<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoSecMinds &#187; Information Security Risk Management</title>
	<atom:link href="http://infosecminds.com/category/information-security-risk-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecminds.com</link>
	<description>For like-minded people</description>
	<lastBuildDate>Sat, 15 Jan 2011 09:21:13 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Two factor authentication</title>
		<link>http://infosecminds.com/2010/11/08/two-factor-authentication/</link>
		<comments>http://infosecminds.com/2010/11/08/two-factor-authentication/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 07:17:53 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Management System]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[2 factor authentication]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[one time password]]></category>
		<category><![CDATA[online banking]]></category>
		<category><![CDATA[RSA tokens]]></category>
		<category><![CDATA[two factor]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=245</guid>
		<description><![CDATA[Issues and proposed solutions for two factor authentication in online banking applications.]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">What it is and what the solutions are</p>
<p style="text-align: justify;">Today, banks providing internet banking facilities are looking to implement, or have already implemented, two-factor authentication. This has been driven either by the banks identifying the risks themselves or by a mandate from the regulatory authorities. Whatever initiated it, it is more important to understand what two-factor authentication is, what the business requirements are and how it is going to impact customers.<span id="more-245"></span></p>
<p style="text-align: justify;">What are the threats that we are trying to protect against by implementing a two-factor authentication solution? Phishing attacks, man-in-the-middle attacks, password sharing, etc.</p>
<p style="text-align: justify;">Two-factor authentication means that two factors of authentication (to your online banking website) are involved: either in the initial login process, in both the login and subsequent critical transactions, or only while carrying out critical transactions.</p>
<p style="text-align: justify;">So what are the factors involved in authentication?</p>
<ol style="text-align: justify;">
<li>What you know – password, PIN, answers to security questions, security image</li>
<li>What you have – one-time password (delivered in various ways), ATM cards</li>
<li>What you are – biometric solutions</li>
</ol>
<p style="text-align: justify;">Many organizations use one of the above more than once. For example, they use a user ID and password when logging in to online banking and some security questions when carrying out a critical transaction, and claim to be implementing two-factor authentication. In reality it is just one factor (what you know) used multiple times.</p>
<p style="text-align: justify;">Using a combination of any two of the above is termed two-factor authentication. A simple example is using your ATM card and PIN at an ATM. The ATM card is something that you have and the PIN is something that you know, so two factors are used to authenticate you and carry out your requests at the ATM.</p>
<p style="text-align: justify;">Passwords and PINs are very commonly used, while implementing a biometric solution (one that authenticates by fingerprint scan, retina scan, etc.) is very expensive and does not justify the cost. There are different methods and solutions available for implementing two-factor authentication, of which OTP (One Time Password) seems to be much safer against the various threats. Let us look at some of those solutions.</p>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">A grid on the ATM card</span></strong> – Some organizations have implemented the second factor as a grid printed on the back of the ATM card, which is convenient for customers. The login uses a user ID and password, and the next step is to key in a combination of numbers taken from the grid cells the online application asks for. The user keys in the value and access is permitted. The same authentication factor can be used when making an online transaction.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Disadvantages:</span></p>
<ul style="text-align: justify;">
<li>The card is used in many places and, since it is an ATM card, it may be handed to others for swiping on purchases. The grid on the back of the card can be easily memorized; though most do not agree with me, I am sure that I can remember and recollect at least one card’s grid.</li>
<li>If someone gets their hands on the card by any means, they can also photocopy the card and its grid and use it whenever and wherever required.</li>
</ul>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">A random-number-generating token</span></strong> – Many vendors provide tokens or key fobs (known by different names) which generate random numbers that are valid for only about 10 seconds (one form of OTP – One Time Password). This means that a new number is generated by some algorithm every 10 seconds. Very good!</p>
<p style="text-align: justify;">These are wireless tokens, and a related component (a server) in the organization’s environment validates the numbers generated on the tokens. Both the server and the token run the same algorithm, based on time stamps, so the server knows what number the token will show at a particular time.</p>
<p style="text-align: justify;">The user logs in by providing a user ID and password along with the number currently shown on the token, which is keyed into the application. The application validates this number internally and allows access.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Disadvantages:</span></p>
<ul style="text-align: justify;">
<li>The burden lies in procuring these tokens, distributing them to customers, maintaining them, handling customers who lose them, etc.</li>
<li>This solution is prone to man-in-the-browser attacks, which are similar to man-in-the-middle attacks.</li>
</ul>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">SMS on your mobile</span></strong> – A much better solution is using SMS as the second authentication factor (another form of OTP – One Time Password), though it has some drawbacks. Here the user logs in to the application using a user ID and password, and no second factor is applied at the initial login. The screens available after this login are limited: the account number is masked to its last 4 digits, the customer name is not shown, and only the masked account number, the balance and at most the 10 previous transactions are displayed; alternatively, the first page can be customized to show very minimal information. There is no access to the customer profile page either.</p>
