Below is a blog post, originally in Dutch, on re-usable identities instead of different passwords for all websites. The trigger for the blog post is that Hold Security released the Dutch (or actually, .nl) part of the login data/email addresses that they discovered to be hacked. The NCSC (National Dutch Cyber Security Centre) IMHO focuses too much on educating users to prevent this, rather than finding/promoting solutions such as re-usable identities, including the Dutch eID Stelsel NL (similar to NSTIC in the US).
The latest security incident with the Dutch eID solution DigiD was all over the Dutch media. The DigiD of about 150 citizens from Amsterdam was stolen in December. The identity thieves then used these DigiDs to change the bank account number for the victims' pensions etc. Although, in my opinion, DigiD is a success since it is used a lot, we really need to make it more secure. There are plans for this, but no final decision has been made. Below is a more elaborate blog post (originally in Dutch).
DigiD fraud again: we need to hurry
DigiD was once again prominently and negatively in the national newspapers this morning (e.g. Volkskrant, NRC). This time it turns out that the DigiD of 150 Amsterdam residents was stolen so that benefits and allowances could be transferred to criminals. This concerns a known weakness of DigiD: the password is distributed by post, so someone who 'fishes' your letterbox, a criminal PostNL employee or someone with access to your house can steal your DigiD quite easily. Although I estimate that the financial damage of these 150 cases will be modest compared to the investments needed for a more secure eID solution, it is very unpleasant for the 150 people it happens to, and it is bad for trust in electronic government. And there have been more incidents, and there will be more.
DigiD was designed as a low-threshold and relatively cheap identity solution. And don't forget: it is a successful solution. The measure of success here is whether it is used. DigiD is used a lot, also compared to our neighbouring countries. DigiD usage is still growing, to 100 million times last year. Now, however, speed is needed with a successor. I have already blogged a fair amount about this successor, the eID stelsel NL and a DigiD smartcard, so I won't repeat that here. What I do find striking is that now too, for example in the Volkskrant, a smartcard is presented as the solution to this incident. But if that smartcard were simply sent by post, this really will not help. That does not mean I think a more secure authentication means is a bad idea, but the urgency seems to me to lie more in a more secure issuance of the authentication means. This usually comes down to face-to-face issuance of the password or smartcard, instead of by post.
Just before Christmas a letter to parliament about the eID stelsel and the DigiD card appeared. It contained few surprises and a few choices, mainly about what will be private and what will be public in the eID stelsel. A quote from this letter:
The final decision-making on the design of the eID Stelsel and the introduction of the DigiD card can only take place once the associated expenditure and revenue have been fully mapped out and all expenditure is covered. The House of Representatives will be informed about this in more detail at a later date.
Given the increasing problems with DigiD, I hope that actual decision-making, including funding, will follow soon. Then public and private parties can act on it, and the Netherlands can take the next step towards more reliable digital services (government and business). This also applies should the eID stelsel and/or the DigiD card still stumble or be introduced in a limited form. Better that this becomes clear quickly so that market initiatives have room. And if, for whatever reason, a successor to DigiD takes too long, then issuing DigiDs via the town hall instead of by post could be considered as an interim solution.
The Dutch Banking Association (NVB) has for a couple of years now made internet banking fraud numbers in NL public, with updates every half year. The damage for the first half of 2012 was €27.3M, compared to €35M for the whole of 2011 (see graph below, with the amount for 2012 calculated by simply doubling the first half of 2012). The relative increase, again calculated by simply doubling the 27.3M to get a number to compare to the €35M, is roughly 1.5 times. This means the growth is less than it was in the previous years (see the graph below). Also, if you compare the first half of 2012 to the second half of 2012, the growth has decreased to 14%. This does not mean that I'm optimistic: the fraud still increases, and the absolute numbers are also becoming worrisome. With ~11M internet banking users, this is ~€5 per user, which is IMHO significant.
The Dutch Banking Association (NVB) in the Netherlands provides numbers on internet banking fraud, I think twice a year (see also my last post on this). Yesterday they announced new numbers, together with a new awareness campaign for the public. The numbers they announced yesterday about the first half of 2011: the number of incidents is 2400 and the damage is €11.2M.
