Dubious, philosophically speaking
"We want to identify people for who they are, not what they remember"
riiiiiiiiight
Mastercard and Visa are removing the need for users to enter their passwords for identity confirmation as part of a revamp of the existing (oft-criticised) 3-D Secure scheme. The arrival of 3D Secure 2.0 next year will see the credit card giants moving away from the existing system of secondary static passwords to authorise …
The most recent one that I have seen captures your DNA and Blood, sends a sample to a local Vogon spaceship, analyses the results for any traces of Pan-Galactic Gargle Blaster, calls up Zaphod directly, asks if he was drinking with you lately and if not zaps you into oblivion.
Why the importance of this diatribe? Simples: it's great to have highly advanced techniques but they MUST BE AVAILABLE before anyone can use them and this takes bloody years......
meanwhile as I reach for a bottle of good Ol' Janx Spirit.... ------>>> Yes it's Friday
Covered by a very early Mythbusters episode. Also of note - the manufacturer offered some kind of guarantee that it couldn't be beaten. So that's two lessons in one ;)
Mine's the one with the hands in the pockets to stop someone cutting them off and using the fingerprints.
I've seen fingerprint authentication fooled for the cost of a camera and an inkjet printer.
Or for the cost of a piece of sellotape (to lift a fingerprint), a small piece of photo-resist-coated PCB material, standard etchant, and a blob of silicone rubber. Which method has the advantage that it does not need any connivance from its victim. It's just a slight modification of the long-known method for putting a random fingerprint on an incriminating object. (Pray you have a good alibi if it's your print they lift.)
Or for no cost at all. A brutal criminal will just cut off your finger(s) and leave you tied up while he empties your bank account. Mercedes used to sell cars that used the owner's finger instead of a key. Until South African carjackers started cutting drivers' fingers off. Mind you, that was better than being shot dead and then having your fingers hacked off. Or vice versa. No way I'd drive any car except a rust-bucket in a country like that. Safer still to not go there at all.
No way am I ever going to carry a financial instrument that uses part of my body as a key.
Most people apparently do.
This morning I wondered if the woman in front of me was attempting to negotiate a hostile takeover of the bank via the ATM. LADY! YOU DON'T NEED TO QUERY YOUR BALANCE THREE TIMES IN A ROW! IT WON'T MAGICALLY HAVE MORE MONEY!
No way am I ever going to carry a financial instrument that uses part of my body as a key.
OH SO VERY AGREED. Anyone who has watched either The 6th Day or Demolition Man already knows exactly why biometrics for security are a very bad idea. Sure, high-end biometric scanners will usually check if the body part is still attached to its rightful owner, but the common criminals won't necessarily know this before hacking off your finger or plucking out your eye. And they might still do it out of spite anyway.
Stop this biometric madness. If you want better security, go down either 2FA, PKI, or some combination of these. Biometrics are going to be painful.
There is another issue to look at.
Whether static, behavioral or electromagnetic, biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate to hear if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.
Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.
What makes us nervous is the possibility of seeing such pictures that many of the consumers, who are trapped in the false sense of security, are piling up their assets and privacy in the cyber space while some of the criminal wolves, who are aware that those consumers are now less safe, are silently waiting for the pig to grow fat.
As such, it is really worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.
I don't understand the focus on 'biometrics'.
Given that it's not that difficult to fake a fingerprint, this means we will all have to wear gloves? Because otherwise anyone could swipe my fingerprints, and have my "secret" code (ie. my fingerprint).
Even if through some technological breakthrough somehow a brand new 'biometric' system will spring to life, it's not at all inconceivable someone will find a way to fake this in such a way that will fool the detectors.
This is a problem with *all* biometric authorisation (iris scans, etc.) ...
Passwords, on the other hand, are something only *I* know, and reading my thoughts is not only impossible today, it's quite possibly not even physically possible.
There are also more practical concerns, how will this work? Will I need a fingerprint reader? Will that work with my BSD system? Or do I need a smartphone? What if I don't have a smartphone? Will this system even be secure? History has taught us that these sort of systems often contain flaws (sometimes quite serious ones). At least the current systems are well understood (flaws and all).
The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords, both are quite secure; all the others are randomly generated passwords. While this isn't perfect, and a second ("2 factor") authorization is indeed desirable for financial systems, that's nothing new; every bank already does that, as do some services like Dropbox.
In any case, I don't see how 'biometric authorisation' will make matters better, especially if this means it *replaces* passwords (rather than supplement them).
"Why does everyone automatically jump to fingerprints as soon as anyone mentions biometrics. Of the entire set of things that you could use on the human body (non-invasively) for biometric checks, the fingerprint is just a fairly small subset."
It's just the simplest representation to present in an argument, but the argument can be made for any and every biometric. Quite simply, just about anything man can create, man can either re-create or subvert. How do biometrics stop a Man in the Middle, for example, like a tampered entry point, which is physically proven to be impossible to completely secure simply because anyone can find and subvert a point outside a chain of trust and disguise it as a trusted point beyond the point of everyday detectability?
Yep, it doesn't matter what biometric is used or even if it is impossible to fool the reader. Biometric authentication is fundamentally the same as any other form.
During enrolment, the authentication server collects data about your authenticator. This may be your password (hash), a seed for a 2FA token, an X.509 public key or the base sample data for the biometric (etc. etc.)
During authentication, credential data is collected from the user. This could be input via a keyboard, smartcard reader or some weird and wonderful scanning device. This data is now a normal blob of data. It may be processed by the client before being sent to the authentication server for processing.
The server compares what it is given by the client to what it has got stored in some fashion. This comparison will result in either a positive or negative result. The authentication server doesn't give a damn about your fingerprint, iris scan or anal probe results, all it needs is a blob of data. If you can supply some data that it can match and inject it into the right place in the communications channel, the server will accept it.
That's why on many Windows networks if you have a password hash, it matters not that you don't know the password, or if you have a 2FA token seed and the generation algorithm, you don't need the original token. If you have enough information about a biometric credential and the system in use, you don't need the actual body part and can just bypass the scanner hardware.
In the password or 2FA examples, you can revoke the credential and issue a new one. Short of forced surgery, there is simply no way of doing this with biometrics.
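The flow the comment above describes (enrol a reference blob, later compare a submitted blob, and note that the server never sees the scanner), as an added example written for this page rather than code from the commenter or from any real product. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second steps), the password is stored as a salted PBKDF2 hash, and the biometric "matcher" is an exact comparison on a constructed template standing in for a real fuzzy matcher; user names, the template, the replacement seed and the timestamp are all constructed, with the seed and test time taken from the RFC's own test vectors.

```python
import hashlib
import hmac
import os
import struct
import time


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then the
    RFC 4226 dynamic truncation. Anyone holding the seed can compute
    this; the physical token is not needed."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class AuthServer:
    """Stores one reference blob per user and matches submitted blobs
    against it. It never sees a keyboard, a token or a finger."""

    def __init__(self):
        self.store = {}

    def enrol_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.store[user] = ("password", salt, digest)

    def enrol_totp(self, user: str, seed: bytes) -> None:
        self.store[user] = ("totp", seed)

    def enrol_biometric(self, user: str, template: bytes) -> None:
        # A real matcher scores feature vectors fuzzily; an exact match on a
        # constructed template stands in for it, because the point is only
        # that a stored blob is compared with a submitted blob.
        self.store[user] = ("biometric", template)

    def verify(self, user: str, blob, now=None) -> bool:
        """Compare what the client sent with what was stored at enrolment."""
        kind, *ref = self.store[user]
        if kind == "password":
            salt, digest = ref
            cand = hashlib.pbkdf2_hmac("sha256", blob.encode(), salt, 100_000)
            return hmac.compare_digest(cand, digest)
        if kind == "totp":
            (seed,) = ref
            expected = totp(seed, int(time.time()) if now is None else now)
            return hmac.compare_digest(blob, expected)
        if kind == "biometric":
            (template,) = ref
            return hmac.compare_digest(blob, template)
        return False


SEED = b"12345678901234567890"             # RFC 4226/6238 test secret
TEMPLATE = b"minutiae:12,34;56,78;90,12"    # constructed stand-in template
T = 1_111_111_109                           # RFC 6238 test timestamp


def attacker_with_seed_passes() -> bool:
    """Stolen seed plus the public algorithm: no token hardware required."""
    srv = AuthServer()
    srv.enrol_totp("alice", SEED)
    return srv.verify("alice", totp(SEED, T), now=T)


def replayed_blob_passes() -> bool:
    """A blob captured on the channel is re-injected; the scanner is never
    consulted, just as a password hash is replayed without the password."""
    srv = AuthServer()
    srv.enrol_biometric("bob", TEMPLATE)
    captured = TEMPLATE                     # sniffed during an earlier login
    return srv.verify("bob", captured)


def revocation_helps(kind: str) -> bool:
    """Re-enrol after a compromise and retest the captured credential.
    True means the old blob is now rejected."""
    srv = AuthServer()
    if kind == "password":
        srv.enrol_password("carol", "hunter2")
        captured = "hunter2"
        srv.enrol_password("carol", "correct horse battery staple")
        return not srv.verify("carol", captured)
    if kind == "totp":
        srv.enrol_totp("carol", SEED)
        captured = totp(SEED, T)
        srv.enrol_totp("carol", b"replacement seed 0001")   # new token issued
        return not srv.verify("carol", captured, now=T)
    # Biometric: re-enrolling the same finger reproduces the same template,
    # so the captured blob still matches. There is nothing to rotate.
    srv.enrol_biometric("carol", TEMPLATE)
    captured = TEMPLATE
    srv.enrol_biometric("carol", TEMPLATE)
    return not srv.verify("carol", captured)


if __name__ == "__main__":
    print("seed holder passes without a token:", attacker_with_seed_passes())
    print("replayed biometric blob passes:", replayed_blob_passes())
    for kind in ("password", "totp", "biometric"):
        print(f"re-issuing a {kind} credential defeats the capture:", revocation_helps(kind))
```

The last function is the point of the preceding paragraph: a password or seed can be replaced so that a captured value stops working, while the "replacement" biometric enrolment yields the same blob the attacker already holds.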
"The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords, both are quite secure; all the others are randomly generated passwords. While this isn't perfect, and a second ("2 factor") authorization is indeed desirable for financial systems, that's nothing new; every bank already does that, as do some services like Dropbox."
Then someone breaks your master password. Or your memory's so bad you can't even remember that password. And the moment someone says, "Tough!", that someone loses at least one customer. So what are you going to do? Customers are demanding turnkey solutions that don't rely on memory and won't take no for an answer.
I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor).
My UK bank account is particularly unusable since it prevents me from using a password manager by asking for random characters from my password.
Having said which - the visa and mastercard verification MITM popups are the most half-assed and broken web abortions I have ever seen. They look exactly like a phishing MITM attack, they fail to work on some browsers, etc etc. Glad to see them go.
"I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor)."
Barclays and Natwest (at least) use 2FA with tokens generated by the chip on your debit card. The Barclays variant (I've not used the NatWest one) authenticates access to the account and at the transaction level (the first time you send money to a recipient).
I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor).
See, sometimes forcible regulation brings good things. All Mexican banks offer 2FA, because they are mandated by law to do so. Pretty much every bank implemented some form of 2FA since 2007, and the last one that still used the corny "card number matrix" switched to physical real tokens sometime around 2011.
Meanwhile in the US, 2FA is nowhere to be found.
Some of my UK bank accounts have two factor authentication.
RBS/Natwest, Barclays and Nationwide have a card reader, so I have to put my card in it, enter a PIN and get a code which I enter into the website.
HSBC has a code generator which gives me a number to enter into the website.
Halifax and Santander send a code by SMS to my phone which I have to enter into the website.
> The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords
Even without a password manager. I have about two dozen passwords or so, and remember them all (most of the time!). It's not that I have great memory or anything
What was I saying?
Ah yes, not great memory, but I just learn to associate the passwords with the object/site/system I am trying to access, so that for example The Register becomes "8fLpow35" or whatever. Compared to the number of nouns one regularly uses in everyday language, a couple dozen passwords do not seem much. Of course it does require a little intellectual effort--not something I ever see as a bad thing, mind.
Not advocating this system, just presenting another possible approach to the too many passwords problem.
First time I encountered VbyV (many years ago) I called the card issuer and said "What is this?".
The call centre replied with, "We've never heard of it, so we've locked your card".
Frankly, it's been downhill ever since.
Can't remember your password?
Re-set immediately just by using the details on the card and the date of birth.
It's not like my DOB is very secret.
I don't think I've ever, once, entered a password on the entirely pointless and annoying Verified by Visa "service". Every time, it's "forgotten password", followed by a few basic details that I can remember and yet another relatively random slew of numbers and letters for the new password.
Are there any details on how the delusional, control-freak muppets are planning the next ludicrous "security theatre" of authentication?
The usual way IME is apart from the usual DOB and "memorable question", my bank asks questions regarding recent and/or regular transactions. "Which supermarkets do you usually shop at?" "When did you last withdraw cash from an ATM?" "Have you bought a lottery ticket online over the past week?" etc. Of course it is possible that the fraudster has a copy of my bank statement that is less than a week old, but far less likely than knowing my DOB or family details.
Not just that but from a retailer point of view it was a pain.
If you have an ecommerce site and spend a lot of effort with UX on your payment funnel then you capture the customer (who wishes to purchase), great!, however that pass over to 3DSecure and bam, forget their password, or the bank decides to reject the payment, etc.
Not so bad to have extra security when you are delivering physical goods to a new customer, but if you aren't then a third party is deciding whether a customer can shop with you or not and there is absolutely no way of finding out why they couldn't complete. There were articles mentioning a 9% drop in conversion with 3Dsecure. Very few retailers can see that as a positive thing.
> There were articles mentioning a 9% drop in conversion with 3Dsecure. Very few retailers can see that as a positive thing.
Which is probably the reason why they're scratching it (i.e., sod all to do with the customer's convenience or security).
Indeed, at one time one of my cards had that stupid system. There were some very unfortunate merchants in France who had this system forced upon them by their bank (providing the checkout). Much as I liked them, I had no choice but to forego their services until, a few months later, they wrote to tell me they were now accepting AMEX for those of us who could not / would not use that piece of shit of a "verification" system. I felt sorry for them since AMEX's merchant fees are double everyone else's, but...
At the same time, my bank was claiming that this was enforced from the receiving end and there was nothing they could do. I closed my accounts on that bank so I don't know what the latest status is, but none of the banks that I do business with nowadays seem to implement that sorry thing, thankfully.
Apparently the credit card companies charge retailers considerably more if they don't use 3Dsecure. On the other hand, the customer is more likely to avoid a retailer who does put the customer through the nuisance value of those bizarre credit card "security" setups. I still think that a pass number being sent by SMS each transaction is a far better way of doing things.
How is a free PAYG sim from Three a 'rip-off'?
Moreover how are calls charges of 3p a minute, texts at 2p and data at 1p/MB a rip-off either? Assuming you ever use the thing? I put £10 on mine months ago and despite periodically checking my emails via 4G and making the odd call I've still got over £7 on there.
Forgive me, but if you're in $FOREIGN_COUNTRY you're not going to be shopping online much are you? Services are a bit different, but it still seems like you're being a bit pedantic.
I'm not really in favour of using phones for 2FA either, but the original poster's comment about a PAYG sim being a 'rip off' just seems like complete rubbish. It's only expensive if you use it a lot, but the original poster clearly wouldn't use it very much since they manage to get by without a phone at all.
AIUI, SMS are free to receive, even overseas, on most/all UK/EU networks, so cost is not a real objection. And seeing as three and other networks are currently rolling out in-package calls for more and more roaming countries, that gets less of a deal.
When I go abroad to visit family I go for a while.
When in country I expect to be able to shop on line even when I have popped a PAYG SIM in my phone.
I could be booking hotels, motels, camp sites, ferries, flights using the new SIM either directly on my phone or tethered to laptop or tablet.
I may even want to click and collect at stores.
For this to work in the age of the global traveller you would need to be able to switch phone numbers quickly, easily, and repeatedly from abroad.
Given that proviso it doesn't seem quite as secure.
"AIUI, SMS are free to receive, even overseas, on most/all UK/EU networks, so cost is not a real objection."
Even in the US, it's pretty easy to pick a plan that has generous texting allowances if not unlimited texting, meaning even if they charge for receiving, it becomes just a drop in the ocean.
>Could you expand on that please?
What needs to be explained? How many people shop on-line while abroad as much as they do at home? How many people do it at all? Hands up please.
First off it's assumed $FOREIGN_COUNTRY is the country in which you do not live for most of the year, because then it's no longer foreign. $FOREIGN_COUNTRY is somewhere you are visiting for a business trip or holiday, not the house you own in France and live in for months each summer.
Many stores won't ship to a different street address than the one which appears on your bank statement, almost none will ship when the country is different, it's an anti-fraud measure. So immediately shopping on-line when abroad becomes more difficult.
Then there's the cost of shipping abroad, assuming you're buying from the country in which you normally reside, this isn't something you'd make a habit unless it was vital - e.g. arrived at your destination and realised you've forgotten something that can't be purchased locally. In these circumstances why would you not also be prepared to turn your phone on (or swap sims) to receive a text message?
Well, for many, their mobile is the only second factor available to them, so if you want 2FA, it's mobile or bust. If you declare 2FA bust, then you now have to figure out how to build a security system that's tamper-proof, turnkey simple, and doesn't require a second factor? Last time I checked, that means the general public is not accepting anything less than the impossible.
Ac,
not necessarily, Google Authenticator (I think that is what it is called) on my android generates a pseudo-random sequence to be entered into web pages etc, and does not need to be connected to the interwebs at the time.
Works quite well, especially here in the countryside, where SMS 2fa is a pain in the derriere due to having ropey mobile reception...
J
Agreed. It's bad enough that my bank occasionally needs to text me if I try to access online banking from a new laptop; moreso because I have barely any mobile phone signal at home unless I stand on one leg in the corner of my bathroom.
If I had to do that for every online transaction - well, fuck that...
+1. I don't have a mobile phone, so I can't use online banking with one of my accounts for anything useful, like transferring to another account. All I can do is check the balance.
However, as with all things these days, it's not going to be changed by us moaning about this or that security scheme, it's just going to be forced on us no matter its shortcomings.
I never understood that extra verification step. I did it once for each card I have used online and have never been asked for the password again. I don't think I could even tell you what passwords I used now it was so long ago.
When a transaction goes through now, the verification window pops up, whirls around a bit then returns to the merchant and the sale is complete.
Am I missing something?
I'm not talking a few months, this is going back about 4 years maybe. New cards have been issued during that period and since that first time of setting it up I've never once been asked to enter my password again.
Same with our cards at work, mixture of Visa and Mastercard, never asks for the password.
Ahhhhh, loading your banks website in an iframe... What could possibly go wrong?!
VnV is even worse than that - it's loading an iframe that is most definitely not your bank's website, which then asks you for information...
Whoever thought that up must have had a really bad hangover an hour or two later...
Vic.
I don't live in a village. But I can get a mobile network if I'm either:
a) standing, absolutely still, at the end of my garden with phone in the air.
b) standing by a window on the upstairs rear of the house. And feeling lucky.
Other than this, texts usually get through but can take up to three hours to arrive.
I really should change network, but I can't find one that does work here. AIUI there were some planning NIMBY issues a few years ago and as a result no signal. Which will be even more entertaining when they build another few hundred houses nearby as they'll have no signal either.
"It’s pretty well known that passwords are severely flawed: weak ones are easy to remember and easy to guess; strong ones are hard to guess, but hard to remember,"
Is this the same "verified by visa" that limits you to a ten character password that won't let you use special characters, and can be reset just by having the card details, address and DoB of the owner?
And there's no way in hell I want to be tied to a bloody mobile to be able to make payments with my card. Mobiles lose signal, lose battery, get turned off, get lost, get left at home for quiet weekends away. If they're really going to insist on 2FA why aren't they rolling out hardware tokens?
If they're really going to insist on 2FA why aren't they rolling out hardware tokens?
Don't... please don't... they'll start to insist that we use the stupid (calculator size) chip and pin devices for every purchase. Annoying enough to have to use one every damn time I go to the online banking for one of my accounts, would just give up if I had to use the thing for every purchase online.
stupid how? Because it actually manages to provide a little security?
I think 'generate a token on the fly that's good for 15 seconds" is an excellent method, you have to be quick to steal that password and use it.
Got any suggestions for a better mechanism?
"stupid how? Because it actually manages to provide a little security?"
They're fine if you only ever doing online ordering at home, but it gets annoying when you've got the availability of internet connections at work and on the move, but you can't place an order because the damn fob is on your desk at home. I wouldn't mind as much if they let you have more than one of them, either the fobs or the little card readers, at least then you could keep one at home and one at work (or other second location of choice) but last I heard none of the banks will let you.
AFAIK, all those calculator things use the standard EMV (Euro?? Mastercard Visa) authentication package that is embedded in the chip on your bank card. As such they are pretty interchangeable - at the very least I can log into my Barclays account using a NatWest device.
It's not too difficult to get a couple of the things (hint: most banks will send you a new one if it gets lost or breaks) and at work, all you need is to get one to share between a small group of trusted people.
It can be made relatively painless really easily too, perhaps you force authentication once (a year?) for each individual combination of retailer and delivery address.
"I think 'generate a token on the fly that's good for 15 seconds" is an excellent method,"
As far as I can tell - the same authentication code is given at the same time every day. You would have thought they would have used a 365 day calendar rather than a 24 hour clock.
Not sure what you mean by "calculator sized" - are they already rolling out hardware tokens? Don't use online banking myself as 2FA wasn't on the cards when they asked if I wanted it.
My RSA token easily fits on a key fob - it's just an LCD screen with six characters on it - and if the banks were to use something similar its ~3yr battery life would tie up nicely with the expiration of the cards they give you. Do the ones the banks hand out actually include a calculator or something?!
We use internet banking with two Dutch banks. One has the calculator thing and the other has phone text two factor authentication. Both work fine, though the phone is just so much easier that it gets used far more often. Both are so much superior to the stupid MasterCard site where I just reset my password every time I buy something online with it!
HSBC retired the RSA tokens, and replaced them by a device the size of a small calculator which you have to use the keys to enter a PIN, before it will generate the 'random' number to enter into the form on the website.
I have to have 2 because they couldn't make two different accounts work with the same device.
"Is this the same "verified by visa" that limits you to a ten character password that won't let you use special characters"
That's the one, though I thought it was an eight character limit. When I had to set up my mastercard one I came up with a completely random 20+ character password that was fine; I couldn't believe it sometime later when I had to create my Visa one, when I tried doing the same (different password obviously) and got an error telling me it was too many characters!
The key quote about VbV:
"the scheme's only benefit is allowing banks to shift liability in the case of fraudulent payments"
That's 100% of the reason for moving to biometrics, right there. Remember how they originally put that into chip & pin before people moaned and they had to take it out?
Yes, precisely. The card companies are always looking for ways to shift responsibility, whether on to the user ("oh, our systems never fail, you must have shared your PIN, so tough luck") or to the retailer ("you didn't use 3D Secure? The fraud's your problem")
I suspect they have been trying to do this ever since credit really started to boom in the 80s, and I doubt they've ever liked the joint liability the UK's Consumer Credit Act imposed upon them back in the 70s.
I recall in the recession of the 90s, when I was working on Computer Buyer, and a reader had lost money when a mail order PC firm collapsed. When we spoke to their card company, they were trying hard to argue that things like lots of people ordering PCs by mail order were completely unforeseen by the people who drafted the 1974 Act, and so they really didn't have an obligation to pay out.
In my view, they have been wriggling for years, and this is just the latest in a long line of attempts to ditch some of their obligations.
When I buy something on-line I get to see some VbyV image/... and just wait a few seconds and it goes away. I have never been asked to enter a password!
Posting A/C in case someone could rip-off my CC card somehow.
Anyway: I have a card that I only use for on-line purchases, it has a lowish limit to reduce possible damage - people at the bank who I have spoken to seem to think that it is a good idea.
Why does it seem to me the goal is 0% fraud ? When did that suddenly become the aim ?
Back in the pre-internet days (yes, there really was such a time), it was more credit than debit card fraud (since we used to use cheques*); banks tolerated a certain amount of fraud, for a certain amount of money spent on security. I suspect it's still the same.
So rather than thrashing around for the "perfect" security (i.e. 0% fraud), people should be thinking what can give me 1% fraud, for a reasonable (i.e. not damaging my profits too much) amount?
Before the internet, but after the click-clack machines, merchants would call up for purchases over the floor limit. Most of the time this would be invisible to the customer, but every once in a while, the card issuer would halt the transaction until the customer's identity was confirmed. I know because this happened to me, when I tried buying a >£100 item in 1985. It was considered "unusual" given my spending profile (weekly grocery shops) so I had to speak to Barclaycard.
Does it really matter if the odd £10 dodgy transaction gets passed, as long as you catch the unusual £5000 a stolen/cloned card would be used for ?
*Ask your grandparents
"Why does it seem to me the goal is 0% fraud ? When did that suddenly become the aim ?"
Because it's being demanded by the customers due to all the hype about card detail theft, and they won't settle for anything less.
"Back in the pre-internet days (yes, there really was such a time), it was more credit than debit card fraud (since we used to use cheques*); banks tolerated a certain amount of fraud, for a certain amount of money spent on security. I suspect it's still the same.
So rather than thrashing around for the "perfect" security (i.e. 0% fraud), people should be thinking what can give me 1% fraud, for a reasonable (i.e. not damaging my profits too much) amount?"
I suspect their margins are shrinking, lowering their tolerance levels. That and the investors are likely complaining about bleeding money.
"Does it really matter if the odd £10 dodgy transaction gets passed, as long as you catch the unusual £5000 a stolen/cloned card would be used for ?"
That was before fraudsters learned how to get around this by simply using quantity over quality. One £10 scam is tolerable but try a million of them. Savvy scammers have learned how to "smurf," or suck a card just enough to prevent it being flagged and then letting it sit. They're also tying geographic information to cards so thieves can perform transactions in the boob's hometown, making it harder to detect. In such an environment, the inch becomes the mile, drawing the fight into an all or nothing conflict.
It defeated the purpose of the fob: it's meant to be kept separate from the card so the thief/mugger steals the card but doesn't realize it has a fob until it's too late to go back for a second mugging. Sure, if the perp knows about it, they'll go for the fob, too, but at that point you're already up Crap Creek.
"VbyV" etc are only used when you are making online transactions. It's hard to see what biometrics device would be cheap enough for everyone to have one. Unless it is a test based on you having a webcam - or your reaction time on a keyboard or touch screen.
The mobile as 2FA is a good idea - assuming the mobile wasn't stolen with your credit card. Even if it was locked that probably won't stop people unlocking it.
What if criminals set up a spoofing mobile tower relay?
The little 2FA gadget from Barclays could be good - if they used a 365 day calendar rather than a 24 hour clock. Currently you appear to get the same code at the same time every day.
I just hope that when purchasing something that:-
- your phone is not in the car
- your phone is not located in one of the many mobile not-spots
- you're not trying to buy something over one of the peak times (new year anyone) when it can take hours to receive a message
- you don't have a flat battery
I guess it's early days & the details will follow in time, with a suitable resolution
So gone will be the ability of the person who's found my wallet to reset my password by entering the DOB as printed on my driving licence, and instead I'll have to carry a fingerprint reader with me at all times just in case I want to buy something online.
Nice to see someone agrees with me that it's only implemented to shift blame for fraud.
When I see VbyV it's in the form of a screen on the browser payment confirmation asking me to type in the code that has just been sent to my phone by SMS, a useful 2-factor system. What's all this password stuff people are talking about??
The SMS-to-phone is actually very useful. When my card was cloned a couple of years ago it was the flood of texts that alerted me to the fact, and allowed me to cancel the card before it was really hammered. The crooks still got 1600euros of stuff from sites that didn't use VbyV, but the bank reimbursed me for that.
If you don't have a mobile it can work to a fixed line, as I discovered when I made an online purchase when on a US business trip. The bank had my home landline number, and sent the text to that, where it was read out by a text-to-speech system. Would have worked fine had I not been in a Californian hotel, but my wife was not so amused to be woken up by the phone at 3am. She forgave me, the purchase was for her birthday :) That's when I gave the bank my mobile number...
It's hacker proof, works well at both Target and Home Depot, and is very difficult for the gov'mint to track. Of course, keep wearing your foil-lined hats, and don't let strangers look you in the eyes and steal your thoughts (most of them are gov'mint agents anyway). Luck to you.
So until VbV goes, I'll have to keep turning Adblock Plus off if I'm using Safari on my Mac, or keep using Firefox.
It was quite amusing when Safari wouldn't display the VbV screen when you're trying to pay for concert tickets and the timer on the main screen is counting down! Quickly re-enters all data into Firefox session, finally gets tickets paid confirmation, then spends an hour or so working out why Safari didn't work in the first place.
When by next year we will all need Faraday cages for our cards because every other person on the tube is taking £20 out of my bank as they walk past me. Maybe we need less authentication and more authorisation control? Surely a second completely distinct authorisation mechanism that asks "Are you sure you want to spend this?" would be better than more levels of authentication on a single mechanism?
For me, Verified by Visa asks me for user/pass (static), and a one time password (always different, pick up new list of 200 at bank when I run out), my bank's favoured authentication scheme. Occasionally I also need to enter a code sent via sms. That feature was opt-in though.
For my friend who's with another bank, it asks for the digits displayed on some small plastic keyfob thing with the letters "RSA" on it. The digits seem to change every few minutes.
Many people shout that the password is dead or should be killed dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc). Claiming that one of them can kill the password is like claiming to have found a substance that floats in the air and yet sinks in the water.
What can be killed is the text password, not the password. At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Thank christ for that. My BAU job is working for a company that sells a PCI compliant PAAS. Their 3d secure integration is a folly I currently have to maintain that has never really worked (much like a lot of other stuff in this platform). I'm looking forward to the day when I can hit permanent delete on this rubbish.
2FA as implemented by most banks is actually secure, which involves a physical token (RSA's SecurID, but there are others) which you will know if it is stolen or not. You really have to have the token in your hand at the moment you're doing a transaction, so physically having it will assure you nobody can do stuff with your account. It also assures you that you can do stuff anywhere you are, as the only thing needed is that token and nothing more.
But I've seen that 2FA is increasingly being used to refer to something lazy. It is being used to mean "we send your OTP via SMS", which adds stupidity to the formula. Instead of an actual token, it requires you to have 1) a cellphone number, 2) with coverage, 3) switched on during said transaction. Number 2 is an issue if you're travelling outside your country, but it can also be an issue in areas where you might have internet connectivity of some sort, but no cell coverage. Why complicate stuff? There are even Virtual Token solutions (VASCO has one) where you can set up tokens on a smartphone if you don't want to spend that much on physical tokens. Hell, Blizzard has something like that for their Battle.net service!!!!
So the crooks and governments will steal billions of fingerprint hashes, iris scans, dna tests, whatever. It's all passwords in the end, the only difference being the hapless target can't change any of it.
Not only that, in the USA at least, passwords are protected from legal intrusions by the government, while biometric data can be easily obtained via a low-level warrant. Yes, they can use your fingerprint to crack your phone and there is no redress.
BTW, as I recall it took less than a day for hackers to crack the Apple fingerprint scanner.
We really need to get back to cash on the barrel for all purchases and payments.
"We really need to get back to cash on the barrel for all purchases and payments."
I thought we were trying to go AWAY from cash on the barrel because it offered no guarantee in the case of mugging. At least a stolen card can be invalidated and the transactions usually traced and refunded. With cash, you're screwed. Plus the plods are developing ways to track cash by their serial numbers (that's how "Where's George?" works).
"The move to abolish passwords will no doubt be welcomed by customers. Today we have so many passwords to remember. As a result, most of us suffer from 'password fatigue' where we use obvious or reused passwords often written down on Post-it notes or saved in Excel files on laptops," he added.
Or kept in a password storing app if you've got half a brain. Instead I will now have to have a mobile phone that works everywhere if I want to make Visa purchases. This proved a little bit tricky for me when I was in Brazil recently. The current system works fine for me, and if Visa or anyone else thinks I'm going to give a private company any biometric information about me they are out of their minds.
The biggest issue about 3D Secure (VbV/SecureCode) has been that it has been a static password for 100% of the transactions - even for your low value transactions that you do every week. The consumer experience is terrible, merchants don't like it, and the card issuers are struggling to reduce fraud.
The newer risk-based challenge systems allow for a thorough risk assessment of the transaction: if it's low risk then let the customer through with no challenge; for the very small percentage of transactions that are high risk, challenge the customer (SMS, token, biometric - whatever the customer and card issuer prefer).
Come on, please. Do NOT do this.
I absolutely do not want a system that depends on sending a text message to a mobile.
1) What happens if I lose my mobile / it runs out of juice when I need to make a purchase? (Like, maybe, a replacement mobile)
2) I do not get any mobile signal in my office. At all.
3) What happens when we are mugged and the crooks take our card *and* phone?
If they have a token generating app that can work offline (or just via a data connection), and/or multiple ways of validating, that may be ok. But sending to the registered mobile is a massive, massive no no.