A Survey of Authentication and Communications Security in Online Banking
ACM Computing Surveys, Vol. 49, No. 4, Article 61, Publication date: December 2016.

Passwords and PINs. Text-based passwords and PINs were the only encountered implementations of knowledge-based factors. Other knowledge-based schemes have been proposed in the past, such as cognitive and graphical passwords [Zviran and Xxxx 1990; Xxx et al. 2005], but none of them are used by the banks examined in the survey. Using knowledge as a single factor for authentication is quite unsafe. Passwords and PINs are often kept static for longer periods of time to keep them memorable. As long-term secrets, passwords and PINs entered as plain text on a user's computer can be collected by software-based keyloggers, to be used instantly in subsequent attacks [Xxxxxx and Xxx Xxxxxxxx 2007]. Despite this vulnerability and as shown in Table I, a relatively large number of banks still use passwords or PINs exclusively in home and mobile banking (20% for home banking, 35% and 60% for mobile banking applications and sites, respectively).

Table I. Knowledge Authentication Factor Use in Online Banking in 2015
(cell values are numbers of banks; the "None"/"Present" columns state whether a possession factor is used alongside the knowledge factor)

Knowledge factor    | Regular sites (80)  | Mobile apps (60)    | Mobile sites (25)
                    | None    | Present   | None    | Present   | None    | Present
PIN                 | 2       | 17        | 5       | 20        | 2       | 3
Password and PIN    | 1       | 6         | 1       | 0         | 1       | 0
None                | N/A     | 3         | N/A     | 1         | N/A     | 1
Unknown             | 0                   | 2                   | 1

The "Password and/or PIN" knowledge factor in Table I requires some explanation. It relates to banks that offer different combinations of authentication options that support either passwords, passwords and PINs, or PINs only. This is because they offer different physical or electronic authentication devices, each with its own set of knowledge factors. For example, a bank can require a password to log in, and either physical paper or an electronic device to derive one-time passwords from for transaction authorization. The electronic device requires a PIN to be accessible, while a PIN is not necessary for the physical paper.
Passwords are popular both where knowledge is used as a single factor and where a possession factor is used. PINs are only popular in combination with a possession factor. If the only factor is knowledge, it is logical that passwords are preferred above PINs, since passwords offer more security due to their higher complexity, making them harder to guess. An explanation for why PINs are still quite popular in multi-factor scenarios is that they are often an intrinsic part of the authentication method. For instance, some OTP generators require the use of some knowledge to unlock their functionality. If the knowledge has to be provided on the (often relatively small) device itself, a PIN is the most practical choice, since its entry requires fewer buttons and button presses than a password.

Some banks provide additional proprietary software to detect or protect against passive password or PIN sniffing attacks against home banking. The use of this software is mandatory at eight banks and optional at one bank. We did not study in depth how this software protects passwords, but its documentation implies that the offered features may include a scanner for malware-based sniffers and an overlay for password and PIN fields that offers a randomized keyboard to be used with a pointer device, such as a mouse.

Another security-enhancing feature is the use of an on-screen keyboard with randomly placed buttons, offered for home banking on a bank site rather than through software. Passive sniffing of keyboard and mouse data will not yield passwords or PINs if this feature is used. Two banks offer this through their sites for password entry and one bank offers this for PIN entry.

In addition to using a password, one bank implemented a system that relies on questions answerable by the user. Upon registration, the user creates three pairs of questions and answers. Whenever the user wants to log in, the bank asks for the password and one of the user-chosen questions. The user has to enter specific letters (chosen by the bank) of the answer, not the entire answer. This ensures that all secret knowledge cannot be gained in a single password sniffing attack. However, it does not protect against long-term repeated passive attacks, or against active and social engineering attacks.
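The following Python block is an added example, not code from the survey or from any of the banks it examined. It simulates, server-side, the two passive-sniffing countermeasures described above: a per-session randomized on-screen keypad (a click sniffer captures only button positions, which are meaningless without the layout), and the partial-answer challenge (the bank picks a question and a few letter positions, so a single captured login exposes only those letters). It also carries the survey's caveat about repeated observation through as a formula: after m logins, each revealing k of n positions, the expected fraction of one answer seen by a passive observer is 1 - (1 - k/n)^m. The function and class names, the 10-digit keypad, and the sample user with her questions and answers are all assumptions made for illustration.

```python
import secrets
import string
from hmac import compare_digest

PIN_PAD_CHARS = string.digits  # constructed: a 10-key pad such as a bank PIN field


def new_keypad_layout():
    """Server side: draw a fresh position -> digit layout for this session only.

    A pointer sniffer that records clicks sees positions; without the
    per-session layout it cannot translate them back into digits.
    """
    digits = list(PIN_PAD_CHARS)
    # Fisher-Yates shuffle driven by the OS CSPRNG (secrets), not random.shuffle
    for i in range(len(digits) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return dict(enumerate(digits))


def positions_for(layout, pin):
    """Client side: what is transmitted (and what a passive sniffer captures)."""
    digit_to_pos = {digit: pos for pos, digit in layout.items()}
    return [digit_to_pos[ch] for ch in pin]


def pin_from_positions(layout, positions):
    """Server side: map the reported positions back to the PIN using the layout."""
    return "".join(layout[pos] for pos in positions)


class PartialAnswerStore:
    """Question/answer store for the partial-answer challenge (assumed design).

    The bank asks for `positions_per_challenge` bank-chosen letter positions of
    one user-chosen answer. Checking individual letters forces the server to
    keep answers in recoverable form (here: normalised plaintext); that is an
    inherent trade-off of the scheme and a reason to protect the store well.
    """

    def __init__(self, positions_per_challenge=3):
        self.k = positions_per_challenge
        self.users = {}  # user -> list of {"question": ..., "answer": ...}

    @staticmethod
    def normalise(text):
        # case-insensitive, whitespace-insensitive comparison of answers
        return "".join(ch for ch in text.lower() if not ch.isspace())

    def register(self, user, qa_pairs):
        self.users[user] = [
            {"question": q, "answer": self.normalise(a)} for q, a in qa_pairs
        ]

    def challenge(self, user):
        """Pick one question and k distinct letter positions, chosen by the bank."""
        entries = self.users[user]
        qi = secrets.randbelow(len(entries))
        n = len(entries[qi]["answer"])
        positions = sorted(secrets.SystemRandom().sample(range(n), min(self.k, n)))
        return {"question_index": qi, "positions": positions}

    def verify(self, user, chal, letters):
        """Compare the supplied letters with the challenged positions in constant time."""
        entry = self.users[user][chal["question_index"]]
        expected = "".join(entry["answer"][p] for p in chal["positions"])
        supplied = self.normalise(letters)
        if len(supplied) != len(expected):
            return False
        return compare_digest(expected.encode(), supplied.encode())


def expected_exposure(answer_len, k, logins):
    """Expected fraction of one answer's positions seen by a passive observer.

    Each challenge reveals k of n positions, so a given position escapes one
    challenge with probability (1 - k/n). This quantifies the survey's caveat
    that the scheme does not withstand long-term repeated passive observation.
    """
    return 1.0 - (1.0 - k / answer_len) ** logins


if __name__ == "__main__":
    layout = new_keypad_layout()
    clicks = positions_for(layout, "4712")           # what a click sniffer would see
    print("clicks:", clicks, "-> PIN:", pin_from_positions(layout, clicks))

    store = PartialAnswerStore(positions_per_challenge=3)
    store.register("alice", [("First school?", "Green Hill"), ("First pet?", "Biscuit")])
    chal = store.challenge("alice")
    print("challenge:", chal)
    for m in (1, 2, 5, 10):
        print(f"expected exposure of a 9-letter answer after {m} logins:",
              round(expected_exposure(9, 3, m), 3))
```

Running the block once shows the point of each countermeasure: the same PIN produces a different click sequence under every fresh layout, and a single challenge asks for only three letter positions, while the exposure figures rise quickly with the number of observed logins.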
