With so many financial organizations offering customer services online, and so many automated attacks being targeted at them, I have been dealing with a growing number of requests for specialist security reviews of such companies' customer authentication processes. For many of these organizations, the need to review their authentication processes has been driven by their boards of directors – typically in response to the phishing threat.
Unlike many other internet-based security threats, phishing appears to be one of only two IT security issues regularly discussed at board level – the other being viruses or worms.
What surprised me initially was that many of these organizations were not particularly worried about the financial losses of a fraud committed as a result of a successful phishing attack, nor even the loss of reputation. Because the threat applies equally to all organizations in the same vertical market, they don't believe that customers will leave them and turn to a competitor.
Instead, they worried about the loss of customer confidence in their online offerings. If their customers no longer trusted their internet service offerings, they would be forced to (re)open and (re)staff their high-street stores or offices – leading to much greater operational and managerial costs.
A phishing attack is a difficult threat to counter, but there are still a number of ways to eliminate many of the more dangerous vectors used in the attack (such as cross-site scripting, or fake copies of the legitimate site) – all through having a well-designed and robust online authentication process.
Having completed a dozen or so similar engagements in the past six months alone, I have found that the focus is typically on evaluating the resilience of the client's customer authentication processes to a wide array of automated internet-based threats. These engagements are often conducted as a paper-based exercise – reviewing all the documentation that pertains to the authentication processes and then examining their strength in relation to each listed threat.
The key is to bring together similar attack vectors (such as PIN guessing, date of birth guessing, password guessing, login failure messages, and so on) each with their own impact and likelihood of exploitation, into distinct threat groups (for example brute-forcing and account enumeration). This makes it easier to categorize the relative risks to the business. Similarly, it makes it easier to propose improvements to the authentication processes – whether that be server-side application changes or internal processing of data.
The most dangerous and difficult threats are posed by key-loggers and their screen-grabbing cousins. While many financial organizations have tried implementing some kind of login that includes only asking for random parts of a customer's PIN or "memorable word" to protect against key-loggers, in many cases they are compromised – opening the customer-authentication process to exploitation through a range of different or easier attack vectors (such as network sniffing or proxy logging).
Even those that have implemented mouse-only authentication requirements (clicking on a graphical keypad to input the account PIN, say) have often failed to counter attacks as simple as shoulder-surfing because they echo the selected numbers or characters on the screen for any passer-by to see (or record with screen-grabbing Trojans).
While some of these security inadequacies would be picked up during a normal penetration test or security assessment, the paper-based review helps to identify many more vulnerabilities or departures from best practice – many of which would normally be hidden from the remote consultant. For example, it can analyze how logon credentials are automatically locked and unlocked, and determine the internal levels of time-dependent triggering.
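As an added illustration, not taken from any of the engagements described, here is a minimal Python model of the two things such a review examines together: a time-dependent lockout with automatic unlock, and failure responses that do not let login messages enumerate accounts. The policy values, customer IDs and PINs are constructed for the example.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed policy values: lock after 5 failures inside a 10-minute window,
# and unlock automatically 30 minutes after the lock was triggered.
FAIL_THRESHOLD = 5
FAIL_WINDOW = 600
LOCK_DURATION = 1800
# One wording for every failure, so the message cannot reveal whether the
# account exists, whether it is locked, or which credential was wrong.
GENERIC_FAILURE = "The details you entered were not recognised."

@dataclass
class AccountState:
    pin: str
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                      # 0.0 means not locked

class AuthService:
    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts   # customer id -> AccountState (constructed data)
        self.clock = clock         # injectable clock so the lockout can be tested
        self.audit = []            # internal reasons for the SOC, never sent to the client

    def login(self, customer_id, pin):
        now = self.clock()
        acct = self.accounts.get(customer_id)
        if acct is None:
            self.audit.append((customer_id, "unknown-account"))
            return False, GENERIC_FAILURE
        if now < acct.locked_until:
            self.audit.append((customer_id, "locked"))
            return False, GENERIC_FAILURE
        # Time-dependent trigger: only failures inside the sliding window count.
        acct.failures = [t for t in acct.failures if now - t < FAIL_WINDOW]
        if not hmac.compare_digest(pin, acct.pin):   # constant-time comparison
            acct.failures.append(now)
            if len(acct.failures) >= FAIL_THRESHOLD:
                acct.locked_until = now + LOCK_DURATION  # automatic unlock later
                acct.failures.clear()
                self.audit.append((customer_id, "lockout-triggered"))
            else:
                self.audit.append((customer_id, "wrong-pin"))
            return False, GENERIC_FAILURE
        acct.failures.clear()
        self.audit.append((customer_id, "success"))
        return True, "Welcome"
```

The audit list is where the internal reason lives; the review question is whether that detail ever leaks into the customer-facing response, or into response timing, rather than staying server-side.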
The paper-based process also allows security consultants to include internal processes for review – how accounts are created and how confidential client information is accessed – whether that is during the issuing and activation of account PIN details, or when the customer helpdesk helps with a forgotten "memorable word."
At the same time, care must be taken by the consultant to ensure that country-specific laws pertaining to lockout-resetting procedures and access disablement are properly enforced.
For me, the most enjoyable part of carrying out authentication reviews is that, even after having dealt with literally hundreds of customer authentication processes over the years, I'm still learning new things and better ways of implementing them. A year ago, I would have been scratching my head when thinking of a way to detect and prevent man-in-the-middle attacks. Since then, I've been party to developing several successful solutions capable of thwarting these, and many others in which I have found loopholes.