The following article was submitted to OUT-LAW by Richard
Baker.
Every day for the past 700 years, a password ritual has been
enacted at the Tower of London. At seven minutes to 10 o'clock
every night, the Tower is locked down by the Chief Warder who is
then challenged by a sentry to provide the right password. The
dialogue runs:
Sentry: "Who goes there?"
Chief Warder: "The Keys"
Sentry: "Whose Keys?"
Chief Warder: "Queen Elizabeth's Keys"
Sentry: "Pass Queen Elizabeth's Keys. All's well."
But all is far from well in the modern world. Passwords have
become a currency amongst criminals who attack banks, businesses
and individuals to steal cash and other assets.
In our digital world, the majority of electronic transactions and
security procedures are 'protected' by user name and password
authentication.
Many people use the same password for everything while others
use a different password for each system. Both approaches have
serious weaknesses. The first enables a hacker who has successfully
captured a password to tamper with not just one but all of a
victim's electronic accounts. The second requires people to
remember dozens of different passwords and change them regularly.
Understandably, people often forget their passwords, write them
down or simply enter the wrong one, increasing the burden on
helpdesks.
Beyond passwords, there are approaches to authentication that
have previously been considered a 'Gold Standard'. In reality,
though, nothing is foolproof and there always has to be a trade-off
between security, usability and cost. There’s no point, for
example, in a bank spending a fortune on a system that is too
cumbersome for its customers to use – such a system might drive
customers away.
An appropriate level of investment, however, is essential to
manage the risks involved in a rapidly evolving threat landscape.
Fraud, money laundering and the financing of terrorists are
activities carried out by 'professionals' who work to a business
case just like any legitimate organisation. Fighting them involves
working to a business case that has the opposite objectives and
ensuring you are sufficiently fleet of foot to outwit the bad
guys.
Challenging the password
Authentication systems revolve around one or more of three
things:
- something you know, such as a password or PIN;
- something you have, like a smart card or an electronic token
usually in the style of a key-fob; and
- something you are – for example, individual biometrics relating
to fingerprints, voice patterns and iris scans.
Until now, passwords have ruled the roost because they are cheap
to implement. But Bill Gates thinks we’ve reached the limits of
this simple technology and is advocating stronger measures based
on new technologies.
Like many other companies – BT included – Microsoft believes in
a 'multi-layered' approach to security in which it becomes harder
and harder to penetrate systems as the potential for damage to the
organisation or its customers increases.
The software giant, however, tends to focus on measures that can
be installed on the desktop or back-office server or literally put
into a person's hand. The latter could be an electronic token or a
hand-held card reader for use in the home in a similar way to the
devices that read credit cards in shops.
This isn’t the only way to address the security challenge.
First, though, what are the pros and cons of the approach Microsoft
is recommending?
Two-factor technology
While the majority of US banks still employ a simple approach to
authentication based on user names and passwords, many
organisations around the world now use 'two-factor' techniques.
Typically, these involve tokens that generate a unique number
that becomes useless after a time window of 30 seconds or so, or is
limited to a one-off transaction. In the case of electronic tokens,
the user enters this number as well as his/her user name and
password. If a card reader is used, the number is read and
submitted automatically.
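As an added illustration of the time-windowed token described above (this is example code written for this article, not a bank's or token vendor's implementation), the following Python computes a time-based one-time code from a shared secret in the style of RFC 4226/6238 (HMAC-SHA1, 30-second step, six digits) and shows the server-side verifier: it tolerates one step of clock drift either side, refuses codes whose window has closed, and records the last step each user redeemed so the same code cannot be used twice. The user name, timestamps and the secret (the RFC's own published test key) are constructed demo values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the "30 seconds or so" time window from the article
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step)


class TotpVerifier:
    """Server-side check of a token code.

    Accepts the code for the current step and `drift_steps` either side to
    allow for token/server clock skew, and remembers the highest step each
    user has redeemed so a code submitted a second time inside its window
    is refused ("limited to a one-off transaction").
    """

    def __init__(self, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.step = step
        self.drift_steps = drift_steps
        self._last_step = {}  # user -> last counter value accepted

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        current = int(unix_time) // self.step
        for candidate in range(current - self.drift_steps, current + self.drift_steps + 1):
            # constant-time comparison so response timing does not leak matching digits
            if hmac.compare_digest(hotp(secret, candidate), code):
                if candidate <= self._last_step.get(user, -1):
                    return False  # already redeemed: replay within the window
                self._last_step[user] = candidate
                return True
        return False  # wrong code, or a code whose window has closed


if __name__ == "__main__":
    # Constructed demo values; the secret is the RFC 4226/6238 test key.
    secret = b"12345678901234567890"
    verifier = TotpVerifier()
    code = totp(secret, 59)
    print(code, verifier.verify("alice", secret, code, 59))   # fresh code: accepted
    print(code, verifier.verify("alice", secret, code, 70))   # same code again: refused
    print(code, verifier.verify("alice", secret, code, 209))  # five steps later: expired
```

The verifier only proves that whoever submitted the code held the secret within the last minute or so; it cannot tell whether that person typed it into the bank's site or into a fake one, which is the limitation the next paragraph describes.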
The result is an enhanced level of security, but the technique
isn’t without its limitations. Citibank, for example, uses a
two-factor system in the US, but it was successfully
attacked by fraudsters in summer 2006. They used a particularly
sophisticated form of 'phishing' – a scam in which emails are sent
asking people to visit websites to update details such as user
names and passwords. The problem is that the websites are fakes.
Customers who thought they were logging in to the real website at
the bank’s request were actually giving their login details to
criminals.
Such scams are increasingly commonplace and have made it urgent
for organisations to find a way to convince the public that the
websites they are accessing are genuine.
Evolving risk
One of the challenges is to find a way of doing this that
delivers acceptable security, is easy to use and is of acceptable
cost to the organisation and its customers.
Achieving all three can be a challenge. In Holland, for example,
people are prepared to buy hand-held card readers to access their
bank account but research shows that people in the UK wouldn’t be
willing to pay for enhanced security.
Even if answers can be found, they may only be effective for a
limited period of time. The banks, amongst others, are beginning to
realise this. They face a number of challenges:
- Securing their own websites and call centres
- Confirming transactions made on other commercial websites
- Checking that customers really are who they claim to be
- Encouraging people to use online services rather than going to
the bank.
The picture is constantly changing. The arrival of chip and PIN
authentication has seen a shift in fraud patterns from
straightforward over-the-counter credit card fraud to Cardholder
Not Present (CNP) fraud – either online or over the telephone.
The regulations banks must meet are changing too. To prevent
money laundering, for example, both the Financial Services
Authority in the UK and the Federal Financial Institutions
Examination Council in the US now require banks and other financial
services organisations to validate every new customer’s
identity.
The FFIEC considers single-factor authentication including
passwords and PINs to be inadequate for high-risk transactions but
recommends a 'reasonable' approach to risk. A recent
report (14-page / 167KB PDF) says: "The method of
authentication used in a specific Internet application should be
appropriate and reasonable, from a business perspective, in light
of the reasonably foreseeable risks in that application."
Crucially, it requires financial institutions to develop an
ongoing process to align the extent of authentication with the
level of risk involved in a class of transaction and ensure the
most appropriate authentication technologies are used in each
case.
A network approach
So if ‘two factor’ techniques are already showing signs of
weakness, are there any alternatives?
One that’s been in use for some years is based on the analysis
of people’s behaviour patterns. Some credit card companies, for
example, do more than check that the correct PIN is entered when a
purchase is being made. They also look at the amount being charged
and the store’s location to be sure these details fit with what’s
normal. If they aren’t, additional checks are made.
Phone companies – BT among them – apply similar checks to
customers’ calls. Have they suddenly started making more calls, or
started calling premium-rate numbers for long periods? Anything
suspicious prompts a call to the customer to make sure all is
well.
BT plans to build on such multi-layered approaches as it deploys
its new £10bn 21st Century Network (see panel). The network will
include an evolving set of services that allow both BT and other
organisations to create multi-layered defences against criminal
activity based on perceived risk.
Still in development, the idea is to capture and use for
security purposes the sorts of data that people disclose as they
access online services – where they are connected to the network,
which computer and web browser they are using and so on. This will
create a pattern of normal behaviour for each user that can be used
to increase the confidence that a user is who he/she claims to
be.
The information will allow BT to assign a risk rating to each
user session. If the user is connecting from his/her home address,
the risk will be low but, if he/she suddenly starts connecting from
a country where fraud is endemic, it will be high. It will be up to
the organisation that uses BT’s service to decide how it wants to
respond to each level of risk. At which level will it begin to
limit what users can do, for example, and at which will it prevent
access completely?
Like other security measures, it won’t be perfect. Someone will
eventually find a loophole that will have to be closed. However,
like existing checks on credit card transactions, it doesn’t
require users to do, have or buy anything special.
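The behaviour checks described under "A network approach", both the card-company and phone-company pattern checks and the per-session risk rating BT describes, can be sketched in code. The following Python is an added example written for this article, not BT's service or any card scheme's fraud engine: it builds a baseline of where, from which computer and with which browser each user normally connects, scores a new session by how far it departs from that baseline, and leaves the mapping from risk level to response (allow, step up to an additional check, or refuse access) to the relying organisation, as the text says. The weights, thresholds, the high-risk country list ("XX" is a user-assigned ISO 3166 code, not a real country) and the session records are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed placeholder for an operator's own list of countries it treats
# as high-risk; "XX" is a user-assigned ISO 3166 code, not a real country.
HIGH_RISK_COUNTRIES: Set[str] = {"XX"}


@dataclass(frozen=True)
class Session:
    user: str
    country: str    # where the user is connected to the network
    device_id: str  # which computer (hypothetical stable device identifier)
    browser: str    # which web browser


@dataclass
class Baseline:
    """What is 'normal' for one user, learned from past sessions."""
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    browsers: Set[str] = field(default_factory=set)


def build_baselines(history: List[Session]) -> Dict[str, Baseline]:
    baselines: Dict[str, Baseline] = defaultdict(Baseline)
    for s in history:
        b = baselines[s.user]
        b.countries.add(s.country)
        b.devices.add(s.device_id)
        b.browsers.add(s.browser)
    return dict(baselines)


# Constructed weights: how much each departure from the baseline adds.
WEIGHTS = {"new country": 40, "high-risk country": 20, "new device": 25, "new browser": 10}


def risk_score(session: Session, baseline: Baseline) -> Tuple[int, List[str]]:
    reasons: List[str] = []
    if session.country not in baseline.countries:
        reasons.append("new country")
        if session.country in HIGH_RISK_COUNTRIES:
            reasons.append("high-risk country")
    if session.device_id not in baseline.devices:
        reasons.append("new device")
    if session.browser not in baseline.browsers:
        reasons.append("new browser")
    return sum(WEIGHTS[r] for r in reasons), reasons


def risk_level(score: int, medium_at: int = 25, high_at: int = 60) -> str:
    if score >= high_at:
        return "high"
    if score >= medium_at:
        return "medium"
    return "low"


# The relying organisation's choice, as the article says: what to do at each level.
DEFAULT_POLICY = {"low": "allow", "medium": "step_up", "high": "deny"}


def decide(session: Session, baselines: Dict[str, Baseline], policy=DEFAULT_POLICY,
           medium_at: int = 25, high_at: int = 60):
    # A user with no history has an empty baseline, so everything looks new;
    # enrol such users through the step-up path rather than scoring them cold.
    baseline = baselines.get(session.user, Baseline())
    score, reasons = risk_score(session, baseline)
    level = risk_level(score, medium_at, high_at)
    return policy[level], level, score, reasons


if __name__ == "__main__":
    # Constructed history: alice usually connects from GB on two machines with Firefox.
    history = [
        Session("alice", "GB", "dev-1", "Firefox"),
        Session("alice", "GB", "dev-1", "Firefox"),
        Session("alice", "GB", "dev-2", "Firefox"),
    ]
    baselines = build_baselines(history)
    for s in (Session("alice", "GB", "dev-1", "Firefox"),   # usual pattern
              Session("alice", "GB", "dev-9", "Firefox"),   # new machine
              Session("alice", "XX", "dev-9", "Chrome")):   # everything unfamiliar
        print(s.country, s.device_id, s.browser, "->", decide(s, baselines))
```

Lowering `medium_at` and `high_at` is how an organisation with a lower risk appetite makes the same signals bite harder; the scoring itself does not change. As the text notes, none of this asks the user to do, have or buy anything.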
In many ways, users and customers are the strongest weapon
against hackers and fraudsters. You need to do everything you can
to keep them on your side – alert to the threat and helping you
defeat it. The clearer and more straightforward security checks are
to complete, the more likely your users or customers will want to
work with you.