Cause for worry: dual standards in remote transaction security

By | July 29, 2014

A comment by +Carmelyne Thompson triggered an interesting thought: remote banking holds security to dual standards. Actually, it isn't just banking, but also most business and most official transactions. And given that we live in an increasingly digital world, that is quite worrying.

Let me give you a simple, harmless example: You want to perform a remote transaction, say changing your address at a bank. You have three options:

(1) Online banking: it runs over an encrypted connection, with full mandatory activity logging, and is authenticated with an online password and authorized with the bank's security measures (multiple passphrases, single-use hardware-generated transaction access numbers, etc.).

(2) Telephone banking: it runs over an unencrypted connection, recording is optional, and it is authenticated and authorized with a single 4-digit passcode.

(3) Fax banking: it runs over an unencrypted connection, and requires merely that the sender has a photocopy of your signature handy to affix to the correct location on a letter. Fax quality is so high that even a photocopy or printout of such a letter with a pixelated signature copy would suffice.

… The same applies for other official requests, often with even more lenient acceptance standards, such as submitting tax documents, or issuing business purchase orders.

Perhaps – if security is really a concern – it is time to put the axe to some of these alternate transaction methods, or at least to bring authorization and authentication up to par with digital standards?

(Photo source: https://www.flickr.com/photos/arabani/4297542257/sizes/m/in/photostream/ )

18 thoughts on “Cause for worry: dual standards in remote transaction security”

  1. André Kres

    Hi Sophie,

    your statement about security in remote transactions is very valid. If you drill down into technology then it becomes even for your first alternative very scary.

  2. Sophie Wrobel

    +Sai Strange – Point-of-Sale is the 'textbook use case' here. Self-checkouts are available in some popular consumer outlets here, and non-attended vending machines for cigarettes and to some extent alcohol are quite common.

    Problem with websites is the high cost of the card reader and low acceptance from online businesses, so most people can't be bothered. (Most banks do ID check via the Post these days, and use low-cost, hardware-based generator in combination with your bank card, or mobile transaction codes, with a few alternates in use… only some government services accept the online card).

  3. Sai

    +Sophie Wrobel Ah, I wasn't thinking of point of sale type authentications, but for websites.

    What use is there for them at POS? Your credit card already has its own auth; your ID card has physical security for verifying age to photo. I don't see their need for crypto auth here.

  4. Sophie Wrobel

    +Sai oh, it already has 'requesting party can only get access to (requested and authorized) subset of information' features. e.g. when theoretically verifying your age to buy cigarettes, only a 'Yes, over 18' or 'No, under 18' is returned, and not your address, voter status, or whatever.

    In practice? The market isn't ready, either on consumer or on sales delivery side. The hurdle of buying hardware (yes, even internet access and browser is not a given in many business retail points!), training staff, etc. is too high. And not every customer has one of those high-tech cards, and even when they do, many have chosen to disable the feature.

  5. Sai

    +Sophie Wrobel Why? Not enough card readers?

    One idea I had for a similar system without that rollout problem was a government run OpenID type server, using 2FA from a hardware TOTP embedded in your government ID card, and capable of signing arbitrary data (including authentication requests) with whatever subset of government confirmed info (name, current voter status, address, etc) you tell it to. (All current and retroactively revokable, eg if your card is stolen.)

    If not disclosing your unique identifier (SSN, DL#, or 33 bits of info), it could give requesting parties either a one time only ID (no guarantee of uniqueness), a per site unique ID (guaranteed unique human but tied to requester's API key), or sharable unique ID (not tied to requester's API key).

    Would be easy to use, have most of the security properties you'd want, zero equipment needed other than the new card and a regular internet browser, etc.

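The scheme sketched in the comment above (three kinds of identifier, release of only the subset the card holder authorizes) together with the 'over 18' yes/no answer from the earlier comment, as an added example that is not part of the original thread or of any real ID system. The record, keys and function names are constructed, HMAC stands in for the government signature (a real issuer would sign asymmetrically so requesters can verify without the key), and the TOTP and revocation steps are left out.

```python
import hashlib, hmac, json, secrets
from datetime import date

SERVER_KEY = secrets.token_bytes(32)  # hypothetical issuer secret (assumption)

# Constructed sample record held by the hypothetical identity server.
RECORD = {"uid": "ID-0001", "name": "Erika Mustermann",
          "address": "Musterweg 1", "birthdate": date(1990, 5, 17)}

def _mac(*parts):
    # Keyed hash over unit-separator-joined fields; stand-in for a signature.
    msg = "\x1f".join(parts).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def subject_id(uid, api_key, mode):
    if mode == "one_time":    # fresh random value, unlinkable across requests
        return secrets.token_hex(16)
    if mode == "per_site":    # stable for one requester, differs between requesters
        return _mac("per_site", api_key, uid)
    if mode == "shareable":   # same value for every requester
        return _mac("shareable", uid)
    raise ValueError(f"unknown id mode: {mode}")

def derive_claims(record, today):
    # The birthdate itself is never a releasable claim, only the yes/no predicate.
    b = record["birthdate"]
    age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
    return {"name": record["name"], "address": record["address"],
            "over_18": age >= 18}

def issue(record, api_key, requested, authorized, mode, today):
    claims = derive_claims(record, today)
    # Release only what was both requested and authorized by the card holder.
    allowed = sorted(set(requested) & set(authorized))
    released = {k: claims[k] for k in allowed if k in claims}
    body = {"aud": api_key, "sub": subject_id(record["uid"], api_key, mode),
            "claims": released}
    payload = json.dumps(body, sort_keys=True)
    return {"payload": payload, "sig": _mac("assertion", payload)}

def verify(assertion, api_key):
    # Reject tampered payloads and assertions issued for another requester.
    good = hmac.compare_digest(assertion["sig"],
                               _mac("assertion", assertion["payload"]))
    body = json.loads(assertion["payload"])
    return body if good and body["aud"] == api_key else None
```
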
  6. Sophie Wrobel

    +Sai Yes, I have one of those crypto-signed cards. But I wouldn't consider it a working system at the moment – as there are almost zero practical use cases for them (as opposed to the tax system which handles many thousands of uses every month). 

  7. Sai

    +Sophie Wrobel Germany and Spain issue ID / DL cards that have hardware crypto capability. Government-signed cryptographic signature of your identity.

    Downside: you need a chip reader to use 'em. :-/

  8. Sophie Wrobel

    +Sai yes. But CA Cert use case is explicitly about identification, as a prerequisite for issuing authorisation (the digital certificate), so it does work.

    Law is slowly coming around too – even if it has taken its time. Digital signatures are acceptable for many things, and seeing that the minimum requirement for tax filing is a digital certificate with passphrase, and any alternative is hardware-based 2-way auth, it actually isn't that badly outdated. And since late last year entrepreneurs and freelancers have to file electronically, no fax signatures. Probably the exception rather than the norm, but it demonstrates that security in authorisation workflow is possible and accessible (even for MS patients). Other than ELSTER, though, I can't name any other examples of somewhat modern systems, sadly.

  9. Dirk Reul

    Oh I absolutely agree on the security aspect and the argument, that phone banking with a pre-shared secret is considered "more secure" or how a written letter can be considered "more secure" when this does not even require more than data that can be retrieved from any receipt and a phone book, +Sophie Wrobel

    +Sonny Mikeal no worries 🙂  I am talking about those people who are overwhelmed with the complex technical infrastructure we all deal with ease on every given day. Having to use more than one card, having to hook up an external reader, making sure it works: is too complex for many people. The bar for usability needs to be set by the lowest level while still providing adequate security. 

    What if you are too old and all that technology is too much for you? What if you are not able to use your hands? Or if your motor control is limited (lupus, fibro, MS), many will not be able to insert a card into a smart reader or hook it up. To be clear, I am talking about people who are only physically challenged and otherwise handle their affairs on their own. They are dependent on being able to make bank transactions on the phone. That is why usability needs to be massively improved. Mind you, we are talking about one system. The next one will use something else etc.

    In the end, a balance needs to be struck.

  10. Sai

    +Sophie Wrobel FYI there are actually some contexts (eg medicine, law) where faxed signatures are allowed and binding, but digital signatures aren't. Which, wtf?

  11. Sai

    +Sophie Wrobel Wouldn't such DNA transfer technology also be susceptible to replay attacks? Suppose, say, you had to spit on the paper you sign. I could easily collect your spit (or get it from something else, like a discarded cup) and put it on something else.

    Fundamental misconception: identification ≠ authentication. 😐

  12. Sonny Mikeal

    +Dirk Reul no disrespect intended, so please ignore the 'you's I throw around.
    I agree with you with regards to the User not understanding encryption and authentication. However, how is it possible that using a Public PKI card (CAC) is difficult to understand? The User uses similar devices daily.
    As for exploitation at the User end point… that is what the OP is pointing out.

  13. Sophie Wrobel

    +Sai erm… of course they do, and always will be!

    I recall somewhere a CA Cert recommendation on signature checking: Make sure you get the version signed with DNA-Transfer Technology, namely a bare hand and physical contact with the paper. Digital transmissions of that paper invalidate the 'magic'.

  14. Sophie Wrobel

    +Dirk Reul I agree that there is a large deficit in accessible devices. I also agree that the time investment needed to try phishing or spamming to obtain passphrases for 'old' methods is considerably less productive than 'new' methods. But that does not affect how secure, or insecure, a particular technology fundamentally is.

    And I have to give you extra credit on the 'usability' perspective, too: I'd consider myself to be a digitally savvy person, and yet there's one bank where I actually use telephone banking to deal with, because it's more convenient than online banking.

    But what is more worrying, and what triggered the post, is the observation that certain operations are allowed via 'old' methods but not online, because of 'security reasons'. 'Accessibility reasons' is something I can understand (as you correctly point out), but 'security reasons' is not.

    And that really baffles me: why is telephone banking more secure than online banking? Perhaps some enlightened soul can clarify this for me! 😉

  15. Dirk Reul

    The trouble with all the new and fancy secure methods is, they are not suited for people a) physically not able to use the horrific websites b) not able to understand how multi-factor auth works and how to implement it, because it is still much too complicated for the common user. I am talking quadriplegics, people with MS, fibro with limited control or unable to use tools, token generators. In fact, I would say, why bother? Is there evidence that these methods are exploited in statistically significant numbers? We have to keep in mind that a lot of people are not even remotely as digitally savvy as we are.
