Bruce Schneier is a person well known to everybody interested in IT security. Recently he published a blog post about why two-factor authentication does not solve all security problems. For those who don’t know the term, two-factor authentication is basically a system where you first give your “constant” password (the password that doesn’t change); if it is correct, the system sends you a second password generated for you for this single use (this password can also be generated by a small device given to you by the system admin). When you provide a valid second password, the system lets you in. Mr. Schneier writes that this is not as safe as many people tend to think, because the second password can be intercepted (for details, read his post), so he suggests using transaction-based authentication instead of session-based.
And here comes my bank, which uses transaction-based authentication, but only partially. This is how it goes when I make a money transfer:
1. I log in to my bank account (using the “constant” password) and fill in the transaction details in a web form.
2. After I submit the form, the bank sends me a one-time password via text message to my mobile.
3. I enter this one-time password along with my main password into the web form, and my transaction is processed.
The problem is that once I have authorized one transaction this way, every other transaction during the same session requires only the “constant” password. So if somebody wanted to steal my money, he would just need to use one of the techniques described by Bruce Schneier and wait until I make my first transaction; after that he is free to do anything, as intercepting the main password is not a big challenge.
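To make the difference concrete, here is a small added model of the two policies (it is example code written for this post, not code from the bank or from Schneier's article). The password, account names and the text-message format are constructed assumptions. It goes one step beyond what the post describes in that the code is consumed on first use and the text message names the amount and destination, which is what lets the customer check the transaction the code actually authorizes.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample credential for the toy model; a real bank would store a hash.
CONSTANT_PASSWORD = "correct-horse-battery"


@dataclass
class Session:
    user: str
    authorized_once: bool = False                 # weak policy: set after first OTP-confirmed transfer
    pending: dict = field(default_factory=dict)   # otp -> (destination, amount) awaiting step 3
    ledger: list = field(default_factory=list)    # executed transfers


class Bank:
    """Toy online-banking backend with a switchable authorization policy."""

    def __init__(self, per_transaction: bool):
        self.per_transaction = per_transaction
        self.sms_outbox = []   # stands in for the text messages sent to the phone

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(password, CONSTANT_PASSWORD)

    def login(self, password: str) -> Session:
        if not self._password_ok(password):
            raise PermissionError("wrong constant password")
        return Session(user="customer")

    def submit_transfer(self, session: Session, password: str, dest: str, amount: int) -> str:
        """Steps 1-2: the form is submitted; the bank decides whether a one-time code is needed."""
        if not self._password_ok(password):
            return "rejected"
        if not self.per_transaction and session.authorized_once:
            # Weak policy from the post: the session was authorized once, so every
            # later transfer goes through on the constant password alone.
            session.ledger.append((dest, amount))
            return "executed"
        otp = f"{secrets.randbelow(10**6):06d}"
        session.pending[otp] = (dest, amount)
        # The message names the transaction so the customer can compare it with
        # what they typed (the code is bound to this destination and amount).
        self.sms_outbox.append(f"Code {otp} authorizes {amount} to {dest}")
        return "otp_required"

    def confirm_transfer(self, session: Session, password: str, otp: str) -> bool:
        """Step 3: constant password plus the one-time code complete the transfer."""
        if not self._password_ok(password):
            return False
        txn = session.pending.pop(otp, None)   # single use: the code is consumed here
        if txn is None:
            return False
        session.ledger.append(txn)
        session.authorized_once = True
        return True


def last_otp(bank: Bank) -> str:
    """Read the code out of the most recent (simulated) text message."""
    return bank.sms_outbox[-1].split()[1]


def run_scenario(per_transaction: bool) -> dict:
    """One OTP-confirmed transfer, then a second one in the same session with the constant password only."""
    bank = Bank(per_transaction)
    s = bank.login(CONSTANT_PASSWORD)
    bank.submit_transfer(s, CONSTANT_PASSWORD, "ACC-LEGIT", 100)
    first_otp = last_otp(bank)
    first = bank.confirm_transfer(s, CONSTANT_PASSWORD, first_otp)
    # The post's scenario: a second transfer later in the same session.
    second = bank.submit_transfer(s, CONSTANT_PASSWORD, "ACC-OTHER", 5000)
    # Re-using the already consumed first code must fail under either policy.
    replay = bank.confirm_transfer(s, CONSTANT_PASSWORD, first_otp)
    return {"first_confirmed": first, "second_result": second,
            "replay_accepted": replay, "executed": len(s.ledger),
            "sms_sent": len(bank.sms_outbox)}


if __name__ == "__main__":
    print("session-based  :", run_scenario(per_transaction=False))
    print("per-transaction:", run_scenario(per_transaction=True))
```

Under the session-based policy the second transfer is recorded as executed with one text message ever sent; under the per-transaction policy it stays pending until a fresh code arrives, so a stolen constant password alone never moves money.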
I hope that my bank’s admins will rebuild this procedure to comply with good security practice, which is transaction-based authentication. Till then I must be doubly careful :(