Following an entry on the excellent Realtime Community Compliance Blog (hi Rebecca! Nice one!), I've been reading about social engineering attacks on US Credit Unions. The Credit Union Times reported that social engineers have successfully bypassed inadequate user authentication methods to authorize fraudulent transfers of large credit balances to other banks and, presumably, quickly moved on through unwitting money mules to lovely untraceable folding munny.
The Credit Unions appear to be using telephone call-backs as part of the authentication, but those naughty scammers have allegedly discovered how to get the phone companies to redirect phone lines and thus spoof the call-back numbers. They are evidently also able to answer the pretty lame authentication questions typical of single-factor authentication schemes (you know - "What is your secret password? What is your mother's maiden name? What is your inside leg measurement?" - that kind of thing), perhaps through insider access to the Credit Union's systems, through phishing or spyware on the customers' systems (probably introduced using more social engineering techniques), or else by directly socially engineering the genuine customers into revealing the very same secrets. Now that's one excellent reason to be extremely dubious when out of the blue you get a call "from your bank, just needing to check a few things, but first we need you to authenticate. What is your secret password? What is your mother's maiden name? What is your inside leg measurement? ...".
In the past, I have personally been on the receiving end of what were probably legitimate but unsolicited calls from my bank, yet the bankers invariably went all defensive or indignant when I insisted that THEY authenticate themselves to ME before I would authenticate myself to THEM. The irony of it was absolutely lost on them. "We're your bank: trust us" was basically their best 'response', lame though it is. Some of them get quite obnoxious, but the harder they insist, the wider my smile. It's fun, in fact, and a good wind-up for other unsolicited sales callers too. Anyway, I digress.
It's not too hard to think of simple methods by which the bank could authenticate to its customers, like for example asking the caller to reveal certain letters from your password or confirm the amount of a specific transaction from your latest statement, but all such simple schemes are vulnerable to replay attacks. It's exactly the same problem that the bank has, but vice versa.
I'm sorely tempted to take into my bank branch my own one-time-password bingo card just like the ones that various cheapskate banks are using to implement the el cheapo form of two factor authentication, cheaply, insisting that they read out and scratch off the next number whenever we speak. You can be sure that the bingo codes will be horrendously complex 'cos I know about entropy. You can be equally sure that the bank won't fall for it.
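To make the replay point concrete, here is a small added simulation (my own illustration, not code from the original post or from any bank): an eavesdropper records one bank-to-customer call and replays it. Against a static "read me letters 1, 5 and 8 of my password" challenge the replay is accepted; against a shared one-time bingo card the customer's side refuses a code that has already been scratched off. The password, card size and code alphabet are constructed sample values, and `entropy_bits` just shows why the codes can be made "horrendously complex" at no cost to the bank.

```python
import math
import secrets
import string


class StaticSecret:
    """Static challenge: the bank proves itself by reading out chosen letters
    of the customer's password. The answer for a given set of positions never
    changes, so anyone who overhears one call can replay it verbatim."""

    def __init__(self, password):
        self.password = password  # constructed sample secret, not a real one

    def answer(self, positions):
        return "".join(self.password[i] for i in positions)

    def verify(self, positions, response):
        return response == self.answer(positions)


class BingoCard:
    """One-time-code card held by both bank and customer. The customer demands
    the next unscratched code, checks it, then scratches it off; a code is
    accepted at most once, so a recording of an earlier call is useless."""

    ALPHABET = string.ascii_uppercase + string.digits

    def __init__(self, n_codes=10, length=8):
        # codes are generated with a CSPRNG; the card is the shared secret
        self.codes = ["".join(secrets.choice(self.ALPHABET) for _ in range(length))
                      for _ in range(n_codes)]
        self.length = length
        self.scratched = 0  # customer's side: index of the next unused code

    def bank_reads(self, index):
        """Bank's copy of the card: read out code number `index` to the caller."""
        return self.codes[index]

    def customer_verifies(self, spoken):
        """Accept only the next unscratched code, then scratch it off."""
        if self.scratched >= len(self.codes):
            return False  # card exhausted: issue a new one
        if spoken != self.codes[self.scratched]:
            return False
        self.scratched += 1
        return True

    def entropy_bits(self):
        """Guessing resistance of one code: length * log2(alphabet size)."""
        return self.length * math.log2(len(self.ALPHABET))


def simulate_replay(card, static):
    """Call 1 is the genuine bank; the eavesdropper records both responses and
    replays them in call 2. Returns whether each scheme accepted the replay."""
    positions = (0, 4, 7)

    # call 1: genuine bank authenticates to the customer under both schemes
    static_reply = static.answer(positions)
    card_reply = card.bank_reads(0)
    assert static.verify(positions, static_reply)
    assert card.customer_verifies(card_reply)

    # call 2: the recorded answers are replayed by the impostor
    return {
        "static_replay_accepted": static.verify(positions, static_reply),
        "bingo_replay_accepted": card.customer_verifies(card_reply),
    }


if __name__ == "__main__":
    card = BingoCard()
    result = simulate_replay(card, StaticSecret("correct horse battery"))
    print(result)                              # static: True, bingo: False
    print(f"{card.entropy_bits():.1f} bits per code")
```

The customer's check is deliberately strict about ordering: it accepts only the next code on the card, not any unused code, so the impostor cannot even bank a code overheard out of sequence. The bank's copy and the customer's copy are the same list here for brevity; in practice the bank would track its own "next index" and the two sides would simply fall out of step if a call were ever spoofed, which is itself a useful alarm.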
Of course all of this bank-authenticates-to-customer stuff is highly inconvenient for the bank, so we're left with "Trust us. We're your bank! No really! We are! We are we are we are! We are so your bank ...".
CUNA Mutual advised credit unions to "establish a password system" (single factor authentication - surely they have this already, no?) and "have a written agreement with the member for the use of these passwords" (to limit their liabilities, of course - again, don't they do this by default?). They said "If there is any doubt as to authenticity of the funds transfer request, credit unions are reminded they do not have to perform a wire transfer." (no, really? Golly!). Other advice included "Limit the amount of wire transfer that can be completed by a call center employee. Managers should approve all wire-transfer requests." (divisions of responsibility are good but do not address the basic problem of authenticating transfer requests), "Record conversations during the call-back and compare it to previously recorded conversations [and] listen to the caller. Does he or she have an accent that is inconsistent to your membership?" (that's an interesting idea but a rather weak and awkward control), "Perform an additional verification to the member’s work and/or cellular telephone number." (another weak control, but at least they are thinking along the right lines), and finally "send an e-mail to the member at home and/or work" (presumably confirming the transaction - a useful post-hoc activity that would make a stronger control if the transaction were put on hold pending final confirmation by digitally-signed email).
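The last two pieces of advice above (a call-centre limit with manager approval, and an e-mail that would only be a real control if the transfer were held pending confirmation) can be combined into one small workflow. The following is an added illustration of my own, not anything CUNA Mutual or any credit union published: a request above the limit waits for a manager, every request then sits on hold, and the hold is released only by a confirmation that is bound to the exact details on file (id, member, amount, destination), is verified as coming from the member, and arrives within the window. The digital signature the text mentions is modelled here with an HMAC under a key shared with the member's mail client, purely as a stand-in; the limit, window, member and key are constructed values.

```python
import hashlib
import hmac

CALL_CENTER_LIMIT = 5_000   # constructed policy: above this a manager must approve
CONFIRM_WINDOW = 24 * 3600  # constructed: seconds the member has to confirm the hold


def member_signs(member_key, payload):
    """Member's side: sign the confirmation payload from the e-mail.
    HMAC-SHA256 stands in here for the digital signature the post refers to."""
    return hmac.new(member_key, payload, hashlib.sha256).hexdigest()


class WireDesk:
    """Toy wire-transfer desk: call-centre limit, manager approval, and a hold
    that is released only by a member confirmation bound to the request on file."""

    def __init__(self, member_keys):
        self.member_keys = member_keys  # member -> verification key (assumption)
        self.requests = {}

    @staticmethod
    def _canonical(req):
        # the exact bytes the member is asked to confirm; any change in amount or
        # destination after the e-mail went out invalidates the confirmation
        return f"{req['id']}|{req['member']}|{req['amount']}|{req['destination']}".encode()

    def request(self, req_id, member, amount, destination, now):
        """Call-centre employee records a request; large ones need a manager."""
        req = dict(id=req_id, member=member, amount=amount,
                   destination=destination, created=now, approved=False)
        req["status"] = "NEEDS_MANAGER" if amount > CALL_CENTER_LIMIT else "ON_HOLD"
        self.requests[req_id] = req
        return req["status"]

    def manager_approve(self, req_id):
        """Separate role: a manager approves, but this still only moves it to hold."""
        req = self.requests[req_id]
        if req["status"] == "NEEDS_MANAGER":
            req["approved"] = True
            req["status"] = "ON_HOLD"
        return req["status"]

    def confirmation_email(self, req_id):
        """What is e-mailed to the member: the details they must confirm."""
        return self._canonical(self.requests[req_id])

    def confirm(self, req_id, member, payload, tag, now):
        """Release the hold only if the confirmation is timely, matches the
        request on file byte for byte, and verifies under the member's key."""
        req = self.requests.get(req_id)
        if req is None or req["status"] != "ON_HOLD" or req["member"] != member:
            return "REJECTED"
        if now - req["created"] > CONFIRM_WINDOW:
            req["status"] = "EXPIRED"
            return "EXPIRED"
        if payload != self._canonical(req):
            return "REJECTED"  # confirmation covers different details than we hold
        expected = hmac.new(self.member_keys[member], payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "REJECTED"  # not from the member
        req["status"] = "RELEASED"
        return "RELEASED"


if __name__ == "__main__":
    key = b"constructed-member-key"
    desk = WireDesk({"alice": key})
    print(desk.request("w1", "alice", 20_000, "other-bank-account", now=0))  # NEEDS_MANAGER
    print(desk.manager_approve("w1"))                                       # ON_HOLD
    payload = desk.confirmation_email("w1")
    print(desk.confirm("w1", "alice", payload, member_signs(key, payload), now=60))  # RELEASED
```

Two details carry the weight. The confirmation is compared against the desk's own copy of the request rather than trusting whatever the caller repeats back, so a fraudster who talked the call centre into a request cannot "confirm" a different amount or destination. And the check is against `ON_HOLD` only, so a confirmation cannot be replayed to release a second transfer, which is the same replay lesson as the bingo card, now applied to the transaction rather than the phone call.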
Come along CUNA Mutual: US banks are grudgingly implementing two factor authentication that European and other banks have used for years. Anyone who lags the field is a sitting duck.