I extrapolated these numbers for the whole of 2011 by simply multiplying them by two (which is probably optimistic) and compared them to the 2009 and 2010 numbers. The bottom line is that internet banking fraud still increases a lot, with more than twice the damage in 2011 compared to 2010. The relative increase is however less dramatic than from 2009 to 2010, when it increased by a factor of five. The number of incidents increased by a factor of about 3.5, and thus there is also good news: the amount of damage per incident decreased (to an average of ~€4,500 per incident). I guess this is because the Dutch banks improved their detection of internet fraud, and are more effective in quickly stopping money mules.
Non-technical countermeasures such as continuing awareness campaigns and the Electronic Crimes Taskforce (which hunts cybercrime) are needed, but really preventing internet banking fraud also depends on better authentication means and other, more technical measures. What I found somewhat remarkable is that the NVB press release and also e.g. the article in the Volkskrant (a Dutch national newspaper) talked about 'old fashioned' phishing emails as being a big part of the problem, while I'm personally more worried about malware on consumers' devices (laptop, smartphone, tablet etc.). An anecdote: a colleague of mine was very recently the subject of an attack involving advanced malware that infected his PC irrespective of up-to-date patches and virus scanners. The malware then waited till my colleague made a transfer, and added a transfer to a money mule in Portugal to empty his account. Such malware is undetectable for 'normal people', including because the browser indicates a valid website certificate. He however noticed this right after the transfer because the browser was acting strangely, and was able to stop the transfer by calling his bank. I'm however sure that for someone less 'nerdy' the browser's strange behavior would have been too subtle to notice.
The graphs below show the fraud numbers for 2009, 2010 and (extrapolated for) 2011.
The Dutch Banking Association (NVB) provided numbers on how much fraud there is in the Netherlands with internet banking (in Dutch). Since we’re doing a project called cidSafe for several companies in the financial sector in the Netherlands on consumer identity (see this recent presentation in English, or the website which is mostly in Dutch), I was very interested in these numbers.
The fraud with internet banking in NL is €4.3M for the first 6 months. Although I agree with the NVB that this in itself is not a huge number, the increase is very big. In the whole of 2009 the fraud was €1.9M, thus an increase of about 450%! By the way, victims of internet banking fraud are usually reimbursed by their banks, and all Dutch banks use two-factor authentication. Compared to the numbers recently released in Germany, internet banking fraud seems a somewhat bigger problem in the Netherlands than in Germany (with an estimate of €17M in 2010 about twice as much fraud as NL, but with 5 times more inhabitants). Also in Germany there is a big increase in internet banking fraud compared to 2009.
The NVB press release mentions phishing as the main method of fraud. I couldn't find more details on this, but simple phishing of username/password won't work since all internet banking services in NL use some form of two-factor authentication (smartcard or SMS one-time-password based). Malware attacks are becoming more advanced, as e.g. the recent "Zeus In The MObile" malware showed, which can even spread from desktop to mobile using social engineering. This article (sorry, again in Dutch) states that most attacks are a combination of relatively simple phishing or malware (keyloggers) with social engineering to get the second factor.
If the increase in internet banking fraud were to continue for a couple of years, this will become a very serious financial problem (€39M in 2011?, €174M in 2012?). Add to this the emotional impact on victims and reputation loss for banks, and this increase in fraud is something to worry about. The weakest links appear to be 1) the home PC (and smartphone) and people's ability to keep it malware free, and 2) people being subject to social engineering attacks. The question for me is therefore what is more effective for banks to invest in:
- educating their customers, on the importance and ways to keep their PC/smartphone malware free, and to make them less susceptible to social engineering attacks, which will no doubt help but is not a silver bullet, or
- invest in technology, by providing more secure authentication means that are not, or less, sensitive to malware and social engineering attacks, which is very expensive and can be very annoying for users.
The alternative for banks is to wait and see if others (police, government, operating system vendors, anti-malware vendors etc.) will be able to counter this increase in internet banking fraud; this is however not what I expect they will do, as is also shown by the new awareness campaign by the NVB.
I'm at ISSE 2010 this week, which takes place in Berlin this year. I'll share my impressions on two subjects that were hot (in the first two days, since I write this with one more day to go).
