Towards a more secure online banking: moving beyond twenty questions

Expo Theatre (Hall G), October 20, 2009

Nick Owen

Online financial applications have developed in a seemingly haphazard way. The result is images for host authentication, hidden cookies and inane questions. This session will break down attacks against session authentication, host/mutual authentication and transaction authentication, suggest more secure methods of protecting against those attacks without excessive inconvenience to the user, and lay the groundwork for additional security. We will present a multi-layered approach that authenticates the user's session, hardens the browser, strongly authenticates the server and can authenticate transactions without forcing the user to play twenty questions. Session themes will include keeping the user interface simple and consistent; the latest tools that could lead to new attack vectors, such as low-cost VoIP war-dialers; and where reliance on third parties can create unintended consequences. For example, out-of-band authentication is becoming increasingly popular, but some implementations rely on third parties that protect their own accounts by insecure means, negating the security benefit and increasing the likelihood of an attack on that third-party service. We will discuss the impact of this, and how the divergent economic incentives of cell carriers affect the security of SMS-based authentication systems.
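As an added illustration of the distinction the abstract draws between authenticating a session and authenticating a transaction (example code written for this page, not material from the talk or from the speaker): a login one-time code proves the user holds a device, but a man-in-the-browser can still rewrite the payee after the user approves. Binding the code to the amount and destination the user saw on a trusted display defeats that substitution. The HMAC-SHA256 construction, the counter-based replay protection and the sample secret and account numbers below are all assumptions of this example.

```python
import hashlib
import hmac
import struct


def _truncate(digest: bytes, digits: int = 8) -> str:
    """RFC 4226-style dynamic truncation of an HMAC digest to a decimal code."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_otp(secret: bytes, counter: int) -> str:
    """Plain counter-based OTP: proves possession of the device, says nothing
    about what transaction is being submitted."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest())


def canonical_tx(amount_cents: int, destination: str, counter: int) -> bytes:
    """Unambiguous, length-prefixed encoding of the details the user confirms.
    Length-prefixing the destination avoids two different transactions
    encoding to the same byte string."""
    dest = destination.encode("utf-8")
    return struct.pack(">QI", counter, amount_cents) + struct.pack(">H", len(dest)) + dest


def transaction_code(secret: bytes, amount_cents: int, destination: str, counter: int) -> str:
    """Code computed by the user's device over the amount and destination shown
    on its own display, so it is only valid for that exact transaction."""
    msg = canonical_tx(amount_cents, destination, counter)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


class TransactionVerifier:
    """Server side: recomputes the code over the transaction it is about to
    execute and advances the counter so each code can be used once."""

    def __init__(self, secret: bytes, counter: int = 0) -> None:
        self.secret = secret
        self.counter = counter

    def verify(self, amount_cents: int, destination: str, code: str) -> bool:
        expected = transaction_code(self.secret, amount_cents, destination, self.counter)
        if hmac.compare_digest(expected, code):
            self.counter += 1
            return True
        return False


def run_scenarios() -> dict:
    # Constructed inputs: a fixed device secret and two made-up IBAN-shaped strings.
    secret = bytes(range(32))
    amount, intended_dest = 25_000, "DE00000000000000000001"
    attacker_dest = "GB00000000000000000002"

    results = {}

    # 1. Honest transaction: device and server agree on amount, destination, counter.
    server = TransactionVerifier(secret)
    code = transaction_code(secret, amount, intended_dest, counter=0)
    results["legitimate"] = server.verify(amount, intended_dest, code)

    # 2. Replaying the same code against the same server is rejected (counter moved on).
    results["replay"] = server.verify(amount, intended_dest, code)

    # 3. Man-in-the-browser swaps the destination after the user approved the
    #    code for intended_dest: the server's recomputation no longer matches.
    server = TransactionVerifier(secret)
    results["mitb_altered"] = server.verify(amount, attacker_dest, code)

    # 4. A login OTP is identical whatever transaction follows it, so a server
    #    that only checks the OTP has no way to notice the swap.
    results["login_otp_blind_to_tx"] = hmac.compare_digest(login_otp(secret, 0), login_otp(secret, 0))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The binding only helps if the amount and destination the device hashes are the ones the user actually read on a display the attacker does not control; if the browser supplies those details to the device unchecked, the man-in-the-browser simply feeds it the altered payee and the code comes out "valid" for the attacker's transaction.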