Brian Krebs continues to do the most important spade work on the eBanking cluster that is melting down before our eyes (emphasis added):
"When I first talked to the bank, my question to them was, 'We've always done the same five payroll transactions a month, this was outside the norm, so why didn't you flag them?'" Diaz recalled. "They told me because [the thieves] answered the secret questions correctly and because the amount was under $10,000 and their daily limit, they let it go just based on the amount."
In other words, the bank believed them because its own weak authentication process failed.
In the beginning things were simple:
Authentication, authorization and auditing - the gold standard for information security - ran on the bank's system.
But with eBanking for transactions under $10k, it appears that banks not only added the very weak identity and authentication of the web, they also removed authorization and a fair amount of auditing.
We start the process with a weak username/password "authentication" of random people on the web, and then use this to bootstrap the whole rest of the process! MQ Series is only going to propagate those weak credentials, and the mainframe "trusts" the request because it was sent from MQ; as long as it's under $10k, why worry?
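As an added illustration (not code from this post or from any bank's system), here is the sub-$10k decision as the bank described it, beside an authorization check that also compares the request against the account's normal pattern and writes an audit record for every decision. The account, payees and amounts are constructed.

```python
from dataclasses import dataclass, field

THRESHOLD = 10_000               # the "under $10,000, let it go" cutoff quoted above
BASELINE_PAYROLL_PER_MONTH = 5   # "the same five payroll transactions a month"

@dataclass
class Txn:
    amount: float
    payee: str
    month: str                   # e.g. "2010-03"

@dataclass
class Account:
    daily_limit: float
    known_payees: set
    history: list = field(default_factory=list)   # prior payroll Txns

    def payroll_runs_this_month(self, month):
        return sum(1 for t in self.history if t.month == month)

def weak_authorize(txn, acct, secret_questions_ok):
    """The process as the bank described it: identity check plus amount cap, nothing else."""
    return secret_questions_ok and txn.amount < THRESHOLD and txn.amount <= acct.daily_limit

def layered_authorize(txn, acct, secret_questions_ok, audit):
    """Decide on the account's normal behaviour, not just the amount, and always audit."""
    reasons = []
    if not secret_questions_ok:
        reasons.append("authentication failed")
    if txn.amount > acct.daily_limit:
        reasons.append("over daily limit")
    if txn.payee not in acct.known_payees:
        reasons.append("new payee")
    if acct.payroll_runs_this_month(txn.month) >= BASELINE_PAYROLL_PER_MONTH:
        reasons.append("exceeds usual monthly payroll count")
    if not reasons:
        decision = "approve"
    elif "authentication failed" in reasons or "over daily limit" in reasons:
        decision = "deny"
    else:
        decision = "hold-for-out-of-band-confirmation"   # anomalous but not a hard fail
    audit.append({"payee": txn.payee, "amount": txn.amount,
                  "decision": decision, "reasons": reasons})
    return decision

def demo():
    # Constructed scenario: five normal payroll runs this month, then a sixth, under $10k, to an unknown payee.
    acct = Account(daily_limit=25_000, known_payees={"ACME Payroll Svc"},
                   history=[Txn(4_500, "ACME Payroll Svc", "2010-03")] * 5)
    txn, audit = Txn(9_800, "unknown-payee-0001", "2010-03"), []
    return weak_authorize(txn, acct, True), layered_authorize(txn, acct, True, audit), audit
```

The amount-only check waves the sixth transfer through; the layered check holds it and leaves a record saying why.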
I am not sure this model survives much longer; it reeks of a 1970s station wagon engine that's coughing and wheezing its last breath and spewing oil all over your driveway, and I am not alone.
"Internet banking as we know it, the kind that happens when a user launches a browser, and goes through even a decent approximation of layered security on a bank's Website, is dead, made untenable by the massive fraud now draining hundreds of millions from corporate accounts."
-- Rebecca Sausner, Editor-in-Chief, Bank Technology News
It must not be bad enough to warrant change from the perspective of the banks. It all comes down to money with these bankers after all.
I will cheer when my bank finally offers strong authentication. I would love to use my shiny new, flat as a credit card VIP card (by InCard). But I'll also gladly do one time codes to SMS.
Again, they don't really seem to care. Apparently it doesn't cost them enough.
I would actually love to see service providers abdicate all identity responsibility. I would love to see them consume only a trusted, verifiable authorization decision. Let me pick my IDp. Let something else assert authorization based on trusting my IDp.
Of course, I know you're talking about all of the Ns in the N tier participating in authorization. We both know how well that's implemented.
I'm working on audit logging as the first step. I want audit logs to SCREAM that authorization is not properly implemented.
Posted by: Slonob | March 16, 2010 at 10:53 AM