L'Ombre de l'Olivier

The Shadow of the Olive Tree

being the maunderings of an Englishman on the Côte d'Azur

07 February 2007

GuardUNO - the scam and what it should be

For some reason my post on the GuardUno phishing scam emails seems to be a big hit on Google, so I thought it might be interesting to look not only at why the email is a scam but also at what a genuine, non-scam communication from your bank about a system similar to GuardUno would look like.

First off, the scam. The scam revolves around the idea that the bank doesn't know who you are or what your bank details are. Therefore the email, allegedly from your bank or sent on its behalf, asks you to fill in these details on a website so that they can send you this wonderful piece of security hardware. As should be obvious, your bank already knows who you are, along with your address, social security number, account details and so on. Hence it would never ask you to fill them in again, and hence any email asking you to go to a website and fill in such details is a scam.

Secondly, what is industry best practice? Probably the best system is the one used by Swiss banks such as UBS and Credit Suisse. I've seen the UBS one in action and it is documented here, so I shall explain that; my understanding is that other Swiss banks do online banking the same way.

To start off, the Swiss bank issues you with a smart card (which looks like a chipped ATM card) and a smart card reader (which looks like a calculator), as shown in the illustration at the right. These are either sent to you or you pick them up from your bank after presenting some ID. I assume that families with multiple accounts can have multiple cards and share the reader. At the same time you also get an agreement number, which probably doesn't resemble your account number, sent to you separately and, also separately, you receive the initial PIN for the card. The first time you use the card you are encouraged to change the PIN to something else.

When you go to the UBS e-banking portal you first enter the agreement number and receive back a series of digits. Then you insert the card in the reader, switch it on and enter your PIN. Assuming you got that right, you then type the digits displayed on the web page into the reader. The reader combines those with something on the card to give you back another string of digits. This is then entered into the relevant part of the website and, if it checks out, you are logged in. Needless to say, the whole process runs under the strongest SSL security that your browser supports.

Critically, you never enter your PIN, name or account number anywhere in the process. What you enter is your agreement number and a "password" that changes every time you log in. And the system logs you out automatically after a certain amount of time, so the chances of someone coming across your internet session while you are away from your desk are limited.

What does this mean? Firstly, it means that you need some physical thing to access the system, not just a memorised password; because you need both a thing you know (the PIN) and a thing you have (the card and reader), this is inherently more secure. Secondly, because the PIN is only ever entered into a separate device not connected to the Internet, there is no need to worry about a keylogger being installed and someone learning your details. Thirdly (and related to the previous point), the "password" sent over the Internet changes each time you log in, so if anyone manages to install some sort of sniffer that reads the HTTPS connection, it won't help them next time. Given that the session times out fairly quickly, it is likely that by the time the hacker has decrypted the HTTPS traffic the password captured is no longer valid, so spoofing is difficult. Finally, you will note that at no point does UBS have to ask its customer to fill in any personal details.
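The login flow described above, as an added example that is not UBS's code or documentation: a toy Python model in which the offline reader checks the PIN locally and derives the one-time digits from the on-screen challenge plus a secret on the card, while the bank's server accepts each challenge only once and logs idle sessions out. The digit derivation (HMAC-SHA256 truncated to eight digits), the agreement number, PIN, timeouts and class names are all assumptions for illustration; the post does not say how the real reader combines the digits with the card.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo of a challenge-response login in the style the post describes.
# The derivation below is an assumption, not the real reader's algorithm; the
# timeouts and identifiers are made up for illustration.
RESPONSE_DIGITS = 8
CHALLENGE_TTL = 120     # seconds a challenge stays valid (assumed)
SESSION_TIMEOUT = 300   # seconds of idleness before automatic logout (assumed)


def derive_response(card_secret: bytes, challenge: str) -> str:
    """Combine the card's secret with the on-screen challenge into one-time digits."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** RESPONSE_DIGITS)
    return f"{value:0{RESPONSE_DIGITS}d}"


class CardReader:
    """Offline reader + smart card: the PIN is checked here and never leaves the device."""

    def __init__(self, card_secret: bytes, pin: str, max_pin_tries: int = 3):
        self._card_secret = card_secret
        self._pin = pin
        self._max_tries = max_pin_tries
        self._tries_left = max_pin_tries

    def respond(self, pin: str, challenge: str):
        """Return the response digits, or None if the PIN is wrong or the card is locked."""
        if self._tries_left <= 0:
            return None
        if not hmac.compare_digest(pin, self._pin):
            self._tries_left -= 1
            return None
        self._tries_left = self._max_tries
        return derive_response(self._card_secret, challenge)


class BankServer:
    """Server side: holds each agreement's card secret, issues challenges, checks responses."""

    def __init__(self):
        self._cards = {}      # agreement number -> card secret provisioned at issue time
        self._pending = {}    # agreement number -> (challenge, issued_at)
        self._sessions = {}   # session token -> (agreement number, last_seen)

    def enrol(self, agreement: str, card_secret: bytes):
        self._cards[agreement] = card_secret

    def start_login(self, agreement: str, now=None) -> str:
        """Step 1: the customer types only the agreement number and gets a challenge back."""
        now = now if now is not None else time.time()
        challenge = f"{secrets.randbelow(10 ** RESPONSE_DIGITS):0{RESPONSE_DIGITS}d}"
        # Unknown agreements still receive a challenge so the page does not reveal valid numbers.
        if agreement in self._cards:
            self._pending[agreement] = (challenge, now)
        return challenge

    def finish_login(self, agreement: str, response, now=None):
        """Step 2: check the reader's digits against the stored challenge; each challenge is single-use."""
        now = now if now is not None else time.time()
        pending = self._pending.pop(agreement, None)   # consumed whether or not it matches
        if pending is None or response is None:
            return None
        challenge, issued_at = pending
        if now - issued_at > CHALLENGE_TTL:
            return None
        expected = derive_response(self._cards[agreement], challenge)
        if not hmac.compare_digest(expected, response):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = (agreement, now)
        return token

    def session_agreement(self, token: str, now=None):
        """Return the agreement bound to a session, logging out sessions idle too long."""
        now = now if now is not None else time.time()
        entry = self._sessions.get(token)
        if entry is None:
            return None
        agreement, last_seen = entry
        if now - last_seen > SESSION_TIMEOUT:
            del self._sessions[token]
            return None
        self._sessions[token] = (agreement, now)
        return agreement


def demo():
    """One login, a replay of the sniffed digits, and an idle timeout; returns the outcomes."""
    server = BankServer()
    card_secret = secrets.token_bytes(32)            # constructed card secret
    server.enrol("AGR-123456", card_secret)          # constructed agreement number
    reader = CardReader(card_secret, pin="4711")     # constructed PIN

    t0 = 1_000_000.0
    challenge = server.start_login("AGR-123456", now=t0)
    response = reader.respond("4711", challenge)
    token = server.finish_login("AGR-123456", response, now=t0 + 5)
    replay = server.finish_login("AGR-123456", response, now=t0 + 10)
    alive = server.session_agreement(token, now=t0 + 60)
    expired = server.session_agreement(token, now=t0 + 60 + SESSION_TIMEOUT + 1)
    return {
        "login_ok": token is not None,
        "replay_ok": replay is not None,
        "session_alive": alive == "AGR-123456",
        "session_after_timeout": expired,
    }
```

The three properties the post credits to the scheme fall out of the structure: the PIN only ever reaches `CardReader`, a captured response is useless because `finish_login` pops the challenge on first use, and `session_agreement` drops a session that has sat idle past the timeout.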
