Part 3. Technologies To Mitigate Account Hijacking
The Study describes three authentication technologies: scanning tools, e-mail authentication, and user authentication. Discussed under scanning tools are the "presumptive forensics" of scanning and server-log analysis software. Discussed under e-mail authentication is the technology commonly referred to as Sender ID. Discussed under user authentication are several techniques for identity management, including shared secrets, tokens, and biometrics.
As noted in Part 1 of this Supplement, however, comments from TPs and others mention several newer technologies that they contend are more transparent to users, and these we describe here. (This is not an exhaustive list of solutions to the problem of account hijacking.) These technologies vary in degree of maturity, vendor base, and level of distribution in the marketplace. Not all of them were commercially available at the time this Supplement was published. For the most part, they are less expensive than the technologies discussed in the Study and are generally installed only on the financial institution's or service provider's system.
The Study includes limited information about the costs of authentication technologies, particularly whether or not the solutions are generally considered expensive to implement and maintain. But given the vast differences in the size and complexity of financial institutions and service providers that will integrate authentication products into their online Internet offerings, it is hard to arrive at meaningful conclusions about specific costs that will apply across the board.
A common measure of the expense involved in enhancing systems is the cost per customer, both to implement the new functionality and to maintain it into the future. A strategy that yields a reasonable cost per customer for a large institution may be considered too expensive for a smaller institution because the larger institution will have more customers over which to spread start-up costs and may benefit from volume purchases.
A major concern in addition to cost is whether the consumer's hardware or software will be affected. Many authentication technologies require the use of hardware and software that must be installed on the host system or on the customer computer, or both. Some technologies require the customer to carry a device for authentication purposes. Among the authentication technologies discussed here are several that can be used with little or no customer involvement. More specifically, for the most part the technologies discussed here require the installation of additional hardware or software only on the financial institution's or service provider's system.
Decisions about which technology to use should be based on research and knowledge acquired through thoughtful and thorough investigation. In particular, the decision to implement more robust authentication techniques should include an analysis of the types of online transactions customers will initiate. For instance, if an online session allows access only to nonconfidential information, a less rigorous authentication technique will be appropriate, for the risk is minimal and it will be impractical to build a complex defense structure to authenticate the session. But if the customer session allows interbank cash transfers, a more sophisticated authentication approach should be used in keeping with the greatly increased risks. Between these two extremes there are different types of transactions that should be individually addressed, both as to the risks they pose and as to the authentication required by each transaction. Risks and authentication techniques should be commensurate with one another.
Internet Protocol Address (IPA) Location and Geo-Location
What is it and how does it work?
One way to filter an online transaction is to know who is using the requesting Internet Protocol Address (IPA). Each computer on the Internet has an IPA, assigned either by an Internet Service Provider or as part of the user's own network, and many home and office computers share a single public IPA through network address translation. If every user were issued a unique IPA that was constantly maintained on an official register, authentication by IPA would simply be a matter of collecting IPAs and cross-referencing them to their owners. However, IPAs are not owned and may change frequently. Additionally, there is no single source for associating an IPA with its current user, and in some cases matching the two may be impossible.
Some vendors have begun offering software products that constantly scour the Internet for IPA information. These products identify several data elements, including location, anonymous proxies, domain name, and other identifying attributes referred to as "IP Intelligence." The software analyzes this information in a real-time environment and checks it against multiple data sources and profiles to prevent unauthorized access. If the user's IPA and the profiled characteristics of past sessions match information stored for ID purposes, the user is authenticated. In some instances the software will pick up on out-of-character details of the access attempt and quickly conclude that the user should not be authenticated.
In addition to IPA verification, certain geo-location technologies also attempt to limit Internet users by determining where they are or, conversely, where they are not. Latency-based geo-location software measures the small intervals of time required for Internet communications to travel between the user's computer and several measurement points in the network. These travel times are converted into estimated distances, which are then compared with the distances that would be expected for known locations. If the comparison is considered reasonable, the user's location can be authenticated. If the distance is considered unreasonable or for some reason is not calculable, the user will not be authenticated. The FDIC is aware of at least one company that markets a commercially available product utilizing geo-location technology.
IPA verification or geo-location may prove beneficial as one factor in a multifactor authentication strategy, but neither should be relied on alone: a fraudster can route a session through an anonymous proxy or a compromised machine in the customer's own region, and a legitimate customer who is travelling or using a corporate gateway will appear to come from somewhere else. Since latency-based geo-location currently produces usable results only for land-based or wired communications, it may also be unsuitable for wireless networks that can access the Internet, that is, for cellular/digital telephones.
No client software or hardware is required, but integration with existing host applications is necessary since the application resides on the financial institution's or service provider's system. Customers have no interaction with these software packages and will be unaware of the packages' operation unless informed by their financial institution.
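The following added example is not part of the Study or this Supplement; it illustrates the kind of check an institution-side "IP intelligence" product performs. It combines a prefix lookup (the vendor feed is replaced by a three-entry table that is entirely constructed), an anonymous-proxy and country check against the customer's profile, and an "impossible travel" test that compares the distance from the customer's last session with the time elapsed. The prefixes, coordinates, addresses and the 900 km/h threshold are all assumptions chosen for the demonstration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed "IP intelligence" table: prefix -> country, approximate
# coordinates, and whether the prefix is a known anonymizing proxy. A real
# vendor feed covers millions of prefixes; these three entries are made up.
IP_INTEL = {
    ip_network("198.51.100.0/24"): {"country": "US", "lat": 40.71, "lon": -74.01, "anon_proxy": False},
    ip_network("203.0.113.0/24"): {"country": "US", "lat": 34.05, "lon": -118.24, "anon_proxy": False},
    ip_network("192.0.2.0/24"): {"country": "RO", "lat": 44.43, "lon": 26.10, "anon_proxy": True},
}

MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed (assumed); faster implies two people or a proxy


def ts(iso: str) -> datetime:
    """Parse '2024-01-01T09:00' as a UTC timestamp (helper for the samples)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Session:
    ip: str
    when: datetime


def lookup(ip: str) -> Optional[dict]:
    """Return the intelligence record whose prefix covers ip, or None if unknown."""
    addr = ip_address(ip)
    for net, rec in IP_INTEL.items():
        if addr in net:
            return rec
    return None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points on the Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def assess(previous: Optional[Session], current: Session, home_country: str) -> Tuple[str, List[str]]:
    """Score a login from IP intelligence plus the customer's last known session.

    Returns ("allow" | "step_up" | "deny", reasons). "step_up" means the site
    should demand a further authentication factor rather than refuse outright.
    """
    reasons: List[str] = []
    rec = lookup(current.ip)
    if rec is None:
        return "step_up", ["no intelligence for address"]
    if rec["anon_proxy"]:
        reasons.append("anonymous proxy")
    if rec["country"] != home_country:
        reasons.append(f"country {rec['country']} differs from profile {home_country}")
    prev = lookup(previous.ip) if previous else None
    if prev is not None:
        km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
        hours = max((current.when - previous.when).total_seconds() / 3600.0, 1e-6)
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if any(r == "anonymous proxy" or r.startswith("impossible travel") for r in reasons):
        return "deny", reasons
    return ("step_up" if reasons else "allow"), reasons


if __name__ == "__main__":
    last = Session("198.51.100.7", ts("2024-01-01T09:00"))
    print(assess(last, Session("203.0.113.9", ts("2024-01-01T10:00")), "US"))
```

A login from Los Angeles one hour after a session from New York is refused outright, a second login from the same prefix is allowed, and an address with no intelligence at all triggers a step-up rather than a refusal, which is the posture the text recommends for a single factor in a multifactor scheme.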
Mutual Authentication
What is it and how does it work?
The Study focused primarily on unilateral authentication strategies in which customers are authenticated to the financial institution. However, additional research also showed that many financial institutions do not authenticate their Web sites to the consumer (client browser) before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting consumers cannot tell they are being directed to spoofed Web sites during the collection stage of an attack. The spoofed sites are so well constructed that casual users have trouble telling they are illegitimate. Secure Sockets Layer (SSL), since superseded by Transport Layer Security (TLS), coupled with Public Key Infrastructure (PKI) is a widely accepted scheme for both encrypting and authenticating, with validation capabilities already built into all of the predominant Web browser software. When a customer's browser connects to a Web page over SSL, the browser verifies that the Certificate Authority (CA) that issued the server's certificate is trusted, that the certificate is still within its validity period, and that the name in the certificate matches the domain name the browser was asked to visit. If any of these checks fails, the browser issues a warning advising the customer that the site may not be secure.
Financial institutions can aid consumers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the client. More specifically, banking Web pages which collect sensitive information on form pages, or otherwise, should authenticate the page using digital certificates signed by a trusted authority prior to collecting the sensitive information. Certificates should be registered to easily identifiable business names rather than third party service providers to aid the consumer's understanding of the certificate's authenticity.
Digitally signed certificates can also be used to authenticate the customer making mutual, or two-way, authentication possible. Certificates issued to a customer can be stored in the customer's browser software, or with special tools, exported to a device. Client certificates can be created by a financial institution and issued to the client for specific use with that institution, or they can be issued by a CA directly to the client and accepted by the financial institution.
For mutual authentication to be performed, valid certificates must be present on the financial institution's Web server and in the customer's browser. Both parties to the session, the financial institution and the customer, may be authenticated through the exchange of certificates.
Digital certificate authentication is generally considered one of the stronger authentication technologies, and mutual authentication provides a defense against phishing and similar attacks: the customer's private key never leaves the customer's computer, so a spoofed site that collects a password still cannot complete the certificate exchange with the legitimate site. Note that a spoofed site may itself present a valid certificate issued for its own lookalike name; the server certificate protects the customer only when the customer checks that the name it bears is the institution's.
Digital certificate technology allowing legitimate Web sites to be authenticated to customers is more expensive than the other technologies discussed in this section. Certificates must be acquired and installed on Web servers as well as on customer systems. Creating policies and a management infrastructure for long-term support must also be considered.
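The browser-side checks described above can be shown in working form. The following added example is not part of the Supplement and is a simulation: certificates are plain records rather than X.509 structures and the signature check is omitted, but the three rules a browser applies are real ones (chain to a trusted root, validity period, and RFC 6125 name matching with a wildcard allowed only as the whole leftmost label). The CA names, host names and dates are constructed. The last sample, a lookalike domain with a perfectly valid certificate, passes every check, which is exactly why the text asks that certificates be registered to recognizable business names.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

# Names of root CAs the browser trusts (constructed; a real store holds hundreds).
TRUST_STORE = {"Example Root CA"}


def day(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str           # CN of the holder
    issuer: str            # CN of the signer
    san: Tuple[str, ...]   # dNSName entries the certificate is valid for
    not_before: datetime
    not_after: datetime
    is_ca: bool = False


def matches_hostname(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: case-insensitive; a wildcard is allowed only as the
    entire leftmost label and matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def validate(chain: List[Cert], host: str, now: datetime) -> List[str]:
    """Problems a browser would report for chain[0] presented by host (empty = accept).
    Signature verification is deliberately left out of this simulation."""
    if not chain:
        return ["no certificate presented"]
    problems: List[str] = []
    leaf, anchor = chain[0], chain[-1]
    for c in chain:
        if not (c.not_before <= now <= c.not_after):
            problems.append(f"{c.subject}: outside validity period")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            problems.append(f"{child.subject}: issuer {child.issuer} does not match {parent.subject}")
        if not parent.is_ca:
            problems.append(f"{parent.subject}: not a CA certificate")
    self_signed_root = anchor.subject == anchor.issuer and anchor.subject in TRUST_STORE
    if not self_signed_root and anchor.issuer not in TRUST_STORE:
        problems.append(f"chain ends at untrusted issuer {anchor.issuer}")
    if not any(matches_hostname(n, host) for n in leaf.san):
        problems.append(f"name mismatch: {host} not in {list(leaf.san)}")
    return problems


# Constructed sample certificates.
NOW = day(2024, 6, 1)
HOST = "online.examplebank.example"
BANK = Cert(HOST, "Example Root CA", (HOST,), day(2024, 1, 1), day(2025, 1, 1))
INTER = Cert("Example Issuing CA", "Example Root CA", (), day(2023, 1, 1), day(2026, 1, 1), is_ca=True)
BANK_VIA_INTER = Cert(HOST, "Example Issuing CA", (HOST, "www.examplebank.example"), day(2024, 1, 1), day(2025, 1, 1))
SPOOF = Cert(HOST, "Phisher CA", (HOST,), day(2024, 1, 1), day(2025, 1, 1))
EXPIRED = Cert(HOST, "Example Root CA", (HOST,), day(2022, 1, 1), day(2023, 1, 1))
LOOKALIKE = Cert("examplebank-secure.example", "Example Root CA", ("examplebank-secure.example",), day(2024, 1, 1), day(2025, 1, 1))

if __name__ == "__main__":
    for name, chain, host in [("bank", [BANK], HOST), ("spoof", [SPOOF], HOST), ("lookalike", [LOOKALIKE], "examplebank-secure.example")]:
        print(name, validate(chain, host, NOW) or "accepted")
```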
Device Authentication
What is it and how does it work?
Device authentication is a relatively new technology that adds another layer of security by attempting to identify the computer that is being used to access the system or application. The software examines a fingerprint of the PC assembled from hardware and software attributes; because some of those attributes change with ordinary upgrades, products match on the stable ones and tolerate drift in the rest. This ensures that only a specific authorized device can access a specific online account. Without this specific authorized device, no connection can be made to the network even though the correct password is used. The network is protected since only the authorized device is capable of establishing the connection. However, one disadvantage is that a consumer who attempts to access his or her account while away from home, using a PC that was not previously authorized, will be denied access. If the consumer were to purchase a new PC, that machine would have to be enrolled with the institution before it could be used to access the online banking system.
Device authentication allows only authorized users using previously enrolled devices to enter the network and access the Internet banking application.
Device authentication requires that the software be installed on the financial institution's host system and that each device that will be used to initiate Internet sessions be enrolled with the software. Although no client hardware or software is required, error recovery procedures will be needed to help legitimate users who are unable to access the system.
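The following added example is not part of the Supplement; it sketches the server-side half of device authentication. The attribute names, the split into stable and volatile attributes, and the sample values are assumptions for the demonstration. The fingerprint is a hash over the stable attributes only, so a browser upgrade does not lock the customer out, while a machine whose stable attributes are unknown gets the "enrol first" answer the text describes. The fingerprint is collected by software on the customer's PC, so malware on that PC can copy it; this factor is best paired with another.

```python
import hashlib
import json
from typing import Dict, Tuple

# Attributes the enrolment agent collects (constructed; real products gather many
# more). Stable ones identify the machine; volatile ones change on ordinary upgrades.
STABLE = ("cpu_id", "disk_serial", "mac")
VOLATILE = ("os_version", "browser", "screen")


def fingerprint(attrs: Dict[str, str]) -> str:
    """Hash of the stable attributes only, so a browser upgrade does not change it."""
    canonical = json.dumps({k: attrs.get(k, "") for k in STABLE}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


class DeviceRegistry:
    """Server-side store of enrolled devices per account."""

    def __init__(self) -> None:
        self._enrolled: Dict[str, Dict[str, Dict[str, str]]] = {}  # account -> fp -> attrs

    def enroll(self, account: str, attrs: Dict[str, str]) -> str:
        """Register a device after the customer has proven identity some other way."""
        fp = fingerprint(attrs)
        self._enrolled.setdefault(account, {})[fp] = dict(attrs)
        return fp

    def revoke(self, account: str, fp: str) -> None:
        """Remove a device, for example one that was lost or replaced."""
        self._enrolled.get(account, {}).pop(fp, None)

    def check(self, account: str, attrs: Dict[str, str]) -> Tuple[str, str]:
        """Decide whether this device may open a session for the account.

        'allow' for an enrolled machine (volatile drift is recorded, not punished),
        'enroll_required' otherwise, which is the away-from-home or new-PC case.
        """
        known = self._enrolled.get(account, {})
        fp = fingerprint(attrs)
        if fp not in known:
            return "enroll_required", "device not enrolled for this account"
        drift = [k for k in VOLATILE if known[fp].get(k) != attrs.get(k)]
        if drift:
            known[fp] = dict(attrs)  # remember the new browser or OS version
            return "allow", "enrolled device, updated " + ", ".join(drift)
        return "allow", "enrolled device, exact match"


if __name__ == "__main__":
    reg = DeviceRegistry()
    pc = {"cpu_id": "BFEBFBFF000906EA", "disk_serial": "S4EVNF0M", "mac": "00-1A-2B-3C-4D-5E",
          "os_version": "10.0.19045", "browser": "Firefox/120", "screen": "1920x1080"}
    reg.enroll("acct-1", pc)
    print(reg.check("acct-1", dict(pc, browser="Firefox/121")))
    print(reg.check("acct-1", dict(pc, cpu_id="other", disk_serial="other", mac="other")))
```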
Non-Hardware-Based One-Time-Password Scratch Card
What is it and how does it work?
Scratch cards are less-expensive, "low-tech" versions of the one-time-password (OTP) generating tokens discussed in the Study. The card, similar to a bingo card or map location look-up, usually contains numbers and letters arranged in a row-and-column format, i.e., a grid. The size of the card determines the number of cells in the grid.
To authenticate, the user will first enter his or her user name and password in the established manner. Assuming that the information is correctly input, as a second authentication factor the user will then be asked to input the characters contained within a randomly chosen cell in the grid. The user will respond by typing in the grid cell element that corresponds to the challenge coordinates.
Even if a fraudster acquires a user's ID and password, the fraudster will not be able to access the system without the contents of the scratch card. Even if one of the legitimate user's OTPs is compromised, knowledge of that particular OTP will not permit the fraudster to log into the user's account, since each login attempt asks for a different, randomly selected cell and a well-designed system never asks for the same cell twice. The card does not, however, defeat a real-time attack in which a spoofed site relays the institution's challenge to the user and the user's answer back to the institution, and a card whose cells are never retired can be reconstructed by a fraudster who observes enough logins.
Conventional OTP hardware tokens rely on electronics that can fail through physical abuse or defects, but placing the grid on a wallet-sized plastic card makes it durable and easy to carry around. This type of authentication requires no training and, if the card is lost, replacement is relatively easy and inexpensive.
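The following added example is not part of the Supplement. It shows one way an institution could issue and check a scratch card: the characters in every cell are derived with HMAC from a per-card seed, so the server stores one secret per card rather than the whole grid; the challenge picks a cell that has not been used before; and a cell is retired whether or not the answer was correct, so a captured answer cannot be replayed and a fraudster cannot probe one cell repeatedly. The grid size, alphabet, cell length and the seeding of the random choice for the demonstration are assumptions.

```python
import hashlib
import hmac
import random
import secrets
from typing import Dict, Optional, Set

ROWS = "ABCDEFGHIJ"  # 10 x 10 grid; a cell is named like "C7"
COLS = range(1, 11)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O or 1/I confusion
CELLS = [f"{r}{c}" for r in ROWS for c in COLS]


def cell_value(seed: bytes, card_id: str, cell: str, length: int = 3) -> str:
    """Characters printed in one cell, derived from the per-card seed the server keeps.
    256 is a multiple of 32, so indexing the alphabet by byte value is unbiased."""
    mac = hmac.new(seed, f"{card_id}:{cell}".encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:length])


def render_card(seed: bytes, card_id: str) -> Dict[str, str]:
    """Everything that gets printed on the plastic card."""
    return {cell: cell_value(seed, card_id, cell) for cell in CELLS}


class ScratchCardAuth:
    """Second-factor check performed after the password has been verified."""

    def __init__(self, seed: bytes, card_id: str, rng_seed: Optional[int] = None) -> None:
        self.seed, self.card_id = seed, card_id
        # A fixed rng_seed makes the demo reproducible; production uses SystemRandom.
        self.rng = random.Random(rng_seed) if rng_seed is not None else secrets.SystemRandom()
        self.used: Set[str] = set()
        self.pending: Optional[str] = None

    def challenge(self) -> Optional[str]:
        """Pick a cell not used before; None means the card is exhausted and must be replaced."""
        unused = [c for c in CELLS if c not in self.used]
        if not unused:
            self.pending = None
            return None
        self.pending = self.rng.choice(unused)
        return self.pending

    def verify(self, response: str) -> bool:
        """Check the response for the pending cell. The cell is consumed whether or not
        the answer is right, so a captured answer cannot be replayed and no cell can be probed."""
        if self.pending is None:
            return False
        cell, self.pending = self.pending, None
        self.used.add(cell)
        expected = cell_value(self.seed, self.card_id, cell)
        return hmac.compare_digest(expected.encode(), response.strip().upper().encode())


if __name__ == "__main__":
    seed = secrets.token_bytes(32)
    card = render_card(seed, "CARD-0001")
    auth = ScratchCardAuth(seed, "CARD-0001")
    cell = auth.challenge()
    print("challenge", cell, "->", auth.verify(card[cell]))
```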
Trusted Platform Module (TPM) Chip
What is it and how does it work?
The Trusted Platform Module (TPM) is an embedded chip that securely stores passwords, digital certificates, and encryption keys for PCs. This hardware-based system is designed to verify the authenticity of both the user and the device. The TPM acts as a hardware vault: it performs public-key operations (decrypting, signing, encrypting, and verifying) with keys that never leave the chip, and it records measurements of the machine's firmware and software so that only trusted software that passes integrity checks is granted access to those keys. Because all checks and authentications are performed automatically, the login process is not expanded or complicated in any way for the user.
The tamper-resistant chip holds keys and certificates associated with the chip and the resident hardware device. At boot-up each stage of the platform's software is measured into the TPM before it runs, which produces a chain of trust from the firmware up to the operating system; the resulting measurements can be reported to a remote party, such as a financial institution, which can compare them with known-good values. This process protects keys and files from access by software that is not in the expected state. The two most commonly mentioned disadvantages of the TPM are that software the platform does not recognize (unlicensed, or unrelated to the operating system in use) will fail its integrity checks, and the cost of converting to another application once a product has been used for any length of time.
Although these chips are being installed on many PCs now distributed by major manufacturers, the chips are typically shipped disabled. The concept holds promise, but operating system and application support is not widespread. Plans call for future versions of existing operating systems to begin supporting TPM services.
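The chain of trust described above rests on one operation, the PCR extend, and the following added example (not part of the Supplement, and a software simulation rather than code that talks to a TPM) carries it through. A Platform Configuration Register cannot be written, only extended, as new = SHA-256(old || measurement), so the final value depends on every component and on the order in which they were measured. The component images, their names and the "golden" expected value are constructed for the demonstration. The verifier replays the event log and compares the result with both the quoted register and the expected value, which is the check a remote attestation performs.

```python
import hashlib
from typing import Dict, List, Tuple

PCR_LEN = 32  # SHA-256 bank


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR <- H(PCR || digest). A PCR can be extended but never set."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Dict[str, str]]]:
    """Simulate a boot chain: each stage measures the next into the PCR before running it,
    and appends an event-log entry that a verifier can replay."""
    pcr, log = bytes(PCR_LEN), []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append({"component": name, "digest": digest.hex(), "pcr": pcr.hex()})
    return pcr, log


def replay(log: List[Dict[str, str]]) -> bytes:
    """Recompute the final PCR from the event log alone."""
    pcr = bytes(PCR_LEN)
    for event in log:
        pcr = extend(pcr, bytes.fromhex(event["digest"]))
    return pcr


# Constructed "golden" images; a real verifier holds only the expected PCR value and
# the digests of approved components, never the images themselves.
GOLDEN_BOOT = [("firmware", b"fw 1.0"), ("bootloader", b"bl 2.3"), ("kernel", b"kernel 5.x")]
GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOLDEN_BOOT)
GOLDEN_DIGESTS = {e["digest"] for e in GOLDEN_LOG}


def attest(pcr: bytes, log: List[Dict[str, str]], expected: bytes = GOLDEN_PCR) -> Tuple[bool, str]:
    """What a remote verifier does with a quoted PCR value and the event log."""
    if replay(log) != pcr:
        return False, "event log does not reproduce the quoted PCR"
    if pcr != expected:
        changed = [e["component"] for e in log if e["digest"] not in GOLDEN_DIGESTS]
        return False, "unexpected boot state: " + ", ".join(changed or ["unknown component"])
    return True, "platform in expected state"


if __name__ == "__main__":
    good = measured_boot(GOLDEN_BOOT)
    bad = measured_boot(GOLDEN_BOOT[:2] + [("kernel", b"kernel 5.x + rootkit")])
    print(attest(*good))
    print(attest(*bad))
```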
User-Based Software to Detect Phishing and Fraudulent Web Sites
What is it and how does it work?
Several kinds of consumer-installed software address phishing from the consumer's side. Anti-phishing browser software can help consumers recognize fraudulent Web sites and warn them if sensitive personal information is about to be submitted to such a site. E-mail filtering software attempts to identify potentially harmful e-mail and can preview Web mail at the server before it is downloaded to the consumer's computer. "Disposable" e-mail address software may protect the consumer's "real" e-mail account from unwanted and perhaps harmful messages.
The anti-phishing software provides access to a constantly updated database of suspected and known phishing Web sites. Once installed on the consumer's computer, the software monitors the sites on the Internet that the consumer attempts to visit. When a Web site that the software has identified as suspect is selected by the consumer, a warning appears, informing the consumer that the site has been identified as potentially fraudulent. The site can still be visited, but the consumer will be aware of the potential problems related to it. The consumer's computer can be updated automatically or on command, much like most virus protection software packages. The consumer may also click to send a report of a suspected Web site to the software provider's central database. Some filtering software contains a feature that allows the user to preview e-mail. Previewing e-mail enables the consumer to set parameters that will allow only trusted mail to be immediately downloaded and will ensure that suspect mail is either deleted at the server or quarantined if a virus or worm is suspected.
The use of disposable e-mail address software enables the consumer to maintain a private, less accessible e-mail account when enrolling in Internet banking. Use of a separate disposable account for each membership will preclude the dissemination of the consumer's e-mail account and common login information.
Filtering and disposable e-mail software offer consumers a safer way to browse the Internet and use e-mail. The level of protection and effectiveness offered by filtering software depend on the consumer not ignoring the warnings generated by the software when it detects a potentially fraudulent Web site. The use of disposable e-mail addresses may reduce successful phishing attacks by making sure that phishing e-mails are never received by the consumer.
This software is currently available, and several variants of each type of product are freeware. The consumer-based character of this protection allows the consumer to install it on multiple PCs.
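The following added example is not part of the Supplement and does not describe any particular vendor's product. It shows the two parts of an anti-phishing check: a lookup against a blocklist feed (here a constructed two-entry set), and the structural heuristics that catch a link the feed has not seen yet, such as the bank's name buried in a subdomain of someone else's domain, a user@host prefix that disguises the real host, a bare IP address, or an internationalized label that may be a homograph. The institution's domain, the blocklist entries and the sample URLs are all assumptions. The registrable-domain helper keeps the last two labels; a real implementation uses the Public Suffix List.

```python
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed data: the institution's real domain and a blocklist feed of the kind the
# text describes. Real products consult a continuously updated database.
LEGITIMATE = {"examplebank.example"}
BLOCKLIST = {"login-examplebank.example", "examplebank-secure.example"}


def registrable_domain(host: str) -> str:
    """Last two labels. Real implementations use the Public Suffix List so that names
    under suffixes like co.uk are handled; two labels suffice for this sample."""
    return ".".join(host.split(".")[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url: str) -> Tuple[str, List[str]]:
    """Return ("ok" | "warn" | "block", reasons) for a link the consumer is about to follow."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    reasons: List[str] = []
    if not host:
        return "warn", ["no host in URL"]
    reg = registrable_domain(host)
    if reg in LEGITIMATE:
        # The bank's own site, but anything that collects data should be over https.
        if parts.scheme != "https":
            reasons.append("bank site reached without https")
        return ("warn" if reasons else "ok"), reasons
    if reg in BLOCKLIST or host in BLOCKLIST:
        return "block", [f"{host} is on the phishing blocklist"]
    if parts.username is not None:
        reasons.append("user@host trick: text before @ disguises the real host")
    if is_ip_literal(host):
        reasons.append("bare IP address instead of a domain name")
    for legit in LEGITIMATE:
        if legit in host:  # e.g. examplebank.example.attacker.example
            reasons.append(f"contains the bank's name but belongs to {reg}")
        elif legit.split(".")[0] in host.replace("-", ""):
            reasons.append(f"lookalike of {legit}")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized label: possible homograph")
    return ("warn" if reasons else "ok"), reasons


if __name__ == "__main__":
    for u in ["https://online.examplebank.example/login",
              "http://examplebank.example.attacker.example/",
              "http://examplebank.example@203.0.113.9/",
              "https://login-examplebank.example/"]:
        print(u, "->", check_url(u))
```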
Out-of-Band Authentication
What is it and how does it work?
Out-of-band authentication includes any technique that allows the identity of the individual originating a transaction to be verified through a channel different from the one the customer is using to initiate the transaction. This type of layered authentication has been used in the commercial banking/brokerage business for many years. In previous versions, a transfer of funds, a purchase, or some other monetary transaction was received by the financial institution from the customer either by telephone or by fax. After the institution received the request, usually a telephone call was made to another party within the company (if a business-generated transaction) or back to the originating individual. The telephoned party was then asked for the predetermined word, phrase, or number to verify that the transaction was legitimate and also to confirm the dollar amount. This layering helped prevent unauthorized transactions and also caught dollar mistakes, especially when a $1,000.00 order was intended but the decimal point was misplaced and the amount came back as $100,000.00.
In today's environment the methods of origination and authentication are more varied, and the originator may be an Internet banking account holder, an online shopper, or an international customer. The types of call-back are also more adaptable and imaginative. The millions of cellular phones, land-line telephones, PDAs (personal digital assistants), and VoIP (Voice-over IP) telephones provide for both manual and automatic transaction authentication. For example, when a user initiates an online transaction, a computer or network-based server generates a telephone call or an e-mail or text message. When the proper response, a verbal confirmation or an accepted-transaction affirmation, is received, the transaction is consummated.
This type of layered authentication defeats many man-in-the-middle attacks, provided the message on the second channel restates the transaction details (payee and amount) and the customer checks them before responding; a confirmation that carries only a code can simply be relayed by a fraudster sitting between the customer and the institution. And, as with any authentication method, if the authenticating device or the response were otherwise obtained by criminal elements, the system could be compromised.
Some households still do not have access to high-speed Internet access and must rely on telephone dial-up connections. For such users who also do not have a cellular phone, this system would be harder to use, although the use of e-mail authentication would still be possible. And although cellular phone ownership is sizable and coverage extensive, some areas of the country still have unreliable wireless connectivity.
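The following added example is not part of the Supplement; it shows the institution's side of an out-of-band confirmation for a funds transfer. The message sent over the second channel restates the payee and the amount, which is what lets the customer catch a substituted payee or the misplaced decimal point mentioned above, and the six-digit code is an HMAC over every detail of the transfer plus a fresh nonce, so it is valid for that transfer only. The code expires, is accepted once, and is voided after a few wrong guesses. The message wording, the five-minute lifetime, the attempt limit and the sample accounts are assumptions; the controllable clock exists only so that expiry can be demonstrated without waiting.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Transfer:
    txn_id: str
    from_acct: str
    to_acct: str
    amount_cents: int


class ManualClock:
    """Controllable clock so expiry can be demonstrated without waiting."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


class OutOfBandConfirmer:
    CODE_TTL = 300.0   # seconds the code stays valid (assumed)
    MAX_ATTEMPTS = 3   # six digits are guessable if attempts are unlimited

    def __init__(self, server_key: bytes, clock: Callable[[], float]) -> None:
        self.key, self.clock = server_key, clock
        self.pending: Dict[str, dict] = {}

    def _code(self, t: Transfer, nonce: str) -> str:
        """Six digits bound to every detail of the transfer and a fresh nonce."""
        msg = f"{t.txn_id}|{t.from_acct}|{t.to_acct}|{t.amount_cents}|{nonce}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def start(self, t: Transfer) -> str:
        """Register the transfer and return the text sent over the second channel
        (SMS, voice call or e-mail). It restates the details so the customer can
        spot a substituted payee or a misplaced decimal point before confirming."""
        nonce = secrets.token_hex(8)
        self.pending[t.txn_id] = {"txn": t, "nonce": nonce, "issued": self.clock(), "attempts": 0}
        return (f"Confirm transfer of ${t.amount_cents / 100:,.2f} from {t.from_acct} "
                f"to {t.to_acct}. Code: {self._code(t, nonce)}. "
                f"If you did not request this, do not reply and call the bank.")

    def confirm(self, txn_id: str, code: str) -> bool:
        """Complete the transfer only for a fresh, unexpired, correct code. The code is
        consumed on success, and the challenge is voided after too many failures."""
        p = self.pending.get(txn_id)
        if p is None:
            return False
        if self.clock() - p["issued"] > self.CODE_TTL or p["attempts"] >= self.MAX_ATTEMPTS:
            del self.pending[txn_id]
            return False
        p["attempts"] += 1
        ok = hmac.compare_digest(self._code(p["txn"], p["nonce"]), code.strip())
        if ok:
            del self.pending[txn_id]
        return ok


def code_from_message(message: str) -> str:
    """What the customer reads off the phone (helper for the demonstration)."""
    return message.split("Code: ")[1][:6]


if __name__ == "__main__":
    bank = OutOfBandConfirmer(secrets.token_bytes(32), ManualClock(1000.0))
    msg = bank.start(Transfer("T1", "CHK-1234", "ACME Supplies", 100000))
    print(msg)
    print("confirmed:", bank.confirm("T1", code_from_message(msg)))
```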