Ten years ago, when we thought about where to keep our money, it was either in long-standing, trusted banks or under long-standing, trusted mattresses. But recently this space has exploded (and continues to explode) with a myriad of startup mobile banks and cryptocurrencies. Right alongside these new fintechs has come incident after incident involving money being stolen; thefts, the likes of which would neatly overshadow many of the largest bank robberies in history.
As with the internet, this new way of keeping our money “safe” has moved far faster than sufficient security can be implemented, or maybe not as fast as cyber criminals can adapt. Whichever it is, we’re at a stage where billions are being stolen annually, and we don’t have photos of masked men walking into a bank vault, or the number plates of a rented van leaving the scene. Within hours of cyber-attacks that result in millions being stolen, there’s a very worrying sentiment coming from companies of, “well, that’s that. At least we’re insured”. And if you’re an individual who’s been robbed, it seems you need to start looking for the nearest service provider to sue.
It’s not fair to just focus on the new kids on the block, because the incumbents are falling foul of the same mistakes. Before online banking, if you wanted to rob a bank, you had to do it in person, and risk your life or freedom to do so. Now… sure, have a go. If it doesn’t work, you’ll be grand. I kid, but online banking, cryptocurrencies, and mobile banking have taken away borders and the need for physical contact, which is great for the consumer, but equally great for the attacker.
So, we look to strong customer authentication, which is certainly on the up and up, especially in Europe. There’s a wide variety of options, like PIN calculators, physical or app-based, or one-time passwords (OTPs) via SMS or app. These options sit on a spectrum of security and convenience, which must be balanced in order to retain customers as well as their money. But do financial institutions focus more on protecting their customers’ money or on retaining their business?
A recent incident that sparked this question was the Binance crypto exchange hack that resulted in $41M being stolen (it would come in at no. 6 if it were a bank). I’m not sure which 2FA they had in place, but alongside passwords, they do use Google Authenticator and OTPs via SMS. Whatever it was, it failed; the hack involved phishing, malware and, most worryingly, stolen private keys and 2FA codes. As I mentioned above, there are varying degrees of security associated with 2FA solutions, and in my opinion, OTPs via SMS are among the weakest of the weak, with Google Authenticator maybe somewhere in the middle. Google Authenticator is suitable for keeping a social media account secure, or maybe even your email, but it’s more akin to keeping your money under that mattress than in a vault.
In this attack, no physical access to the victims was necessary; it was all remote. Low risk. Prior to interacting with our money online, there was always a possession-based factor required to take it out of the bank or an ATM, or to spend it electronically: our bank card. That physical possession meant we were in control. Only we could act on our own behalf, because the key to all this was tucked away in our pocket. Yes, card skimming and more came along, but technology has advanced, and what’s worth noting is that the physicality of the token has remained.
If we really want to keep something safe online, our 2FA solution should involve a possession-based factor. More specifically, physical possession of private keys. I specify private keys here because there are those who would have us believe that being in possession of your SIM card means you are using a possession-based factor when using OTPs via SMS, or, with basic authenticator apps, that because you are in possession of that particular phone, you are the only one with the keys to the kingdom. This really isn’t the case in either instance: SMS messages can be intercepted or redirected, meaning you are not in sole control, and the code shown by your authenticator app is derived from a secret that also exists on the server for comparison, so again, you are not the sole owner. While these solutions are far more secure than passwords, I would not trust them to protect my money.
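To make that distinction concrete, here is an added example in Go (not code from the original post, written with the standard library’s HMAC and Ed25519 packages). The first half is a TOTP verifier of the kind authenticator apps implement (RFC 6238): the server must keep the same secret the app holds, so any copy of that secret mints valid codes. The second half is a challenge-response login where the server stores only a public key; with a private key that never leaves the token, what the server holds can verify but not impersonate. The function names are my own, and the secret is the RFC 6238 test vector used as a constructed input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// --- Shared-secret factor: TOTP as used by authenticator apps (RFC 6238) ---

// totp returns the HOTP/TOTP code for one 30-second step counter.
// It needs the raw secret: whoever holds a copy of it (the app, the server
// database, a cloud backup) can compute exactly the same code.
func totp(secret []byte, counter uint64, digits int) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return int(code % mod)
}

// totpAtUnix maps a Unix timestamp onto the 30-second step counter.
func totpAtUnix(secret []byte, unixSeconds int64, digits int) int {
	return totp(secret, uint64(unixSeconds/30), digits)
}

// verifyTOTP is the server side: it recomputes the 6-digit code from its own
// copy of the secret and compares in constant time. The comparison is fine;
// the weakness is that the stored copy alone is enough to impersonate the user.
func verifyTOTP(storedSecret []byte, unixSeconds int64, code int) bool {
	want := fmt.Sprintf("%06d", totpAtUnix(storedSecret, unixSeconds, 6))
	got := fmt.Sprintf("%06d", code)
	return hmac.Equal([]byte(want), []byte(got))
}

// --- Possession-based factor: challenge-response with a private key ---

// newIdentity generates the key pair at enrolment. Only the public key is
// handed to the server; the private key stays on the token or secure element.
func newIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// newChallenge is issued by the server per login so that a captured
// signature cannot be replayed against a later challenge.
func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signChallenge runs only on the device that holds the private key.
func signChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// verifyChallenge is all the server can do with what it stores: check, not sign.
func verifyChallenge(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	// Constructed input: the RFC 6238 SHA-1 test secret. At Unix time 59
	// the reference 8-digit code is 94287082.
	secret := []byte("12345678901234567890")
	fmt.Printf("RFC 6238 vector at t=59: %08d\n", totpAtUnix(secret, 59, 8))

	// A second party holding a copy of the same secret mints an accepted code.
	storedCopy := append([]byte(nil), secret...)
	now := time.Now().Unix()
	fmt.Println("code minted from the server-side copy accepted:",
		verifyTOTP(secret, now, totpAtUnix(storedCopy, now, 6)))

	// With a private key, the server's stored material (pub) can only verify.
	pub, priv := newIdentity()
	ch := newChallenge()
	sig := signChallenge(priv, ch)
	fmt.Println("fresh challenge signed by the token:", verifyChallenge(pub, ch, sig))
	fmt.Println("same signature replayed on a new challenge:",
		verifyChallenge(pub, newChallenge(), sig))
}
```

Run it with `go run .`; the TOTP half reproduces the RFC 6238 reference value from a copied secret, while in the signature half a replayed signature or a signature from a different key is rejected, which is the property that makes the private key a possession factor rather than a shared one.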
For truly secure authentication, private keys must be in the warm, clammy hands of their owner, just as they are with smart cards, USB keys, and other physical authentication tokens which live at the upper end of the 2FA security spectrum. When it comes to convenience though, physical tokens might not cut it, so we look to the user-friendly, yet strong, cryptographic mobile-based solutions. Even then, these live along a spectrum too, as it’s not only the cryptography that must be solid, but the app itself. There must be peer review of the cryptography, but also penetration testing, third-party evaluation, and secure app development before we can truly put our trust (and money) into the app that acts as gatekeeper.
This tech is not common because it is not simple to create, but it’s far from simple to beat.