I started writing about phishing a long time ago, it seems now. It must be at least two years, I think, maybe more. Then it seemed a very obscure activity, and I can recall one editor being less than impressed with the whole issue. Now it’s bigger than even I thought it might be. [Insert some statistic here to illustrate size of problem, usually cobbled together by someone hoping to make money out of scaring people.] But it remains scary, because phishers are getting better. Don’t be taken in by the rather pathetic attempts that sometimes land in your inbox. Phishing — the art of relieving you of the contents of your bank account/online auction account etc — is going to remain with us, and get more sophisticated.
So “solutions” are always interesting. And here’s another one, which reveals imagination on the part of the folk developing it, and, I suspect, how convoluted and advanced the war is going to become. BioPassword, a Seattle-based company, yesterday introduced what it’s calling “the industry’s first multifactor authentication software solution that authenticates users and reduces fraud over the Internet.” In English, this program allows companies to figure out, based on two different methods, whether you’re you signing into your account with them, or someone else. What’s interesting about it is the second method uses the way you type: Are you a pecker, a touch-typist, or what?
BioPassword are calling themselves the “first” because other methods use as their second authentication factor something that’s not actually software driven — something you know (your mother’s maiden name), something you are (a biometric) or something you have (e.g. a smart card). None of these are cheap, and once the bad guy knows it (your mom’s maiden name), or has it (a copy of your thumbprint, a smart card) he’s in for keeps. They’re also claiming their solution is cheaper than all these, because it’s built into the software. Another advantage, they say, is that it doesn’t require the user to do anything extra, other than typing in their name and password. Which presumably they’re doing anyway, unless they’re using some password-storing software, or speak to their computer using voice recognition technology.
So how does this work? Well, as far as I can figure out, a pop-up window appears when you log in. You’d probably be asked to type something a few times — or, possibly, not informed at all about what is going on, to preserve the “naturalness” of your typing, since most of us type differently when we’re being, or feel we’re being, watched. The software would monitor typing speed over time, adjusting its accuracy. What is being typed is not stored, so there’s nothing for a sophisticated phisher to capture from the authentication software except the rhythm and pattern of the way you type.
On his blog BioPassword CEO Mark Upson says the company has been trundling around the press and analyst offices. He rightly identifies the frustration users have with tokens — those little bits of plastic that spew out supposedly random numbers which act as an extra authentication for most banks and company networks. Reckons Upson: “The more token users I talk to, the more I see how frustrated they are having to deal with a piece of hardware they lose, break, and have to travel with at all times. We will get a great uptake on using our technology in lieu of the token or worst case as a backup when the token is not available for whatever reason.” (That’s not the only problem: phishers have now found a way to capture the numbers from these tokens as the user enters them using remotely installed software. The software then throws up an error message to the user, while the bad guy quickly enters the digits himself. Expect the makers of these tokens to increase the rate at which the number changes.)
He also rightly pooh-poohs the fingerprint scanners you can find on some ThinkPads and other laptops as novelties, since banks don’t use them, and with good reason: “The problem is once someone has my electronic fingerprint, I’m hosed as it can be used over and over again.”
Then there’s the “profiling” approach: watching your customer’s behavior — we’re talking about when they log into their account, what they do when they’re there, etc — which he also rightly suggests is going to throw up a lot of false alarms (unless you’re a real creature of habit, you probably don’t log on at the same time or do the same things when you do log on. Maybe you do. I’m assuming here.)
I haven’t tried the BioPassword thing, but my instincts tell me it’s not a bad idea. I can think of at least one chink, though: If the bad guy has installed a keystroke monitor, it shouldn’t take too much effort to tweak such software to capture the same data as that being monitored by BioPassword — the speed and rhythm of the user’s typing. In the end it’s just another kind of data that makes up identity theft, and a bad guy could, I suspect, easily grab that data and then either mimic the user’s typing pattern, or automate the entry of username and password to mimic the user’s pattern. There are probably other problems, but it’s too early in the morning for me to think of them.
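As an added illustration of the mechanism described above (the timing pattern is stored, never the text typed) and of the keystroke-logger weakness just raised, here is a toy keystroke-dynamics check. This is example code written for this post, not BioPassword’s software; the key-press timestamps are constructed, and the profile/score/replay logic is a simple assumed design:

```python
"""Toy keystroke-dynamics authenticator (constructed example, not BioPassword's).
Only inter-key timings are kept; the characters typed are never stored."""
from statistics import mean, pstdev

def intervals(timestamps):
    """Flight times in ms between consecutive key presses."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def build_profile(samples):
    """Per-position mean and standard deviation over enrolment samples.
    The std-dev is floored at 5 ms so a few very consistent samples do not
    make the profile impossibly strict."""
    columns = list(zip(*(intervals(s) for s in samples)))
    return [(mean(c), max(pstdev(c), 5.0)) for c in columns]

def score(profile, sample):
    """Mean z-distance of a sample from the profile; lower is closer."""
    iv = intervals(sample)
    if len(iv) != len(profile):
        return float("inf")
    return mean(abs(x - m) / sd for x, (m, sd) in zip(iv, profile))

def authenticate(profile, sample, threshold=2.0):
    return score(profile, sample) < threshold

def is_replay(seen_samples, sample):
    """Exact repetition of an earlier timing vector is a red flag: a human
    never reproduces millisecond timings identically, a replayed capture does."""
    return intervals(sample) in [intervals(s) for s in seen_samples]

# Constructed enrolment data: the same 8-character password typed four times
# by a steady touch-typist (key-press times in ms from the first key).
ENROLMENT = [
    [0, 120, 215, 355, 465, 595, 695, 845],
    [0, 125, 215, 360, 465, 600, 698, 853],
    [0, 115, 215, 350, 465, 590, 694, 839],
    [0, 118, 211, 353, 465, 593, 694, 846],
]
PROFILE = build_profile(ENROLMENT)

GENUINE = [0, 122, 218, 356, 464, 596, 695, 843]          # same person, new login
HUNT_AND_PECK = [0, 300, 580, 930, 1190, 1510, 1800, 2130]  # different typist
SCRIPTED = [0, 50, 100, 150, 200, 250, 300, 350]            # uniform automated entry
REPLAYED = ENROLMENT[0]  # timings captured by a keylogger and played back verbatim

if __name__ == "__main__":
    for name, s in [("genuine", GENUINE), ("hunt-and-peck", HUNT_AND_PECK),
                    ("scripted", SCRIPTED), ("replayed", REPLAYED)]:
        print(f"{name:14s} score={score(PROFILE, s):6.2f} "
              f"pass={authenticate(PROFILE, s)} replay={is_replay(ENROLMENT, s)}")
```

The replayed capture passes the rhythm check exactly as the post fears; only the duplicate-timing check flags it, and a replay with a few milliseconds of jitter added would defeat even that, which is the point about it being “just another kind of data”.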
Bottom line: solutions like this are good, but they’re not really solutions. A solution implies an end to the problem. There’s no end to the problem of phishing. Where there are people and money together on the Internet, there will always be a problem. BioPassword raises the stakes, but at best it will represent a challenge to the phishers and shut out the kiddies. But an end to the problem? Don’t bank on it.
You’re right, these so-called second factors are not really a proper second factor when the new data is sent over the same channel.
One example of two-factor authentication that works pretty well is the use of cellular phones. I go to my bank’s website, log in, then they call me before allowing me access to my account. This, of course, brings about a new problem — I must always have my phone ready.
This is not foolproof either, and I have yet to see any phishing “solutions” that are. Until there is a general-case solution, we just keep trying new things and use solutions to protect against specific types of phishing attacks.