<p style="text-align: justify;">When the customer needs to make a profile change or an online transaction, a one-time PIN is sent by SMS to the user’s registered mobile number; it has to be keyed in using a virtual keyboard, and that authorizes the transaction or change.</p>
<p style="text-align: justify;">This second factor can be applied to various transactions, viz. adding beneficiaries, profile changes, online transfers, changes to transaction amount limits, password change after lockout, statements beyond 10 transactions, etc. The main advantage of this solution is that the customer is not burdened with carrying an additional device, and it cannot be compromised unless the mobile phone is compromised in time to obtain the PIN and also carry out the transaction. Since a unique PIN is used for each transaction or change, it also mitigates man-in-the-browser attacks to a great extent.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Disadvantages:</span></p>
<ol style="text-align: justify;">
<li>The SMS is delayed in transit.</li>
<li>The SMS does not reach the customer, for various reasons.</li>
<li>Cost implications – payment has to be made to the ISPs for sending SMSs.</li>
<li>The customer is out of the country and does not have a roaming facility.</li>
<li>ISPs prioritizing private SMSs over the SMSs from the banks.</li>
</ol>
<p style="text-align: justify;">I would prefer the last option, though it lists more disadvantages than the others. Let’s try to justify the disadvantages listed. Frauds that result in financial loss are a global issue, and I think that all relevant stakeholders should come together for a solution to work; the government should be the enforcer and the regulatory bodies the initiators of this cause.</p>
<p style="text-align: justify;">If the government, the ISPs, the banks and the regulatory bodies come together, that would solve disadvantages 1, 3 and 5. Point 2 can be left as an accepted risk, as in any business, if there is nothing we can do about it. As for point 4, why is a customer trying to make a critical change or transaction while out of the country? If it is a corporate account, that is a different scenario.</p>
<p style="text-align: justify;">Your thoughts.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/11/08/two-factor-authentication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Assessing C-I-A values.</title>
		<link>http://infosecminds.com/2009/12/23/assessing-c-i-a-values/</link>
		<comments>http://infosecminds.com/2009/12/23/assessing-c-i-a-values/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 09:31:44 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[CIA Triad]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[asset values]]></category>
		<category><![CDATA[C-I-A]]></category>
		<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=195</guid>
		<description><![CDATA[It is a common discussion during an information security risk assessment exercise at most of the organizations. As a general practice the asset value is derived by weighing the confidentiality (C), Integrity (I) and availability (A) value of an asset. While the assets are categorized into Information, Hardware, Software, Service and People, my argument always [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">This is a common discussion during information security risk assessment exercises at most organizations. As a general practice, the asset value is derived by weighing the confidentiality (C), integrity (I) and availability (A) values of an asset. While assets are categorized into information, hardware, software, service and people, my argument has always been that C-I-A values can be assessed for information assets only, and for all others it should just be the availability value.</p>
<p style="text-align: justify;"><span id="more-195"></span>Now, let’s look at the definition of information assets. Information assets are basically data in transit or at rest, including data on paper. With this in mind, I think it is easier to assess the C-I-A values of these assets. Let us take an example:</p>
<p style="text-align: justify;">A contract document is an information asset; or take the file server in an organization: the “data” on the file server is an information asset. How much impact would the organization suffer if the information in the document were exposed to unauthorized persons? If the impact is low, the confidentiality value is low, and if the impact is high, the confidentiality value is high. The same applies to integrity and availability: if the impact of losing integrity or availability is high, it is rated high, otherwise low. After determining the C-I-A values, the asset value is derived either by taking the highest value or by some simple calculation.</p>
<p style="text-align: justify;">Let’s consider the C-I-A values for a hardware asset. The confidentiality value of a hardware asset is derived from the information it holds, and hence I feel there would be duplication if we considered the confidentiality value here. We are considering the hardware asset as a whole, and hence the integrity of the server is not applicable here. Availability is the value we need to consider for a hardware asset.</p>
<p style="text-align: justify;">What we have said about hardware assets applies equally to software and service assets. Now let us look at the people asset.</p>
<p style="text-align: justify;">If we try to assess the C-I-A values of a person, say the CEO of the organization, yes, he holds confidential information. But how do we assess the confidentiality value? It is hard to determine what information he is holding in his memory, and it may also vary constantly, which means you cannot rate the “C” as either high or low at a given point in time. I am not quite sure about the integrity aspect, and coming down to the availability value, this definitely needs to be assessed.</p>
<p style="text-align: justify;">Again, in my view the availability value of a people asset should always be set to high, irrespective of designation, age, gender, etc. Why?</p>
<p style="text-align: justify;">Controls are implemented based on the derived risk value. The risk value is proportional to the asset value, which means that if the asset value increases, so does the risk value. In this context, let us take an example:</p>
<p style="text-align: justify;">Contract document (information asset): asset value (C-I-A) = 5, threat = 3, probability = 3; risk value = 5 × 3 × 3 = 45</p>
<p style="text-align: justify;">IT Manager (people asset): asset value (A) = 3, threat = 3, probability = 1; risk value = 3 × 3 × 1 = 9</p>
