Implementations of knowledge-based authentication (KBA) -- asking "secret", out-of-wallet questions that presumably only the end user knows the answers to -- on the Web have been on the rise in the past few years, particularly in online financial services, as part of efforts to fulfill FFIEC guidelines for additional risk mitigation measures that address the inadequacies of single-factor authentication. The concept of layered authentication -- the riskier the transaction, the more stringent the authentication measures -- is related to this, and KBA can be readily (and simplistically) adapted to layered authentication by simply increasing the number of secret questions that the system asks.

Of course, as a standalone method of authenticating users at login, asking out-of-wallet questions in addition to username and password doesn't rise to the level of strong (two-factor) authentication, since they're all variations on "what you know". So from a security standpoint it's difficult for KBA to really provide identity assurance. But isn't ease of use and peace of mind for end users that's driving financial institutions to implement KBA? (Let's put aside for a moment any cynicism about KBA being a cheap alternative for the FI.)

Apparently, though, there's a point at which users' confidence that the bank is protecting their assets tips over into suspicion that the bank's security isn't up to snuff or even that a fraudster is pumping them for personal information. And then there's the annoyance factor: the inconvenience in terms of the time and effort to remember all of the PINs, passwords, and answers and jump through those hoops. It's as if the typical Internet banking customer is a tender orchid needing just the right conditions to flourish.

The only problem is that in most cases this isn't true. Buck up and spend the cash on a real two-factor authentication system, mandate its use, and customers will adapt -- even thrive. There are enough different methods of two-factor our there that the difficult decision should not be whether to implement two-factor, but which form factor to choose.

My prediction for 2008 is that confusion will reign because part of the answer is provided by cable, satellite, or telephone service companies, and their incentive is to maintain confusion because that’s an effective “up-sell” technique.

The simple story is that over-the-air (OTA) analog goes away, replaced by OTA digital. For OTA consumers, it’s just a matter of getting an ATSC tuner (built-in to a newer TV, or standalone with a government-subsidizied coupon).

The part that is different for every locality and service provider: what to do with analog TVs on analog cable systems. For every locality there is a simple cable story: the cable company could tell you their plans for analog channels, e.g. “We’ll continue to carry local channels for our analog customers through [let’s say] 2012.” But the cable companies will generally avoid that story. (I tried to extract it from TWC and they failed the first test, answered the wrong question entirely.)

Why would they tell you a simple “analog on cable is OK for N years” story when they would rather upgrade you to a new digital cable set-top box, and while they’re at it, try to replace your phone too?

So, even if it’s true that analog cable customers will live just fine on the analog cable plant for quite some time, you’ll only see it either in extremely fine print, or omitted as a choice at all in most promotional materials.

Now, it is also true that for bandwidth utilization reasons, the cable companies would like to convert their cable plant to all-digital. If they somehow manage to convert all their cheap $8/month basic cable customers to some fatter bundle, all the better for them. The good thing is that digital OTA tuners will provide competition, so the cable company had better have something that competes with free digital for cheap customers, or they’ll just lose the low end altogether. (The only reason I have basic cable is because my analog OTA reception is poor. Once digital OTA becomes cheap (it’s not yet, standalone tuners are too expensive), I’ll be a digital OTA customer unless cable really makes it worthwhile not to switch. It’s a race to the bottom for my dollar.)

Once they start losing a significant number of customers to digital OTA, then they will start publicizing cheap basic analog and constructing cheap basic digital. But they will wait as long as possible.

10. Penetration Testing Goes Prime Time - No this is not a Tiger Team fan site! I liked the show and looking forward to more episodes and hopefully a few that go more on the computer side.

9. iPhone Hacking Reveals Security Press Whores - I knew this was going to happen and it is really kinda silly. A new device comes out and it is going to have problems. Yes they are cool hacks but you could still smell the press whoring dripping off of some of these.

8. Cross Site Request Forgery Goes Mainstream - Creating an article that diggs itself was just the start. PDP discovered a way to backdoor Gmail accounts via XSRF in April. XSRF has been around for a while under a few different names. Expect big scary things from it in the future.

7. PCI tip toes into Web Application Security - PCI has flirted with Web Application Security with it’s standard for a while. That flirtation continued with the nebulous and specific section 6.6 which says check our code or get a web application firewall. This is a best practive that will be made a must do in 2008. I hope they make it clear by then.

6. McaFee buys another network scanner to kill - In October McaFee announced the acquisition of ScanAlert. I covered my thoughts here. McaFee still has money and needs to diversify from their core AV business. I suspect more news in 2008.

5. Web Application Space Consolidates - First IBM acquires Watchfire, then in a fit of jealous rage HP acquires SPI. Neither of these seems to be spectacular valuations but I am sure the founders made out OK. This leaves Cenzic has the only pure play desktop scanner out there. They are clearly going insane, with there lame attempt to cash in on the virtualization craze. (I still laugh when I read that release.) It remains rather unclear where HP and IBM are going although it seems likely that SPI will end up part of Mercury and Watchfire will end up part of Rational. If the products remain as standalone offerings though is unclear.

4. Full Disclosure Dies - 2007 will go down as the year full disclosure died. Crappy treatment from vendors and now web site owners has driven the good guys out and the only people left are the bad guys that are in it for the money. Which leads to…

3. Russian Business Network gets more light shone on it - Scott Berinato wrote a great series of articles covering the shadowy world of the Russian Business Network and the groups it supports. Amazing stuff and blows my “kids from russia” quip out of the water. These guys are good and for real and are raking in the big bucks.

2. Web Application Security continues to rise - I have been in this space for 10 years now and it seems to have gained more exposure this year than the previous 9 combined. A full track at BlackHat, tons of coverage in the security media, and a general understanding from the CIO crowd makes 2008 look like a breakout year.

1. TJ Max leaks most credit cards in history - Really could there be any other #1. This article gives a good overview of how bad it really was inside TJMaxx. Sadly TJMaxx still had issues well into the year. They finally paid up to make it all go away.

Well there is my list of the top security stories of 2007. If you have any to add post them in the comments.

Post from: Grumpy Security Guy

Top 10 Security Stories of 2007