Circle Bank plays with two-factor authentication

pat hache tercasa at prodigy.net.mx
Thu Sep 28 16:17:11 EDT 2006


Here (Mexico), BBVA / Bancomer uses 24 special three-digit numbers on a
card you need to have at hand to access your account after login and
username... the system asks you for one of those 24 numbers to allow each
session entry.
Supposed to be effective... Don't know if there is a similar system
elsewhere.

On 28 sept. 06, at 14:34, Ed Gerck wrote:

Circle Bank is using a coordinate matrix to let
users pick three letters according to a grid, to be
entered together with their username and password.

The matrix is sent by email, with the user's account
sign on ID in plaintext.

Worse, the matrix is pretty useless for the majority of users,
with less usability than anything else I have seen in a long time.
This is what the email says:

   The following is your Two Factor code for Online Banking for
   username (sign on ID changed here for privacy reasons).  You will be
   required to enter the grid values associated with the three
   Two Factor boxes presented with each sign-on to Online Banking.
   Please save and store this Matrix in a safe yet accessible place.
   The required entries will be different each time you sign-on.


                 Two Factor Matrix

     A    B    C    D    E    F    G    H
     _    _    _    _    _    _    _    _

1    0    8    4    2    1    1    7    5

2    7    4    9    9    2    4    2    0

3    3    6    0    6    9    9    0    6

4    6    4    5    1    4    6    8    4

5    1    7    6    8    6    5    9    2


These are the additional instructions in the site:

   Check your e-mail for receipt of the Two Factor Matrix which should
   be delivered within 2-3 minutes of activation. You can save the
   e-mail to your desktop for easy access or print the matrix.
   However, do not write your sign on ID and password on this matrix –
   treat it securely as you do with a Debit or ATM card.

   Go back to the online banking sign on page and type in your sign
   on ID, password, and the three coordinates from your Two Factor
   Matrix. These three coordinates are randomly selected each time
   you sign on, so remember to keep your matrix secure and easily
   accessible.

Well, the bank itself already compromised both the sign on ID
and the matrix by sending them in an email. All that's left
now is a password, which a nice phishing email giving the
correct sign on ID might easily get.

When questioned about this, the bank's response is that this
scheme was designed by the people that design their web site
and had passed their auditing.

Of course, a compromise now would be entirely the user's fault
-- another example of shifting the burden to the user while
reducing the user's capacity to prevent a compromise.

This illustrates that playing with two-factor authentication can
make the system less secure than just username/password, while
considerably reducing usability. A lose-lose for users.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to 
majordomo at metzdowd.com
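The grid-card scheme both messages describe, as an added example that is not part of either post and not the banks' code. It parses the Circle Bank matrix exactly as printed in the quoted e-mail, issues a three-cell challenge, verifies the response, and models the Bancomer card from the reply (24 cells of three digits, one cell per session) with the same class. The GridCard class, parse_matrix, the seed parameters and emailed_matrix_answers_everything are this example's own names and assumptions.

```python
# Added example (not from the original post): grid-card challenge-response
# with the Circle Bank matrix from the quoted e-mail as sample data.  The
# class, helper names and seed parameters are assumptions of this example.
import hmac
import random
import secrets

# The matrix as it appears in the quoted e-mail above.
CIRCLE_BANK_EMAIL_MATRIX = """\
     A    B    C    D    E    F    G    H
     _    _    _    _    _    _    _    _

1    0    8    4    2    1    1    7    5
2    7    4    9    9    2    4    2    0
3    3    6    0    6    9    9    0    6
4    6    4    5    1    4    6    8    4
5    1    7    6    8    6    5    9    2
"""


def _rng(seed):
    """CSPRNG for real use; a seeded generator only for reproducible demos."""
    return secrets.SystemRandom() if seed is None else random.Random(seed)


class GridCard:
    """A card of secret digit strings addressed by (row, column) coordinates.

    Circle Bank: 5 x 8 cells, one digit each, three cells per sign-on.
    BBVA Bancomer (per the reply above): 24 cells, three digits each, one per session.
    """

    def __init__(self, cells, digits_per_cell, cells_per_challenge):
        self.cells = dict(cells)              # {(row, col): digit string}
        self.digits_per_cell = digits_per_cell
        self.k = cells_per_challenge

    @classmethod
    def random(cls, rows, cols, digits_per_cell, cells_per_challenge, seed=None):
        rng = _rng(seed)
        cells = {(r, c): "".join(str(rng.randrange(10)) for _ in range(digits_per_cell))
                 for r in rows for c in cols}
        return cls(cells, digits_per_cell, cells_per_challenge)

    def new_challenge(self, seed=None):
        """Server side: pick k distinct coordinates and bind them to the session."""
        return _rng(seed).sample(sorted(self.cells), self.k)

    def answer(self, challenge):
        """Card-holder side: read the requested cells off the card, in order."""
        return "".join(self.cells[coord] for coord in challenge)

    def verify(self, challenge, response):
        """Server side: compare against the stored card in constant time."""
        return hmac.compare_digest(self.answer(challenge), response)

    def response_space(self):
        """Distinct responses per challenge; 1/this is the per-attempt guess odds."""
        return 10 ** (self.digits_per_cell * self.k)


def parse_matrix(text, cells_per_challenge=3):
    """Parse the plain-text layout the bank e-mails (header row, '_' rule, data rows)."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    cols = rows[0]
    cells = {}
    for row in rows[1:]:
        if row[0].startswith("_"):            # the underline row carries no data
            continue
        label, *values = row
        if len(values) != len(cols):
            raise ValueError(f"row {label}: expected {len(cols)} values, got {len(values)}")
        cells.update({(label, col): val for col, val in zip(cols, values)})
    return GridCard(cells, digits_per_cell=1, cells_per_challenge=cells_per_challenge)


def emailed_matrix_answers_everything(card, trials=50, seed=0):
    """Ed Gerck's point: whoever holds the e-mailed matrix passes every challenge.

    Returns True if a party holding only the matrix is accepted on every trial.
    """
    rng = random.Random(seed)                 # seeded for a reproducible demo only
    for _ in range(trials):
        challenge = card.new_challenge(seed=rng.randrange(2 ** 32))
        if not card.verify(challenge, card.answer(challenge)):
            return False
    return True


if __name__ == "__main__":
    circle = parse_matrix(CIRCLE_BANK_EMAIL_MATRIX)
    chal = circle.new_challenge()
    print("challenge", chal, "-> response", circle.answer(chal))
    print("responses per challenge:", circle.response_space())
    bancomer = GridCard.random(["1"], [str(i) for i in range(1, 25)],
                               digits_per_cell=3, cells_per_challenge=1)
    print("Bancomer-style card, responses per challenge:", bancomer.response_space())
```

Both cards yield exactly 1000 possible responses per challenge (three digits either way), so each online attempt has a 1-in-1000 chance of success and the server must rate-limit; and since the matrix is a static secret, anyone who obtains the e-mail can compute every future response, which is the failure the post describes.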