Schneier: tokens won't completely secure data

Counterpane Internet Security's CTO says financial institutions should be held responsible for fraudulent transactions

Technology isn't going to protect e-commerce customers -- stronger government regulation is what will get the attention of online banks and merchants, forcing them to stop being casual about security, said Bruce Schneier, founder and chief technology officer of Counterpane Internet Security.

Schneier's view counters a recent Federal Deposit Insurance Corp. (FDIC) report concluding that a lack of security allows thieves to hijack customer accounts. The FDIC called on banks to upgrade existing password-based user authentication systems to two-factor authentication, combining a unique password with a secure card or token that the customer must present to access an online account. Schneier discusses his views in a "Communications of the ACM" (Association for Computing Machinery) article, and also shared his opinions in an e-mail interview, whose edited transcript follows.

IDG News: Is there a lesson in the huge breaches we've seen in recent weeks -- ChoicePoint, Paymaxx, Reed Elsevier PLC's LexisNexis and DSW? The attack vectors were all different, but is there a common lesson to be learned?

Schneier: The problem is that security of much of our data is no longer under our control. This is new. A dozen years ago, if someone wanted to look through your mail, they would have to break into your house. Now they can just break into your ISP. Ten years ago, your voice mail was on an answering machine in your house; now it's on a computer owned by a telephone company. Your financial accounts are on Websites protected only by passwords; your credit history is stored -- and sold -- by companies you don’t even know exist. Lists of books you buy, and the books you browse, are stored in the computers of online booksellers. Your affinity card allows your supermarket to know what food you like. Data that used to be under your direct control is now controlled by others.

IDG News: Basically you argue, in your article, that evolving attacks like man-in-the-middle and Trojan horses make two-factor authentication obsolete. But for the vast majority of online crimes and identity thefts wouldn't a second factor make things much harder for online thieves, both in the long- and short-term?

Schneier: No. All a second factor will do is force attackers to change their tactics. ... Two-factor authentication only works when the attacker tries to steal an access method to use later. The current trends in fraud we’re seeing are active and immediate. Either the attacker sets up a fake website and acts as a man-in-the-middle, prompting the user for his access codes and then immediately using them to log into the financial website, or the attacker has a Trojan horse on the user’s computer and sneaks fraudulent transactions into the financial Website during a legitimate session by the user. In both of those cases, two-factor authentication doesn’t make a bit of difference.

IDG News: Just this week, the compromise of a database owned by LexisNexis pointed to the shortcomings of user ID and password schemes. Wouldn't tokens have prevented the identity of those 32,000 people from being exposed to hackers?

Schneier: A second factor of authentication would mean that some fraud tactics would work and some would not. In the ChoicePoint case, attackers posed as legitimate businessmen and got accounts on the ChoicePoint system. If there was two-factor authentication, the criminals would have been users of that authentication system. Bank of America lost a backup tape with personal information on 1.6 million people; two-factor authentication would not have helped there. We don’t know how the LexisNexis hack occurred, but it’s certainly possible that two-factor authentication would have helped.

IDG News: If multifactor authentication can't work because we can never be sure that the end-user's platform is secure, doesn't that mean that no online transaction can ever be secure? Any Windows system could have a Trojan or rootkit on it, right? So why ever use an Internet-connected Windows system, or for that matter any Unix or Linux system to do e-commerce?

Schneier: No online transaction can ever be absolutely secure, but you can say the same thing about face-to-face cash transactions. Security isn’t black and white; it’s a continuum. And absolute security is never the goal -- the goal is to manage the risks well enough so that commerce can continue.

To me, we’re approaching the problem wrong. The problem isn’t how to secure the user’s computer or how to authenticate. The problem is fraudulent transactions. And the solution is to make the financial institutions liable for fraudulent transactions. Think about credit cards. As long as fraud was the responsibility of the cardholder, the credit card companies never bothered improving security. But as soon as fraud was their problem -- cardholders only had a $50 liability -- (credit card companies) did a lot to improve security. And they didn't worry about how well the cards were stored in the users’ wallets; they concentrated on fraud detection in their own databases. As soon as we make financial institutions liable for online fraud, they’ll figure out how to manage the risk.
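Schneier's point that the card companies "concentrated on fraud detection in their own databases" can be made concrete. The Python below is an added example written for this page; it is not code from the interview, from Counterpane or from any bank. The account history, the scoring rules, their weights and the hold threshold are all assumptions chosen for illustration. The scorer looks only at the transaction and the account's own history, never at the customer's device, which is why both cases from the interview (a transaction injected into an already-authenticated session, and a credential captured by a fake site and replayed from elsewhere) end up held for out-of-band confirmation while a routine bill payment is approved.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed policy: a transaction scoring at or above this is held until the
# customer confirms it through another channel (phone call, branch, etc.).
HOLD_THRESHOLD = 50


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    amount: float
    payee: str
    src_ip: str


# Constructed history for one account: routine bills paid from the
# customer's usual address. Values are made up for the example.
HISTORY = [
    Txn("acct-1", datetime(2005, 3, 1, 9), 120.00, "electric-co", "10.0.0.5"),
    Txn("acct-1", datetime(2005, 3, 3, 18), 45.50, "grocer", "10.0.0.5"),
    Txn("acct-1", datetime(2005, 3, 8, 12), 300.00, "landlord", "10.0.0.5"),
    Txn("acct-1", datetime(2005, 3, 15, 9), 118.00, "electric-co", "10.0.0.5"),
    Txn("acct-1", datetime(2005, 3, 20, 20), 60.25, "grocer", "10.0.0.5"),
]


def score_transaction(txn, history):
    """Score one transaction against the account's posted history.

    Returns (score, reasons). Higher means more suspicious. The rules and
    weights are assumptions; a real system would tune them on labelled fraud.
    """
    prior = sorted(
        (h for h in history if h.account == txn.account and h.ts < txn.ts),
        key=lambda h: h.ts,
    )
    if not prior:
        return 0, ["no history"]
    score, reasons = 0, []

    # Rule 1: money going somewhere this account has never paid before.
    if txn.payee not in {h.payee for h in prior}:
        score += 40
        reasons.append("first payment to this payee")

    # Rule 2: amount far outside the account's usual range (3 sigma, or
    # 3x the mean when every prior amount was identical).
    amounts = [h.amount for h in prior]
    mu, sigma = mean(amounts), pstdev(amounts)
    limit = mu + 3 * sigma if sigma else 3 * mu
    if txn.amount > limit:
        score += 30
        reasons.append(f"amount {txn.amount:.2f} exceeds history-based limit {limit:.2f}")

    # Rule 3: request from an address the account has never used. A Trojan
    # on the customer's own machine will not trip this; a replayed credential will.
    if txn.src_ip not in {h.src_ip for h in prior}:
        score += 10
        reasons.append("unfamiliar source address")

    # Rule 4: a burst right after another transaction, the pattern of a
    # transaction slipped into a session the customer is already using.
    if txn.ts - prior[-1].ts < timedelta(minutes=5):
        score += 20
        reasons.append("follows another transaction within 5 minutes")

    return score, reasons


def decide(score):
    return "hold" if score >= HOLD_THRESHOLD else "approve"


def run_demo():
    """Score three constructed transactions; returns {label: (decision, score)}."""
    base = datetime(2005, 4, 1, 9, 0)
    legit = Txn("acct-1", base, 121.00, "electric-co", "10.0.0.5")
    # Trojan case: same machine and session as the legitimate payment,
    # but an unseen payee and an outsized amount one minute later.
    injected = Txn("acct-1", base + timedelta(minutes=1), 2500.00, "mule-account", "10.0.0.5")
    # Fake-site case: credentials captured and replayed from another address.
    replayed = Txn("acct-1", base + timedelta(hours=2), 900.00, "mule-account", "203.0.113.7")

    results = {}
    ledger = list(HISTORY)
    for label, txn in [("legit", legit), ("injected", injected), ("replayed", replayed)]:
        score, reasons = score_transaction(txn, ledger)
        decision = decide(score)
        results[label] = (decision, score)
        print(f"{label:9s} {decision:8s} score={score:3d} {'; '.join(reasons)}")
        if decision == "approve":
            ledger.append(txn)  # only posted transactions become history
    return results


if __name__ == "__main__":
    run_demo()
```

Held transactions are deliberately kept out of the ledger, so a large fraudulent amount cannot widen the account's "normal" range for the next attempt. The point of the design, in line with the argument above, is that the institution gets a decision it can act on without having to trust the state of the customer's computer at all.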

IDG News: But what responsibility do users have? If all of us used encryption to protect e-mail and other correspondence, encrypted data on our hard drives, and made sure to use SSL or some other encryption when Web browsing, wouldn't that take care of the Trojans and man-in-the-middle attacks?

Schneier: Again, encryption defends against some attacks and not others. If there’s a Trojan on your computer, encryption doesn’t make any difference ... because the Trojan sees whatever plain text you do, and has access to any keys you type into the computer. Encrypted Web sessions can protect against man-in-the-middle attacks, but only if the user verifies the certificate of the remote site. But users never verify certificates, so they have no idea who they’re on a secure connection with. Man-in-the-middle attacks work just fine under SSL.

IDG News: Recently, banks like U.S. Bancorp and e-Trade, as well as Internet service providers like America Online have extended multifactor tokens to their customers. Are these programs a waste of time? Are you saying that, five or 10 years from now, they'll still be struggling with the same problems?

Schneier: In the short term, it will help. While it won’t make a difference against the newer attacks, those attackers who are still stealing passwords to use later will switch to other targets. But as more and more financial institutions start implementing two-factor authentication, the banks will start seeing diminishing returns. In the end, it won’t make any difference. Fraud won’t be reduced.

IDG News: Microsoft already offers multifactor authentication to Windows users (RSA SecurID for Microsoft Windows), but not many people have adopted it. Isn't the real story here that online consumers don't really care about security -- until they get scammed?

Schneier: I don’t know if that’s the “real” story. It’s certainly part of the story. The other part of the story is that banks don’t really care about security, unless it affects their bottom line. Keep in mind that I am not completely discounting two-factor authentication. There are applications where it works great. If I am an organization that's trying to control employee access to servers and applications, two-factor authentication is a great security addition. It makes sense in that kind of scenario.

The text of Schneier's recent article can be found at

Copyright © 2005 IDG Communications, Inc.