Dubious, philosophically speaking
"We want to identify people for who they are, not what they remember"
riiiiiiiiight
Mastercard and Visa are removing the need for users to enter their passwords for identity confirmation as part of a revamp of the existing (oft-criticised) 3-D Secure scheme. The arrival of 3D Secure 2.0 next year will see the credit card giants moving away from the existing system of secondary static passwords to authorise …
The most recent one that I have seen captures your DNA and blood, sends a sample to a local Vogon spaceship, analyses the results for any traces of Pan-Galactic Gargle Blaster, calls up Zaphod directly, asks if he was drinking with you lately and if not zaps you into oblivion.
Why the importance of this diatribe? Simples: it's great to have highly advanced techniques, but they MUST BE AVAILABLE before anyone can use them, and this takes bloody years......
meanwhile as I reach for a bottle of good Ol' Janx Spirit.... ------>>> Yes it's Friday
Covered by a very early Mythbusters episode. Also of note - the manufacturer offered some kind of guarantee that it couldn't be beaten. So that's two lessons in one ;)
Mine's the one with the hands in the pockets to stop someone cutting them off and using the fingerprints.
I've seen fingerprint authentication fooled for the cost of a camera and an inkjet printer.
Or for the cost of a piece of sellotape (to lift a fingerprint), a small piece of photo-resist-coated PCB material, standard etchant, and a blob of silicone rubber. Which method has the advantage that it does not need any connivance from its victim. It's just a slight modification of the long-known method for putting a random fingerprint on an incriminating object. (Pray you have a good alibi if it's your print they lift.)
Or for no cost at all. A brutal criminal will just cut off your finger(s) and leave you tied up while he empties your bank account. Mercedes used to sell cars that used the owner's finger instead of a key. Until South African carjackers started cutting drivers' fingers off. Mind you, that was better than being shot dead and then having your fingers hacked off. Or vice versa. No way I'd drive any car except a rust-bucket in a country like that. Safer still to not go there at all.
No way am I ever going to carry a financial instrument that uses part of my body as a key.
Most people apparently do.
This morning I wondered if the woman in front of me was attempting to negotiate a hostile takeover of the bank via the ATM. LADY! YOU DON'T NEED TO QUERY YOUR BALANCE THREE TIMES IN A ROW! IT WON'T MAGICALLY HAVE MORE MONEY!
No way am I ever going to carry a financial instrument that uses part of my body as a key.
OH SO VERY AGREED. Anyone who has watched either The 6th Day or Demolition Man already knows exactly why biometrics for security are a very bad idea. Sure, high-end biometric scanners will usually check if the body part is still attached to its rightful owner, but the common criminals won't necessarily know this before hacking off your finger or plucking out your eye. And they might still do it out of spite anyway.
Stop this biometric madness. If you want better security, go down either 2FA, PKI, or some combination of these. Biometrics are going to be painful.
There is another issue to look at.
Whether static, behavioural or electromagnetic, biometrics can theoretically be operated together with passwords in two ways: (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the device finally locked, they would have to see the device reset. It is the same with biometrics operated without passwords altogether.
Biometric products like Apple's Touch ID are generally operated by (2), so that users can unlock the devices by password when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y) alone; that is, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.
What makes us nervous is the possibility of seeing such pictures that many of the consumers, who are trapped in the false sense of security, are piling up their assets and privacy in the cyber space while some of the criminal wolves, who are aware that those consumers are now less safe, are silently waiting for the pig to grow fat.
As such, it is really worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.
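As an added worked example (not part of any commenter's post), the arithmetic of the comment above carried through for both policies, and generalised from two factors to any number of factors. The rates used are constructed inputs, not measured figures for any product.

```python
from functools import reduce
from operator import mul

# Constructed illustrative rates (not measurements of any real product):
#   x  = probability an attacker defeats the biometric check
#   y  = probability an attacker defeats the password check
#   frr = false-rejection rate of the biometric for its real owner
#   pw_forget = probability the real owner fails the password check
X, Y = 0.001, 0.0001
FRR, PW_FORGET = 0.02, 0.05


def disjunction_attack(rates):
    """OR policy: beating any one factor lets the attacker in.
    P = 1 - prod(1 - p_i); for two factors this is x + y - xy."""
    return 1.0 - reduce(mul, (1.0 - p for p in rates), 1.0)


def conjunction_attack(rates):
    """AND policy: every factor must be beaten. P = prod(p_i)."""
    return reduce(mul, rates, 1.0)


def disjunction_lockout(fail_rates):
    """OR policy: the real owner is locked out only if every factor rejects them."""
    return reduce(mul, fail_rates, 1.0)


def conjunction_lockout(fail_rates):
    """AND policy: the real owner is locked out if any factor rejects them."""
    return 1.0 - reduce(mul, (1.0 - f for f in fail_rates), 1.0)


def weaker_than_password_alone(bio_attack, pw_attack):
    """The comment's claim: under OR, any biometric with x > 0 raises the
    combined attack success above the password's y on its own."""
    return disjunction_attack([bio_attack, pw_attack]) > pw_attack


def compare(bio_attack, pw_attack, bio_frr, pw_forget):
    """Both sides of the trade-off for a biometric+password pair."""
    return {
        "or_attack": disjunction_attack([bio_attack, pw_attack]),
        "and_attack": conjunction_attack([bio_attack, pw_attack]),
        "or_lockout": disjunction_lockout([bio_frr, pw_forget]),
        "and_lockout": conjunction_lockout([bio_frr, pw_forget]),
    }


if __name__ == "__main__":
    for key, value in compare(X, Y, FRR, PW_FORGET).items():
        print(f"{key:12s} {value:.7f}")
    print("OR weaker than password alone:", weaker_than_password_alone(X, Y))
```

The OR figures show why the commenter calls the fallback the weaker design; the AND figures show the lockout cost that makes vendors avoid it.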
I don't understand the focus on 'biometrics'.
Given that it's not that difficult to fake a fingerprint, this means we will all have to wear gloves? Because otherwise anyone could swipe my fingerprints, and have my "secret" code (ie. my fingerprint).
Even if through some technological breakthrough somehow a brand new 'biometric' system will spring to life, it's not at all inconceivable someone will find a way to fake this in such a way that will fool the detectors.
This is a problem with *all* biometric authorisation (iris scans, etc.) ...
Passwords, on the other hand, are something only *I* know, and reading my thoughts is not only impossible today, it's quite possibly not even physically possible.
There are also more practical concerns: how will this work? Will I need a fingerprint reader? Will that work with my BSD system? Or do I need a smartphone? What if I don't have a smartphone? Will this system even be secure? History has taught us that these sorts of systems often contain flaws (sometimes quite serious ones). At least the current systems are well understood (flaws and all).
The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords, both are quite secure; all the others are randomly generated passwords. While this isn't perfect, and a second ("2 factor") authorization is indeed desirable for financial systems, that's nothing new; every bank already does that, as do some services like Dropbox.
In any case, I don't see how 'biometric authorisation' will make matters better, especially if this means it *replaces* passwords (rather than supplement them).
"Why does everyone automatically jump to fingerprints as soon as anyone mentions biometrics. Of the entire set of things that you could use on the human body (non-invasively) for biometric checks, the fingerprint is just a fairly small subset."
It's just the simplest representation to present in an argument, but the argument can be made for any and every biometric. Quite simply, just about anything man can create, man can either re-create or subvert. How do biometrics stop a Man in the Middle, for example, like a tampered entry point, which is physically proven to be impossible to completely secure simply because anyone can find and subvert a point outside a chain of trust and disguise it as a trusted point beyond the point of everyday detectability?
Yep, it doesn't matter what biometric is used or even if it is impossible to fool the reader. Biometric authentication is fundamentally the same as any other form.
During enrolment, the authentication server collects data about your authenticator. This may be your password (hash), a seed for a 2FA token, an X.509 public key or the base sample data for the biometric (etc. etc.).
During authentication, credential data is collected from the user. This could be input via a keyboard, smartcard reader or some weird and wonderful scanning device. This data is now a normal blob of data. It may be processed by the client before being sent to the authentication server for processing.
The server compares what it is given by the client to what it has got stored in some fashion. This comparison will result in either a positive or negative result. The authentication server doesn't give a damn about your fingerprint, iris scan or anal probe results, all it needs is a blob of data. If you can supply some data that it can match and inject it into the right place in the communications channel, the server will accept it.
That's why on many Windows networks, if you have a password hash, it matters not that you don't know the password; or if you have a 2FA token seed and the generation algorithm, you don't need the original token. If you have enough information about a biometric credential and the system in use, you don't need the actual body part and can just bypass the scanner hardware.
In the password or 2FA examples, you can revoke the credential and issue a new one. Short of forced surgery, there is simply no way of doing this with biometrics.
"The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords, both are quite secure; all the others are randomly generated passwords. While this isn't perfect, and a second ("2 factor") authorization is indeed desirable for financial systems, that's nothing new; every bank already does that, as do some services like Dropbox."
Then someone breaks your master password. Or your memory's so bad you can't even remember that password. And the moment someone says, "Tough!", that someone loses at least one customer. So what are you going to do? Customers are demanding turnkey solutions that don't rely on memory and won't take no for an answer.
I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor).
My UK bank account is particularly unusable since it prevents me from using a password manager by asking for random characters from my password.
Having said which - the visa and mastercard verification MITM popups are the most half-assed and broken web abortions I have ever seen. They look exactly like a phishing MITM attack, they fail to work on some browsers, etc etc. Glad to see them go.
"I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor)."
Barclays and NatWest (at least) use 2FA with tokens generated by the chip on your debit card. The Barclays variant (I've not used the NatWest one) authenticates access to the account and at the transaction level (the first time you send money to a recipient).
I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor).
See, sometimes forcible regulation brings good things. All Mexican banks offer 2FA, because they are mandated by law to do so. Pretty much every bank implemented some form of 2FA since 2007, and the last one that still used the corny "card number matrix" switched to physical real tokens sometime around 2011.
Meanwhile in the US, 2FA is nowhere to be found.
Some of my UK bank accounts have two factor authentication.
RBS/Natwest, Barclays and Nationwide have a card reader, so I have to put my card in it, enter a PIN and get a code which I enter into the website.
HSBC has a code generator which gives me a number to enter into the website.
Halifax and Santander send a code by SMS to my phone which I have to enter into the website.
> The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords
Even without a password manager. I have about two dozen passwords or so, and remember them all (most of the time!). It's not that I have great memory or anything
What was I saying?
Ah yes, not great memory, but I just learn to associate the passwords with the object/site/system I am trying to access, so that for example The Register becomes "8fLpow35" or whatever. Compared to the number of nouns one regularly uses in everyday language, a couple dozen passwords do not seem much. Of course it does require a little intellectual effort--not something I ever see as a bad thing, mind.
Not advocating this system, just presenting another possible approach to the too many passwords problem.
First time I encountered VbyV (many years ago) I called the card issuer and said "What is this?".
The call centre replied with, "We've never heard of it, so we've locked your card".
Frankly, it's been downhill ever since.
Can't remember your password?
Re-set immediately just by using the details on the card and the date of birth.
It's not like my DOB is very secret.
I don't think I've ever, once, entered a password on the entirely pointless and annoying Verified by Visa "service". Every time, it's "forgotten password", followed by a few basic details that I can remember and yet another relatively random slew of numbers and letters for the new password.
Are there any details on how the delusional, control-freak muppets are planning the next ludicrous "security theatre" of authentication?
The usual way IME is apart from the usual DOB and "memorable question", my bank asks questions regarding recent and/or regular transactions. "Which supermarkets do you usually shop at?" "When did you last withdraw cash from an ATM?" "Have you bought a lottery ticket online over the past week?" etc. Of course it is possible that the fraudster has a copy of my bank statement that is less than a week old, but far less likely than knowing my DOB or family details.
Not just that but from a retailer point of view it was a pain.
If you have an ecommerce site and spend a lot of effort with UX on your payment funnel, then you capture the customer (who wishes to purchase), great! However, then there's the pass-over to 3DSecure and bam: they forget their password, or the bank decides to reject the payment, etc.
Not so bad to have extra security when you are delivering physical goods to a new customer, but if you aren't, then a third party is deciding whether a customer can shop with you or not, and there is absolutely no way of finding out why they couldn't complete. There were articles mentioning a 9% drop in conversion with 3Dsecure. Very few retailers can see that as a positive thing.
> There were articles mentioning a 9% drop in conversion with 3Dsecure. Very few retailers can see that as a positive thing.
Which is probably the reason why they're scratching it (i.e., sod all to do with the customer's convenience or security).
Indeed, at one time one of my cards had that stupid system. There were some very unfortunate merchants in France who had this system forced upon them by their bank (providing the checkout). Much as I liked them, I had no choice but to forego their services until, a few months later, they wrote to tell me they were now accepting AMEX for those of us who could not / would not use that piece of shit of a "verification" system. I felt sorry for them since AMEX's merchant fees are double everyone else's, but...
At the same time, my bank was claiming that this was enforced from the receiving end and there was nothing they could do. I closed my accounts on that bank so I don't know what the latest status is, but none of the banks that I do business with nowadays seem to implement that sorry thing, thankfully.
Apparently the credit card companies charge retailers considerably more if they don't use 3Dsecure. On the other hand, the customer is more likely to avoid a retailer who does put the customer through the nuisance value of those bizarre credit card "security" setups. I still think that a pass number being sent by SMS each transaction is a far better way of doing things.
How is a free PAYG sim from Three a 'rip-off'?
Moreover how are calls charges of 3p a minute, texts at 2p and data at 1p/MB a rip-off either? Assuming you ever use the thing? I put £10 on mine months ago and despite periodically checking my emails via 4G and making the odd call I've still got over £7 on there.
Forgive me, but if you're in $FOREIGN_COUNTRY you're not going to be shopping online much are you? Services are a bit different, but it still seems like you're being a bit pedantic.
I'm not really in favour of using phones for 2FA either, but the original poster's comment about a PAYG sim being a 'rip off' just seems like complete rubbish. It's only expensive if you use it a lot, but the original poster clearly wouldn't use it very much since they manage to get by without a phone at all.
AIUI, SMS are free to receive, even overseas, on most/all UK/EU networks, so cost is not a real objection. And seeing as three and other networks are currently rolling out in-package calls for more and more roaming countries, that gets less of a deal.
When I go abroad to visit family I go for a while.
When in country I expect to be able to shop on line even when I have popped a PAYG SIM in my phone.
I could be booking hotels, motels, camp sites, ferries, flights using the new SIM either directly on my phone or tethered to a laptop or tablet.
I may even want to click and collect at stores.
For this to work in the age of the global traveller you would need to be able to switch phone numbers quickly, easily, and repeatedly from abroad.
Given that proviso it doesn't seem quite as secure.
"AIUI, SMS are free to receive, even overseas, on most/all UK/EU networks, so cost is not a real objection."
Even in the US, it's pretty easy to pick a plan that has generous texting allowances if not unlimited texting, meaning even if they charge for receiving, it becomes just a drop in the ocean.
>Could you expand on that please?
What needs to be explained? How many people shop on-line while abroad as much as they do at home? How many people do it at all? Hands up please.
First off it's assumed $FOREIGN_COUNTRY is the country in which you do not live for most of the year, because then it's no longer foreign. $FOREIGN_COUNTRY is somewhere you are visiting for a business trip or holiday, not the house you own in France and live in for months each summer.
Many stores won't ship to a different street address than the one which appears on your bank statement, almost none will ship when the country is different, it's an anti-fraud measure. So immediately shopping on-line when abroad becomes more difficult.
Then there's the cost of shipping abroad, assuming you're buying from the country in which you normally reside; this isn't something you'd make a habit of unless it was vital - e.g. you arrived at your destination and realised you've forgotten something that can't be purchased locally. In these circumstances why would you not also be prepared to turn your phone on (or swap sims) to receive a text message?
Well, for many, their mobile is the only second factor available to them, so if you want 2FA, it's mobile or bust. If you declare 2FA bust, then you now have to figure out how to build a security system that's tamper-proof, turnkey simple, and doesn't require a second factor? Last time I checked, that means the general public is not accepting anything less than the impossible.
Ac,
not necessarily, Google Authenticator (I think that is what it is called) on my android generates a pseudo-random sequence to be entered into web pages etc, and does not need to be connected to the interwebs at the time.
Works quite well, especially here in the countryside, where SMS 2fa is a pain in the derriere due to having ropey mobile reception...
J