Monday, June 27, 2016

Verification versus Authentication

On my Twitter feed, I see there is a continuous trickle of tweets asking for CIBC bank to adopt two-factor authentication ("2FA").  It looks like this:




You normally see about 2 or 3 of these a week - and they all originate at the same site about 2FA.  As you can see, after the request that the bank consider adopting 2FA, there's a canned response along the lines of: "We take security very seriously, so we have two step verification".

Of course, that irks me, and here's why:  The customer is talking about authentication (i.e. making sure the person accessing the bank account is the authorized person who should be accessing it), and the bank is responding on the subject of verification. When a bank sends a code to a phone number on file, all it is verifying is that the person trying to access the account, authorized or not, also has the phone belonging to the person whose account it is.

That's a fundamental flaw in security.

If you don't know the difference, two step verification is where you supply a password, and the bank sends you a code that you type in as well.  So, imagine your other half has your phone and you're in the middle of a messy breakup, and they know your password: the bank sends a code to the phone in their hands, and voila!

There's a really obvious problem here, and anyone with an ounce of security savvy will tell you, physical access is 9/10ths of the problem.  This is why people are asking for 2FA.

With 2FA, you have to supply something in addition to the password.  This is usually two items out of this list of three:
  • Something you have (e.g. password)
  • Something you know (e.g. maternal grandmother's maiden name)
  • Something you are (e.g. biometric, location, etc.)
It doesn't have to be those three, but they are the most common.

As you can see, the response from the bank totally undermines any confidence that they even understand what's being asked, because in the situation described above, the bank is handing the attacker the tools to complete the compromise of the customer.


Of course, the access agreement is written with a totally one-sided assumption that the customer is the only person who could ever put the bank or the customer into jeopardy.




The part that says "Without limiting the generality of the first sentence in this Section 9," makes me shake my head, because of course, the first sentence says that you are on the hook for "any losses", whilst ignoring the fact that, as often happens, the bank has set the customer up for failure in the first place.

In a nutshell, the security situation is analogous to going into the sea to scuba dive and the dive master saying "There are sharks here, and we take your security seriously, so here are some fresh raw beef steaks to hit the sharks with", and then, having set the divers up with the tools to be eaten, having them also sign an agreement which is totally one-sided and places all blame on the customers.

And people wonder why I banned the CIBC mobile apps from my house?