We are such a tolerant bunch, security professionals. The most recent example of this is the Citibank man-in-the-middle phish attack (the Jonah?). After a grand total of ONE known example of a Jonah amidst countless thousands (tens-of-thousands?) other phish attempts, two factor authentication now "does nothing" against phishing and is a "failure".
Methinks my two colleagues overindulge their fearless prognostication (really? a MITM phish? here’s two for you, Anton, and make sure you keep a spot open for me – I’m sure I’ll join the group sooner or later 
) to reduce a technique that is currently about 99.9% effective against phishing to worthless. Holding the logic true, we should essentially eliminate every single security mechanism we have in place.
Or, we could appreciate the value of two-factor for the security it does provide, recognize that every control loses some effectiveness over time, and consider options for bolstering security in those areas of new weaknesses. Call me silly.
I would prefer to see client certificate based authentication. If users do not type in credentials when they visit important websites (banks, credit cards, etc), there would be nothing to phish.
Robert
So, a bank that currently doesn’t have any two-factor authentication in place now… that would need to spend around $10 per customer to implement it… should they do so?
GREAT article. We have a tendency not to consider cause/effect and the consequences of our actions. To call the push for two-factor a “failure” is, at best, disingenuous.
Ryan,
$10 per customer! That’s insane. Is that for a web service or a Cyota device or what? In order to make a recommendation I’d need to know Threat Event and Loss Event frequency for phishing attacks for the bank. You’d also want to understand culture at the bank. Some banks see two-factor as more a marketing issue than a security control (they don’t get many phishing attacks at all, but implementing two-factor is a tacit expression of their otherwise very good security controls framework), some see it as a compliance issue, and some really want to do what’s right for the client. Finally, I’d need to know what their average one-time and annual phishing losses are.
If you want to be purely economic, if the lifetime cost of the control is greater than the loss expectancies during that timespan, then why put in the control (unless, of course, it’s a marketing gimmick)?
The Daily Incite – July 17, 2006
July 17, 2006 Good Morning: Hope you enjoyed your weekend. Mine was a blur of activity, but it always seems that way. I made some changes to the format of TDI, adding Technorati tags for each snippet and also a direct link. I know a lot of folks link
You think $10 is too low? I was assuming that banks do enough quantity that they could get a good price break. So, what I had in mind was a hadware token, with all the software, infrastructure, and personnel behind the scenes to run it.
The gist of the question is the bank has decided they need to implement some technological measure to combat phishing. If their budget is around $10/customer, should that best be implemented with two-factor authentication, or something else?
No, I was thinking $10 was too high! I can guarantee large banks aren’t paying tens of millions of dollars for a second factor.
There’s no way tokens fly. And it’s not just the start up costs, how would you like to be the customer service manager in charge of 1.5 million token users? And then there’s effectiveness. Against mass phishing attacks, they’re not going to reduce risk significantly more than much, much cheaper alternative forms of multi-factor auth.
My suggestion? Cyota and a question/answer addition to the website.
Gettin’ spanked over two-factor
OK, so I’ve been getting some flak from my post the other day about two-factor authentication and phishing. Pete Lindstrom over at spire gives me the wagging finger on the issue, saying that just because there is one phishing site using two-factor, it …
Gettin’ spanked over two-factor
OK, so I’ve been getting some flak from my post the other day about two-factor authentication and phishing. Pete Lindstrom over at spire gives me the wagging finger on the issue, saying that just because there is one phishing site using two-factor, it …