<p style="text-align: justify;">In the above scenario, the information asset has a higher risk value than the people asset. If a fire breaks out in the organization, which of these assets will be protected or rescued first? People will always be considered first during a disaster, and hence the asset value of people should always be rated high. You may ask: if we already know that people come first, why should we even consider listing people assets in the risk assessment exercise? Well, your thoughts.</p>
<p style="text-align: justify;">I would even question why we need to consider hardware, software and service assets in the assessment, because all their values depend anyway on the information they hold or transmit.</p>
<p style="text-align: justify;">Your thoughts again.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/12/23/assessing-c-i-a-values/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Parkerian Hexad</title>
		<link>http://infosecminds.com/2009/08/16/149/</link>
		<comments>http://infosecminds.com/2009/08/16/149/#comments</comments>
		<pubDate>Sun, 16 Aug 2009 11:36:31 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[CIA Triad]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[CIA]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=149</guid>
		<description><![CDATA[The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability). The Parkerian Hexad attributes are [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).</p>
<p>The Parkerian Hexad attributes are the following:</p>
<ul>
<li>Confidentiality</li>
<li><strong>Possession or Control</strong></li>
<li>Integrity</li>
<li><strong>Authenticity</strong></li>
<li>Availability</li>
<li><strong>Utility</strong></li>
</ul>
<p style="text-align: justify;">These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.</p>
<p>I think I don’t need to explain C-I-A here. Let’s look at the other attributes.</p>
<p><span id="more-149"></span></p>
<p><strong><span style="text-decoration: underline;">Possession or Control</span></strong></p>
<p style="text-align: justify;">Suppose a thief were to steal a sealed envelope containing a bank debit card and (foolishly) its personal identification number. Even if the thief did not open that envelope, the victim of the theft would legitimately be concerned that (s)he could do so at any time without the control of the owner. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.</p>
<p><strong><span style="text-decoration: underline;">Authenticity</span></strong></p>
<p style="text-align: justify;">Authenticity refers to correct labeling or attribution of information. For example, if a criminal forges e-mail headers to make it look as if an innocent person is sending threatening e-mail messages, there has been no breach of confidentiality (the thief uses his or her own e-mail account), possession (no information has been taken out of the control of the victim), or integrity (the e-mail messages are exactly as intended by the criminal).</p>
<p style="text-align: justify;">What is breached is authenticity: the e-mail is incorrectly attributed to someone else. Similarly, misusing a field in a database to store information that is incorrectly labeled is a breach of authenticity; e.g., storing a merchant&#8217;s tax code in a field labeled as the merchant&#8217;s ZIP code would violate the authenticity of the information.</p>
<p><strong><span style="text-decoration: underline;">Utility</span></strong></p>
<p style="text-align: justify;">Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form.</p>
<p style="text-align: justify;">Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.</p>
<p style="text-align: right;">Source: www.wikipedia.org</p>
<p style="text-align: justify;">Having said this, I would like to discuss the possible controls that can be implemented to mitigate risks for the above 3 attributes.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/08/16/149/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>CISF Security at Infosys</title>
		<link>http://infosecminds.com/2009/07/31/cisf-security-at-infosys/</link>
		<comments>http://infosecminds.com/2009/07/31/cisf-security-at-infosys/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 09:07:51 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Management System]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=146</guid>
		<description><![CDATA[In the recent news Infosys becomes the first private company to get CISF security. I have also been reading in yet another blog about an organization conducting mock drills for terrorist attacks. It is quite interesting to see that organizations are now taking security as a prime concern. As mentioned in my previous blog about [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">In recent news, Infosys has become the first private company to get CISF security. I have also been reading in yet another <a href="http://vagrasala.wordpress.com/2009/07/01/beyond-fire-mock-drills-to-terrorist-attack-mock-drills/">blog</a> about an organization conducting mock drills for terrorist attacks. It is quite interesting to see that organizations are now treating security as a prime concern. As mentioned in my previous blog about the frisking of VIPs at airports, the exception mentioned there is an age-old rule that was implemented when terrorism was not a major concern.</p>
<p style="text-align: justify;"><span id="more-146"></span></p>
<p style="text-align: justify;">It is important for every organization to carry out risk assessments regularly to ensure that it is protected from new threats. Today terrorism has become a major threat to organizations as well, and hence organizations definitely need to include terrorism as a threat in their risk assessment exercise.</p>
<p style="text-align: justify;">A regular risk assessment exercise not only helps in identifying and protecting against the latest threats, but also reviews the processes and controls that were defined and implemented years ago. Though those processes and controls might be working well, they might not cover the risks arising from the latest threats, and if risk assessments are not conducted regularly, these new threats might go unnoticed.</p>
<p style="text-align: justify;">Hence organizations are encouraged to make the risk assessment exercise an annual activity and also to repeat it whenever there is a major change within the organization. It is also important to keep tabs on new threats that need to be included in the risk assessment exercise.</p>
<p style="text-align: justify;">Now the next question that arises is: what are the risks of having these armed CISF security personnel on the campus?</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/07/31/cisf-security-at-infosys/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

