NatWest mobile banking fail and why real innovation in security is needed


Not a good week for NatWest innovative banking services. 

 NatWest Get Cash fraud  (Get Cash Pulled)

 A combination of a simple phishing attack and a fundamentally insecure service led to many users of the Get Cash service ( a sub set of the NatWest mobile banking app – powered by Monitise) being defrauded of cash from their accounts.   

 The system allows users to get cash from an ATM by keying in a ‘secure cash code’ into the terminal.    The assumption is that once you have logged in to your app you are legit and so you ping the system for the code.   A user name and password level of security – that’s it!.   No better than 99% of all apps on the Net today.   

 Needless to say the service was shut down once the fraud started becoming rampant.   

 Does the drive for customer convenience completely outweigh basic security rules. ?   The problem with this kind of solution and others that rely on the presentation of self reported credentials i.e. user name and password are that these stateful artifacts are vulnerable to interception and re-use by a non-legitimate party i.e. the hacker, in this case through a phishing attack.  The system does not know that the credentials being presented are being done so by the ‘wrong’ person.   

 Any security system worth its salt (pun intended) thus needs to rid itself of the baggage of years and years of ‘traditional’ security solutions such as certificates, tokens, java-script scraping, cookies passwords, keys and OOB.  All shared secrets - incarnations of ‘security by obscurity’.  (The problem with Passwords ) (The end of passwords)

 Modern day hackers can crack passwords in seconds and bypass the defences laid by these solutions.   The conundrum for CIO’s and CSO’s is to find the balance between usability and efficacy.   As I stated in a previous blog – I am sure that most sites and custodians of your security are actually indifferent to your privacy and your security, hence the weakness of the solutions implemented.   Here is an example of just how weak the ‘latest’ technologies are :  
(The failure of RFID

Imagine if there were solutions that harnessed the ubiquity of SSO’s but were also strong in the 2FA sense.   In order to have universal appeal new solutions need to work in the BYOD / mobile domain.  No more needs to be said about the proliferation of smart mobile devices.   Effective solutions need to be easy for decision-makers to get and try out.  Gone are the days of lengthy POC’s and trials.   In the same way that consumers can try out tracks on iTunes and return unwanted products to sites like Zappos,  so security solutions should  be as easy to try out for free and get if they work and cancel if they don’t.   I think that professional services will take a big hit in the enterprise arena.   No longer required with SAAS. 

 We have already seen RSA take a big hit last year when its own defences were breached.   We are now at the stage that the Lance Armstrong’s of the security industry (i.e. those who have pulled the wool over the eyes of their customers for many years ) are going to be exposed as their solutions fail on an ever increasing basis.   

 It is time for security to come clean.  Only those solutions that are truly innovative will succeed.   When someone like the founder of Wikipedia says that a security failure could bring down a company like Facebook  (Security breach could bring down Facebook) maybe its time to wake up. 

Comments

  1. Ross Macdonald14 October 2012 at 08:46

    Check out this article covering pertinent subject matter - http://www.nytimes.com/2012/10/14/technology/two-step-verification-is-inconvenient-but-more-secure.html?smid=tw-share

    ReplyDelete

Post a Comment

Popular posts from this blog

The End of Passwords

Finally it seems … the penny has dropped.   Passwords are a poor substitute for real online security.   There is more and more ‘chatter’ about it.    Robin Henry writing in the Sunday Times on New Years Day talks of the end of ‘password hell’ invoking solutions in the pipeline from the Web Gods – Apple and Google.  The talk is of new biometric solutions such as facial and hand movement recognition.  Even IBM is talking this way.  ( http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/ )  I agree with the notion that passwords are a dying breed but not that biometrics will become vogue.   They are fraught with problems of their own such as reliability, accuracy and the need for referencing of data-bases ( fail !) .    Why are passwords defunct?   Basically they are difficult to remember and they are easy to steal.    The solutions needed are those that require no cognitive load for the user ( the most unreliable participant in this enterprise
Read more

WIKILEAKS - the fuss?

Why all the fuss ? Why the ‘outrage’ at this ‘threat to national security’ ?   Are we really worried that nuclear war is going to break out because of these ‘dirty’ secrets getting out.  As if the North Koreans are going to up the ante any more than their mock charge of last week because of the abuse and scorn heaped upon them by US Diplomats.  ? !    Come on. To me the irony of this bluster is that it is (largely) from the right wing establishment in the US - calling it treason!     Any party that parades a half wit like Palin as a presidential hopeful hardly holds any moral high ground when it comes to protecting the USA.   Her appointment as the ‘leader of the free World’ will be enough to send any level headed American ( let alone any one of their Allies ) into a panicky tailspin at the thought of what she may stumble into ( by accident or design) . So how did these documents get out there?   Poor security.  Plain and simple.   If the US is so worried about this incident su
Read more

HSBC EMBRACES OLD TECHNOLOGY IN ITS BATTLE AGAINST HACKERS

 If you live in the UK and are somehow involved in the business world and exposed to media you could not help but have noticed the extensive advertising campaign that HSBC has been running on its new (sic) ‘security device’ for online banking - Secure Key.    ( I was tempted to refer to them as  ‘ large UK bank’  - but it is so obvious who it is – no point in pretending. ) A lot of money has been thrown at this campaign – I would guess millions.  ( http://www.youtube.com/watch?v=Jx0Z5CiQMIw )   Full page spreads in large circulation newspapers cost big bucks not to mention prime time TV slots.   So here you have the worlds largest retail bank splashing millions on advertising and even more on a ‘cool’ little device that looks like a mini-calculator  - but basically a technology that has been around for about a decade.   This will be rolled out to 4m retail customers worldwide at a reported cost of up to £50 per pop! ( http://www.bankingtech.com/bankingtech/article.do?articleid=200002
Read more