Monday, June 2, 2008

Security vs Functionality on the Banking platform

I find it very interesting how some of the larger banking sites (I'm using Bank of Antarctica as the example, but I'm sure they're not the only ones like this) go to extensive lengths to keep their online customers' data secured, yet... there are some very interesting ways to get around all the extra security.

Let's take a real-world use-case and work it through. Say you're Joe User, and you've just opened an account at Bank of Antarctica. You're excited and can't wait to get home and use all the great features that Bank of Antarctica gives you online. You're also very security-aware (which is rare, I know, but go with me on this one) so you're looking to use as many security features as are available to you. When you login the first time, you set up your "secret questions/answers" and pick your picture for the site verification feature (you don't want to be a phishing victim, after all). You also enable the terriffic feature which requires you to set up your cell phone for SMS, so that when you want to login, or do any kind of transactions such as transfer money, Bank of Antarctica sends your phone a 6-digit SMS to use as a one-time password. So far you're psyched! Everything is working great, and you're feeling like you have a great chance of being secured.

Your feeling of being secured is unfortunately short-lived. As you discover that Bank of Antarctica has enabled their site for your cell phone's browser (a handy little feature I think is neat!) but since the mobile-code-applet which accepts your one-time password obviously won't load well on a cell phone, that doesn't exist. So you're now down to a username and password again... you can't transfer money *outside* your own accounts though - so that helps with the nagging feeling a little. Hrmm...

So. That fancy one-time password feature is only valid if I don't send a header that says I'm a cell phone, huh? And we all know that it's rediculously simple to fake browser headers, right?

So - I'm not necessarily saying this is the fault of Bank of Antarctica, but... maybe an overall flaw in the system. Since we have incompatible devices all over the place we often have to resort to the lower-denominator and that, sadly, is typically devoid of features which enable security. So what do you do as the system architect? Do you disable features since you can't secure them properly, or do you just hope they're not exploited? These are some very tough choices, and often they are not driven from the security office, but rather from the business. I've said it before, we as security professionals have to understand the business lest we become background noise.

I will pose this question for thought to the audience - What do you do if you're the systems architect? Use this use-case example of Bank of Antarctica. Do you disable mobile banking? Or do you take the risk? Are there other ways to mitigate?

(intelligent) Thoughts are always welcome.

2 comments:

Hannes@Home said...

Very good blog. I wish architects in banks have the same insights. I write a lot about this on my blog. If you wish, read the following entries:
http://mbanking.blogspot.com/2008/04/interesting-architectural-problem.html
http://mbanking.blogspot.com/2008/03/who-can-see-your-pin.html
http://mbanking.blogspot.com/2007/12/another-sim-swap-fraud.html
and others

Gary said...

Nice posts on your blogs....we can get lots of information from your blog. I also made a blog can you also visit it and give me advice .Moblie services

Google+