I received an e-mail today trying to enlist me in a marketing campaign for PhoneFactor. Of course, it was presented as a way to help myself, to encourage my bank to provide me with better security, but the ultimate goal was to get me to tell my bank that I want it to use the PhoneFactor service to ensure my account’s security. The subject of the e-mail says, “Join Our Nation Campaign for Better Online Banking Security,” but I have to wonder — is the security it provides really any “better?”
The text of the e-mail is as follows:
Tell Your Bank "I Want My PhoneFactor!"
A recent FTC survey found that 8.3 million Americans were the victim
of identity theft last year. To help consumers combat fraud,
PhoneFactor launched a national campaign for online bank security.
Identity Theft And Fraud Are On The Rise:
* The number of password phishing sites increased 559% in 2007.
* 80% of phishing sites were in the banking and financial services
* You are more likely to have your password phished and have your
identity stolen than be burglarized.
With PhoneFactor, when you login to your bank account, you
automatically get a call. You simply answer the call and enter a PIN
to complete the login. Even if a hacker has phished your password,
they cannot get access to your account.
Join Our Fax Campaign at www.iwantmyphonefactor.com
This essentially turns all online banking authentication into a two-factor login. Multifactor authentication uses one or more “factors,” which include:
- Something You Know: a password
- Something You Are: biometric identification
- Something You Have: a smart card
In this case, the two factors in use would be your login credentials at the Web site (username and password: something you know) and your cellphone (something you have).
Of course, the standard of convenience drops significantly. With PhoneFactor, not only do you have to log in to your account, but you have to do so with your cellphone handy, its battery has to be charged, and you have to wait for the verification call — whereupon you have to provide “something you know” (your PIN) again.
As I pointed out in the article, Making encryption popular, convenience is of key importance to improving uptake of good security practice, and PhoneFactor unfortunately just makes security much less convenient.
In addition to the problem of convenience, there’s the problem of introducing another party into your transaction. What are the security procedures like on the back end of PhoneFactor? Any time PhoneFactor must be used to verify a login, the service provider is alerted to the fact that a given bank customer is accessing his or her account — and the company is staffed by actual human beings, all of whom are imperfect, and none (or at least very few) of whom care about you personally, your privacy, or the integrity of your bank account. Will mistakes made by people at PhoneFactor lead to new attack vectors on your banking security that were unforeseen? Will employees of the company be able to use their position as the middleman to take advantage of you?
Is it worth it?
Convenience must be balanced against security, sometimes. In the long run, I hope that a more convenient, more verifiably secure system is developed that provides the same kind of two-factor authentication.
The convenience hit is actually very small for the common case, and the security benefit could be quite substantial. There will be edge-cases, however, where convenience might take a nosedive — such as being on a business trip and needing to access your bank account online, but realizing you left your cellphone charger at home. This could be especially problematic if the reason you need to access your bank accounts is to move funds from savings to checking so you can buy a charger for your cellphone.
The security concerns would probably never come back to bite you — but the fact that’s only a “probably” is really the problem. Once you start playing a statistics game to decide whether your overall security has gotten better or worse with a given security solution, you may need to rethink your solution.
The concept, itself, is a good one (at least for security purposes, if not for purposes of convenience). If PhoneFactor were open source software that could be deployed by the same company with whose Web site I wanted to authenticate (in other words, if it were open source software used by the bank, rather than a third-party service to which the bank has to subscribe), I’d be all for it. If it were closed-source software implemented by the bank (rather than bought from a third-party vendor), I’d support that as well, as an improvement to security.
It’s the third-party involvement with a cookie-cutter solution being offered as a package deal, and the problem compounded by the service being managed by that third party, that raises my concerns.
As for you — I guess you’ll have to decide for yourself.