
Back in 1996, when leading the development of a Deutsche Bank retail banking project, a software solution allowing the bank's customers to maintain checking, savings, and investment accounts from their home PCs, I became aware of multi-factor authentication. An authentication factor is something that is used to authenticate a person's identity, and multi-factor authentication is a system that uses different methods of authenticating. In our case, it was a simple two-factor authentication, using something you know (a password or PIN) and something you have (a sheet of paper, issued by the bank, containing several one-time passwords).

The implementation was rather simple: for read access, like getting an account's balance, only the account number and PIN were required. For write access, like buying or selling stock, the customer additionally needed to enter one of the one-time passwords. And of course, requesting and activating a new sheet of one-time passwords also required entering one-time passwords from the old sheet.
More than ten years later, and triggered by the growing number of phishing attacks, banks here in the US are trying to establish a much cheaper but also much weaker system, so-called "sitekeys". Phishing attacks, emails containing links to fake Web sites that try to steal your identity by tricking you into revealing your password and other personal information, unfortunately cannot be overcome by adding a so-called site-key. While still a customer, I have never been a big fan of Bank of America's higher standards when it came to security and how the bank deals with credit-card fraud, for instance. This video from the School of Informatics at the University of Indiana shows a proof-of-concept and demonstrates how phishers might act as the man in the middle to defeat Bank of America's (BoA) SiteKey implementation.

PayPal, on the other hand, is currently trying to do the right thing and has started offering a form of real multi-factor authentication to its customers. Starting in the US, Germany, and Australia, PayPal provides One Time Password (OTP) tokens to its users. An animated demo of how the system works can be seen here.

The token, which is about as big as a small USB flash-memory drive, can be had for 5 dollars, surely heavily subsidized by PayPal. Again, account holders in the US, Germany, and Australia can order it here.
PayPal's multi-factor authentication is backed by VeriSign's Identity Proofing services (VIP IPS), which is hosted by VeriSign and accessed through standard network protocols. The multi-factor authentication is designed to address phishing problems. It combines the primary factor (something the user knows), the password, with a secondary factor (something the user has), the one-time-password generating token. If an attacker steals only the first factor, he will not be able to forge the second factor and will be unable to authenticate. If an attacker steals only the second factor, he will not know the first factor and will be unable to authenticate. VeriSign's VIP Authentication Service embraces open standards and allows any Open Authentication (OATH) compliant device to be used for authentication.
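To make the "something you know plus something you have" scheme concrete, here is an added example (not code from the original post, PayPal, or VeriSign) of the server side of an OATH-style token check: an HOTP generator as specified in RFC 4226, a verifier that accepts a small look-ahead window of counters so a token whose button was pressed a few times without logging in still works, and a two-factor login that only consults the token after the password has been checked. The secret is the RFC 4226 test secret; the salt and the password are constructed for the demo, and the `HotpVerifier` and `authenticate` names are this example's own.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 Appendix D test key (ASCII "12345678901234567890").
# In practice the secret is provisioned into the token and stored per user on the server.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user's token: the last accepted counter and a
    look-ahead window (RFC 4226 section 7.4) to tolerate unused token presses."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.last_counter = -1  # no OTP accepted yet

    def verify(self, candidate: str) -> bool:
        # Only counters strictly after the last accepted one are tried, so a
        # captured OTP cannot be replayed; the match advances the counter past it.
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False


def make_password_record(password: str, salt: bytes) -> tuple:
    """Stored form of the first factor: salt plus a PBKDF2-HMAC-SHA256 digest."""
    return (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def check_password(record: tuple, password: str) -> bool:
    salt, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(attempt, digest)


def authenticate(record: tuple, password: str, verifier: HotpVerifier, otp: str) -> bool:
    """Both factors must pass. The password is checked first so that a wrong
    password does not consume (advance) the user's OTP counter."""
    if not check_password(record, password):
        return False
    return verifier.verify(otp)


if __name__ == "__main__":
    record = make_password_record("correct horse", b"constructed-salt")
    verifier = HotpVerifier(DEMO_SECRET)
    print("password only:", authenticate(record, "correct horse", verifier, "000000"))
    print("both factors: ", authenticate(record, "correct horse", verifier, hotp(DEMO_SECRET, 0)))
    print("replayed OTP: ", authenticate(record, "correct horse", verifier, hotp(DEMO_SECRET, 0)))
```

The look-ahead window is the trade-off a practitioner has to pick: a larger window is friendlier to users who press the token button idly, but every extra counter tried is one more value an online guesser could hit, so the window is kept small and paired with lockout after a few failed attempts.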
Let's hope that major banks join in and provide something better than the site-key.