The unbelievable weakness of identification/authentication, bank edition
So I am in the process of opening a new bank account + credit card with my existing institution. And I call to check on the status of the credit card. And the call goes like this:
press 1 for english, 2 pour francais
type in your 16-digit card number
what is the last 4 digits of your phone number
OK, here is your last balance ($$$ owing), statement date, … what would you like to do?
… option is talk to agent, change phone number, …
You see a problem with this? I mean, how is knowledge of the 16-digit number, which is something you can see on my card anywhere I use it (not even the CVV on the back, just the number), plus my phone number, enough to say who I am?
Earlier I talked about being worried about port-out of your phone number. E.g. someone steals your phone number to their SIM/phone, and then uses that to steal control of your bank account. But why bother with that hassle when I just need to know the last 4 digits of your phone number? Seriously? They didn’t even call me back; I could have been calling from anywhere, including your mother’s basement!
Authentication is a tough problem. Are you who you say you are? Face-to-face we rely on pattern matching. We recognise each other by hair colour, eye width, smug expressions, etc. And, somehow, our brain can withstand changes (e.g. the hair is not exactly the same, it’s ok). Take that online, and over a voice-robo-auto-attendant? And somehow my bank (I won’t name them) just gave up and went with 4 digits of phone number?
I get it, it’s a hard problem: some shared secret only we would know, that is not susceptible to a replay attack. My phone number is susceptible to a replay attack (it’s on my business cards, I hand it out freely!).
Why can’t the bank give me a stack of lottery-ticket-scratchoffs, and I scratch a one-time number? Or something? Geez. I mean, the data it read me there (last balance, statement date) is the other thing they use to identify me.
Next step is they’ll have an API. And guessing a 4-digit number is only 10K combinations, so on average it will take 5K tries. Let’s say I can try ‘only’ 1 per second. Yup, 5000 seconds == 1.4 hours.
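To make the two points above concrete (the scratch-off one-time codes, and the 5K-guess average against a 4-digit secret), here is an added example, not the bank’s code or anything from this post: a server-side verifier for a printed batch of one-time codes. It derives the codes HOTP-style (counter under HMAC-SHA256, truncated to decimal digits; the exact construction is an assumption), rejects a code once it has been used, and locks the card after a few failures, which is what actually stops the brute-force arithmetic rather than the size of the number.

```python
import hmac
import hashlib


def derive_codes(seed: bytes, count: int, digits: int = 8) -> list[str]:
    """Derive `count` one-time codes from a per-customer secret seed.
    Counter-based HMAC-SHA256 (HOTP-style, an assumed construction) truncated
    to `digits` decimal digits. The bank prints these on the scratch card;
    only the seed needs to live server-side."""
    codes = []
    for counter in range(count):
        mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        value = int.from_bytes(mac[:4], "big") % (10 ** digits)
        codes.append(str(value).zfill(digits))
    return codes


class ScratchCardVerifier:
    """Server-side check: each code works exactly once, and repeated failures lock the card."""

    def __init__(self, seed: bytes, count: int, max_failures: int = 5):
        self._unused = derive_codes(seed, count)
        self._max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, presented: str) -> bool:
        if self.locked:
            return False
        for idx, code in enumerate(self._unused):
            # constant-time compare so timing does not leak how close a guess was
            if hmac.compare_digest(code.encode(), presented.encode()):
                del self._unused[idx]   # consumed: a replayed code is rejected next time
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self._max_failures:
            self.locked = True          # the attacker gets a handful of tries, not 5K
        return False


def expected_guess_seconds(digits: int, guesses_per_second: float) -> float:
    """Average time to brute-force a `digits`-digit secret with no lockout (half the space)."""
    return (10 ** digits) / 2 / guesses_per_second
```

With a 4-digit secret and one guess per second, `expected_guess_seconds(4, 1.0)` gives the 5000 seconds from the paragraph above; with the lockout in place the search ends after `max_failures` wrong codes regardless of digit count.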
Sigh. Biometrics you say? Well, I’m on a phone. So voice print? But I’ve spoken publicly, online, lots of times. Want to see me speak @ OpenStack Vancouver a few years ago? Sample my voice, snip out the words you need? Fingerprints? Over the phone? Well even if so, I mean, my fingerprint is not changeable, so, um, I’m sure it’s knowable, and there is no fixing that it’s knowable. OK, so no biometrics.
So I’ll put this out there. For society to continue, we need online trust & identification to be as simple as face-to-face, and usable by low-tech things like consumer<->banking relationships to just work. I mean typical consumer work, so, uh, prob no PGP-keys on U2F, it needs to work where there is no electricity, no money, no education. Low-techify it! Who wants to fix this? Comments on how?