Comments on: Nothin’ Doing on the Failure of Two Factor

By: Security Curve Weblog

Security Curve Weblog — Tue, 18 Jul 2006 04:40:28 +0000

Gettin’ spanked over two-factor

OK, so I’ve been getting some flak from my post the other day about two-factor authentication and phishing. Pete Lindstrom over at spire gives me the wagging finger on the issue, saying that just because there is one phishing site using two-factor, it …

By: Security Curve Weblog

Security Curve Weblog — Tue, 18 Jul 2006 00:48:28 +0000

Gettin’ spanked over two-factor

By: Alex Hutton

Alex Hutton — Mon, 17 Jul 2006 21:08:26 +0000

No, I was thinking $10 was too high! I can guarantee large banks aren’t paying tens of millions of dollars for a second factor.

There’s no way tokens fly. And it’s not just the start up costs, how would you like to be the customer service manager in charge of 1.5 million token users? And then there’s effectiveness. Against mass phishing attacks, they’re not going to reduce risk significantly more than much, much cheaper alternative forms of multi-factor auth.

My suggestion? Cyota and a question/answer addition to the website.

By: Ryan Russell

Ryan Russell — Mon, 17 Jul 2006 17:14:59 +0000

You think $10 is too low? I was assuming that banks do enough quantity that they could get a good price break. So, what I had in mind was a hadware token, with all the software, infrastructure, and personnel behind the scenes to run it.

The gist of the question is the bank has decided they need to implement some technological measure to combat phishing. If their budget is around $10/customer, should that best be implemented with two-factor authentication, or something else?

By: Security Incite: Analysis on Information Security

Security Incite: Analysis on Information Security — Mon, 17 Jul 2006 14:14:06 +0000

The Daily Incite – July 17, 2006

July 17, 2006 Good Morning: Hope you enjoyed your weekend. Mine was a blur of activity, but it always seems that way. I made some changes to the format of TDI, adding Technorati tags for each snippet and also a direct link. I know a lot of folks link

By: Alex Hutton

Alex Hutton — Mon, 17 Jul 2006 11:55:36 +0000

GREAT article. We have a tendency not to consider cause/effect and the consequences of our actions. To call the push for two-factor a “failure” is, at best, disingenuous.

Ryan,

$10 per customer! That’s insane. Is that for a web service or a Cyota device or what? In order to make a recommendation I’d need to know Threat Event and Loss Event frequency for phishing attacks for the bank. You’d also want to understand culture at the bank. Some banks see two-factor as more a marketing issue than a security control (they don’t get many phishing attacks at all, but implementing two-factor is a tacit expression of their otherwise very good security controls framework), some see it as a compliance issue, and some really want to do what’s right for the client. Finally, I’d need to know what their average one-time and annual phishing losses are.

If you want to be purely economic, if the lifetime cost of the control is greater than the loss expectancies during that timespan, then why put in the control (unless, of course, it’s a marketing gimmick)?

By: Ryan Russell

Ryan Russell — Mon, 17 Jul 2006 00:30:47 +0000

So, a bank that currently doesn’t have any two-factor authentication in place now… that would need to spend around $10 per customer to implement it… should they do so?

By: Robert E. Lee

Robert E. Lee — Sun, 16 Jul 2006 17:36:11 +0000

I would prefer to see client certificate based authentication. If users do not type in credentials when they visit important websites (banks, credit cards, etc), there would be nothing to phish.

Robert