I first noticed this phenomenon when ING started it a few months ago. It was a minor annoyance then because only one of my banks was doing it, but now others have started following suit, and it’s getting very annoying. I’m talking about the new login procedures that some banks are using – enter your account/user name/number, then you’re shown a butt ugly picture that you chose, and then you can type your password/passphrase in. I’m just glad they haven’t changed the way Quicken accesses my accounts (yet). I’m put through extra inconvenience for something that ultimately isn’t any more secure than my standard username/password.

This is supposedly meant to mimic two-factor authentication, but since I’m still only typing in my username and password, I still call it one-factor with a lot of annoying extras. The idea is that the user sets up this image and a description of the image that only they should know – in other words, they’re giving some “secret” to the bank. The bank has to show this “secret handshake” so that the user knows that the web page they are on is in fact the bank’s. Then the user types in their part of the secret handshake (the password), and they’re allowed in.

Why don’t they just use SSL with mutual authentication? It solves both of these issues, identifying the server, and identifying the client, and is true two-factor authentication.

I see two reasons for not using PKI: 1) Phishing sites can have legitimate SSL certificates, signed by CAs that are installed in the OS trusted root store, and 2) There is a cost associated with issuing client certificates.

The first is rather easy to address – Each bank (or a group of banks) needs its own root CA, or one designated by a “public” Authority (like Verisign) as for banks only. This trust root is not installed into the OS by default; the user must actively obtain it. Web browsers must display the signer of the certificate (in some way that cannot be manipulated by JavaScript – i.e. not a pop-up, and not in the status bar). And users must be trained to pay attention to who signed it! If it’s not this “approved” bank authority, they shouldn’t continue the connection. Of course, not everyone’s going to pay attention to this, but then the bank has done what they can to CYA, and it’s up to the users at that point.

The second is not as difficult either. Each bank has its own CA (maybe signed by the root described above) which issues user certificates – once the PKI is set up, it’s very cheap to issue more certificates – i.e. issuing 1 certificate is about as expensive as issuing 300,000. Heck, if users wanted to opt into more security – allow them to pay a one-time fee of $50 or so (cost plus some) to buy a hardware token or smartcard with reader, which is mailed to their registered address. Or even better – add smartcard capabilities to their ATM cards (I’m all for that). I’d pay an extra one-time fee to get a hardware token for my bank account – especially if I can use it on my mac and under Linux (there are tokens that work under all three, without extra drivers).
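The two pieces above (a bank-only trust root that the OS store does not contain, and a bank CA that issues server and customer certificates under it) as an added example built with the openssl CLI; this is illustration code, not anything from the post or from any bank. Every name in it is made up (Example Banking Root CA, online.example-bank.test, customer-0001), and the final check is the one a bank-aware browser or the bank’s server would make: accept only what chains to the bank root, including a perfectly valid certificate for the same hostname from some other CA.

```shell
#!/bin/sh
# Added example (not from the post): a throwaway PKI built with the openssl CLI in a
# temp directory. Every name here is made up: a bank-only root CA, the bank's issuing
# CA, one server cert, one customer (client) cert, and a cert for the same hostname
# issued by some other CA that is not in the bank trust root.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files: CA certs may sign certificates, leaf certs may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:online.example-bank.test\n' > server.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

newkey()   { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
csr()      { openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null; }   # KEY SUBJ OUT
selfsign() { openssl x509 -req -in "$2" -signkey "$1" -days 30 -extfile ca.ext -out "$3" 2>/dev/null; }   # KEY CSR OUT
sign()     { openssl x509 -req -in "$1" -CAkey "$2" -CA "$3" -CAcreateserial -days 30 -extfile "$4" -out "$5" 2>/dev/null; }   # CSR CAKEY CACERT EXT OUT

# 1. Bank-only root: not in the OS store, the customer installs it deliberately.
newkey root.key;   csr root.key "/CN=Example Banking Root CA" root.csr;     selfsign root.key root.csr root.crt
# 2. The bank's own issuing CA, chained to that root.
newkey bank.key;   csr bank.key "/CN=Example Bank Issuing CA" bank.csr;     sign bank.csr root.key root.crt ca.ext bank.crt
# 3. Server cert for the online banking site, and a client cert for one customer
#    (the "cheap once the PKI exists" part: each one is a single signing command).
newkey server.key; csr server.key "/CN=online.example-bank.test" server.csr; sign server.csr bank.key bank.crt server.ext server.crt
newkey client.key; csr client.key "/CN=customer-0001" client.csr;           sign client.csr bank.key bank.crt client.ext client.crt
# 4. A cert for the same hostname from an unrelated CA (the OS might trust it; the bank root does not).
newkey other.key;  csr other.key "/CN=Some Other Public CA" other.csr;      selfsign other.key other.csr other.crt
newkey os.key;     csr os.key "/CN=online.example-bank.test" os.csr;        sign os.csr other.key other.crt server.ext other-server.crt

# The check the post asks the browser (server certs) and the bank (client certs) to make:
# trust only the bank root; bank.crt is passed as untrusted chain material and must
# itself chain to that root. Returns openssl's exit status (0 = accepted).
verify_against_bank_root() {   # CERT PURPOSE (sslserver | sslclient)
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/bank.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

verify_against_bank_root server.crt sslserver       && echo "bank server cert: accepted"
verify_against_bank_root client.crt sslclient       && echo "customer cert: accepted"
verify_against_bank_root other-server.crt sslserver || echo "same hostname, other CA: rejected"
```

The same `verify_against_bank_root` logic is what a server-side mutual-TLS configuration does when it is handed only root.crt as its client CA file: a customer certificate from any other issuer is refused before a password is ever asked for.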

Yes, it does cost money to set up a PKI – and to run it – but not as much as some people make it seem: the cost of a few machines and a little bit of extra work by the system admins, but nothing that they’re not already used to. Consider it a sunk cost, and think of all the other uses for a PKI.

One thought on “New Bank Logins”

  1. Anil says:

    I think that this also encourages phishing. Users are being taught,

    “if it looks ok, it’s legitimate! Give away your credentials! Yea!!”
