Everyone in security knows the 3 factors of authentication: something you know (like a password), something you have (like a smartphone or card reader) and something you are (like a fingerprint). But today, very few banks use all 3 factors for online security, and many still rely on card readers as the "something you have" token. Card readers typically require you to insert your bank card, enter your PIN, and then type in the 6-digit code displayed on the reader.
As the second authentication token, the card reader is critical to online security. So it is with considerable concern that one now sees the following warning displayed after logging into the Royal Bank of Scotland's online banking:
Have you been asked to use your card reader and provide codes generated by it to someone over the phone? STOP!
– We will NEVER ask you for a card reader code to stop or verify transactions over the phone. If you are being asked to share this code over the phone, it's fraud.
– You should NEVER log onto Digital Banking whilst sharing your screen with someone else. If you are being asked by companies you trust, such as your internet provider, to log in to your Digital Banking while sharing your screen, it’s fraud.
RBS is warning that it is possible to compromise the "something you have" token by deceiving the customer with false information about his or her account. The vulnerable customer discloses the one-time code from the card reader, thereby enabling a potential theft from their account.
While knowledge can be stolen and physical tokens compromised by criminal manipulation, it is much harder to obtain biometric data (something you are). A determined thief with access to things you touch might be able to extract a fingerprint, but it is hard work, and it is dangerous, since the thief will need to enter your home or office to get at the print. Voice biometrics and facial recognition are much harder to steal. A good voice authenticator or face recognizer will check for signs of liveness as well as for your identity, which makes it just too hard to break in.