tag:blogger.com,1999:blog-6697950304516138442.post5798896728812578122..comments2010-02-17T13:46:22.597-06:00Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.comBlogger6125tag:blogger.com,1999:blog-6697950304516138442.post-58531894965462854952010-02-17T13:46:22.597-06:002010-02-17T13:46:22.597-06:00@matthewkrieger That&#39;s true, I suppose multifactor would defeat the information-harvesting model where sensitive data is collected and then auctioned in bulk.<br /><br />SMS authentication is an interesting idea, and it&#39;s nice to see a creative approach to the field. I don&#39;t know enough about cell phone security to give an opinion on how attack-resistant it is, and I haven&#39;t had any firsthand experience with such a system. It may well be the wave of the future, though. There are just too many problems with passwords alone, and the continuing absence of any commonplace public key infrastructure means institutions are going to need to bootstrap their own solutions.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.comtag:blogger.com,1999:blog-6697950304516138442.post-7910284216786208872010-02-17T12:38:34.729-06:002010-02-17T12:38:34.729-06:00@Ian - <br /><br />You make a great point about two-factor authentication not being a panacea for phishing exploits. Two-factor authentication schemes based on 1-time passwords should reduce some risk though because the exploit would have to be done at the same time (in-line) as the user&#39;s login, vs. later on.<br /><br />The inconvenience of physical tokens is (generally) inversely proportional to the tech savvy of the user. Bank of America (and I assume some other banks) have a two-factor scheme based on 1-time passwords/pins sent via sms.matthewkriegerhttp://www.google.com/profiles/matthewkriegernoreply@blogger.comtag:blogger.com,1999:blog-6697950304516138442.post-66267763422591607982010-02-16T15:51:41.036-06:002010-02-16T15:51:41.036-06:00@matthewkrieger,<br /><br />Well, true multifactor authentication definitely has some security benefits. For example, a brute force password attack is out of the question (assuming, of course, that the second channel is not compromised).<br /><br />But the frightening power of phishing attacks is that they largely bypass this type of security. Multifactor provides no protection against a standard man-in-the-middle. If a fake site tricks me into giving my password, it can trick me into punching in my one-time code too.<br /><br />I agree that SiteKey is not two-factor, and in fact I think the confused application of that term muddles the fact that it actually addresses a different need. Mutual authentication is about proving that the site you&#39;re about to log in to is the site you think it is, and unfortunately I don&#39;t think multifactor can help with that problem.<br /><br />So I&#39;m not totally opposed to <i>real</i> multifactor solutions, but they&#39;re no panacea, and the keyfob thing is a serious inconvenience. I shudder to imagine five years from now - I&#39;ll no longer have a different username and password for every site, I&#39;ll have a different username, password, and keyfob. I&#39;ll have to keep a little janitor&#39;s keyring next to my desk for all my fobs.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.comtag:blogger.com,1999:blog-6697950304516138442.post-9282536814771499952010-02-16T12:53:56.007-06:002010-02-16T12:53:56.007-06:00Ian,<br /><br />In your opinion how much safer do you think that some form of true two-factor authentication (I don&#39;t consider SiteKey to be two-factor - I&#39;m referring to some physical keyfob with changing numbers or one-time passwords, possibly sent via SMS) would make things in an online banking scenario?<br /><br />Regardsmatthewkriegerhttp://www.google.com/profiles/matthewkriegernoreply@blogger.comtag:blogger.com,1999:blog-6697950304516138442.post-84615872381115842792009-09-28T19:42:09.803-05:002009-09-28T19:42:09.803-05:00The RSA product security team would like to extend its appreciation for hearing from you in advance of your post last week. We take all responsible communication like yours very seriously and quickly confirmed no technical issues existed within our RSA Adaptive Authentication platform, including its Site-to-User module. As you referenced, we provided all RSA Adaptive Authentication customers with information about Clickjacking, the UI Redress attack that involves multiple and oftentimes transparent frames which can make certain Internet browsers vulnerable. Mitigations can include utilizing a Frame Buster or increasing the security within browsers. <br /><br />In addition to site-to-user, RSA Adaptive Authentication works behind-the-scenes with a risk engine that monitors device identification, geo-location, behavioral profiling, and feeds from a networked community sharing fraud data. An anomaly can trigger an alert to initiate an out-of-band phone call or challenge/response questions in order to verify an identity. <br /><br />Organizations that conduct business online should assume that all of their users’ PCs are compromised in some manner and should prepare their security infrastructures accordingly. You are right, there is no silver bullet in security. We recommend a comprehensive and systematic approach to help reduce online threats. This includes implementing multi-layered security such as risk-based authentication, two-factor authentication, transaction monitoring, and the shutting down of online attacks. We also encourage all Internet users to stay educated and take both technical and behavioral security precautions. There are dozens of resources online that provide tips and tricks to greatly help in this effort.RSAhttp://www.blogger.com/profile/00227151427564044670noreply@blogger.comtag:blogger.com,1999:blog-6697950304516138442.post-60475099956574165292009-09-26T11:52:46.736-05:002009-09-26T11:52:46.736-05:00my password is &quot;ianyoungismyfavorite&quot; for Commerce Bank in Normal, Illinois. <br /><br />That&#39;s the equivalent of phishing in a phish pharm.Tomajahttp://www.blogger.com/profile/06688482486677050479noreply@blogger.com