Cookie-based Security Creates False Sense of Online Banking Security

- By John De Santis CEO, TriCipher

Throughout 2006, a series of high-profile incidents occurred that very painfully and very publicly highlighted how flimsy usernames and passwords are in protecting a person's online identity. Phishing and various other forms of online fraud sent the e-business community--particularly in financial services, which bore the brunt of these attacks--into a tailspin. In a bold move, one of the world's largest banks aggressively promoted its deployment of multi-factor authentication as a free, required service to all of its online banking customers.Subsequently, many banks have followed suit, adopting technology designed to verify that the bank's Website was really the bank's Website, and that users were who they said they were. Generally, the enrollment process required people to choose an image to use as a unique identifier, write a brief phrase and select three challenge questions. The Website then dropped a cookie on the user's machine that gets passed back and forth between the user's computer and the bank to confirm each other's identities. This process made customers feel safer, and demonstrated that banks were stepping up to the plate to protect their customers online. But where the cyber-rubber hits the road, they're relying on HTTP cookies for authentication--a method which is at best weak, and at worst, completely useless.

As a quick refresher, the term "HTTP cookie" derives from "magic cookie," defined in Wikipedia as a packet of data a program receives but only uses for sending it again, unchanged. Already used in computing, magic cookies were "webified" by Netscape programmers while developing an e-commerce solution for one of Netscape's customers to implement a virtual shopping cart.

From their inception, cookies have been fraught with both security and privacy issues. Cookies are easily hacked, often deleted by users (requiring frequent answering of security questions to view their accounts), and useless against Man-in-the-Middle (MITB) and Man-in-the-Browser (MITB) phishing attacks, which are occurring with increasing frequency.

To be fair, cookies, passwords and images are more secure than passwords alone, but not by much. In a nutshell, they raise the bar from nothing to...almost nothing. As a consumer of online services, I can appreciate the initiative to ensure my safety without any major inconvenience--but if it's not buying me a safer experience, then what's the point? When the cookies crumbles, then what?

The justification for using cookies for consumer authentication is that it's a step up from what's currently being used (usernames and passwords) and doesn't interfere with the online experience. It all boils down to the classic battle between security and convenience--more security means more complexity, and if it becomes too much of a hassle to bank online no one's going to do it. So the big nut the banks, the FFIEC, the auditors, security vendors, analysts and market researchers are all trying to crack is what is "good enough" security--meaning, secure enough to actually protect people, without making the user experience so complicated that it drives them offline. It's not an easy question to answer.

Gartner analyst Avivah Litan wrote a report highlighting the security flaws of cookie technology, stating that such a solution "... fosters consumer confidence but cannot be wholly relied on to effectively reduce fraud." She went on to say, "Online consumer service providers need a bifurcated strategy... one piece to build consumer confidence and another piece to keep the crooks out."

Unfortunately, the Gartner report came out after many banks had already followed suit in order to meet the tight window imposed by the December 2006 FFIEC deadline.

The irony of the FFIEC guidance is that, while it intends to ensure that banks do the right thing to protect online customers, it leaves more than enough rope for banks to hang themselves on security. Given the short timeframe banks had to comply and the wide variety of choices they had to sift through, it's conceivable that banks would lean towards cookie-based technologies. They're an improvement over what they had and cookies provide them with an FFIEC checkmark.

However, at the risk of raising the already nauseating level of fear-mongering that's par for the course in the security industry, I encourage you not to throw the baby out with the bathwater. Last year MITM attacks were widely perceived as a strictly theoretical threat. In 2006, these "theoretical threats" crippled a bank in Europe and compromised a major U.S. bank (despite its use of tokens) along with several brokerages in Canada. Cookies, and even tokens, would have been useless in stopping these attacks.

People are noticing. An August 2006 Gartner survey revealed that almost nine million US adults have stopped using online banking, while another estimated 23.7 million won't even start because of fears over security. How many more users would defect if they knew they were being scammed by the very people promising to protect them? It certainly blurs the line between the good guys and the bad guys, doesn't it?

When the cookie crumbles, everyone loses. So why let it happen?