Strong Authentication: Back To The Future

The month of March will go into the annals of Information security. First the breach of RSA, then the issue of fake Comodo Certificates (with the subsequent claim by the Iranian Comodo Hacker) have gradually brought down the (few) certainties the Strong Authentication technologies relied on.

While commenting the beginning of this new era made of very few certainties for our digital identity, I could not help thinking about the (apparently) downward trend to which I was getting used with regards to the strong authentication mechanism adopted for my home banking (be quiet I do not currently have any RSA SecurID tokens, fortunately). Hindsight it could be interpreted as a strange omen (I would suggest RSA to follow the same path).

My first E-Banking contract dates back to 2005, and it was signed with a Regional Italian Bank. In that year, for perfoming operations such as money transfer, I was given a digital certificate stored in a floppy disk (in 2005 sigh!) for electronically signing every transaction. At that time I was firmly convinced that Digital Certificates were the most secure method to strong authenticate transactions, but I never used that certificate since, back in far 2005, a floppy disk was already a thing of the past.

A couple of years later the same bank made a Copernican (r)evolution and decided to dismiss all the certificates in exchange of OTP tokens (not manufactured by RSA but from competitor). Despite some scattered small issues due to a poor IT governance (in a couple of circumstances there was no way to make the PIN to be recognized  and I also was victim of a data loss related to the electronic transactions of the previous four months (of course rigorously without backup, even if the operations had effectively been made), I was quite satisfied with the tokens (but not with the bank). Of course needless to say that these kinds of incidents always happened when I desperately needed to complete the transaction.

Five months ago I changed my bank (looking for better conditions) and decided to open a brand new completely on-line account. Well! Guess what kind of device I was given to authenticate the transactions? After a digital certificate and a token, I would have expected at least a PKCS#11 OTP USB Key… Not at all, I was given instead an efficient (but not very elegant or technological) card with a numerical grid composed by 24 triplets. Nowadays for each operation I am asked to insert three numbers each of them belonging to a different triplet randomically chosen between the 24 printed in one face of the card.

Of course even the most fervid imagination could not imagine that the parable of the strong authentication methods for my bank accounts during these years, could be interpreted as a premonition. Actually banks always know more than the devil, especially when it comes to other people’s money, but I must confess, that, although my initial disappointment for the progressive weakening of the authenticated mechanism necessary to sign transactions, in the last month I changed my mind and now I feel more comfortable with a card having impressed a kind of Caesar Cipher (yes I know that is just not the same thing but the comparison is appealing: back to the future!) than with an OTP Token or a certificate.

I was almost thinking of trying the strong authentication via SMS, but just today I realized that it is not particularly advisable, most of all on the iPhone, where the 2FA (Two Factor Authentication) mechanism has just been compromised. Ok I have an Android terminal but maybe is better not to use any mobile terminals, the threats like Zitmo (Zeus in The Mobile), are always around the corner.

Leave a Reply

%d bloggers like this: