Catalyst Conference 2008


May 12, 2008

The Push and Pull of Consumer Authentication

Blogger: Mark Diodati

I was speaking with a colleague at a large financial institution.  The topic: can organizations “push” information (e.g., bank statements) to consumers via email and still comply with the FFIEC guidance (which holds that single-factor authentication is inadequate for high-risk transactions)?  After thinking about it, I believe the question is broader: is security adequate when pushing sensitive information via email?

Some financial institutions email their customers to let them know that a statement is available online.  Is this a “push” or a “pull” authentication?  I believe it is a pull authentication, because the user must authenticate to the financial institution’s website to retrieve the information.  Some financial institutions place a URL link in the email body.  It’s better from an anti-phishing perspective to have the user type the URL into the browser: a legitimate notification that carries a link trains customers to click links in bank email, which is exactly the habit phishing relies on.

Setting the security question aside, there are many convenience benefits to sending statements via email.  Many customers don’t want paper statements.  Some customers use financial management software like Quicken or Microsoft Money, and <ALT-TAB> between the software and the bank statement to reconcile.

When thinking about use cases and potential fraud, I believe that pushing statements via email is not secure enough.  Some concerns:

  • Most people let their email program (for example, Outlook Express) remember their mailbox password.  Anyone who can walk up to the computer can click the email desktop icon and read the consumer’s bank statements.
  • Most consumers retrieve their email via POP3, which sends the user name and password in cleartext unless the client first upgrades the connection with STLS (RFC 2595) or uses APOP, and a typical consumer POP3 configuration does neither.  Anyone with a network sniffer along the path can grab the credentials and re-use them to log in to the consumer’s mailbox.
  • Man-in-the-browser attacks are becoming more prevalent.  These attacks use workstation malware that hooks into the browser, where it can capture credentials and alter what the user submits or sees before the data is encrypted.  If a consumer checked email from a web browser at an infected kiosk, the email credentials could be captured for later use.  Maybe consumers shouldn’t use a kiosk machine to access their bank accounts at all, regardless of whether a statement is delivered via email.  There is also the risk that the consumer’s bank statement remains recoverable on the kiosk, in the browser cache or in temporary files.
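To make the POP3 point concrete, here is an added example (not code from the original post) that walks a captured POP3 exchange and reports whether the mailbox password was readable on the wire.  It handles the cases that matter in practice: plain USER/PASS, an STLS upgrade, a refused STLS followed by a cleartext fallback, and APOP.  The transcripts, account name and password are constructed for the example.

```python
"""Added example, not code from the original post: inspect a captured POP3
exchange and report whether the mailbox password crossed the wire readable.

POP3 (RFC 1939) sends USER/PASS in cleartext.  A sniffer on the path sees the
password unless the client upgraded the connection with STLS (RFC 2595) before
authenticating, or used APOP, which sends an MD5 digest instead of the password.
All transcripts below are constructed for this example ("C:" = client,
"S:" = server); the account name, password and digest are made up.
"""
import re

CLEARTEXT_SESSION = """\
S: +OK POP3 server ready <1234.1210600000@mail.example.com>
C: USER alice@example.com
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 2 3456
C: QUIT
S: +OK Bye
"""

# Client upgrades to TLS first; everything after the server's +OK is ciphertext
# to the sniffer, so no USER/PASS lines appear in the capture.
STLS_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
"""

# Server refuses STLS and the client falls back to authenticating in the clear.
STLS_REFUSED_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: -ERR TLS not available
C: USER alice@example.com
S: +OK
C: PASS hunter2
S: +OK Logged in.
"""

# APOP: the client sends MD5(timestamp + password), not the password itself.
APOP_SESSION = """\
S: +OK POP3 server ready <1234.1210600000@mail.example.com>
C: APOP alice@example.com c4c9334bac560ecc979e58001b3e22fb
S: +OK Logged in.
"""

LINE = re.compile(r"^(C|S): (.*)$")


def analyze_pop3(transcript):
    """Walk the transcript and describe how the session authenticated.

    Returns a dict with the user name, the mechanism seen, the password if it
    was readable on the wire, and whether the session went encrypted.
    """
    result = {"user": None, "auth": None, "password_in_clear": None, "encrypted": False}
    awaiting_stls_reply = False
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        side, payload = m.groups()
        if side == "S":
            if awaiting_stls_reply:
                awaiting_stls_reply = False
                if payload.startswith("+OK"):
                    result["encrypted"] = True
                    break  # the rest of the capture is TLS records
                # -ERR: the client may carry on in cleartext, keep scanning
            continue
        cmd, _, arg = payload.partition(" ")
        cmd = cmd.upper()
        if cmd == "STLS":
            awaiting_stls_reply = True
        elif cmd == "USER":
            result["user"] = arg
        elif cmd == "PASS":
            result["auth"] = "USER/PASS"
            result["password_in_clear"] = arg
        elif cmd == "APOP":
            result["user"], _, _digest = arg.partition(" ")
            result["auth"] = "APOP"
    return result


def password_exposed(transcript):
    """True when a sniffer on the path could read the mailbox password."""
    return analyze_pop3(transcript)["password_in_clear"] is not None


if __name__ == "__main__":
    for name, session in [("plain", CLEARTEXT_SESSION), ("stls", STLS_SESSION),
                          ("stls refused", STLS_REFUSED_SESSION), ("apop", APOP_SESSION)]:
        r = analyze_pop3(session)
        print(f"{name:13s} auth={r['auth']} exposed={password_exposed(session)}")
```

The refused-STLS case is the one worth remembering: a client that is willing to fall back silently gives an active attacker a way to strip the upgrade, so the client setting should be "require TLS", not "use TLS if available".  APOP keeps the password off the wire, but the MD5 digest is still crackable offline from the captured timestamp.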

Some might argue that similar risks exist with paper statement delivery.  The differentiator is that the fraudster must have physical access to the consumer’s mailbox, which raises the bar for the attack and does not scale the way sniffing or malware does.

What damage can be done once the fraudster has the statement?  The bank statement carries the consumer’s account number, postal address, and a list of transactions (including payee information).  This information is a treasure trove for initiating an identity theft attack.

I have other residual concerns about emailing bank statements.  How is the integrity of the bank statement maintained through electronic delivery?  How would the consumer know if the bank statement has changed?  I can envision a scenario where a fraudster takes money out of the consumer’s bank account, and modifies the bank statement to hide it.  I suppose this could be fixed with a customer support call if it is detected.

I am aware of another large financial institution which is evaluating plans to implement a push mechanism to distribute bank statements.  They’re considering using a consumer authentication-style PKI product, which would provide both the necessary authentication (encrypting the statement to the consumer’s certificate so only the intended recipient can open it) and message integrity (signing it so any alteration is detectable) to make the process relatively secure.  Also, Adobe Acrobat documents can be password-protected, which mitigates some of the risks of pushing bank statements via email, but only to the extent that the password is strong and is neither sent over the same channel nor derived from information printed on the statement itself.

What are your thoughts?

May 02, 2008

Swiss Army Knife – The Personal Portable Security Device

Blogger: Mark Diodati

I’ve been working with smart cards for most of a decade, and there is a relatively new spin on the technology that merits discussion: the personal portable security device (PPSD).  It combines the USB smart card form factor and USB flash memory on a single platform.  Unlike older USB devices that had both components but ran them independently, in a PPSD the smart card controls access to the flash memory.  The combination is of interest to enterprises and to the payment and mobile communication industries.  Vendors that offer PPSDs include Gemalto (Secure Enterprise Guardian) and MXI Security (Stealth MXP).  I tested Gemalto’s Secure Enterprise Guardian product.

The combination overcomes the major limitation of each technology.  For smart cards, it’s storage: a smart card on its own holds at most about 256 KB of data.  USB flash drives hold up to 8 GB (though the Secure Enterprise Guardian’s current capacity is considerably smaller at 2 GB).  The issue with flash memory is security, which is weak relative to the smart card.  The smart card locks itself after a set number of invalid PIN attempts, no host-side utility can bypass the PIN check, and the chip is physically tamper-resistant, more so than any other authenticator.  This makes it a good basis for device-level file encryption: the card component generates and stores the symmetric encryption key, and the key never leaves the device.  No PIN, no symmetric key, no access to the encrypted files.  The PPSD typically also has a public area that works like a traditional USB drive, so you can share files with other people without authenticating.

The PPSD also supports traditional smart card/certificate functionality: Windows workstation logon, WiFi authentication, mutually authenticated SSL, S/MIME, and digital signatures.  The Gemalto PPSD also has a PKCS #11 interface that exposes the certificate and key functions to non-Microsoft applications (Firefox and some VPN clients) and to other operating systems (Linux and Mac OS).  Both the Gemalto and MXI Security PPSDs work with USB port control products, like Lumension’s Sanctuary Device Control.  One inherent limitation exists with PPSDs: they don’t support physical-logical convergence initiatives (one credential for both building access and network logon), which almost always require the ISO 7816 ID-1 (credit card sized) form factor.

The Gemalto and MXI Security PPSDs also support one-time password (OTP) generation (the PPSD has no LCD, so the workstation is required to display the OTP, which means malware on that workstation can read the OTP as easily as the user can).  Gemalto’s OTP generation is OATH-based, and MXI Security’s is RSA SecurID compatible (which provides broader platform support).  The combination of OTP and certificate capability gives a stronger authenticator the broadest application support.  The Stealth MXP product also provides biometric authentication.
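As an added example (not code from the original post or from either vendor), here is the OATH HOTP algorithm (RFC 4226) that an OATH-based token such as Gemalto’s implements, together with the server-side check that keeps the counter in sync and refuses replayed codes.  The key is the RFC’s published test-vector secret, not a provisioning secret from any device, and the look-ahead window size is an assumption chosen for the example.

```python
"""Added example, not code from the original post or from Gemalto or MXI:
an OATH HOTP (RFC 4226) generator of the kind a PPSD's OTP applet implements,
plus the server-side check with counter resynchronization.

The token side holds a shared secret and a counter and returns 6 digits derived
from HMAC-SHA1(secret, counter).  The validating server keeps its own counter
and accepts a code only if it matches one of the next few counter values, then
moves its counter past the value used, so a captured code cannot be replayed.
The secret below is the RFC 4226 test-vector key, not a real provisioning secret.
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"  # the RFC's 20-byte test key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP value: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 10):
    """Server side.  Returns the new server counter when `code` matches a counter
    in [server_counter, server_counter + look_ahead), else None.

    Moving the stored counter to the matched value + 1 is what makes the code
    single use; the look-ahead window (size assumed here) tolerates token presses
    that never reached the server, e.g. a code generated and then not submitted.
    """
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


if __name__ == "__main__":
    # Token and server start in sync at counter 0.
    token_counter, server_counter = 0, 0
    code = hotp(RFC4226_SECRET, token_counter)   # "755224" per RFC 4226 appendix D
    token_counter += 1
    server_counter = verify_hotp(RFC4226_SECRET, code, server_counter)
    print("first code accepted, server counter now", server_counter)
    # A replay of the same code is refused because the server counter moved on.
    print("replay accepted?", verify_hotp(RFC4226_SECRET, code, server_counter) is not None)
```

On a PPSD the `hotp` half runs inside the smart card chip, which is the whole point: the secret is generated and kept there, and the host only ever sees the six digits.  The server half is what the OTP validation service does; note that the look-ahead window is also the attacker’s window, so it should be as small as the user population’s habits allow.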

The Secure Enterprise Guardian was immediately recognized by my Windows XP machine.  The device supports the CCID USB smart card specification, so the CCID driver was installed automatically via Windows Update.  Gemalto has worked with Microsoft since the release of Windows 2000 to embed its Cryptographic Service Providers (CSPs), so they are present in the operating system.  A couple of mouse clicks and I was up and running.  Net result: this is the closest to a zero-software deployment model for smart cards I’ve experienced.  I was running with administrative privilege during the installation, so results on a typical enterprise workstation may vary.  Windows Vista deployments are simpler, as the CCID driver is already present.

The device becomes a mobile, secure storage container for both applications and sensitive data.  There’s some intriguing functionality that I have not tested yet.  I’m interested to see how PPSDs work with workstation virtualization products (e.g., VMware ACE or MojoPac).

Some use cases include:

  • “Secure” browser (e.g., limited functionality and a restricted trusted root list) with mutually authenticated SSL.  This combination is already productized by MXI for consumer authentication.  It should be noted that hardware-based authentication is not currently acceptable to U.S. financial institutions and their retail banking consumers.
  • Storage of confidential data, along with the application necessary to access it.
  • Microsoft PowerPoint presentations, along with the PowerPoint software.
  • S/MIME with Outlook Express or Mozilla Thunderbird and the certificates stored on the smart card.
  • Enterprise SSO application and associated SSO credentials

I’m not glossing over the complexity of smart cards and file encryption across the enterprise.  The authenticator is part of a larger orchestration of smart card management systems, PKI, and key management.  Additionally, organizations should consider USB port whitelists to limit the devices that can be installed on workstations.  But so much of stronger authentication is about user acceptance.  The PPSD provides the USB mobile storage form factor that users want, so its authentication and data protection capabilities make it a useful Swiss Army Knife.