Wednesday, June 6, 2007

Losing the battle in e-Commerce authentication

Having spent many years in the financial sector, much of it focused on the web application security side of e-business, I have carefully watched the evolution of "secured authentication". I will briefly give an overview here, and then dive into why I feel we are losing the battle.

Over time, authentication on e-commerce and e-banking web sites and applications has become more complex. This increase in complexity, although perceived as necessary, has not been matched by an increase in security. We have trended towards more complex passwords, which unfortunately has often resulted in users forgetting them more often, not changing them, and even writing them down on post-it notes!

With password complexity failing, we have turned to other ways of authenticating users to our web-based systems. The problems have persisted and compounded, though, as we have moved through scratch cards, chip-and-PIN smart cards, one-time-password tokens (like the RSA product, now famous), biometrics, and all sorts of interesting combinations of these.

I will go so far as to say that all of these have failed us. We are very simply losing the battle against the 'evil hackers' because no matter how good a mousetrap we build, the mouse always outsmarts us. Quite simply, the evildoers build better mice just as fast as we can build better traps. This is an arms race we cannot win.

Take, for example, this article describing how one genius idea, a Barclays Bank "strong authentication" component, was broken by a targeted Trojan horse attack. This kind of sophisticated screen-capture Trojan (called "Purchase confirmation" and documented at Codefish Spamwatch, currently down) shows the lengths attackers will go to in order to steal valuable account information. It also exposes the real weakness: once the user's own machine is compromised, the attacker sees whatever the user sees and types, so the strength of the authentication factor no longer matters. It sounds even worse when you consider that the article was posted on April 17, 2004! That's incredible!

What lengths are attackers going to in order to get your personal bank data? What types of attacks are next? Just what is the answer here?

I think these questions are best addressed by a line from P.T. Barnum: "There's a sucker born every minute". Yes, a good percentage of phishing and password-stealing attacks are very difficult to distinguish from legitimate sites and applications, but the majority of them, given proper user education and care, are detectable (at least today)!

Forget passwords and their ever-increasing complexity. Yes, we need to reach a level where we are comfortable with the fact that our front-door security (authentication) is "good enough", but there has to be more to it. We must do the following, or we will continue losing battles:
  • Educate our users: there is no easier way to combat crime than to educate the user population on what they should and should not do in the digital world.
  • Establish baseline standards: find what is "good enough" (read: enough mitigated risk) to be reasonably secure, without the effort spent keeping attackers out also keeping legitimate users out. Remember, that balance is harder to strike than we think.
  • Perform back-end analytics: check for anomalous activity such as a user logging in from two very distant geographical regions (determined by IP geolocation), say California and China, within minutes of each other. Bear in mind that corporate VPNs and mobile carriers can make an honest user appear to jump across the map, so a signal like this should raise a risk score or trigger a step-up challenge rather than block outright. There are some basic things we can do here:
    • Profile the user: what pages are visited, when, and for how long.
    • Profile the source (the machine being used to connect): basic machine-level checks, such as request headers and attributes collected by some simple JavaScript.
    • Profile the behavioral patterns of the user(s) on the system: what users generally do, and track patterns of behavior (e.g., people always log in on Friday mornings to pay bills after direct deposits have cleared).
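The geographic-velocity check from the analytics list above, as an added example that is not code from the original post: it runs over a few constructed login events (the coordinates stand in for the output of an IP geolocation lookup that is assumed to have happened upstream), computes the great-circle distance between each user's consecutive logins, and flags any pair whose implied travel speed is physically implausible, also noting whether the User-Agent changed between them as a cheap "profile the source" signal. The speed and noise thresholds are assumptions to be tuned per site.

```python
import math
from datetime import datetime, timezone

# Constructed sample events (not real logs). "lat"/"lon" stand in for the
# result of an upstream IP geolocation lookup; "ua" is the User-Agent header.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2007-06-06T09:02:00Z", "lat": 37.77, "lon": -122.42,   # San Francisco
     "ua": "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.4"},
    {"user": "alice", "ts": "2007-06-06T09:14:00Z", "lat": 31.23, "lon": 121.47,    # Shanghai
     "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"user": "bob", "ts": "2007-06-06T08:00:00Z", "lat": 40.71, "lon": -74.01,      # New York
     "ua": "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.4"},
    {"user": "bob", "ts": "2007-06-06T18:30:00Z", "lat": 34.05, "lon": -118.24,     # Los Angeles
     "ua": "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.4"},
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: a little above airliner cruising speed
GEO_NOISE_KM = 50.0          # assumption: ignore jitter smaller than a metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive logins and return alerts for implausible speed."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < GEO_NOISE_KM:
                continue  # same metro area: geolocation jitter, not movement
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600.0
            # Two distant logins in the same second: speed is effectively infinite.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append({
                    "user": user,
                    "from_ts": prev["ts"],
                    "to_ts": cur["ts"],
                    "km": round(km),
                    "hours": round(hours, 2),
                    "kmh": kmh if math.isinf(kmh) else round(kmh),
                    "ua_changed": prev["ua"] != cur["ua"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

On the sample data only alice is flagged (roughly 9,900 km in 12 minutes, with a different browser on the second login); bob's New York to Los Angeles trip over ten and a half hours is ordinary air travel and passes. In production the alert should feed a risk score or a step-up challenge rather than a hard block, because VPN egress points and mobile carrier gateways produce exactly this pattern for honest users.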

So, to tie this all up and get back to my point: why are we losing the battle against the evil criminals? We are banking on passwords and authentication complexity to save us. We should have realized long ago, when the ship first started taking on water, that this approach would not work, but now we are so invested in password-based technologies that it is going to be a hard road to recover.

Let's hope we can change our perspective, and make better decisions.
