Banks: Give me two passwords


Passwords are in the news thanks to Gawker Media, whose database of user IDs, email addresses and passwords was stolen and published on the web. A big part of the fault is Gawker's, for storing passwords in a form it could recover (so it could email them to users), which is exactly what made the dump so damaging. As I have written before, you should be very critical of any site that can email you your password if you forget it: the only way it can do that is by keeping the password itself, or something equivalent to it, instead of a salted hash.

Some of the advice to users in the wake of this has been not to use the same password on multiple sites, and that's not at all practical in today's world. I have passwords for many hundreds of sites. Most of them are like Gawker: accounts I was forced to create just to leave a comment on a message board. I use the same password for these "junk accounts." It's just not a big issue if somebody is able to leave a comment on a blog under my name, since my name was never verified in the first place. A different password for each site just isn't something people can manage. There are password managers that try to solve this, creating a different password for each site and remembering them, but these systems often have problems when roaming from computer to computer, trying out a new web browser, or when sites change their login pages.

The long-term solution is not passwords at all. It is digital signatures (though key management has the same roaming problems just described) and, beyond that, not having logins at all, but using authenticated actions instead, so that we neither create accounts just to do simple things nor depend on a federated identity monopoly like Facebook Connect. This is better than OpenID too.

However, for now we are stuck with passwords, and we are going to be using the same one on multiple sites. The big exception should be sites where your account has real powers, such as your bank. I use a different password for each site that can spend my money or do other powerful actions. Only a few can spend money directly, but a growing number can do other things, like buy items with a stored credit card and have them shipped to a thief's house. While you aren't liable for such credit card charges, it's a lot of work to fight them and you would rather avoid it.

The "high security" sites take various steps to try to increase security. Some of them deliberately break the login procedure to stop password managers from saving your password. In doing so they damage two things. First, by blocking password managers they encourage people to reuse the password they use elsewhere. Second, it turns out that autofill by a password manager (including the one built into most browsers) is a good anti-phishing technique: the manager ties a saved password to the site's real domain, so a look-alike domain gets nothing filled in. If I go to a site and it doesn't auto-fill the password, that is a sign I should check whether I am really at the site I think I am at, since a phish is very unlikely to fool the password manager.

The second thing they do is time out your sessions, forcing you to log in again if you wait too long between actions. This is quite annoying at your own private computer at home, even though it might make sense if you are crazy enough to log in to your bank from an internet cafe.

In a similar effort, they will sometimes ask you to re-enter your password when doing certain actions. This makes more sense than a timeout, and can defend against session hijacking tools like Firesheep, which steal the session cookie as it travels over an unencrypted network. Still, the best defence there is simply to run the whole session over SSL/TLS, and all sites should be doing this. (Note: if we are on an SSL session and I logged in 30 seconds ago, it is not necessary to ask twice.)

I propose something stronger still. The bank should indeed ask for a password again when doing something "big" like a money transfer to a stranger's account. But this should be, optionally, a different password from the main login password. That's because I am much more worried about somebody transferring out my money than about them seeing my bank balance. (Not that I want them to see my bank balance or other data; I simply want even more security on the money transfers.)

A better example might be my frequent flyer account. No, I don't want people to be able to see my FF balance and the log of trips that earned the miles, which anyone who gets into that account can see, perhaps by walking up to my computer while I am away. But I really don't want them spending my miles, and that should require the second level of security.

The idea of two levels makes sense for password managers and digital signature authentication systems too. With most password managers, at least on machines that are not very private, you enter a master password to unlock all the stored passwords. Typically you enter it once at the start of a browser session, and perhaps once a day after that. The password manager should understand the concept of deeper levels of security, and require another master password (or passwords) to release the credentials at those levels.

That becomes important because while I log on to the airline site frequently, I book a trip with miles only rarely, perhaps once a year or less. I won't remember a password I use that infrequently, especially if it's different for every such site.
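Here is how the two-level scheme proposed above could be modelled on the server side. This is an added worked example, not code from the post or from any bank: the action table, the freshness windows, the "just logged in" grace period and all names are assumptions made for the illustration. It shows the login password opening level 1, a separate (optional) second password opening level 2, level 2 expiring sooner than level 1, and the fallback in which a login from moments ago is not asked for twice when no second password is configured.

```python
"""Two-level ("step-up") authentication sketch. Added illustration, not the
post's code. Level 1 = login password, enough for low-powered actions.
Level 2 = "big" actions, proven with a separate optional second password.
A recent proof stays fresh for a while so the user is not asked twice.
Action table, windows and names are assumptions for this example."""
import hashlib
import hmac
import os
import time

LEVEL_LOGIN, LEVEL_HIGH = 1, 2

ACTION_LEVEL = {                     # assumed policy: level each action needs
    "view_balance": LEVEL_LOGIN,
    "transfer_to_new_payee": LEVEL_HIGH,
    "change_mailing_address": LEVEL_HIGH,
    "redeem_miles": LEVEL_HIGH,
}
FRESH_FOR = {LEVEL_LOGIN: 15 * 60, LEVEL_HIGH: 5 * 60}  # seconds (assumed)
JUST_LOGGED_IN = 30     # a login this recent need not be repeated for level 2
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; each level's password gets its own salt."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, login_password, high_password=None):
        self.login_cred = hash_password(login_password)
        # Second password is optional; without it level 2 falls back to
        # re-entering the login password, as the post allows.
        self.high_cred = hash_password(high_password) if high_password else None


class Session:
    def __init__(self, account, clock=time.time):
        self.account = account
        self.clock = clock          # injectable so the demo can move time forward
        self.auth_at = {}           # level -> time of last successful proof

    def authenticate(self, level, password):
        """Prove a level with its password; returns True on success."""
        if level == LEVEL_LOGIN:
            salt, digest = self.account.login_cred
        elif level == LEVEL_HIGH:
            salt, digest = self.account.high_cred or self.account.login_cred
        else:
            return False
        if not verify_password(password, salt, digest):
            return False
        now = self.clock()
        self.auth_at[level] = now
        if level == LEVEL_HIGH:     # the stronger proof also covers the weaker
            self.auth_at[LEVEL_LOGIN] = now
        return True

    def level_is_fresh(self, level):
        t = self.auth_at.get(level)
        if t is not None and self.clock() - t <= FRESH_FOR[level]:
            return True
        if level == LEVEL_HIGH and self.account.high_cred is None:
            # No separate second password: re-asking the login password
            # seconds after login is pointless, so a very recent login counts.
            t = self.auth_at.get(LEVEL_LOGIN)
            return t is not None and self.clock() - t <= JUST_LOGGED_IN
        return False

    def required_step(self, action):
        """0 if the action may proceed now, else the level to (re)prove first."""
        need = ACTION_LEVEL[action]
        if need == LEVEL_HIGH and not self.level_is_fresh(LEVEL_HIGH):
            return LEVEL_HIGH
        if not self.level_is_fresh(LEVEL_LOGIN):
            return LEVEL_LOGIN
        return 0


def demo():
    """Walk a session through the levels; returns the step each check demanded."""
    now = [1_000_000.0]
    s = Session(Account("correct horse", "battery staple"), clock=lambda: now[0])
    steps = [s.required_step("view_balance")]               # 1: not logged in
    assert s.authenticate(LEVEL_LOGIN, "correct horse")
    steps.append(s.required_step("view_balance"))           # 0
    steps.append(s.required_step("transfer_to_new_payee"))  # 2: needs 2nd password
    assert not s.authenticate(LEVEL_HIGH, "correct horse")  # login password won't do
    assert s.authenticate(LEVEL_HIGH, "battery staple")
    steps.append(s.required_step("transfer_to_new_payee"))  # 0
    now[0] += 6 * 60                                        # six minutes pass
    steps.append(s.required_step("transfer_to_new_payee"))  # 2: level 2 expired
    steps.append(s.required_step("view_balance"))           # 0: level 1 still fresh
    return steps


if __name__ == "__main__":
    print(demo())  # [1, 0, 2, 0, 2, 0]
```

The two credentials are hashed under separate salts, so the database never reveals whether the second password repeats the first, and a successful level-2 proof refreshes level 1 as well, since whoever holds the stronger secret has trivially proved the weaker one.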

In the long run, I believe we need to move to a hardware token for authentication. This token would probably be your mobile phone (or rather a secured, walled-off segment of your mobile phone) combined with a small thumb-sized USB device that you always carry with you.

Comments

My bank uses TUPAS, which has three passwords. One is a constant one that I have memorised. For the others the bank sends you a list, with 80 one-use passwords for login and 18 confirmation passwords that are randomly assigned. I'm happy with using it. I managed to identify myself with it and take back my university e-mail address when someone had hijacked it.

It's an old system already, but for banks every security measure has to be long term, because customers have enormous inertia.

My credit union already has a double authentication scheme. When I log on from an unknown IP address, I am prompted to answer a security question. I have the option to turn this feature on for all logons, regardless of my IP. I like the extra layer of security, but I am not convinced that it is much better than using a single strong password. As an alternative I would like to have the bank issue me a preprinted card with a grid of random characters (a first step toward a hardware token). The system would ask you the character found in position X-Y of the grid. The bank could replace the card based on frequency of use. It could even be printed right on your ATM card. Now I have to prove that I know something, my userid/password, and that I have something, my ATM card. Further, the system could ask you to append this card code to your password, making that a little stronger, making your password different each time you logon. I know these systems exist, but I suspect companies are reluctant to implement them due to cost, and the added complexity.
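The grid card described in the comment above, as an added illustration of the server side of such a scheme (not the commenter's or any bank's code). The assumptions are mine: an 8x8 grid of letters and digits, a per-card secret key from which the bank derives every printed cell with HMAC so it need not store the grid itself, challenges of two cells each, cells never asked for twice, and the card retired after 24 cells have been revealed, which is one way to "replace the card based on frequency of use".

```python
"""Grid card as a "something you have" factor. Added illustration of the
scheme in the comment above, not any bank's code. Assumptions: 8x8 grid
of letters/digits, each cell derived by HMAC from a per-card key held by
the bank, two cells per challenge, no cell asked twice, card retired
after MAX_REVEALED cells have been exposed."""
import hashlib
import hmac
import secrets
import string

ROWS, COLS = "ABCDEFGH", "12345678"
ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols per cell
CELLS_PER_CHALLENGE = 2
MAX_REVEALED = 24


def cell_value(card_key, cell):
    """Character printed at a cell such as 'C5', derived from the card key.
    (Reducing a 32-bit value mod 36 has a negligible bias for this purpose.)"""
    mac = hmac.new(card_key, cell.encode(), hashlib.sha256).digest()
    return ALPHABET[int.from_bytes(mac[:4], "big") % len(ALPHABET)]


def render_card(card_key):
    """The grid as the bank would print it (or put on the back of an ATM card)."""
    lines = ["   " + " ".join(COLS)]
    for r in ROWS:
        lines.append(r + "  " + " ".join(cell_value(card_key, r + c) for c in COLS))
    return "\n".join(lines)


class GridCard:
    """Server-side state for one issued card."""

    def __init__(self, card_key=None):
        self.key = card_key or secrets.token_bytes(32)
        self.revealed = set()     # cells already asked about
        self.pending = None       # cells of the outstanding challenge

    def challenge(self):
        """Pick unused cells; None means the card is used up and must be reissued."""
        if len(self.revealed) + CELLS_PER_CHALLENGE > MAX_REVEALED:
            return None
        unused = [r + c for r in ROWS for c in COLS if r + c not in self.revealed]
        self.pending = secrets.SystemRandom().sample(unused, CELLS_PER_CHALLENGE)
        return list(self.pending)

    def verify(self, response):
        """Check the characters the user typed for the pending cells, in order."""
        if not self.pending:
            return False
        expected = "".join(cell_value(self.key, c) for c in self.pending)
        ok = hmac.compare_digest(expected.encode(), response.strip().upper().encode())
        # Spend the cells whether or not the answer was right: a failed guess
        # must not let an attacker keep probing the same positions, and the
        # user's typed answer may have been observed.
        self.revealed.update(self.pending)
        self.pending = None
        return ok


def demo():
    """One honest login and one attacker guess against a reproducible card."""
    key = bytes(range(32))                  # fixed key so the run is repeatable
    card = GridCard(key)
    cells = card.challenge()
    honest = "".join(cell_value(key, c) for c in cells)   # user reads the card
    ok_honest = card.verify(honest)
    cells2 = card.challenge()
    right = "".join(cell_value(key, c) for c in cells2)
    wrong = "".join(ALPHABET[(ALPHABET.index(ch) + 1) % 36] for ch in right)
    ok_thief = card.verify(wrong)           # attacker without the card
    return ok_honest, ok_thief, cells, cells2


if __name__ == "__main__":
    print(render_card(bytes(range(32))))
    print(demo())
```

Two cells from a 36-symbol alphabet give a guesser a 1 in 1296 chance per attempt, so the scheme only works together with the password and a lockout; the "append the card code to your password" variant in the comment is the same check with the cell characters concatenated onto the password field.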

Most of the implementations of "security questions" actually weaken security, of course, though it doesn't weaken security to ask for both the password and the security questions. All the sites that will tell you the password if you know the security questions make things worse -- you can get in knowing either, and the security questions are often things that are easy to get or even public, like mother's maiden names or SSNs. (It's not that hard for people to get your SSN.)

My point though is to make it easy for me to get on and do the low end stuff, and ask for extra security when I'm doing something important, like moving money or points, changing an address or name to which money is sent and so on.

If you make it too much of a pain to login for the ordinary stuff, people won't login, or they will write down all the information on a piece of paper in their desk. There is a risk with the 2nd password that they will also write it down, and in fact it makes sense to write it down, but not somewhere people would easily think to look. However, when you say "This is the password that can drain your bank account" people will take more care with it, I would hope.

My bank already can automatically email upon each significant transaction. (What is "significant" is simply a dollar-amount I can set.) This seems to happen after the transaction, so I am not sure what would happen if my account had been hijacked. But at least I would become aware of it, and shut down any further misuse.

My credit card company will have a person phone me if its computers notice any odd transactions.

I'd like a cross between these things. I would register a cell phone number with my bank. Whenever a significantly large transaction has been ordered from my bank account, they call my number, verify it is me, and allow a transaction only after I have verbally OKed it.

Reusable passwords are a loss in all ways. "Certificate" systems based on public key cryptography need a secure store for private keys, and PCs can be assumed to be 0wned by hackers, and the site needing authentication can't distinguish an honest Linux system or Mac from a lying Windows PC. Nobody really wants to carry around a keyring with dozens of OATH tokens hanging from it. The problem with card codes is that they're patented, and license terms are apparently expensive, so they're not often used despite their convenience and low actual cost. The US Treasury uses them for "Treasury Direct" bond purchases, though. But cards can be lost, and you won't notice if you don't use the account frequently.

The best system I've encountered so far is used by my bank, which sends a one-time-use PIN to my phone via text message. Leverages existing infrastructure, zero investment in user-carried stuff, easily revocable and reassignable, can't be lost or stolen without the user noticing; what's not to like?

Yes, I say that's the likely long term situation. Of course GSM is not hard to crack, and once we do use our phones for this, you can bet that attackers will move their resources into pwning phones, which gets easier the more we want the phones to do. But having yet another token is not a great answer.

CitiBank does something very similar to what Brad suggested - if you want to do a wire transfer (a very high fraud potential activity) you need to enter additional info - the question varies (it's not a password but it does provide a second level of protection). CitiBusiness uses one time tokens but they won't let me assign a token to my personal account (lame).
