The Banks Respond

As a follow-up to my post last week on strong authentication, I sent an email to each of the Big 5 Canadian banks.  I was curious as to what options there were for obtaining some type of multi-factor authentication solution.

My question was: “I’m considering opening an account with your bank, and I would like to use features such as bill payment and funds transfers using web banking.  However, a password protected web banking site does not provide the same protection as strong (2-factor) authentication.  Is your bank looking at strong authentication options as a potential future enhancement to web banking?”

(The responses have been anonymized, but are otherwise verbatim.)

Bank 1 Response:

In regards to strong two factor authentication, we use three factors: the 13-digit Access Card number, the 5 to 8 alphanumeric password and the question and answer challenges previously registered with our site.

Please be assured that our web banking is a fully secure site, and your account information is protected by a number of different security protocols.

Bank 1 also provided links to FAQs, their reimbursement guarantee and descriptions of site security features (e.g. encryption, monitoring, etc.)  Note their use of the phrase ‘fully secure’.

Bank 2 Response:

We are currently in the process of introducing a new service as an added enhancement to our online security.  This is a variation on two factor authentication, which in combination with our online guarantee, provides protection that exceeds industry standard.

The new service prompts for five secret questions and answers.  It then needs to know if you are on a computer that you regularly use.  If you say ‘yes’, it grabs a ‘unique identifier’ for that computer.  You can specify more than one PC.  If you login from somewhere other than your identified computers, it prompts you for the answer to one of your previously supplied questions.

Bank 2 also provided a link to other security measures and to their qualified guarantee.

Bank 3 Response:

… furthering our commitment to protect your accounts from unauthorized access and fraud, an enhanced login to web banking has been introduced. These enhancements include multi factor authentication questions that add an additional level of protection, ensuring that your accounts cannot be accessed by an unauthorized third party.

All customers are now required to enrol in the enhanced login.

As with the others, Bank 3 provides a guarantee and links to other security measures.


Well, it is clear that the representatives from these three banks do not understand strong authentication.

In each case, they have indicated that adding a second ‘something you know’ to the authentication process is a meaningful improvement.  While this is better than a password alone, it does not address the issue of losing control of one’s bank account with the escape of shared secrets.  Only by selecting two different factors (e.g. something you know — a password — and something you possess — perhaps a fob) can the authentication strength be significantly increased.  This is standard knowledge in our industry…
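To make the point concrete, here is a toy model (added here; not any bank’s code) of the Bank 2 style ‘enhanced login’ described above, set beside a password plus an RFC 6238 TOTP code from a fob.  The bank names, passwords, questions and fob secret are all constructed; the replay function shows why captured shared secrets keep working while a captured one-time code does not.

```python
"""Toy model contrasting the 'enhanced login' Bank 2 describes (secret questions
plus a remembered device identifier) with a true second factor (an RFC 6238
TOTP code from a fob the user possesses).  Constructed example; all values made up."""
import hashlib
import hmac
import struct


class KnowledgeOnlyLogin:
    """Password + device id + challenge question: all 'something you know'."""
    def __init__(self, password, questions, known_devices):
        self.password = password
        self.questions = questions               # {question: answer}
        self.known_devices = set(known_devices)  # Bank 2's 'unique identifier'

    def login(self, password, device_id, question=None, answer=None):
        if password != self.password:
            return False
        if device_id in self.known_devices:
            return True                          # trusted PC: no challenge
        # Unfamiliar device: one previously registered question is asked.
        return question in self.questions and self.questions[question] == answer


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second time counter."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TwoFactorLogin:
    """Password (something you know) + TOTP code from a fob (something you have)."""
    def __init__(self, password, fob_secret):
        self.password = password
        self.fob_secret = fob_secret             # lives only on the fob

    def login(self, password, code, now):
        return password == self.password and hmac.compare_digest(
            code, totp(self.fob_secret, now))


def replay_after_phishing(delay: int = 90):
    """A phisher records everything the customer typed at time T and replays it
    from the phisher's own PC at T + delay.  Returns (bank2_ok, two_factor_ok)."""
    t0 = 1_700_000_000
    bank2 = KnowledgeOnlyLogin("Pa55word", {"First pet?": "Rex"}, {"dev-home"})
    fob = TwoFactorLogin("Pa55word", b"constructed-fob-secret")
    captured_code = totp(fob.fob_secret, t0)     # what the phisher saw at T
    # Shared secrets replay forever; the TOTP code died with its 30-second step.
    bank2_ok = bank2.login("Pa55word", "dev-phisher", "First pet?", "Rex")
    two_factor_ok = fob.login("Pa55word", captured_code, t0 + delay)
    return bank2_ok, two_factor_ok
```

Calling replay_after_phishing(0) returns (True, True): a code replayed inside its own 30-second step still passes, so the possession factor narrows the window rather than removing the need for the monitoring discussed below.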

Two of the three did indicate that monitoring was part of their security solutions.  Intrusion detection systems certainly can detect fraud when transactions occur outside the user’s normal spending patterns.  While on vacation a few years ago, I found that my credit card didn’t work — the company had blocked it when I started using it in a different country.  This was outside my normal pattern of use.  I assume that banks have similar setups with web banking transactions, but I’m a bit skeptical as to how well they would work.

For example, would monitoring prevent an external account being set up to transfer funds?  That is something I have done in the past, and I do regularly move money between accounts using web banking.  How would a monitoring solution know it was me vs. someone who just knew my password and/or secrets?

But the most bothersome thing for me is the ‘guarantee’.  While there are a number of qualifiers to these guarantees, it is clear that the bank is going to refund your money if you are phished/hacked.  But… where does that money come from?  Well, directly from the bank’s customers in the form of increased borrowing costs, credit card fees and account service fees…

Implementing stronger security, such as that offered by strong, multi-factor authentication, is likely a more cost effective and efficient way of dealing with the issue of unauthorized online bank account access.  And isn’t this what all banks require for their physical-world bank machines today — that is, don’t we have to provide a PIN (something we know) along with a bank card (something we possess) in order to access our money?  A strange contradiction, one that is worth questioning as we move more and more of our personal business onto the Internet…


Identity Assurance — Trust Levels

3rd in a series.

The second part of the Assurance Component of the Pan-Canadian Assurance Model to discuss are Transaction Assurance Levels, or more simply, Trust Levels.

Trust Levels are defined in the pan-Canadian IdM&A Framework as ‘a pre-established statement of the level of certainty that is needed to access information or conduct a transaction.’  They are directly linked to the Information Classification.

The model establishes four trust levels:

1. No Trust — Anonymous Transaction.  Used with information that is unclassified (e.g. published information).

2. Low Trust — Routine Transaction.  Used for protection of systems containing basic information, i.e. information with a Security Classification of Low.

3. Medium Trust — Verified Transaction.  Used with systems that need to protect confidential data, such as some medical records, tax information, identity information, etc.

4. High Trust — Corroborated Transaction.  The highest level of trust; required for protecting information classified as High (e.g. cabinet documents, criminal trial information, etc.)

It is important to note that the ‘transaction’ referred to in this discussion is the business transaction that will be supported by the identity and access management system.  For example, medium trust is needed by business transactions that need to be verified (due to the sensitivity of the information being protected).

In Practice:

Trust Levels allow for a clear description of what we need to establish before we allow access to an application or information set.  On the surface, the Trust Levels differ little from the Security Classifications, but the exercise in assessing trust and assigning a Trust Level is important.  It forces the business to ask some key questions: How much do I need to do before allowing access to this information?  Have I classified the information correctly, and is that reflected in the Trust Level?

As can be seen from these questions, the word ‘trust’ forces the business to look at the Security Classifications in a somewhat different light.  That allows for better conversations around what the value of the information is and what an appropriate access solution might look like.

Next: Registration Process.

Canadian Bar Association, Privacy Section

The Canadian Bar Association / L'Association du Barreau canadien

I had the pleasure today to present to an attentive and curious group of privacy lawyers at the Canadian Bar Association.  The presentation was a rapid fire slide deck titled Identity Management: Drivers, Challenges and Opportunities; click here to view.

Many thanks to Jane Steblecki from Field Law for the opportunity.


Canadian IT Security Stats

The 2008 Rotman-TELUS Joint Study on Canadian IT Security Practices is a must-read for anyone involved with identity, security or privacy in Canada.

There were 300 participants, including responses from private companies, publicly traded corporations and government/not-for-profit organizations.  The survey results are primarily broken down into these categories, so I’ll summarize some noteworthy numbers for Government organizations:

  • 16 — percentage of organizations that have experienced a breach due to misuse of a public web application.
  • 26 — percentage of respondents that are planning to invest in Identity Management in the next 12 months (tied for second highest priority, behind storage encryption).
  • 39 — percentage of organizations that perform risk assessment annually.
  • 55 — percentage that indicated they have experienced a breach due to virus, worms, malware, etc.
  • 65 — percentage of organizations that allow outsourcing of IT security.
  • 66 — percentage of security groups that report to an IT executive (as opposed to CEO, Risk Management or other line-of-business executive).
  • 68 — percentage that indicated litigation as a ‘breach concern’.
  • 321,429 — amount, in dollars, the average breach is estimated to cost a government organization.
  • Zero — percentage of respondents that reported they have lost proprietary information due to a breach.

(For some interesting statistics from the Calgary Critical Infrastructure conference, click here.)


Infrastructure Security Stats

There were a number of interesting statistics cited at the Critical Infrastructure Protection Conference in Calgary, Sept 8th/9th, 2008:

  • 5.5 – the percentage of an average enterprise IT budget that should be spent on information security. (Yogen Appalraju, VP, Telus Security Solutions)
  • 26 – the percentage of identity data breaches that occur in the Education sector, highest among all industry sectors. (Dean Turner, Sr. Editor, Symantec Internet Security Threat Report)
  • 46 – average length of time, in days, it takes to patch an enterprise business application after a security vulnerability is discovered. (Dean Turner, Symantec)
  • 52 – percent of problems in SCADA systems caused by lack of operating system hardening. (Michael James Martin, Senior Managing Consultant, IBM)
  • 75 – percent of oil and gas pipelines controlled by SCADA systems. (Brian Phillips, Director, Bell Canada)
  • 99.9999 – common availability expectation, in percent, of a SCADA control system. (Venkat Pothamsetty, Industrial Security Architect, Cisco Systems)
  • 245 – number of police officers in Canada dedicated to e-crime, out of a total police population of 62,000… (Brian Phillips, Bell)
  • 679 – number of US reported data breaches so far in 2008. (Patrick Gray, Senior Security Strategist, Cisco Systems)
  • 321,429 – The average cost, in US dollars, of a security breach for a government organization (Yogen Appalraju, Telus)
  • 500,000 – number of miles of pipelines in North America. (Brian Phillips, Bell)
  • 15,000,000 – amount, in US dollars, that Choicepoint was fined for failing to report data breaches. (Patrick Gray, Cisco)
  • 348,000,000 – number of attacks on utilities, January to June, 2008.  (Dean Turner, Symantec)


Calgary Security Conference Highlights

Last week I attended the 1st Annual Critical Infrastructure Protection Conference in Calgary.  It was the first year of the event so the attendance was a bit low, but the quality of speakers was excellent:

  • Stephen Flynn is Barack Obama’s Homeland Security Advisor and author of The Edge of Disaster.  He offered a captivating presentation on infrastructure security, arguing convincingly that the new battle-space is no longer military, but rather in civil infrastructure and economic zones.  But, despite the hype around national security, the larger threats of extreme weather, pandemic flu and other natural disasters should be of a greater focus for government security and readiness.  He believes in building resiliency — robustness, resourcefulness and recovery — into critical infrastructures to limit the impact of disruption, whether that disruption comes from man or nature.  A benefit of this approach is that it empowers individuals to act proactively and reactively against threats in ways that have not yet properly been explored.
  • Patrick Gray, the Senior Security Strategist at Cisco and a 20-year FBI veteran, spoke on a variety of Internet security topics.  He maintains that the biggest threats — bots, phishing and other malware — can be best defeated by user education and awareness.  75% of network breaches are due to human factors.  He also notes a change in the type of attacks being witnessed.  A few years ago, crippling worms were fairly common, and widespread network attacks proved difficult to prevent.  Now, hackers are much more economically motivated and specific targets (e.g. financial organizations) are being attacked in systematic ways.  Data breaches are now being tracked (primarily due to mandatory reporting legislation in most US states) and significant actions are being taken against companies that leave information exposed and do not report it to authorities.  For example, Choicepoint was fined $15 million for a data breach that affected 163,000 people.
  • Michael Legary, Founder and Chief Innovation Officer at Seccuris Inc., spoke on the vulnerabilities found in virtualized environments (servers and virtual appliances).  He contends that there are often poor controls ‘at the boundary’ of the virtual machine and the system hardware, with drivers available to allow hacker access to all components.  DOS-induced failures are possible, even with secured and managed applications, if VM maximum resources are not configured properly.  Virtual networks are inherently complex, and are not anticipated in many network security architectures.  Several virtual machine rootkits — SubVirt and Blue Pill are examples — are now available to compromise systems.  Security vulnerabilities in VMware, the leading virtualization solution, are emerging; last week alone there were 16 security vulnerabilities documented.  Solutions lie in improving controls, among them: limiting access to the host; hardening the operating system; firewalling VM service ports; disallowing file sharing between hosts; VM monitoring and reporting; and time synchronization to one source (to support audit activities).  Finally, Mr. Legary challenged the lower TCO claims for virtualized services — actual delivery costs may be much higher if all security measures and risk avoidance costs are considered.
  • Barry Kokotailo, an independent security professional, provided an entertaining talk titled “Anti-Surveillance or How Not To Get Caught”.  A number of tools were demonstrated including: data scrubbers; steganography software to embed secret data in innocuous carrier files; secure and hidden data storage tools; anonymous SMS messaging sites; and assorted USB-based portable applications.

For a full list of speakers visit the Speakers’ Bios page.  I’ll post the link to presentations when they become available.


Security for Energy Conference

On September 7th, I’ll be heading to the 1st Annual Critical Infrastructure Protection Conference in Calgary, Alberta.  This is the first edition of this conference, subtitled “Cyber Security for Energy and Communications”.  With our oil sands attracting wide-spread international attention — Warren Buffet and Bill Gates visited last week — the protection of these assets is obviously a top priority for both government and industry.

I’ll be helping to staff the Seccuris booth in the trade show, and catching whatever speakers I can.  It should be rather interesting to hear Dr. Stephen Flynn, the Homeland Security Advisor to Barack Obama, speak on infrastructure security — even if this topic is not related to my direct interests of identity, information security and privacy.

Michael Legary from Seccuris will also be speaking on “Virtually Secure: Uncovering the Risks of Virtualization”, a look at the security of virtual server environments.

Always interesting, too, to visit Calgary.  It is a rare example of how a city can be sophisticated and thriving, while still retaining its prairie town roots.


Security and Privacy Quotes

Here are the weekend quotes, a day early…

On security:

“Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.”  Helen Keller, author and activist.  Keller, who was deaf and blind, was an advocate for many progressive causes including women’s suffrage and inclusion for people with disabilities.

On privacy and youth:

“Young people are very adept and comfortable with electronic communication. As advocates, we have to help young Canadians find the information they need to be their own privacy watchdogs” — Irene Hamilton, Manitoba Ombudsman, speaking at the semi-annual meeting of Canadian Privacy Commissioners, June 4, 2008.

On common sense?

“Many companies need to do more to prevent inexcusable security breaches.  Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops.”  Jennifer Stoddart, Canada’s Privacy Commissioner in her 2007 report to Parliament.


Canadian privacy confidence low


A survey of consumers and IT professionals by Computer Associates shows that consumer confidence in the privacy and security controls of companies is very low.  Only 7% of the 400 consumers surveyed indicated that they are ‘very confident’ their personal information is properly protected.

The survey also found that 14% of consumers had experienced some type of identity fraud.  And 84% of those surveyed felt that retailers do not spend enough on online security and privacy.


Security and Secrecy Quotes

On security:

“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.”  Bill Gates.  Factoid: Gates and his teenage classmates were banned from using a PDP-10 timeshare computer after the operator of the system caught them exploiting flaws in the operating system to gain extra computer time…

On viruses:

“I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.” Stephen Hawking.

On secrecy:

“The very word ‘secrecy’ is repugnant in a free and open society; and we are as a people inherently and historically opposed to secret societies, to secret oaths, and to secret proceedings.”  John F. Kennedy, 35th US President.  Interesting that JFK’s administration was involved in a CIA overthrow of Iraq.