Security Curve Weblog



October 07, 2008

Banks and Biometrics... I want to believe, I really do.

HelpNet has an article up by Paul Foote and Reena Hora about why biometrics are a "must have" for banks - the title ("Biometric Security for Financial Meltdown Solutions") seems to imply a link between the crazy stuff going on in the bankerage world and biometrics, but it's really more about how to prevent fraud by using biometrics. Interestingly, this article got some play over at eWeek as well. If you haven't done so, it's an interesting bit of reading.

Now, I've been a huge advocate of biometrics. I want to believe... I really do. I started my career at a biometrics company, I've tried (in almost every job I've had) to push biometrics in all sorts of industries. I was a dedicated follower of HAAPI and the BioAPI. I've tried them all: fingerprint (with optical and capacitance readers), iris, voice, signature, etc. And I have consistently obtained no traction on deploying them past a pilot stage. Particularly in a banking context. Historically, it's been a tough sell.

Foote and Hora tell us:

"To prevent a recurrence of a fraud like this, financial institutions can improve security by adding biometric systems to their ERP systems, or by replacing their legacy systems with SAP and bioLock. Most biometric systems are used for access control. Realtime North America’s bioLock is the only biometric system which goes beyond access control and is even able to control a field, function or value within the ERP system--such as the amount of an outgoing wire transfer."

And that's *absolutely true*. For large transfers outside of an institution, most firms would agree that strong auth is where it's at. In fact, a lot of institutions have had strong auth in place for quite a while now. For example, a system that I helped deploy to do just this was in place in 1999 within a particularly large (and now defunct) institution. So no argument there.

The problem, in my opinion, is that the authors hitch the "strong auth" train to biometrics without examining the (multitude of) other alternatives - and they don't seem to acknowledge that not all biometrics systems are created equal. First of all, a single-factor biometric is not always better than a password. For example, the biometrics company I worked for used a glass platen to scan fingerprints. My fingers leave a lot of oil on glass. By shading the platen, one could log into the system using just the residue of the oils from my fingertip. Is a system like that better than a password? I don't think it is. So what we're really talking about is strong, two-factor auth.

And is a biometric-based two-factor system necessarily "better" than a token-based system? I'm not sure we can make that assumption either. It might be the most expensive solution. What's the expense, you ask? How about enrollment, readers/scanners, upkeep/maintenance, and support overhead. Supporting a system like this one is big bucks. But is more expensive always better? It might be, but I'm not prepared to accept that without some evidence.

And is it true that users are clamoring for it? I don't think so. I think the users clamoring for biometrics are the ones that haven't used it. Take a look at Bloomberg, as an example. They've had their UBL model out for 5 years now - it's a system that uses a biometric to log on to the terminal. And guess what? People hate it. They consider the fingerprint solution a "deal breaker" and would rather go with Reuters (trust me, not something Bloomberg wants to hear). They don't, however, hate the token-based solution. Another example? I piloted iris scanning in a Wall Street firm. People hated that too. In fact, it gave people headaches during field testing. A deal-breaker.

So, is biometrics the "only" answer? I don't think it is. In fact, I think if you did a "find and replace" on this article and substituted "two factor" for "biometrics", the point would be just as true. As a biometrics supporter, I love to see the positive press, but I also think we need to find a legitimate argument for why biometrics are superior to the alternatives and lay that down. And I don't think we're there yet.

Posted by Ed at 09:09 AM | Comments (0) | TrackBack (0)

October 03, 2008

External Attacks - Bigger than we Thought?

For years risk and security professionals have been trying to escalate awareness about the frequency of insider attacks. We've been working to combat the perception that many "non-riskers" have that external pen test scans of firewalls and web applications are "cool" (heck, Harrison Ford did a whole movie on firewalls) while the responsible assessment approach - interviewing employees, reviewing policies and procedures, performing scans on internal assets, and creating risk/benefit analyses - is yawn inducing. How many times have you heard something like this: "The inside is safe, I trust my employees"?

But we know internal matters! And we've been pressing this point for so long that when an IBM executive mentioned that "90-95% of attacks" initiate from inside at this week's Security Summit - no one raised an eyebrow. Yeah, yeah - we're security people, we *know* that.

Or do we? Dark Reading just published a thoughtful piece on "Why Risk Management Doesn't Work" and in it references both the RSA report that Ed discussed earlier this week and a Verizon report on data breaches. The Verizon report is an analysis of hundreds of actual breaches across multiple verticals.

