENT fraud instead of simply "DETECTing and trying to deal with the problems after"...

Chapter IV: Who benefits from strong mutual authentication?

EVERYONE.

The users obviously benefit from it.
They will no longer be scared (http://www.finextra.com/fullstory.asp?id=19933)
They will eventually regain confidence in the financial industry, leave more money in their bank accounts, make more transactions.

The good news about this kind of authentication scheme (STRONG MUTUAL AUTHENTICATION) is that it's fully compatible with all the work done so far by all the security companies that are doing One Way Authentication. It actually bolster any of these 1-way authentication methods.

Banks would also benefit from it. No more fraud, minimize charge back processing, increase potential business by accepting more legitimate transactions...

Everybody would benefit except the fraudsters...

TagsSecurityOnline banking

Comments: (1)

Dean Procter - Transinteract - Sydney | 25 April, 2009, 02:28

You are definitely preaching to the converted here.

At this point we would be tempted to say any authentication is better than none, however it is apparent that pretty well everything (except my thing) fails.

Whilst STRONG is a word, an adjective I believe, it is something else in the execution.

There are difficulties with dreams of strength.

I would really like to illuminate everyone but there seems to be a buck to be made here.

Imagine if you had the perfect solution. What would it be?

What if it worked for pretty well everything we do and more importantly empowered a lot of things we would like to be able to do? Really cool and real time and worry saving things?

What if it just made internet banking completely irrelevant?

Imagine, - no need to log on to your bank site - ever?

No virus software required, no hassle, no bills in the mail for ID thieves, no internet bank account period. No internet logons.

GREEN - paperless, with all that information available at your fingertips? 

Plastic-less. NO CARD. No wallet.

Convenience like we have only dreamed of - in a totally natural way. Forget about learning new software, forget about all that bullshit security.

Just jump to the 21st century, or even the 25th century - it will be done the same way in 10,000 years, there's no going back and there's nowhere further to take other than mind-reading.

Would you waste it on the first bank that came along trying to lead that old horse to water and then force it to drink?

Or would you think big?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Cedric

Home Equity Loan and Home Equity Line Of Credit

12 February 2010  |  3746 views  |  0  |  Recommends 0 TagsOnline bankingRisk & regulationGroupOnline Banking

How to Crack WiFi Network - Video Tutorial

30 January 2010  |  8176 views  |  0  |  Recommends 0 TagsSecurityOnline bankingGroupOnline Banking

Credit Without a Purpose is Dangerous!

26 January 2010  |  4577 views  |  1  |  Recommends 0 TagsCardsOnline bankingGroupOnline Banking

Social Suicide 2.0

05 January 2010  |  4163 views  |  1  |  Recommends 0 TagsSecurityOnline bankingGroupOnline Banking

MC2009

25 December 2009  |  5319 views  |  0  |  Recommends 0 TagsCardsOnline bankingGroupOnline Banking

Cedric's profile

job title Stanford Certified Project Manager
location Paris
member since 2009
Summary profile See full profile »
I'm Cedric Pariente, a Stanford Certified Project Manager, working in both IT and Market Finance.

Cedric's expertise

What Cedric reads
Think Tank
Cedric's blog archive
2010 (4)2009 (19)

Who is commenting on Cedric's posts