Circle Bank plays with two-factor authentication

Steven M. Bellovin smb at cs.columbia.edu
Thu Sep 28 23:21:08 EDT 2006


On Thu, 28 Sep 2006 12:34:24 -0700, Ed Gerck <edgerck at nma.com> wrote:

> Circle Bank is using a coordinate matrix to let
> users pick three letters according to a grid, to be
> entered together with their username and password.
> 
> The matrix is sent by email, with the user's account
> sign on ID in plaintext.
> 
> Worse, the matrix is pretty useless for the majority of users,
> with less usability than anything else I saw in a long time.
> This is what the email says:
> 
...
> This illustrates that playing with two-factor authentication can
> make the system less secure than just username/password, while
> considerably reducing usability. A lose-lose for users.

I'd like to hear why you think the scheme isn't that usable.  I disagree
with you about its security.

The question is what the threat model is.  We all know that email can be
intercepted over the wire.  We also know that that's not very common or
very easy, except for wireless hotspots.  I assert that *most* email does
not flow over such links, and that the probability of a successful
interception by someone who's staked out a hotspot is quite low.
Residential wireless?  Sure, there's a lot of it, mostly unencrypted.  If
you're a bad guy, is there any reason you should be watching for that
particular piece of email?  You don't even know who the customers of that
bank are.  (Sure, there can be targeted attacks aimed at a given
individual.  Unless you're a member of the HP board of directors or a
prominent technology journalist, that risk is low, too....)

Again -- the scheme isn't foolproof, but it's probably *good enough*.  

What is their threat?  There are two obvious answers: phishing and
keystroke loggers.  It works very well against the first, and tolerably
well against the second, at least until the scheme catches on.  A phisher
has no knowledge of what challenges will appear, so that won't do much.
(OTOH, an active attacker -- one who waits for you to connect to the site,
then connects to the real bank and echoes the real challenge -- will
succeed, but an active attacker will succeed against any scheme that
doesn't involve bilateral authentication.)

As for keystroke loggers -- the bad guy would have to capture enough table
entries that they'd have a reasonable probability of seeing challenges
they'd already received.  The bad guy's strategy might be to try a lot of
logins, until they hit a lucky set, but the bank's obvious defense is to
lock people out after too many failed attempts.  Yes, that's denial of
service, but that's not the bad guy's goal here.

In short -- I think that the scheme is well-matched to the threat.  The
one thing they should have done differently is not put the username in the
same email -- you're told to safeguard the matrix, so you don't want to
send the two in the same message, where someone who has compromised the
file will get both.  I agree that a matrix you need to look at is harder
to use than, say, a password, but most two-factor schemes are going to be
somewhat difficult.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
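
To make the keystroke-logger argument above concrete, here is an added example (my own model, not the bank's or the poster's code) of a grid-card scheme: the 5x5 grid, 3-cell challenge and 5-attempt lockout are assumptions, since the post gives none of them. It computes how often an attacker who has passively logged n real logins can answer a fresh challenge, and what the lockout does to that chance.

```python
import random
import string
from math import comb

ROWS, COLS = 5, 5       # assumed grid size; the post does not give it
CHALLENGE_SIZE = 3      # the post says three letters are requested per login
MAX_FAILED = 5          # assumed lockout threshold (failed attempts allowed)
CELLS = [(r, c) for r in range(ROWS) for c in range(COLS)]

def make_matrix(rng):
    # One random uppercase letter per coordinate; this is what the bank mails.
    return {cell: rng.choice(string.ascii_uppercase) for cell in CELLS}

def issue_challenge(rng):
    # Server picks CHALLENGE_SIZE distinct coordinates for this login.
    return rng.sample(CELLS, CHALLENGE_SIZE)

def verify(matrix, challenge, response):
    # Server-side check: typed letters must match the challenged cells in order.
    return response == "".join(matrix[cell] for cell in challenge)

def answerable_probability(known_cells, total=len(CELLS), k=CHALLENGE_SIZE):
    # Exact chance a fresh challenge lies entirely within the cells a
    # keystroke logger has already captured: C(known, k) / C(total, k).
    return comb(known_cells, k) / comb(total, k) if known_cells >= k else 0.0

def simulate_keylogger(observed_logins, trials=5000, seed=1):
    # Monte Carlo: after silently logging `observed_logins` real logins,
    # what fraction of fresh challenges can the attacker answer outright?
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        known = set()
        for _ in range(observed_logins):
            known.update(issue_challenge(rng))
        hits += set(issue_challenge(rng)) <= known
    return hits / trials

def lockout_success_probability(known_cells, attempts=MAX_FAILED):
    # Each login attempt draws a fresh challenge; the attacker gets at most
    # `attempts` tries before the bank locks the account.
    p = answerable_probability(known_cells)
    return 1 - (1 - p) ** attempts

def demo_login(seed=7):
    # One full round: mailed matrix, challenge, correct and wrong responses.
    rng = random.Random(seed)
    matrix, challenge = make_matrix(rng), issue_challenge(rng)
    good = "".join(matrix[cell] for cell in challenge)
    return verify(matrix, challenge, good), verify(matrix, challenge, good + "X")
```

With these parameters a single logged login gives the attacker a 1/2300 chance per fresh challenge, and the lockout caps them at a handful of draws; only after many observed logins does the captured set cover the grid.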

---------------------------------------------------------------------
The Cryptography Mailing List