The ‘hottest’ item is the new German eID card (nPA), which will be issued starting 1 November. This is a ‘normal’ ID card, with an eID contactless chip. Technically the eID function seems to be better than what I’ve seen before, but more interesting for me was the business model behind it, and how they handle privacy.
With respect to the business model, it is interesting that it can be used for consumer-2-business authentication, thus increasing usage beyond citizen-2-government services. This is free from the perspective of the relying party (aka service provider). Of course, running a so-called eID server to 'talk' to the eID card is not trivial, and much more complicated than becoming e.g. an OpenID relying party. There are companies ready to take care of this on behalf of the relying party; this will of course cost money. Citizens have to pay for the card, but since it is (I think) mandatory to have one …
With respect to the digital signature function, this is not present by default. A citizen has to go to a commercial party for this, i.e., a different business model for the signature function than for the authentication function. The reason seems to be that this is not considered a government responsibility (contrary to authentication/identification), and companies are already offering this as a service (not a lot to consumers, I expect). This probably also means that there will be only very few people that go to this trouble (and cost), and thus little coverage for consumers/citizens.
With respect to privacy, what is interesting is the ability to act as a pseudonym-only authentication device, that relying parties need to register and motivate which attributes they want to read, user consent, and a proof-of-age function that does not reveal one's age. Also interesting is that kids below 16 are not allowed to use it to identify themselves, for privacy reasons I assume (can't trust those kids to know what they're doing :-)).
The Germans live up to their reputation of being privacy-conscious with this new eID card, good for them. When looking at some of the details, they also live up to another reputation of being very sensitive to academic grades: Doktorgrad is a data field on the card… Not sure how important this is for security purposes though, but at least the border control or webshop can properly address "Herr Doktor" :-)
The big question is now whether this takes off with both the public and relying parties, and how long this takes. There are examples in other countries that were earlier, where this went very slowly or not at all (e.g., Belgium).
There were some, mostly German, talks on phishing and malware. Quite scary actually how this is progressing. Cybercrime seems to be becoming more professional, and is scaling up. I'm a strong believer in "good enough" security, especially when it concerns damage that is 'only' money/fraud, as opposed to privacy loss. To quote a number, the German government (Bundeskriminalamt) estimates €17 million of fraud from phishing/malware in online banking in Germany for 2010 (with €3500 average damage). This in itself is not a number that surprises me, it is even lower than I expected, but if the growing trend (71% up from last year!) continues in the coming years this number will increase quickly. Of course, the costs of properly countering these threats, and the user-unfriendliness that often comes with it, are also huge.
Two things happened today that made me think about how naive current measures against identity theft are. The first is a US bank of which I'm a customer. I hardly ever log in on their website, and of course had forgotten the password. To assure that I am myself, I had to provide two answers about myself that I'm sure many (10s or 100s of) people know, and many more can very easily find out (including place of birth, which I had to put on page 5 of my PhD thesis, which is publicly downloadable). And since the web interface did not allow me to do what I wanted (to terminate the account), I had to call them. During this call I had to provide those same two answers, plus my home address (which is listed in the phonebook). The funny thing is that I had to provide these answers twice during the same phone call, which did not make me feel more secure at all …
This type of static knowledge authentication is simply NOT suitable to authenticate any transaction that requires more than a very minimal level of assurance, and it is very naïve to use it for online banking (see also).
The second thing that happened today is a commercial I saw from the Dutch government, part of a campaign for a safer internet ("Veilig Internet. Heb je zelf in de hand"). The campaign seems to focus on people's own responsibility to prevent identity theft. The commercial however was very limited, stating that people should change their password once in a while, and be careful about whom you email your personal data to. The first recommendation is very naive because 1) I'm convinced people don't do this unless forced to and 2) it doesn't help much against e.g. malware, phishing or using the same password at many sites. The second recommendation assumes that personal data is used to authenticate yourself, which it simply shouldn't be (see the first paragraph).
Although I welcome the attention that this campaign brings to the issue of identity theft, I wonder if spending more energy and time on better authentication and identity solutions for the internet wouldn’t be more effective than this campaign.