Essay:Online banking authentication recommendations

Online banking authentication recommendations put out by the Federal Financial Institutions Examination Council (FFIEC) are becoming the bane of users of financial institutions' websites, and the claims that they improve security are highly suspect.

Banks, credit card companies, and other financial institutions with an online presence are asking customers sundry personal questions in the guise of improving security while complying with "federal law" (actually FFIEC recommendations). Customer support personnel at financial institutions are being told it is a law, and they are repeating this falsehood to customers who complain about the extra layer of privacy invasion.

Examples of questions to increase authentication security include:

 * 1) The name of the high school you attended.
 * 2) The name of your favorite pet.
 * 3) The name of your first boyfriend or girlfriend.
 * 4) Your grandfather's nickname.
 * 5) Your mother's maiden name.
 * 6) Your favorite method of preparing goat.
 * 7) The make and model of your first car.
 * 8) The name of your favorite niece or nephew.
 * 9) The name of your best man at your civil commitment ceremony (with no offense to those who prefer to "shack up").

Practical Consequences
The effect of these recommendations is that password spreadsheets will have many more columns; security will not be improved; and there will be a marked decline in the convenience of online banking.

The elderly, and customers who are less educated or less technically competent, will encounter problems, sometimes financially devastating, such as being unable to access their accounts in emergencies.

A benefit is that it may be easier to detect when unintelligent individuals hold multiple accounts under multiple pseudonyms. However, it is unlikely that this benefit will ever be seen; unintelligent individuals do not accumulate large amounts of money requiring laundering.

Futility
These measures are futile, and designed more to appease the masses and fend off bad publicity than to improve security. If a password can be stolen, so too can the answers to these other questions, which are just application-specific passwords. Worse, these secondary passwords are less secure than ordinary passwords because they are usually correctly spelled names or places, which makes them subject to dictionary attacks and to investigation. And like all passwords, the greatest risk of theft comes from the bank itself. Certain bank employees have access to databases that contain this information on thousands of users, which can be used to attack accounts at the current bank, or to attack individual users' accounts with other financial institutions.
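To put a number on the dictionary-attack point above, here is an added example (not part of the essay) that compares the guessability of a security-question answer drawn from a small, skewed pool of names with that of a random password. The pool sizes and the Zipf popularity model are assumptions for illustration, not measured data.

```python
# Added example: how guessable is a security-question answer compared with a
# random password? Pool sizes and the Zipf popularity model are assumed.
import math


def zipf_probs(n, s=1.0):
    """Probabilities for a pool of n answers whose popularity follows a Zipf law
    (a few very common answers, a long tail of rare ones)."""
    weights = [1.0 / (rank ** s) for rank in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def uniform_probs(n):
    """Probabilities for n equally likely answers (the best case for a pool)."""
    return [1.0 / n] * n


def shannon_bits(probs):
    """Shannon entropy of an answer distribution, in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def guesswork(probs):
    """Expected number of guesses for an attacker who tries the most popular
    answer first, then the next most popular, and so on."""
    ranked = sorted(probs, reverse=True)
    return sum(rank * p for rank, p in enumerate(ranked, start=1))


def uniform_password_guesswork(length, alphabet_size):
    """Expected guesses against a uniformly random password, computed
    analytically as (N + 1) / 2 so we never materialise the 62^8 space."""
    n = alphabet_size ** length
    return (n + 1) / 2


if __name__ == "__main__":
    # Assumed pool sizes for three of the questions listed in the essay.
    pools = {"mother's maiden name": 100_000, "favorite pet": 5_000, "first car": 2_000}
    for question, size in pools.items():
        probs = zipf_probs(size)
        print(f"{question:22s} pool={size:>7d} "
              f"entropy={shannon_bits(probs):5.1f} bits "
              f"expected guesses={guesswork(probs):9.0f}")
    pw = uniform_password_guesswork(8, 62)
    print(f"random 8-char [A-Za-z0-9] password: expected guesses={pw:.3e}")
```

Even with a 100,000-name pool, popularity skew pulls the expected number of guesses far below the pool size, while the random password sits around 10^14 guesses.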

No studies are provided showing that attacks against individuals by outsiders are a problem. However, the media are full of reports about large-scale attacks, such as bank employees unlawfully using information garnered from databases, missing backup tapes, and man-in-the-middle phishing schemes set up with look-alike websites. The authentication schemes do nothing to protect against such widely reported threats. Further, if a DNS server is compromised, users' computers can easily be tricked into using a malicious man-in-the-middle server even when the user types in the correct URL.

Brave New World
An ancillary benefit of these recommendations (treated as law by most financial institutions) is to better "know your customer" pursuant to Patriot Act requirements. This allows the government to track persons of interest and of such low intelligence (e.g., Richard Reid) that they reveal actual details about their life by honestly answering such questions, or inept persons who use the same answers for multiple banking pseudonyms to launder money or bypass IRS regulations.

Another likely abuse is that innocents will be slandered in the press after certain tragic events, once details about them are released to the media by federal investigators who gather biographical profiles in part using "know your customer" information, similar to what happened to Richard Jewell.

Individuals (read: induhviduals) will be unable to shop around for banks that do not follow these "recommendations." Although we live in a global economy in which corporations are free to use slave labor in developing countries, individuals who rebel against these intrusions of privacy by choosing more anonymous, off-shore banks and credit card companies may be duly added to Homeland Security no-fly lists.

In the future, it is expected that all computers sold in the United States will be required to be equipped with a device similar to a glucose reader that is capable of decoding DNA from blood samples almost instantaneously. The collection of blood samples will be mildly painful, but of course, "it is a small price to pay for security." After all, anybody who complains about the pain must have something to hide.

It's a brave new world.