OK, so I've been getting some flak from my post the other day about two-factor authentication and phishing. Pete Lindstrom over at Spire gives me the wagging finger on the issue, saying that just because there is one phishing site defeating two-factor, it still has value; Mike Rothman over at Security Incite sides with Pete, pointing out that there is a security benefit to two-factor and saying that we shouldn't downplay it because of one event. In light of the criticism, I thought it would be a good time to explain why I hold the position that I do. I didn't really do a full job of explaining my point in the previous post (at the time I wrote it, I didn't think it would be so controversial), so I think it makes sense to go through it more thoroughly.
Anyway, let me start by saying that I think both Pete and Mike are very astute analysts. More than that, I think they're right: two-factor does have tremendous value from an overall security perspective, and suggesting that two-factor has no security value whatsoever would not be accurate or useful to our industry. However, I think it's important that we, as users of these systems (and ultimately the folks who will bear the cost), stay focused on where the value of two-factor is - and where it isn't.
Historically, vendors have told us that two-factor will eliminate the phishing threat. For example, Microsoft said "If you get two-factor authentication to the consumer level, you reduce the phishing threat", RSA said "Providing consumers with two-factor authentication... protects against phishing and identity theft" and Entrust told us that their solution would "provide identity theft protection and protection from phishing attacks." Journalists told us that "The forced use of two-factor authentication for banking systems accessible over the Internet is our only hope for mitigating the phishing threat" and the Anti-Phishing Working Group told the DHS that two-factor auth was a key step in preventing phishing attacks. When somebody suggests "forced use" of something, you probably want to make sure that it does in fact solve the problem in question. So does two-factor do these things? The answer to this question is the crux of the point I made the other day.
You see, just because a tool is good at doing one thing doesn't mean it's good at everything. For example, a pipe wrench is useful, but probably not for changing your tires. Sure, a pipe wrench can be used to turn nuts and all, but try to twist a lug nut with it and you'll get frustrated pretty quickly. It's all about choosing the right tool. I think two-factor is like a pipe wrench: a good tool for one thing (authenticating users), but not for other things (authenticating institutions). If phishing existed because of insufficient client authentication, two-factor would be a great tool against it. But that's not the cause of phishing. The cause of phishing is a lack of server authentication: the user has no reliable way to tell the real institution from an impostor. In other words, more authentication of the user doesn't solve the problem. Sure, maybe it helps a little bit - maybe it makes it harder for a phisher to attack a given institution - and in so doing causes phishers to go after "the other guy." But does it, as RSA and others said, "prevent" phishing? Clearly the answer is no, since somebody pulled it off the other day. Is it really our "only hope," as SecurityFocus told us? I hope not...
So, while I'm not saying that two-factor is completely valueless, I am saying that we should probably re-evaluate our assumptions about whether or not it solves phishing - particularly in light of direct evidence to the contrary.
Posted by Ed at July 17, 2006 07:57 PM

I don't believe RSA/Microsoft/SecurityFocus talking about sole solutions any more than I believe that this particular incident indicates complete control failure.
Any decent risk analyst could have told you that the "second factor" would be breached, and quickly. But hopefully they would also mention that even the most anemic of second factors would, for a time, dramatically change the phishing landscape. By adding a second factor (I'll use FAIR terms here), you are increasing Control Strength. By increasing Control Strength, you are increasing the Threat Capability needed to create a successful Loss Event. And by increasing TCap, you're actually reducing Threat Event Frequency, and, therefore, Loss Event Frequency.
It's very easy, really.
At the end of the day, I would argue that Phishing fraud presents a relatively small amount of risk to any specific FI, and most of these actions are taken for marketing/compliance reasons.
Posted by: Alex Hutton at July 18, 2006 11:05 PM

Alex,
I'm in total agreement with you. I get so fired up about this because of the folks out there who are suggesting that we legislate two factor authentication because of the claim (mostly perpetuated by vendors) that it will eliminate phishing. Pretty much any bank that delivers a second factor will have to pay out the wazoo in order to implement - for example, even if you can get a token for two bucks a pop (laughably cheap - usually it's more like 8 a pop depending on volume) you're still talking about millions of dollars for most banks.
Citi, for example, has 15 million users (according to Wikipedia), so the token hardware would cost 30 million dollars. Then there's the cost of mailing those tokens: say (again, conservatively) 30 cents per user - that's 4.5 million dollars. Then help-desk costs rise, ACE servers get bought and deployed, backup servers rolled out, all the apps changed to accommodate the new mechanism (trust me, legacy apps would need to change), etc. At the end of the day, you're probably talking about upwards of 150 million dollars. But guess what - that's not just a one-time deal: old users leave and new users join, so the bank gets to keep paying and paying and paying... And we pay for it. The costs get passed on to the consumer, so we're the ones who foot the bill. Now, I don't mind paying for something that works - but I'm not happy about paying for something that doesn't fix the core issue.
Posted by: Ed at July 19, 2006 08:51 AM

Right, when a simple Knowledge Based Authentication (questions/pictures) and Cyota turned up to 11 will similarly impact risk.
I did a study for one of the top 10 banks - they see more fraud from trusted family members than from mass Phishing. But even if you increased their Phishing Loss Events by a factor of 10, you're talking about increasing IRT spending by a few hundred thousand vs. a significantly larger amount for the KBA and Cyota. However, it's obvious that the government is looking for preventative measures, not reactive measures, so these "silver bullets" get implemented regardless.
Posted by: Alex Hutton at July 19, 2006 09:27 AM