So What Does Constitute “Reasonable” Security?
A couple of weeks ago, I tweeted about what I called a must-read article by Brian Krebs. Fellow identirati Anil John lamented yesterday that we hadn’t discussed this more in the community, and on second glance I can see why. The article covers a court case where the magistrate was basically asked to decide what constitutes “commercially reasonable” security. While most of our collective ire seems to have focused on the seemign unfairness of the ruling, and the implication that “passwords + challenge questions = multi-factor authentication” (as prescribed by the FFIEC guidelines), there is much more to learn from the story.
As the article described, part of the banks security infrastructure included risk-based security based on RSA’s Cyota product, which “rates the riskiness of transactions by using several factors, such as the location of a user’s Internet address, when and how often the user logs in, and how the customer navigates the site”. This actually provides a much better layer of protection than simply authenticating the user based on passwords. Context-based security is a key element in the multi-layered security architecture that is the future of enterprise security, as I laid out in my recent talk.
But the bank actually made a big mistake in it’s implementation. As the article describes, the bank reduced the threshold for kicking in the 2nd factor (challenge questions) to $1, effectively eliminating that component from their security architecture. They might as well have not had it, because they were completely ignoring any kind of risk calculation that was being done. Big businesses and most definitely banks need to understand the pentest framework properly in order to maintain their online security the best they possibly can.
In other words, all they had was “password+challenge questions”!
And as we have talked about ad nauseam, in this day and age this is simply not enough. Passwords and challenge questions are nowhere near what I would call adequate security for an environment that would include high risk transactions (like bank transfers). And while there will be great resistance to any (strong authentication) solution that would appear to increase friction for the user in executing their transactions (witness the continued lack of pins for credit cards in the US), I think the tides are changing with respect to users understanding the risks and wanting more from their online security.
Risk based security models also need to involve monitoring and alerts, even denial of access, for exception conditions (like a new device ID being used). And the 2nd (or 3rd, or…) factors employed must be commensurate with the nature of the online transactions. Challenge questions may be fine when we’re talking about a low risk consumer site like a gaming site (though even they have gone beyond these). Higher risk sites should employ more sophisticated factors like out of band challenges (the occasional SMS based challenge, or voice-based identification, for instance), so long as it is used with the correct risk scoring to trigger it. And despite the naysayers, I do believe externalized identity providers could help serve this market.
Crucially to all this, the FFIEC seems to recognize that security threats have evolved dramatically since their guidance was issued in 2005, and are preparing an update. From all indications, it would seem to put much more responsibility on the shoulders of financial institutions, asking them to put in place greater measures based on layered security to address fraud and attack vectors like Man-in-the-X attacks, and much more. Unfortunately, it will be too late to help Patco Construction. Let’s just hope other businesses are paying attention and getting ahead of the curve.