The entire report is worth reading, but the finding that really got me checking my assumptions was this: "data compromises are considerably more likely to result from external attacks than from any other source. Nearly three out of four cases yielded evidence pointing outside the victim organization. . . . Internal sources accounted for the fewest number of incidents (18 percent), trailing those of external origin by a ratio of four to one."

Four to one? Hmmm...that's definitely something to think about.

Posted by Diana at 08:52 AM | Comments (0) | TrackBack (0)

October 02, 2008

Mobile Malware Prediction Generator?

So, I read the other day on the Register that those guys are pretty fed up with all the mobile phone malware hype. They're irked that analysts like Gartner keep predicting it, and it keeps not coming to pass.

So, in the spirit of Cyber Security Awareness Month, allow me to point out an alternative theory. Which is, that we're currently under siege - that our phones have already started to rise up against us like the machines in Maximum Overdrive. For realz...

It could be that mobile malware is out there already... hiding so that it can continue its killing spree unabated. Since these phones control the communications, isn't it plausible that they'd just silence those who would bring the reality to light? The reality... that mobile phones are already conducting a systematic malware-based extermination campaign.

Analysts predicted that the phone malware threat would come; Gartner said it would come in 2007. And by their reckoning, we're right in the thick of it. McAfee predicted "The Year of Phone Malware" in 2006 - maybe it was. Maybe the phones are just too clever for us and they're keeping it under the radar. They're there - eavesdropping on our conversations and tracking us with their GPS.

My phone is smart. Like when I use the typeahead feature and it suggests words that never in my wildest dreams would I have thought to use (who knew I really meant "Hohn" when I started out to type "going"?)

It's smart - and it's angry. Like when it mysteriously puts me on mute when I'm on a conference call or when it hangs up on my boss in the middle of a discussion.

Smart and mean... like a miniature Dick Cheney that comes with me everywhere I go.

So put that in your pipe and smoke it, sarcastic people over at the Register. You can mock the phone malware pundits all you want. But in the meantime, I'm going to be plotting how to escape from the slave pens that our phones will set up once they have assumed command in the wake of their takeover.

Image Source: Slate.com

Posted by Ed at 07:58 AM | Comments (0) | TrackBack (0)

October 01, 2008

Innovate or Die!

So, did you hear? RSA has decided that "...IT security risk is the largest single obstacle to innovation in... businesses". Well, OK - to be fair, they didn't declare it by fiat - instead, these are the results of a poll (IDC conducted it). And - that's not exactly the question they asked.

Going back to the original report (you have to register if you want to download it), the question they actually asked was: "do you ever back away from innovative business opportunities because of information security concerns?" To which, 80 percent either said "often" or "occasionally". Now to me, drawing the conclusion that "security is the biggest barrier to innovation" because business folks "occasionally back away from a business opportunity because of security concerns" seems hyperbolic. Backing away from business opportunities when there's a legitimate security problem seems like good sense to me.

Looking at RSA's meta-message, it seems to me that their position is twofold: 1) security needs to be involved more strategically in the business, and 2) all innovation needs to be risk-based. I would agree with both of those things. #1 is good security sense, and #2 is good business sense. The issue, though, comes about when trying to evaluate whose job it is to do what. Should Security reach out to the business more (a la #1)? Yes. Absolutely. Should IT security help make risk-based security decisions in conjunction with their businesses? Of course. But wait - all business innovation? Is it IT Security's job (for example) to do business risk analysis on things like derivatives trading? I don't think it is. But RSA seems to...

Art Coviello said: "The trading of derivatives is one example. You have very complex financial instruments that to me you need a PhD in applied mathematics to understand, and you have 25 and 30-year-old guys trading them in real time...You have to have the ability on a real-time basis to assess that risk." Now, I'm not saying that RSA's message isn't valuable. I agree that everything a business does should be based on risk. In fact, I argue that it already *is*. It's just not usually the IT security folks that are quantifying that risk.

For example, in financial services - the folks who do the derivatives trading (usually) have a pretty good idea of *exactly* how risky that is or isn't. That's their core competency. And I, for one, don't think that we in the IT Security business should be telling them how to do it. Now, I'm not saying that IT Security should be out of the conversation entirely - far from it. I just don't want to be the guy who goes in for brain surgery and gets a cardiologist because "hey, they both can perform surgery." IT Risk is IT Risk. Business Risk is Business Risk. Let the folks that are good at that do their thing - and by all means invite security to the party - but don't ask us to understand the business side even close to as well as the folks who've been doing it for 20 years.

Posted by Ed at 10:04 AM | Comments (0) | TrackBack (1)