One of the things that those of us in the security field wish financial institutions would do is institute better security, such as two-factor authentication instead of one-factor authentication (e.g., username and password). I hadn’t really given much thought to this or even devoted many electrons to it on this blog, but two-factor authentication when the stakes are higher is a good idea. In real life, I use a couple of institutions that use two-factor authentication. One of them does a good job, and one of them does a bad job.
The one that does a good job is Everbank. Everbank is an institution that allows you to get a bit more creative with your finances. Originally, I bought a foreign currency CD (certificate of deposit) with a yield of 6%, with a 6 month expiration (so, 3% yield). I bought New Zealand currency. At the time, the idea was that the US dollar had been losing value for a number of years, so I could buy $10,000 (or whatever) of New Zealand currency and six months later, since the dollar would continue to depreciate, it would be worth say $10,800. That’s an 8% capital gain, which wasn’t unreasonable. Plus, I get the 6% interest. Not a bad deal, huh? New Zealand is a commodity-based economy with a stable population and political environment, so it seemed like a low risk investment. Unfortunately, this was before the 2008 market swoon when the stock market fell into the toilet and flushed itself. As a result, everybody flocked back into the US dollar and my great plan absolutely backfired on me, knocking me out with a huge loss (thus demonstrating the fact that the entire investment community is out to get me).
However, Everbank is still a good bank. Its interest rates on checking accounts are the highest I have seen, and it still has very safe investments. Its yields are better than anyone else’s (disclosure: I have no affiliation with Everbank, they’re just the best I have seen for certain types of investments for the average Joe). I don’t use its website very much, but it has a nice dual factor authentication mechanism. First, on the home page, you enter your username. Next, you click the button and it shows you an image that you pre-selected ahead of time. You then have to answer a couple of challenge questions that you set up earlier and click Next. Finally, you enter your password. It’s a nice process that is slightly more cumbersome than any other bank I use, but I appreciate how they are protecting me and my money (from phishers and from me making more bad financial decisions).
Allow me to contrast that with another bank I use, UMB Bank. This is a bank that I have to use because it contains my employer sponsored Health Savings Account (HSA). Even though I have company health insurance, there is a $1500 deductible that I have to pay (after that, I have a co-pay of 10% up to $1000). Because I signed up early for the HSA, my employer deposits $1500 into my HSA. I can then use that amount to pay for whatever health expenses I have. I’m still out of pocket $1000 if I need $1500 + $10,000 = $11,500 of health costs (which is easy for me because of my stupid left hip), but $1000 isn’t too bad.
Anyhow, UMB Bank is the bank where my HSA is located. I have only ever accessed that bank account once because the two-factor authentication there is broken. I originally signed up for the account, entered my username, set up 4 secret questions out of a choice of approximately 20, and then set up my password. When I go to the page a couple of weeks later, I enter my username and it authenticates against that. I then get to answer my secret questions. Unfortunately, in all of their brilliance, UMB doesn’t present me with a secret question that I previously answered. Remember, there was a list of 20 and I only answered 4. For some reason, UMB asks me a question that I did not previously answer! For example, suppose it asked me “Where is your vacation home located?” Well, I don’t have a vacation home, so I would never have answered that question. Yet when I try to log in, it gives me that question! WTF! I close the session and retry and it presents me with yet another question I don’t have the answer to. Thus, I have no way to log in to access my account and view my funds.
I guess that’s one way to do security, make sure that nobody can get into my account – neither me nor phishers. Of course, it completely destroys the usability of the website and makes me wish that I could go somewhere else. Mark my words, if I could take my funds elsewhere… I would.
PS – the design of UMB’s site is not very good; in Firefox the fonts are too small.
Bank of America has a similar system to Everbank. It displays both a picture and a phrase. Unfortunately, neither of these is two-factor authentication. They consist of something you know (your username), something you know (your password), and something you know (your secret question answers). That's still one-factor authentication. It consists solely of "things you know".
Two-factor authentication chooses two of these three things: something you know, something you have, or something you are, such as your bank card and PIN, your password and security token, or PIN and fingerprint.
The picture and phrase are to help you confirm that you are in fact talking to the bank before you enter your password. Since all it takes to get the picture and the phrase is your username, it isn't really much of a help. If you were to enter your username into a fake site, that fake site would just contact the bank and ask for the picture and phrase, and repeat them back to you.
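The relay GregM describes, as an added example that is not code from the post or from any bank: a constructed Python simulation of a login flow whose image and phrase are keyed on the username alone, a phishing site that fetches them from the real bank and relays them to the victim, and the attacker's use of the captured answer and password afterwards. It goes a little beyond the comment by running the same relay against a user enrolled with an RFC 6238 time-based code, to show what a "something you have" factor changes (a captured code stops working after its 30-second window) and what it does not (a real-time relay still gets in). The bank, the phishing site, the user "alice", her password, her chosen question, the sitekey image and phrase, and the timestamps are all made up for the demo; the one-time-code key is the RFC 6238 Appendix B test-vector key so the expected codes are known.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test-vector key (constructed for the demo, not any real user's secret).
RFC6238_KEY = b"12345678901234567890"


def totp(key: bytes, now: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 time-based one-time code: HOTP (RFC 4226) over the 30-second counter."""
    counter = int(now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Bank:
    """Stand-in for the bank's login flow (constructed; no institution's real code)."""

    def __init__(self):
        self.users = {}

    def enroll(self, user, password, image, phrase, qa, otp_key=None):
        self.users[user] = {
            "pw": hashlib.sha256(password.encode()).hexdigest(),
            "image": image,
            "phrase": phrase,
            "qa": dict(qa),        # only the questions this user chose and answered
            "otp_key": otp_key,    # None -> knowledge factors only
        }

    def sitekey(self, user):
        # Step 1 of the flow in the post: keyed on the username alone, so anyone
        # who knows the username (a phishing site included) can fetch it.
        u = self.users[user]
        return u["image"], u["phrase"]

    def challenge(self, user):
        # Step 2: ask a question the user actually answered at enrollment.
        # (The UMB failure in the post is picking from the full list instead.)
        return next(iter(self.users[user]["qa"]))

    def login(self, user, question, answer, password, otp=None, now=None):
        # Step 3: challenge answer + password, plus the one-time code if enrolled.
        u = self.users[user]
        if u["qa"].get(question) != answer:
            return False
        pw = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(u["pw"], pw):
            return False
        if u["otp_key"] is None:
            return True
        return otp is not None and hmac.compare_digest(otp, totp(u["otp_key"], now))


class PhishingSite:
    """Fake login page that relays the real sitekey and question to the victim."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = {}

    def step1(self, user):
        self.captured["user"] = user
        return self.bank.sitekey(user)            # relayed verbatim from the real bank

    def step2(self):
        question = self.bank.challenge(self.captured["user"])
        self.captured["question"] = question
        return question

    def step3(self, answer, password, otp=None):
        self.captured.update(answer=answer, password=password, otp=otp)
        return "Sorry, please try again later."   # victim just sees a bland error


def victim_logs_in(site, user, expected, qa, password, otp_key=None, now=None):
    """Victim follows the anti-phishing procedure faithfully: checks the image and
    phrase before typing anything secret, then answers the question and gives the password."""
    if site.step1(user) != expected:
        return "aborted: sitekey mismatch"
    question = site.step2()
    otp = totp(otp_key, now) if otp_key else None
    return site.step3(qa[question], password, otp)


def run_scenario(with_otp):
    """Returns (real-time relay succeeds, replay much later succeeds)."""
    bank = Bank()
    key = RFC6238_KEY if with_otp else None
    qa = {"Where is your vacation home located?": "Ouagadougou8492"}
    bank.enroll("alice", "correct horse", "sailboat.png", "blue sky", qa, key)

    phish = PhishingSite(bank)
    t0 = 1111111100                       # same 30 s window as RFC 6238's 1111111109 vector
    victim_logs_in(phish, "alice", ("sailboat.png", "blue sky"), qa, "correct horse", key, now=t0)
    c = phish.captured

    # Attacker uses the captured values right away (real-time relay) ...
    relay = bank.login(c["user"], c["question"], c["answer"], c["password"], c["otp"], now=t0 + 5)
    # ... and again much later, from the same captured "things you know".
    replay = bank.login(c["user"], c["question"], c["answer"], c["password"], c["otp"], now=1234567890)
    return relay, replay


if __name__ == "__main__":
    print("knowledge factors only :", run_scenario(with_otp=False))   # (True, True)
    print("with a time-based code :", run_scenario(with_otp=True))    # (True, False)
```

The victim's sitekey check passes on the phishing site because the check only proves that whoever served the page could ask the bank for the username's image, which anyone can. Everything the victim then types is a knowledge factor, so the attacker can use it whenever they like; with the one-time code enrolled, the attacker still gets in during the window in which they relay, but the captured code is worthless afterwards.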
GregM has it exactly right; as I was reading this, I was planning to say pretty much the same thing he said (both about the two-factor auth and the MitM attack). But I won't, because he said it.
What I will say is that, while UMB's system is obviously stupid for asking you questions you didn't answer, it's not silly to answer questions for which you don't have an obvious answer. "Where is your vacation home?" is, as I see it, a perfect question. No one can possibly "know" my answer to it, because I don't have a vacation home, and I can answer "Ouagadougou". Now, instead of the "security question" becoming a bad password to back up my good password, it's just another good password... especially if I augment it to "Ouagadougou8492", or some such.
[Ouagadougou is the capital of Burkina Faso. And I've just been offered the opportunity to help someone spirit $17.3 million out of there. You think I should?]
Yes, two-factor authentication was a misnomer, to be sure. I was trying to distinguish it from the single username/password technique.
Barry, I disagree with you that answering a question that has no obvious answer is a good idea. Lots of websites ask me questions. It's hard for me to remember an answer to a question that I made up an answer for several weeks or months ago. The idea of asking multiple questions is to make it more difficult for someone else to get into my account, not virtually impossible for me by forcing me to remember abstract concepts.