If you have followed this blog for any length of time you’ll know that I often return to issues and opportunities related to strong authentication. Last week’s news from eastern Texas is therefore of interest…
Apparently a customer of the PlainsCapital Bank lost $200,000 through one or more electronic transfers. The bank offers what they claimed to be a ‘two-factor’ authentication service. After a user name and password are entered, the ‘second factor’ for authentication is an access code that is sent to the registered user’s email address. The access code is entered by the user and their computer’s IP address is recorded (presumably to protect the session and for audit purposes). Unfortunately for the bank and its customer, the emailed code was intercepted by what appears to be a Romanian hacker and the money was stolen via an unauthorized funds transfer.
By definition two-factor authentication must include two of three different factors: something owned, something known or something inherent (e.g. a biometric). The first factor in this case is the user name/password combination, which is something known. The second factor, the access code, is also something known.
Because both of these are in the ‘something known’ category, this is not two-factor authentication. It may be stronger authentication than user name/password alone, but it is NOT two-factor.
The bank seems to have made an assumption that this code is ‘something owned’ because it was delivered to an email address that is controlled by the registered user. The problem with this is that the email account itself is very likely protected by a single factor (a user name/password) that can easily be collected by any garden-variety keystroke logger. The very idea that email is a suitable platform for sending secure access codes is odd to me — surely by now we all recognize the flaws in sending sensitive information via email?
An appropriate solution would include two unique factors combined with ‘security in layers’. A user name/password plus a code sent to a registered mobile phone would be one example. But I also like the suggestion in the article that layering good process — such as contacting the client (via phone) before such a large transaction was processed — would have also prevented this incident from occurring.
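To make the factor argument above concrete (two of three categories, not two credentials) together with the layered transfer control, here is an added example in Python; it is not the bank's or the article's code. The factor catalogue, the callback threshold and the function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWN = "something known"
    OWNED = "something owned"
    INHERENT = "something inherent"


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category


# Constructed catalogue. The category is decided by what an attacker must
# obtain to pass the check, not by how the credential is delivered: a code
# mailed to an account that is itself guarded only by a password is still
# "something known", because a keylogged password yields the code too.
PASSWORD = Factor("user name/password", Category.KNOWN)
EMAILED_CODE = Factor("access code sent to password-protected email", Category.KNOWN)
PHONE_CODE = Factor("access code sent to registered mobile phone", Category.OWNED)
FINGERPRINT = Factor("fingerprint", Category.INHERENT)


def distinct_categories(factors):
    """Return the set of factor categories an authentication flow exercises."""
    return {f.category for f in factors}


def is_two_factor(factors):
    """True only when at least two *different* categories are required."""
    return len(distinct_categories(factors)) >= 2


def transfer_allowed(factors, amount, callback_threshold, client_confirmed_by_phone):
    """Security in layers: strong authentication AND, for transfers at or above
    the threshold (an assumed policy value), an out-of-band phone confirmation."""
    if not is_two_factor(factors):
        return False, "authentication is not two-factor"
    if amount >= callback_threshold and not client_confirmed_by_phone:
        return False, "large transfer requires phone confirmation"
    return True, "approved"


if __name__ == "__main__":
    # The flow from the article: password plus emailed code, $200,000 transfer.
    print(is_two_factor([PASSWORD, EMAILED_CODE]))
    print(transfer_allowed([PASSWORD, EMAILED_CODE], 200_000, 10_000, False))
    print(transfer_allowed([PASSWORD, PHONE_CODE], 200_000, 10_000, True))
```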
Perhaps it’s time to revisit what our Canadian banks are telling us about their security controls before casting stones towards our southern neighbours. It seems to me that without both strong authentication and security in layers, we — and our proud, large and stable financial institutions — are just as likely to suffer from this type of loss as this Texas bank.