Lately I have read a lot of interesting blogs and comments about identity theft. This is obviously a hot topic: Hackers have never been so active, and banks have had a hard time keeping up.
Prologue: Authentication Basics
What is the basic principle of authentication? What are we trying to achieve?
Let's take the example of a user who wants to check his bank account online. The goal here is to make sure that the user is really the user, and that the bank is really the bank.
Explained like this, it sounds quite simple.
Chapter I: One Way Authentication
Hackers, these computer wizards, have quickly found ways to get your credentials in order to impersonate you.
The industry's answer was relatively quick, and it continues to evolve in the same direction.
For a long time it has been a race between the financial industry, security companies and Hackers.
At the beginning of the race, we created logins and passwords. Quite rapidly, Hackers found ways to get those static passwords. Then security companies created many tools to strengthen authentication, and they have done a good job! All these technologies are brilliant: USB tokens, smart cards, biometrics, bingo cards...
But Hackers have stopped trying to attack the front door...
Chapter II: Hackers Evolution
It is very important to understand how a hacker thinks in order to be able to 'stop' him. A hacker will always go for the low-hanging fruit.
One Way Authentication has been focusing on strengthening the security at your door, while Hackers have found a way to get inside through the windows.
A General principle in security is:
"A system is as secure as its weakest entry point."
Instead of trying to fight the security tools created to strengthen the authentication of the users, Hackers have changed their strategy and started attacking the overall Authentication Scheme/Process.
They have created a new generation of attacks: MITM (man-in-the-middle), MITB (man-in-the-browser)...
They let the user strongly authenticate himself to them (pretending to be the bank), while they re-use those precious "strong credentials" on the real bank's website (in turn pretending to be the legitimate user).
Chapter III: What is the Solution?
It is now time to secure all access points. We can't go any further and ask users to enter their credentials, remember a picture, enter a One Time Password, put their thumb on a reader and ask their grandmother to speak into the mic in order to authenticate themselves or to make transactions.
Even after all these painful procedures, there is still no guarantee that a hacker cannot get access to their financial accounts!
How can you be sure that someone is really who he pretends to be? Let's take a simple example.
Asking a user to do a One Way Authentication is like asking him to enter a room full of people to meet someone unknown to him. We ask him to go to the "most probable person", show his ID and some additional information, and hope that the person in front of him is really the right one.
Have you ever been to a business meeting where the people you are meeting do not introduce themselves? That would certainly be a strange situation.
The real answer to the problem is
STRONG MUTUAL AUTHENTICATION
Everyone has to be authenticated! The users, the banks, the online merchants... Anyone who wants to engage in a mutual connection or transaction.
By ensuring such strongly authenticated connections on all sides, and applying the same principles during transaction validation, banks would actually be able to PREVENT fraud instead of simply DETECTING it and trying to deal with the problems afterwards...
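To make the two chapters concrete, here is a small added example (my own illustration, not code from the original post, which names no particular mechanism). It models the relay described in Chapter II and the mutual handshake of Chapter III with a shared-key HMAC challenge-response: the bank introduces itself first, then the user answers. Two assumptions are mine: the shared key is a constructed demo value standing in for a token or smart card key, and each proof can optionally be tied to a channel-binding value (modelled on TLS tls-unique) that is different for every connection. The relaying intermediary is represented only by the fact that the user and the bank see different connections; it forwards every message unchanged.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the demo: stands in for the per-user key held by a
# hardware token or smart card on the user's side and by the bank's auth server.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def make_proof(key, role, client_nonce, bank_nonce, binding):
    """HMAC over length-prefixed fields. The role tag keeps the bank's proof and the
    user's proof distinct, the two nonces make each proof fresh, and 'binding' ties
    it to one connection (empty when channel binding is switched off)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in (role, client_nonce, bank_nonce, binding):
        h.update(len(field).to_bytes(2, "big"))
        h.update(field)
    return h.digest()


class Connection:
    """One transport connection. 'binding' models a channel-binding value such as
    TLS tls-unique: different for every connection, known only to its two ends."""

    def __init__(self):
        self.binding = secrets.token_bytes(16)


class Bank:
    def __init__(self, key):
        self.key = key
        self.nonce = b""

    def respond(self, client_nonce, conn, bind):
        """Step 2: the bank introduces itself first by proving it holds the key."""
        self.nonce = secrets.token_bytes(16)
        binding = conn.binding if bind else b""
        return self.nonce, make_proof(self.key, b"bank", client_nonce, self.nonce, binding)

    def verify_client(self, client_nonce, client_proof, conn, bind):
        """Step 4: check the user's proof against the connection the bank sees."""
        binding = conn.binding if bind else b""
        expected = make_proof(self.key, b"user", client_nonce, self.nonce, binding)
        return hmac.compare_digest(expected, client_proof)


class Client:
    def __init__(self, key):
        self.key = key
        self.nonce = b""

    def start(self):
        """Step 1: send a fresh challenge."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify_bank(self, bank_nonce, bank_proof, conn, bind):
        """Step 3a: refuse to go on unless the far end proved it is the bank."""
        binding = conn.binding if bind else b""
        expected = make_proof(self.key, b"bank", self.nonce, bank_nonce, binding)
        return hmac.compare_digest(expected, bank_proof)

    def prove(self, bank_nonce, conn, bind):
        """Step 3b: the user's own proof, over the connection the client sees."""
        binding = conn.binding if bind else b""
        return make_proof(self.key, b"user", self.nonce, bank_nonce, binding)


def run_handshake(client, bank, client_conn, bank_conn, bind):
    """Return (bank accepted by user, user accepted by bank). For a direct connection
    client_conn and bank_conn are the same object; a relay means they differ."""
    nc = client.start()
    nb, bank_proof = bank.respond(nc, bank_conn, bind)
    bank_ok = client.verify_bank(nb, bank_proof, client_conn, bind)
    client_proof = client.prove(nb, client_conn, bind)
    client_ok = bank.verify_client(nc, client_proof, bank_conn, bind)
    return bank_ok, client_ok


def demo():
    """Four runs: direct and relayed, each with and without channel binding."""
    results = {}
    for label, relayed in (("direct", False), ("relayed", True)):
        for bind in (False, True):
            user_side = Connection()
            bank_side = Connection() if relayed else user_side
            results[(label, bind)] = run_handshake(Client(SHARED_KEY), Bank(SHARED_KEY),
                                                   user_side, bank_side, bind)
    return results


if __name__ == "__main__":
    for (label, bind), (bank_ok, client_ok) in demo().items():
        print(f"{label:8s} binding={bind!s:5s} bank accepted by user: {bank_ok}, "
              f"user accepted by bank: {client_ok}")
```

The runs tell the story of the post. Without binding, the relayed handshake passes on both sides: the real bank accepts the user's "strong credential" forwarded by the intermediary, and the user sees a perfectly valid bank proof, which is exactly the re-use described in Chapter II. Once both proofs are bound to the connection each party actually has, the relayed run fails in both directions, because the proof the bank computed belongs to a different connection than the one the user is on, and vice versa. The point for a practitioner is that "everyone authenticates" only prevents the relay when each side's proof is anchored to the session it is really on.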
Chapter IV: Who benefits from strong mutual authentication?
The users obviously benefit from it.
They will no longer be scared (http://www.finextra.com/fullstory.asp?id=19933)
They will eventually regain confidence in the financial industry, leave more money in their bank accounts, make more transactions.
The good news about this kind of authentication scheme (STRONG MUTUAL AUTHENTICATION) is that it is fully compatible with all the work done so far by the security companies doing One Way Authentication. It actually bolsters any of these 1-way
Banks would also benefit from it: no more fraud, less chargeback processing, more business from accepting more legitimate transactions...
Everybody would benefit except the fraudsters...