I just ordered my E*Trade security ID gizmo, to become an early adopter in the overhaul about to hit online finance. Apparently the RSA Security two-factor authentication system that first became familiar to me in the halls of Digital Equipment eons ago (and/or its equivalent) is about to become a mandate for banks/brokerages right around the same time the digital-TV mandate goes into effect and eliminates yet another old way of doing things.

I have a lot of skepticism about the direction this will likely take: what sort of waivers are these financial institutions, not known for consumer-friendly policies, going to get from Congress once they get enough consumers to sign up for 2-factor authentication gimmicks? Will it become well-nigh impossible to get your money back if someone figures out a way to scam you or otherwise rip you off by some clever online scheme? Just thought I'd post this here because I know a lot of y'all have had to deal with those RSA keys in the past and probably in any work that you currently do on internal systems at the likes of Fidelity.

The policy document in question is on a government website here: http://www.ffiec.gov/press/pr101205.htm . There are (at least) two types of attacks that this policy addresses: trojan horse, aka phishing; and identity impersonation.

I have found that phishing attacks have gotten clever enough to fool almost anyone. Most recently, I bought something on eBay; using information about the just-closed transaction posted publicly on their system, a hacker generated a fake email using the details of the transaction to make it look like an email that I would commonly expect to receive. I (and hopefully you) will be on the lookout for those in the future, but in this case the phishing attack worked well enough against me that I carelessly typed my eBay password into some nefarious server.

Fortunately I became suspicious right afterward and changed my eBay password, but this episode put to rest any expectation that there is ANY 100%-effective way to avoid getting nailed by a phishing attack against a single-factor password authentication method. Someday someone will be able to scam me or someone I know, despite all the precautions.

Identity impersonation is harder for the banks to deal with, IMHO. Humans are always the weak point in any large organization. They can be a strength in a small organization: if you've ever had an account at a small bank and visited a branch regularly, your face became known to one or more of the tellers, who would put an immediate halt to any effort by someone else to impersonate you. In a large organization, no matter what technology is deployed, there will always be a way for an attacker to call them up, claim to be you, claim that the password's been forgotten or the crypto-key failed or whatever, and get some neophyte call-center clerk to open up a hole in their system.

And, of course, the next question is this: will the feds require that banks support client identity verification on platforms other than Windows? ;-)

-rich