In Depth

FFIEC: Second Thoughts on Second Factors

Seven ways in which the new FFIEC strong-authentication standard isn't quite what it appears to be

By Scott Berinato

Page 7

Conventional Wisdom

Stronger authentication will lead to a net reduction in risk.

On Second Thought

Not exactly. Consider the glorious history of spam.

As security guru Bruce Schneier likes to say, if you start policing a troublesome street corner, crime doesn't really go down, it just moves to another street corner.

A good example of this rule of threat adaptation is spam. Spam started as simple text-based e-mail whose subject field said exactly what the message was about: pornography, pills, free money, whatever. Early spam filters got wise to this and filtered mail by scanning subject lines for keywords (Viagra, mortgage and so on).

Spam decreased, but only for a moment. Then spammers started using prosaic subject lines ("Hey, check this out") to avoid the filters and people's common sense. Users then started ignoring e-mails that seemed too general, so spammers customized subject lines ("Hey, Scott, check this out"). Then new filters were developed to search the body of the e-mail, not just the subject line, for keywords. This slowed the flow again, briefly. Then spammers started misspelling keywords and substituting numbers, spaces and symbols for letters (for example, "v1ag*ra" or "m0rt gage").

Filters now had to look for an exponential number of keyword variants. Eventually, spammers started using HTML for body copy, thwarting text filters. Filters adapted. Bad guys improved distribution. Good guys turned to legislation. Bad guys moved offshore. Good guys started blacklisting IP addresses. Bad guys deployed bots to send spam from legitimate IP addresses.
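To make the filter-generation arms race concrete, here is an added example (not code from the article or from any product it mentions) that runs three successive filter generations over a handful of constructed sample messages: a subject-only keyword match, a subject-plus-body literal match, and a filter that normalizes away HTML tags, digit-for-letter substitutions and inserted separators before matching. The keyword list, substitution table and messages are all assumptions chosen to mirror the stages described above.

```python
import html
import re

# Constructed sample messages, one per stage of the arms race the article describes.
MESSAGES = [
    {"subject": "Cheap Viagra", "body": "Buy now."},                                  # stage 1
    {"subject": "Hey, Scott, check this out", "body": "Cheap viagra here."},           # stage 2
    {"subject": "Hey, check this out",
     "body": "Get your m0rt gage refinanced: v1ag*ra too"},                            # stage 3
    {"subject": "Hey, check this out",
     "body": "<p>Vi<b>ag</b>ra &amp; m<i>ort</i>gage deals</p>"},                      # stage 4
    {"subject": "Lunch tomorrow?", "body": "Are you free at noon?"},                   # legitimate
]

# Assumed keyword list; a real filter would carry far more.
KEYWORDS = ("viagra", "mortgage")

# Assumed digit/symbol-to-letter substitution table used for normalization.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def subject_filter(msg):
    """Generation 1: literal keyword match on the subject line only."""
    subj = msg["subject"].lower()
    return any(k in subj for k in KEYWORDS)


def body_filter(msg):
    """Generation 2: literal keyword match on subject and body."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    return any(k in text for k in KEYWORDS)


def normalize(text):
    """Strip HTML tags and entities, undo digit/symbol substitutions,
    then drop every non-letter so 'v1ag*ra' and 'm0rt gage' collapse
    to their plain keywords."""
    text = re.sub(r"<[^>]+>", "", text)
    text = html.unescape(text)
    text = text.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", text)


def normalized_filter(msg):
    """Generation 3: keyword match on normalized subject and body."""
    text = normalize(msg["subject"] + " " + msg["body"])
    return any(k in text for k in KEYWORDS)


def evaluate(messages=MESSAGES):
    """Return, per filter generation, the indices of the messages it flags."""
    return {
        "subject": [i for i, m in enumerate(messages) if subject_filter(m)],
        "body": [i for i, m in enumerate(messages) if body_filter(m)],
        "normalized": [i for i, m in enumerate(messages) if normalized_filter(m)],
    }


if __name__ == "__main__":
    for generation, flagged in evaluate().items():
        print(f"{generation:>10}: flags messages {flagged}")
```

Each generation catches the evasion aimed at the previous one and nothing more, which is the article's point: the defense never ends the problem, it changes the attacker's next move. The normalization step also shows the cost of adapting: collapsing whitespace and punctuation widens the match surface (letters from adjacent innocent words can run together into a keyword), so every tightening has to be re-tuned against false positives.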

And so forth. Security professionals should expect nothing different from the deployment of stronger authentication at banks. In the short term it might reduce authentication-based crimes, but that's an attenuating effect.

"The real threat is fraud due to impersonation, and the tactics of impersonation will change in response to the defenses," Schneier wrote last spring. "Two-factor authentication will force criminals to modify their tactics, that's all. In the long term, all it does is move the bad guys to a new tactic."

Therefore, CSOs and CISOs must anticipate where the guidance will force risks to migrate. In the online banking world, the scariest developments have to do with keylogging, rootkits (made famous by the notorious Sony antipiracy scheme), bots and the remarkable sophistication in all of these technical tools.

Looking over the past year's cases of identity theft, one can see another migration taking place. Few of the newsworthy identity thefts, in fact, were authentication exploits. ChoicePoint, for example, was defrauded for lack of background checks on customers. Bank of America physically lost backup tapes of customer data while they were in transit.
